01-10-2019 04:57 AM
Hello,
We are currently migrating from Cisco AnyConnect to a GlobalProtect solution that is hosted on an Azure cloud VM and really like the "Always On" feature. The only set back we have noticed is there is no way to manipulate it to only connect when not on an internal LAN. We had manipulated DNS in the past to disable internal users from connecting to our VPN, but with the GlobalProtect client it will display an error message. We are trying to avoid having our end users notice this.
Thank you any assistance is appreciated.
01-10-2019 06:22 AM
Right, you can enable internal host detection (e.g. your domain controller).
If your client is connected to your internal network, you can tell him to connect to an internal global protect gateway.
There you can define e.g. user id and no tunnel configuration.
That is more secure than doing WMI probing or AD logs
01-10-2019 05:33 AM
you can set an external gateway in the agent config.
A tunnel will be only established, if you are outside of your lan.
As an internal gateway you can configure Globalprotect to act as an user-id collector
01-10-2019 05:41 AM
The tunnel will always establish if the gateway is reachable, which it is since the host sits in Azure. We have modified DNS to not resolve the gateway when on the LAN, but the client will display an error message stating it cannot connect. I am not seeing anything within the configuration to state only connect if not on the domain/local network. Am I missing something? Again any help is appreciated.
01-10-2019 05:44 AM
can you post/describe your agent config on the portal?
Do you tried to define the internal host detection to connect to an internal gateway instead?
01-10-2019 05:59 AM
Thank you for your replies, it is much appreciated.
As of right now we have done nothing to tweak the agent configuration and is using the default setup with SSO authentication.
We do not actually have any PaloAlto gateways internally at the moment. As of right now we only have the 1 Azure VM firewall. From what I understand we would need an interface from a PaloAlto internally to achieve this correct?
Forgive me for any ignorance on this. My past experience has been mainly with Pulse and Cisco and am a bit green with GlobalProtect.
01-10-2019 06:22 AM
Right, you can enable internal host detection (e.g. your domain controller).
If your client is connected to your internal network, you can tell him to connect to an internal global protect gateway.
There you can define e.g. user id and no tunnel configuration.
That is more secure than doing WMI probing or AD logs
01-10-2019 06:25 AM
I think I understand now. I really appreciate your responses on this and pointing me to the correct path.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
