Internal Host Detection in GlobalProtect


Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

L1 Bithead

Internal Host Detection in GlobalProtect

I am confused with GlobalProtect offical documents.

From GlobalProtect troubleshooting guide:

Internal Host Detection
Internal Host Detection provides hints to GP client to determine quickly if the PC is inside or outside office. If it is not configured, GP client will always try to connect to each internal gateway first. If it fails to connect to any internal gateway or if there is no internal gateway defined, it will then attempt to connect to the best external gateway. Admin should try to set internal host detection as it speeds up the tunnel establishment.

From Configuring GlobalProtect Tech Note:

Internal Host Detection: This helps Client determine whether the host is inside or outside the corporate network and then connect to the corresponding Gateway. The DNS name specifies a hostname that only can be reached from internal network and its IP address. The Client performs a reverse lookup on the IP address and if it receives the expected hostname as a response, it will attempt connecting to the Gateways in the internal list. If no response is received that Client will attempt to connect to the external Gateways in the external list
If no “internal-host-detection” configuration is provided, Client always connectes to the external Gateways.

Anyone know which one is correct?

Tags (2)
L3 Networker

So looking at the purpose of Internal Host Detection, the Client will try to resolve the host name to the IP provided. If DNS does not resolve, it will quickly assume you are not on an internal network, and try to create a tunnel with the external IP's provided in your configuration.  Looking at the Admin guide, we can see the following:

External Gateways—Specify the list of firewalls the client will try to establish a tunnel with when not on the corporate network. The client will contact all of the gateways and establish a tunnel with the firewall that provides the fastest response and the lowest priority value.

This implies that the sequence will be internal, then external. The internal IP's will time out rather quickly and a tunnel will then be established with the fasted external IP.

Does this help?


L1 Bithead

Hi Dez,

Thanks for your answer. I understand the function of Internal Host Detection from admin guide. My problem is there is contradiction on GP configuration guide and troubleshooting guide.

Anyway, I have opened a support case and now I can confirmed:

1. If SSO is selected, Internal Host Detection with be used (by reserve DNS lookup, resolve IP to hostname)

2. If On Demand mode is selected. GP client (start from 1.1.4) will always set its network type to 'External' and connect to external gateway.

3. From support team: "The statement in GP troubleshooting guide looks incorrect. I have escalated to verify this"

L3 Networker

If internal host detection is configured, and not internal portals/gateways are defined, will the GP client simply stop trying to establish vpn?  Thats what i'd like to see.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!