Need help with Global Protect Internal Gateway

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Need help with Global Protect Internal Gateway

L1 Bithead

Hello everyone.  I am hoping to have some guidance/help on figuring out what I am missing with our internal gateway.  Prior to my employment there was an external gateway setup and is working.  I have been tasked to create an internal gateway for this same external vpn.  I used this video as a guide to setup the internal GW portion of the vpn.  When testing, the vpn on my phone detects internal network, but it does not pass any traffic.  Looking at traffic logs, I do not see any blocks, looking at global protect logs, it shows successful.  Not exactly sure what I am missing.


L6 Presenter

Look at which virtual router and security zone the tunnel used for the gateway is. Do you have the proper routes and rules back to your internal/external networks?


Edit: Also, are you trying to run internal host detect? In that case the gateway is only used for HIP checks/data collection, the GP client unblocks and allows direct internal network connection if otherwise in always-on mode.

Hi @emarschang 

Without looking at your exact configuration it will be hard to identify what could be the problem.


However I want to make some fundamental clarification - if you have followed the exact steps from that video (I haven't watched it to the end, but) your internal GP gateway does not actually build any VPN tunnel. In the video the internal gateway use the default settings for tunnel mode (they didn't even opened the agent tab), which is disabled. In this case GP client is not actually building any IPsec/SSL tunnel to the firewall, it just make some HTTP(s) based requests which firewall use for ip-to-user mapping and building HIP profile (if your firewall have GP license). Which means that GP client is not used to process any traffic sourced from that device. So any traffic from that device will use source address the IP from the VLAN where it is connected. So it will not come from tunnel interface, no Zone associated with GP, but you should see it as normal traffic sourced from your LAN. The only noticable difference would be that FW will have ip-to-use mapping for that IP  and if you have license HIP profile matching information.


If your phone is connected to internal GP gateway and you don't have internet access I would start by checking the matching security and NAT policy.

  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!