GlobalProtect Portal Internal Gateway Not Filtering by Source IP Address


Symptoms

 

When configuring internal gateway settings under the GlobalProtect portal, you can choose to filter which users can connect to the internal gateway by source IP address. However, with that option configured, users from source IPs not listed in the configuration are still able to connect to the internal gateway.

Diagnosis

 

The source IP address configuration does not take effect if Internal Host Detection is configured and enabled. Users will always connect to the internal gateway if their GlobalProtect app can resolve the IP to the DNS name using a reverse DNS lookup, and the source address will not be considered in this case.

 


Solution

 

Turn off Internal Host Detection and configure the source IP address for all subnets allowed to connect to the internal gateway. A security policy is also required to allow user source IPs to connect to the internal gateway IP address.
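
To confirm the change took effect, connections seen on the internal gateway can be compared against the allowed subnets. The script below is an added example, not part of the original article or of any Palo Alto Networks tooling; the log format, addresses, subnets and function names are constructed for illustration.

```python
import csv
import io
import ipaddress

# Constructed sample: connections seen on the internal gateway (format is an assumption).
SAMPLE_LOG = """time,user,source_ip
2022-03-14T09:01:12,alice,10.10.5.20
2022-03-14T09:02:40,bob,10.20.7.9
2022-03-14T09:05:03,carol,10.10.200.1
2022-03-14T09:07:55,dave,192.168.1.50
"""

# Constructed allow list: the subnets entered as source addresses for the internal gateway.
ALLOWED_SOURCES = ["10.10.0.0/16"]


def source_filter_effective(ihd_enabled, allowed_sources):
    """Per the article, the source IP filter only applies with Internal Host Detection off."""
    return bool(allowed_sources) and not ihd_enabled


def unexpected_sources(log_text, allowed_sources):
    """Return (user, source_ip) rows whose source is outside every allowed subnet."""
    networks = [ipaddress.ip_network(n, strict=False) for n in allowed_sources]
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            addr = ipaddress.ip_address(row["source_ip"].strip())
        except ValueError:
            hits.append((row["user"], row["source_ip"]))  # unparseable: flag for review
            continue
        # Compare only against networks of the same IP version.
        if not any(addr.version == n.version and addr in n for n in networks):
            hits.append((row["user"], str(addr)))
    return hits


if __name__ == "__main__":
    if not source_filter_effective(ihd_enabled=True, allowed_sources=ALLOWED_SOURCES):
        print("source IP filter is not being applied (Internal Host Detection is on)")
    for user, ip in unexpected_sources(SAMPLE_LOG, ALLOWED_SOURCES):
        print(f"outside allowed subnets: {user} from {ip}")
```

Any row reported after Internal Host Detection has been turned off points to a missing subnet in the source address list or a security policy that is broader than intended.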

 


 

Comments

Thanks, Karam.  That's very helpful.

 
Last Updated:
‎03-31-2022 10:52 AM