Global Protect and Internal Network routing


L1 Bithead

Hello,

 

New Global Protect user here, so bear with me. We have started using Global Protect for our laptop users. As part of our configuration the client is loaded when the laptop boots up. The support team wanted this so they could still connect in the event the laptop lost its trust to the domain and the end user could not sign into the laptop. We have discovered an issue with this when the end user is connected to the corporate network: all traffic is routed over Global Protect and not over the corporate network. We thought Internal Host Detection would be the mechanism to prevent this, but from reading through what I am finding, that is not the case? Trying to figure out what we need to fix this issue, as they want / need to keep the preload.

 

Thanks ...

 

Brent

1 REPLY

L6 Presenter

It's not quite clear from your explanation if you are running GlobalProtect in Always-On Pre-login (VPN always starts when the machine boots) or Always-On User-Login (VPN always starts, connects when the user logs in). I suspect the former, as you said in case the user could not log in. In either case the laptop would still need valid credentials to connect to the VPN (either valid certs or stored user credentials).

 

If you have Internal Host Detection enabled, it should not be connecting to the VPN on the corporate network (unless you have specifically configured it for an Internal Gateway; an Internal Gateway is not required). I would look carefully at the Internal Host Detection configuration under Agent config. The GlobalProtect client will do a reverse DNS lookup for the specified IP address when connected to a network. The DNS server must return the exact indicated hostname (including matching case) in order to discover that it is internally connected and bypass the VPN.

 

If you look through the PanGPS.log file in the GlobalProtect client debug output, you should see a log line for the reverse IP DNS lookup, value returned to the client, and match status.
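The reply above describes the check the client performs: a reverse (PTR) lookup of the configured internal host IP, whose answer must equal the configured hostname exactly, case included, or the client treats itself as external and connects to the VPN. The script below is an added example, not code from the post or from Palo Alto Networks, that reproduces that decision so you can run it against your own DNS before blaming the client. The IP `10.1.2.3` and hostname `ihd.corp.example.com` are assumed placeholders standing in for whatever you entered under Agent config, and the three resolver tables are constructed sample DNS answers; `os_reverse_lookup` does a real PTR query through the OS resolver if you want to point it at your real values.

```python
"""Reproduce GlobalProtect Internal Host Detection logic (added example).

Internal Host Detection, as described in the reply: the client does a reverse
DNS lookup for a configured IP and compares the returned name to the configured
hostname. Only an exact, case-sensitive match means "internal" (bypass VPN);
any mismatch or lookup failure means "external" (connect the VPN).
"""
import socket
from typing import Callable, Dict, Optional

# Hypothetical values standing in for the portal's Agent config entries.
INTERNAL_HOST_IP = "10.1.2.3"
INTERNAL_HOST_NAME = "ihd.corp.example.com"

# A resolver takes an IP and returns the PTR hostname, or None on failure.
Resolver = Callable[[str], Optional[str]]


def os_reverse_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup through the OS resolver; None if it fails (NXDOMAIN etc.)."""
    try:
        hostname, _aliases, _addrs = socket.gethostbyaddr(ip)
        return hostname
    except (socket.herror, socket.gaierror, OSError):
        return None


def internal_host_detected(ip: str, expected_name: str,
                           resolve: Resolver = os_reverse_lookup) -> bool:
    """True only if the PTR answer equals expected_name byte for byte.

    No lower-casing and no trailing-dot stripping: the reply states the
    returned name must match exactly, including case, so neither is applied.
    """
    returned = resolve(ip)
    if returned is None:
        return False
    return returned == expected_name


def explain(ip: str, expected_name: str, resolve: Resolver) -> str:
    """Human-readable verdict, distinguishing a case-only mismatch from others."""
    returned = resolve(ip)
    if returned is None:
        return f"PTR lookup for {ip} failed: treated as external, VPN will connect"
    if returned == expected_name:
        return f"PTR for {ip} returned {returned!r}: exact match, internal, VPN bypassed"
    if returned.lower() == expected_name.lower():
        return (f"PTR for {ip} returned {returned!r}: differs from "
                f"{expected_name!r} only in case, still a mismatch, VPN will connect")
    return f"PTR for {ip} returned {returned!r}: does not match {expected_name!r}, VPN will connect"


def make_fake_resolver(table: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a constructed IP -> PTR name table."""
    return lambda ip: table.get(ip)


# Constructed sample DNS answers (not captured from a real server).
CORRECT_DNS = make_fake_resolver({INTERNAL_HOST_IP: "ihd.corp.example.com"})
WRONG_CASE_DNS = make_fake_resolver({INTERNAL_HOST_IP: "IHD.corp.example.com"})
NO_PTR_DNS = make_fake_resolver({})  # no reverse zone at all


if __name__ == "__main__":
    for label, resolver in [("correct PTR", CORRECT_DNS),
                            ("wrong case", WRONG_CASE_DNS),
                            ("no PTR record", NO_PTR_DNS)]:
        print(f"{label:14}: {explain(INTERNAL_HOST_IP, INTERNAL_HOST_NAME, resolver)}")
```

To test a real environment, call `internal_host_detected(INTERNAL_HOST_IP, INTERNAL_HOST_NAME)` with no resolver argument from a machine on the corporate LAN; if it returns False, the fix is in the reverse zone (or in the hostname typed into Agent config), not in the client.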
