11-09-2022 10:03 AM
Hello,
I have configured GlobalProtect with Portal + External gateway and pre-logon always-on with Enforced GlobalProtect Connection for Network Access. I have enabled Internal Host Detection IPv4. So far this is working great and GlobalProtect detects if it is in an Internal Network, and if it is not it automatically prompts you for authentication to connect to the external gateway. We are using Azure SAML authentication with Microsoft 2FA. If we don't have a DNS entry for the GP portal internally then the Internal Network detection randomly fails, so we need to have a DNS entry pointing at the portal, and at that point only after you log into the portal does the agent detect the Internal network. The problem with this is that users are required to authenticate to the GlobalProtect Portal even when they are in the Internal network, and this constitutes an extra step that management doesn't want the users to take when they are in the Internal network. So, is there a way that I can have Internal Network detection working properly without authentication when I am in the internal network?
11-27-2022 12:54 PM - edited 11-27-2022 12:54 PM
Hi @mmantilla ,
Unfortunately I am afraid there is no other way. This is how GlobalProtect works - you need to connect to the GP portal first, before connecting to the GP gateway. In addition, the GP client will periodically connect to the portal to refresh its config (portal config refresh interval).
In the real world the GP client is caching the gateway configuration, and in an attempt to optimise the process it will try to use the cached config and directly connect to GP first. So it is possible that internal users don't authenticate to the portal and connect straight to the internal gateway, but this doesn't solve your problem.
One possible workaround would be to use a "split DNS zone", or in simple terms create a DNS entry for your portal and external gateway that points to an internal IP address. This address should be a loopback on the firewall where you have configured a different GP gateway/portal using a different authentication method that does not require MFA (probably only machine cert).
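Added example of the split-horizon zone data this workaround describes (not the poster's configuration; example.com, the 10.255.255.1 loopback, the 203.0.113.x public addresses and the ihd hostname are assumptions). The internal copy of the zone answers with the firewall loopback that hosts the certificate-only portal/gateway, while the external copy keeps the public SAML+MFA endpoints.

```zone
; --- file: db.example.com.internal (served only to corporate LAN clients,
;     e.g. a BIND view with match-clients { 10.0.0.0/8; }; or the
;     internal copy of the zone on AD DNS) ---
$ORIGIN example.com.
$TTL 300
portal      IN A    10.255.255.1    ; firewall loopback: cert-only portal
gw-ext      IN A    10.255.255.1    ; same loopback: cert-only gateway

; --- file: db.10.255.255.internal (internal reverse zone) ---
; Internal Host Detection does a reverse lookup of the configured IP and
; expects the configured hostname; the IP/hostname pairing here is assumed.
$ORIGIN 255.255.10.in-addr.arpa.
$TTL 300
1           IN PTR  ihd.example.com.

; --- file: db.example.com.external (served to everyone else) ---
; Public addresses of the Internet-facing portal and gateway, which keep
; Azure SAML + MFA as before.
$ORIGIN example.com.
$TTL 300
portal      IN A    203.0.113.10
gw-ext      IN A    203.0.113.11
```

A quick check from an internal client is that `nslookup portal.example.com` returns the loopback address and from outside returns the public one; if the internal answer is missing or inconsistent, Internal Host Detection behaves exactly as the original post describes.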
11-28-2022 06:53 AM
Hi, this is a good solution that I attempted before, since we already have a split-DNS setup for the company. I attempted to create a portal/gw on the trust interface, but where I am failing is in configuring machine certificate authentication only. I have tried following the two articles below but I am still prompted for a username/password. So either you always get prompted and that is how GP works, or there is something I am doing wrong. I would really appreciate it if you have some sort of guide or idea of what I could be doing wrong when attempting this. Please let me know, and thanks a lot for taking the time to reply.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPQCCA4
08-16-2024 08:00 AM
Hi, I came across this thread searching for a solution to a similar problem of getting an MFA challenge while on the internal network, even when internal host detection is configured and, based on the logs, working. Could you please share the details of the solution approach if you were able to address your concerns? Thanks in advance.