Global Protect Internal Host detection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Global Protect Internal Host detection

L1 Bithead

Hello, 

I have configured Global Protect with Portal + External gateway and pre-logon always-on with Enforced Global protect Connection for Network Access. I have enabled Internal Host Detection IPv4. So far this is working great and Global Protect detects if it is in an Internal Network and if it is not it automatically prompts you for authentication to connect to the external gateway. We are using Azure SAML authentication with Microsoft 2FA. If we don't have a DNS entry for the GP portal internally then the Internal Network detection randomly fails so we need to have a DNS entry to point at portal then at that point only after you log into portal the agent will detect the Internal network. The problem with this is that users require to authenticate to Global Protect Portal even when they are in the Internal network and this constitute an extra steps that management don't want the users to take when they are in the Internal network. So, is there a way that I can have Internal Network detection working properly without authentication when I am in the internal network? 

1 accepted solution

Accepted Solutions

Hi @mmantilla ,

Unfortunately I am afraid there is no other way. This is how GlobalProtect works - you need to connect to GP portal first, before connecting to GP gateway. In addition GP client will periodically connect to portal to refresh its config (portal config refresh interval).

 

In real world GP client is caching gateway configuration and in attempt to optimase the process it will try to use the cached config and directly connect to GP first. So it is possible that internal users don't authenticate to portal and connect straight to internal gateway, but this doesn't solve your problem.

 

One possible workaround would be to use "split DNS zone", or in simple terms create DNS entry for your portal and external gateway, to point to internal IP address. This address to be loopback on the firewall where you have configured different GP gateway/portal using different authentication that does not require MFA (probably only machine cert).

 

View solution in original post

3 REPLIES 3

Hi @mmantilla ,

Unfortunately I am afraid there is no other way. This is how GlobalProtect works - you need to connect to GP portal first, before connecting to GP gateway. In addition GP client will periodically connect to portal to refresh its config (portal config refresh interval).

 

In real world GP client is caching gateway configuration and in attempt to optimase the process it will try to use the cached config and directly connect to GP first. So it is possible that internal users don't authenticate to portal and connect straight to internal gateway, but this doesn't solve your problem.

 

One possible workaround would be to use "split DNS zone", or in simple terms create DNS entry for your portal and external gateway, to point to internal IP address. This address to be loopback on the firewall where you have configured different GP gateway/portal using different authentication that does not require MFA (probably only machine cert).

 

Hi, this is a good solution that I attempted to take before since we already have split-DNS setup for the company. I attempted to create a portal/gw in the trust interface but where I am failing is in configuring machine certificate authentication only. I have tried following the two articles below but I am prompted for a username/password still. So either you always get prompted and that is how GP works or there is something I am doing wrong. I would really appreciate if you have some sort of guide or idea in what I can be doing wrong when attempting this. Please let me know and thanks a lot for taking the time to reply.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPQCCA4

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/authentication/set-up-client...

Hi, I came across this thread searching for a solution to a similar problem on getting MFA challange while on the internal network even when interna  host detection  is configured and based on logs working. Could you please share the solution approach details if you were able to address your concerns. Thanks in advance. 

  • 1 accepted solution
  • 3972 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!