Global Protect users not able to use internet when they move to office from Home

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Global Protect users not able to use internet when they move to office from Home

L3 Networker

Hi All,

 

We had configured an GP Portal/Gateway on the firewall. The login method configured on GP is Pre-Logon method and we also had enabled "No Direct Access to local network". The Authentication method used is LDAP. Gateway is configured in Full tunnel mode

 

As the user were working from home previously they will be able to access internet only when GP VPN is enabled. Now the users started moving to office and also in office environment they need to connect through GP to access internal network and internet.

 

Is there any way to configure GP in such an manner that when the user is using his laptop in home he need to connect to GP-VPN to use their system and when they come to office no need to connect to GP-VPN to use their system to access internet and organization internal network.

 

Thanks in advance!!

 

 

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hi @tamilvanan ,

 

Yes, this can be done.  In addition to your external gateway, you would configure an internal gateway in non-tunnel mode with Internal Host Detection enabled.  https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClH1

 

Note in the doc that (1) the trust interface is used, (2) the Agent tab on the gateway is not configured (Tunnel Mode is not checked).  As the name implies, no encrypted tunnel is formed between the client and the gateway.

 

This configuration has the added benefit of providing accurate User-ID inside the network and enforcing HIP checks if configured.

 

Here is more info on Internal Host Detection -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/globalprotect/network-global....

 

Here is more info on types of gateways -> https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/glob....

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post

3 REPLIES 3

L0 Member

Hello

 

You can use Internal Gateway as possible solution.

 

 

Cyber Elite
Cyber Elite

Hi @tamilvanan ,

 

Yes, this can be done.  In addition to your external gateway, you would configure an internal gateway in non-tunnel mode with Internal Host Detection enabled.  https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClH1

 

Note in the doc that (1) the trust interface is used, (2) the Agent tab on the gateway is not configured (Tunnel Mode is not checked).  As the name implies, no encrypted tunnel is formed between the client and the gateway.

 

This configuration has the added benefit of providing accurate User-ID inside the network and enforcing HIP checks if configured.

 

Here is more info on Internal Host Detection -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/globalprotect/network-global....

 

Here is more info on types of gateways -> https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/glob....

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

When configuring this, when it comes to portal configuration, do I edit our existing external portal?  In the portal configuration assuming im using our existing external portal, do I change the interface to the internal interface/IP?

  • 1 accepted solution
  • 4347 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!