09-29-2021 05:50 AM
Hi All,
We had configured a GP Portal/Gateway on the firewall. The login method configured on GP is the Pre-Logon method, and we had also enabled "No Direct Access to local network". The authentication method used is LDAP. The gateway is configured in full tunnel mode.
As the users were working from home previously, they were able to access the internet only when the GP VPN was enabled. Now the users have started moving to the office, and in the office environment they also need to connect through GP to access the internal network and the internet.
Is there any way to configure GP in such a manner that when a user is using their laptop at home they need to connect to GP-VPN to use their system, and when they come to the office they do not need to connect to GP-VPN to access the internet and the organization's internal network?
Thanks in advance!!
10-26-2021 08:23 PM - edited 10-26-2021 08:25 PM
Hi @tamilvanan ,
Yes, this can be done. In addition to your external gateway, you would configure an internal gateway in non-tunnel mode with Internal Host Detection enabled. https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClH1
Note in the doc that (1) the trust interface is used, (2) the Agent tab on the gateway is not configured (Tunnel Mode is not checked). As the name implies, no encrypted tunnel is formed between the client and the gateway.
This configuration has the added benefit of providing accurate User-ID inside the network and enforcing HIP checks if configured.
Here is more info on Internal Host Detection -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/globalprotect/network-global....
Here is more info on types of gateways -> https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-gateways/glob....
Thanks,
Tom
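The split between office and home behaviour rests on Internal Host Detection, which Palo Alto documents as the app reverse-resolving a configured IP address and comparing the answer with a configured hostname. The sketch below is an added example, not part of the original thread or of any Palo Alto tooling; it models that decision so the PTR record can be checked from each network, and the IP, hostname and resolver tables are constructed assumptions.

```python
import socket

def reverse_lookup(ip):
    """PTR hostname for ip from the system resolver, or None if none resolves."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # herror/gaierror: no PTR record or resolver unreachable
        return None

def normalize(name):
    # DNS names are case-insensitive and may end with the root dot.
    return name.rstrip(".").lower()

def ihd_result(ip, expected_hostname, resolver=reverse_lookup):
    """Return 'internal' only when the PTR answer matches the configured hostname."""
    answer = resolver(ip)
    if answer is not None and normalize(answer) == normalize(expected_hostname):
        return "internal"
    return "external"

def audit(ip, expected_hostname, vantage_points):
    """vantage_points: label -> (resolver, expected result). Returns mismatches."""
    findings = []
    for label, (resolver, want) in vantage_points.items():
        got = ihd_result(ip, expected_hostname, resolver)
        if got != want:
            findings.append(f"{label}: detected {got}, expected {want}")
    return findings

# Constructed sample data (assumptions, not values from the thread).
IHD_IP = "10.10.10.5"
IHD_HOST = "gp-ihd.corp.example"
office_dns = {"10.10.10.5": "GP-IHD.corp.example."}.get   # internal DNS answers
home_dns = {}.get                                          # home resolver: no PTR
leaky_dns = {"10.10.10.5": "gp-ihd.corp.example"}.get      # PTR answered off-site

if __name__ == "__main__":
    points = {"office": (office_dns, "internal"),
              "home": (home_dns, "external"),
              "guest-wifi": (leaky_dns, "external")}
    for finding in audit(IHD_IP, IHD_HOST, points):
        print("MISMATCH", finding)
```

A network where the PTR answers outside the office is reported as a mismatch, because an endpoint there would be treated as internal and would not build the full tunnel. For a live check, call `ihd_result` with the default resolver from each network in turn.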
10-26-2021 05:20 AM
Hello
You can use an Internal Gateway as a possible solution.
07-11-2022 02:51 PM
When configuring this, when it comes to portal configuration, do I edit our existing external portal? In the portal configuration, assuming I'm using our existing external portal, do I change the interface to the internal interface/IP?