GlobalProtect installation triggers/settings for Internal Host Detection

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

GlobalProtect installation triggers/settings for Internal Host Detection

L0 Member

I'm looking to find out if anyone is aware of how to configure the Internal Host Detection prior to authenticating through the Portal.

I've dug through every GP client installation manual I could find whether it be regkey settings or msi installation triggers but can't seem to find it. 


Scenario - If we image a new workstation with GP installed, pointed to our Prisma portal with Always-On enabled, when it arrives to users location and hooked up to our corporate network the GP client will SSO them in to the portal to pull the config which includes the Internal Host Detection settings. What this is causing since the user successfully authenticated in to the portal (not the gateway), it then shows them as "connected - internal" - Being they are successfully auth'ing in to the portal it is consuming one of our Prisma Access licenses for that user even though they will never be a remote VPN user.


I know that blocking the portal is always an option from the internal network, but what issues could come from that? How would the GP client act with always-on enabled but is unable to reach the portal able to ever get the Internal Host Detection settings to know it is on the corporate network? I would imagine it would start blocking everything because it doesn't know any better without that setting.


I do know the license is removed from the user after 90 days, however, being we only have 10k licenses with 70k+ users daily if every machine has GP installed on it each user is going to grab a license every time they login to Windows even though 65k of them are on the corporate network just doesn't make sense.


Disabling SSO is pretty much not going to help because they are still going to get prompted to login to the GP client after windows is logged in to, and most users will just type in their creds because it will ask for them.


There has to be a way to set this setting per device rather than per authenticated user so even if you are logging in as a local admin account the GP client would know it's connected internally or not.






Cyber Elite
Cyber Elite

you can only get the internal host detection configuration after receiving the configuration from the portal (the first time)

if an agent is unable to connect to the portal thereafter, it will use the 'previously retrieved config' instead and be on it's merry way, so blocking the portal from inside (or redirecting it's internal DNS record to an internal portal fielding the same config?) would to the trick

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for the quick response. Not as simple as I would have thought after all, that's unfortunate. I'll work on trying to get an internal Portal with some DNS trickery to point them to it.

  • 2 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!