GlobalProtect Internal Gateway - Non-tunnel mode - does it provide encryption?


L2 Linker
Hello Experts,
 
Can you please clarify whether Non-tunnel mode provides packet encryption, or just HIP/User-ID for the gateway?

Does the traffic go from GlobalProtect (laptop) to the GlobalProtect gateway (firewall) in a non-tunnel mode setup?
If it is encrypted, how much of the IP header is retained? Is it just the IP, or are the ports in the clear as well?
 
It is not clear from the documentation:
 
Internal —An internal gateway is an interface on the internal network that is configured as a GlobalProtect gateway and applies security policies for internal resource access. When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic based on user and/or device state. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. You can configure an internal gateway in either tunnel mode or non-tunnel mode. The GlobalProtect app connects to the internal gateway after performing internal host detection to determine the location of the endpoint.

 

References:

https://docs.paloaltonetworks.com/globalprotect/8-1/globalprotect-admin/globalprotect-gateways/globa...

https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-quick-configs...

1 REPLY

Cyber Elite

@SergGur,

If you choose not to tunnel the traffic back to the gateway the only thing you are doing is HIP and User-ID through GlobalProtect. It doesn't add any form of encryption and the traffic outside of agent checks never hits the internal gateway. 
