Looking for documentation on how to set up an internal GP gateway for User-ID


This is a PA environment I have inherited and I don't have a PA background; most everything was already set up. I just maintain security rules, NAT, etc. Basic stuff.

 

Been having quite a time with our Macs and User-ID through Active Directory and using the App-ID Agent on a server. After a few cases and frustrated users, think we need to pivot to an internal GP gateway for user ID. 

 

I don't know if I should take my existing GP portal that is set on a loopback address to include internal detection, or set up a new one with my LAN interface? Do I need to set my GP DNS name internally to point to an IP on my PA-1410? How do I make this seamless to the users so they don't have to log into GP client on their machine? 

 

In looking at some links on here as well as through other searches, I didn't find anything that really jumped out at me that matches what we are trying to accomplish. I'm hoping that someone can nudge me in the right direction.

 

1 REPLY

Community Team Member

Hi @inSync-MarkValpreda ,

 

You typically do not need a separate portal. The existing portal can provide the GP client config, including internal host detection and the internal gateway. The internal gateway can be on an internal interface or loopback, as long as the FQDN resolves internally to that firewall IP and the gateway certificate matches the name users connect to.

 

To make this seamless, configure the GP app for User-Logon / Always On so the client can automatically detect whether it is internal or external and connect accordingly. For User-ID only, the internal gateway can be configured without tunneling user traffic.

 

I would recommend reviewing these docs first:

GlobalProtect for Internal HIP Checking and User-Based Access

Global Protect Internal Host Detection & Internal Gateways - Packetswitch

 

Hope this helps, and please let us know how it goes or if anything comes up.

LIVEcommunity team member
Stay Secure,
Jay
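
The two conditions named in the reply above (the gateway FQDN resolves internally to the firewall IP, and the gateway certificate covers the name clients connect to) can be checked from an internal client before rollout. This is an added example, not part of the original thread and not Palo Alto Networks code; the hostname `gp.corp.example`, the IP `10.0.0.1`, port 443 and all function names are assumptions.

```python
import socket
import ssl

# Constructed sample: the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {"subjectAltName": (("DNS", "gp.corp.example"),)}

def san_dns_names(cert):
    """DNS entries from the certificate's subjectAltName."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, fqdn):
    """Exact match, or a wildcard covering only the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = fqdn.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def check_gateway(fqdn, expected_ip, resolved_ips, cert):
    """Return a list of problems; an empty list means both conditions hold."""
    problems = []
    if set(resolved_ips) != {expected_ip}:
        problems.append(f"{fqdn} resolves to {sorted(resolved_ips)}, expected only {expected_ip}")
    names = san_dns_names(cert)
    if not any(name_matches(n, fqdn) for n in names):
        problems.append(f"certificate names {names} do not cover {fqdn}")
    return problems

def live_inputs(fqdn, port=443):
    """Resolver answer and presented certificate, as seen from this client."""
    ips = {ai[4][0] for ai in socket.getaddrinfo(fqdn, port, proto=socket.IPPROTO_TCP)}
    ctx = ssl.create_default_context()  # chain must validate against the local trust store
    ctx.check_hostname = False          # name mismatch is reported by check_gateway, not raised
    with socket.create_connection((fqdn, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return ips, tls.getpeercert()

if __name__ == "__main__":
    # Offline run on constructed values; on the LAN, feed check_gateway from live_inputs().
    for issue in check_gateway("gp.corp.example", "10.0.0.1", {"203.0.113.10"}, SAMPLE_CERT) or ["ok"]:
        print(issue)
```

Run from a machine on the internal network, a resolver answer that contains anything other than the firewall's internal IP usually means the internal DNS zone is missing the record and clients are getting the external address.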