04-03-2025 08:20 PM
Hi All,
Has anyone used Prisma Access Internal Gateway for user-to-IP mapping from Remote Networks to Prisma Access?
It doesn't work for me!
I can view the source user under GlobalProtect Logs/Strata Logging Service but not under traffic logs
The connection method is always on.
Hopefully someone out there has configured it and it is working for them.
04-07-2025 01:12 AM - edited 04-07-2025 01:18 AM
Hello @AhmedAlRashed
Are you Panorama or SCM managed?
You said it didn't work or it's just the mapping. Were you able to connect and did IHD (Internal Host Detection) succeed?
On your GlobalProtect, do you see the message: "You are on the Internal Corporate Network"?
What's your GP client version and Prisma Access version (Plugin/dataplane)?
04-07-2025 03:58 PM
Hey @ClementADNOV
It’s SCM-managed.
Initially I tried using our own internal DNS server to set up IHD. The GlobalProtect client didn’t establish the tunnel - it just showed “You are on the Internal Corporate Network”.
I checked the PanGPS logs and it looks like the client isn’t able to reach any-igw.gpojgsy2ony.gw.gpcloudservice.com:443.
I then enabled Remote Network IHD and set up the laptop to use the Prisma Access DNS proxy - and that worked. I could see the source users in the traffic logs.
TAC have advised that we need to use the Prisma Access DNS proxy for IHD to work, and it doesn’t support using our internal DNS for the client to perform the IHD check.
Bit odd really, as the documentation doesn’t mention that the Prisma Access DNS proxy is a requirement.
(P5036-T8420)Debug( 930): 04/04/25 18:31:03:733 SSL connecting to any-igw.gpojgsy2ony.gw.gpcloudservice.com
(P5036-T8420)Debug( 316): 04/04/25 18:31:03:733 host is FQDN: any-igw.gpojgsy2ony.gw.gpcloudservice.com
(P5036-T8420)Error( 856): 04/04/25 18:31:03:733 getaddrinfo for fqdn any-igw.gpojgsy2ony.gw.gpcloudservice.com failed, 0.
(P5036-T8420)Debug( 567): 04/04/25 18:31:03:733 getaddrinfo of any-igw.gpojgsy2ony.gw.gpcloudservice.com failed with error 11001, No such host is known.
(P5036-T8420)Debug( 935): 04/04/25 18:31:03:733 do_tcp_connect() failed
(P5036-T8420)Error(6795): 04/04/25 18:31:03:733 Failed to ssl connect to 'any-igw.gpojgsy2ony.gw.gpcloudservice.com:443', Disconect ssl and returns FALSE.
(P5036-T8420)Debug(6823): 04/04/25 18:31:03:733 Already tried both ipv4 and ipv6 for gateway any-igw.gpojgsy2ony.gw.gpcloudservice.com
(P5036-T8420)Debug(6030): 04/04/25 18:31:03:733 Show Gateway Prisma Access Internal Gateway: The network connection is unreachable or the gateway is unresponsive. Check the network connection and reconnect.
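An added example, not part of the original posts: a Python triage of PanGPS log lines in the layout quoted above, separating gateways that failed at name resolution (the getaddrinfo error 11001 case in this thread) from ones that resolved but failed to connect. The sample lines and hostnames are constructed, and the function name `triage` is hypothetical.

```python
import re

# PanGPS layout as quoted in the thread: (P<pid>-T<tid>)Level(<n>): date time message
LINE = re.compile(r"^\(P\d+-T\d+\)(\w+)\(\s*\d+\):\s+(\S+ \S+)\s+(.*)$")
DNS_FAIL = re.compile(r"getaddrinfo of (\S+) failed with error (\d+)")
CONN_FAIL = re.compile(r"Failed to ssl connect to '([^':]+):(\d+)'")

# Constructed sample lines; hostnames are placeholders, not real gateways.
SAMPLE = """\
(P1000-T2000)Debug( 930): 04/04/25 18:31:03:733 SSL connecting to any-igw.example.invalid
(P1000-T2000)Debug( 567): 04/04/25 18:31:03:733 getaddrinfo of any-igw.example.invalid failed with error 11001, No such host is known.
(P1000-T2000)Error(6795): 04/04/25 18:31:03:733 Failed to ssl connect to 'any-igw.example.invalid:443', Disconect ssl and returns FALSE.
(P1000-T2004)Error(6795): 04/04/25 18:32:10:101 Failed to ssl connect to 'gw2.example.invalid:443', Disconect ssl and returns FALSE.
this line is not in PanGPS layout and is skipped
"""


def triage(log_text):
    """Group failures per gateway host and name the failing stage."""
    hosts = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # ignore anything that is not a PanGPS-style line
        msg = m.group(3)
        dns, conn = DNS_FAIL.search(msg), CONN_FAIL.search(msg)
        if not (dns or conn):
            continue
        host = (dns or conn).group(1)
        entry = hosts.setdefault(host, {"dns_errors": [], "connect_failures": 0})
        if dns:
            entry["dns_errors"].append(int(dns.group(2)))
        else:
            entry["connect_failures"] += 1
    for entry in hosts.values():
        # A resolver error means the client never had an address to connect to,
        # so fix DNS first; otherwise look at routing, firewalling or TLS.
        entry["stage"] = "name-resolution" if entry["dns_errors"] else "transport"
    return hosts


if __name__ == "__main__":
    for host, info in triage(SAMPLE).items():
        print(host, info)
```

A host reported as `name-resolution` matches the situation in this thread, where the DNS server the client was using could not resolve the internal gateway FQDN.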