12-15-2025 09:12 AM - edited 12-16-2025 09:00 AM
Hi all,
I’m looking for clarification on Internal Gateway selection in a Strata Cloud Manager–managed Prisma Access deployment.
Context:
- Prisma Access fully managed by SCM
- Remote Network connected
- Internal Gateway enabled
- Internal Host Detection (IHD) enabled
- GlobalProtect set to Always-On
Issue:
GlobalProtect correctly detects the endpoint as internal (“You are on the internal corporate network”), but still selects an external gateway.
Logs show:
- Internal network detection succeeds
- PTR lookup succeeds technically
- Internal gateway count = 0 → fallback to external gateways
This suggests a DNS / IHD interpretation issue, not network detection.
Questions:
- When IHD is enabled in Prisma Access (SCM), must endpoints use the Prisma Access DNS Proxy for Internal Gateway discovery (PTR any-igw.*.gw.gpcloudservice.com)?
- If endpoints use a corporate/internal DNS, is it expected that IHD may succeed but Internal Gateway selection still fail?
- Any other required configuration (GP app settings, auth profiles, User-ID/HIP) needed for Internal Gateway selection in Remote Networks?
Any insights or real-world experience appreciated. Thanks!

