03-25-2020 04:54 AM - edited 03-25-2020 04:56 AM
We want to prevent GlobalProtect from connecting when the user is on the internal network. We have the client set to manual connect/disconnect, but users can be stupid and connect anyway.
We don't have an internal gateway, and don't want any SSL tunnel when the user is on the internal network.
We tried putting the IP address of a reachable LAN server in the "Internal Host Detection" box and left the "Internal Gateways" list blank, but that didn't seem to work.
We also tried removing the DNS entry of the gateway from the internal DNS zone (we have split-horizon DNS), but that was more trouble than it was worth: caching of NX records left users unable to connect to the VPN until the zone TTL expired when they left the LAN and tried to connect shortly after.
What is the correct way (by correct I mean best practice) to prevent clients from connecting to GP from the internal network, keeping in mind that we do not have an internal GP gateway and do not want any VPN running when users are on the LAN?
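As an added illustration (not part of the original post, and not Palo Alto Networks code): GlobalProtect internal host detection does not test whether the configured IP is reachable; the app performs a reverse DNS (PTR) lookup of that IP and treats the host as internal only if the answer matches the hostname configured next to it. So an entry with an IP but no matching PTR record in the internal zone, or a hostname that differs from what the PTR returns, never triggers the internal state. The script below models that decision with an injectable resolver so it runs offline; the addresses, hostnames and the `corp.example` zone are constructed for the example.

```python
import socket
from typing import Callable, Dict, Optional

# A resolver maps an IP address to the PTR hostname, or None on NXDOMAIN/error.
Resolver = Callable[[str], Optional[str]]


def system_reverse_lookup(ip: str) -> Optional[str]:
    """Real PTR lookup via the OS resolver (used when no fake resolver is injected)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def make_resolver(ptr_table: Dict[str, str]) -> Resolver:
    """Build an offline resolver from a constructed PTR table (for simulation)."""
    return lambda ip: ptr_table.get(ip)


def _canonical(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot denotes the root.
    return name.rstrip(".").lower()


def is_on_internal_network(ip: str, expected_hostname: str,
                           resolver: Resolver = system_reverse_lookup) -> bool:
    """Model of the internal host detection check.

    True only when the reverse lookup of `ip` yields `expected_hostname`.
    Reachability of `ip` plays no part; a reachable host with no PTR record,
    or with a PTR that names something else, still reads as 'external'.
    """
    answer = resolver(ip)
    if answer is None:
        return False            # NXDOMAIN: not on the internal network
    return _canonical(answer) == _canonical(expected_hostname)


def gp_state(ip: str, expected_hostname: str, resolver: Resolver) -> str:
    """Return the state the app would settle on for this network position."""
    return "internal" if is_on_internal_network(ip, expected_hostname, resolver) else "external"


# Constructed sample data (hypothetical zone and addresses).
INTERNAL_HOST_IP = "10.0.0.10"
INTERNAL_HOST_NAME = "fileserver.corp.example"

# What the internal DNS servers answer for the reverse zone 0.0.10.in-addr.arpa.
INTERNAL_PTR: Dict[str, str] = {INTERNAL_HOST_IP: "FileServer.corp.example."}
# What a public resolver answers for the same private address: nothing.
EXTERNAL_PTR: Dict[str, str] = {}
# A misconfiguration: the IP resolves, but to a different name than configured.
MISMATCHED_PTR: Dict[str, str] = {INTERNAL_HOST_IP: "printer.corp.example"}


if __name__ == "__main__":
    for label, table in (("on LAN", INTERNAL_PTR),
                         ("off LAN", EXTERNAL_PTR),
                         ("PTR mismatch", MISMATCHED_PTR)):
        print(f"{label:13s} -> {gp_state(INTERNAL_HOST_IP, INTERNAL_HOST_NAME, make_resolver(table))}")
```

The practical check this suggests: from a LAN-connected client, run a reverse lookup of the IP you entered (`nslookup 10.0.0.10` or `dig -x 10.0.0.10`) and confirm the answer is exactly the hostname in the Internal Host Detection field; if the PTR is missing or names a different host, the detection cannot succeed regardless of how reachable the server is.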