GlobalProtect installation triggers/settings for Internal Host Detection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect installation triggers/settings for Internal Host Detection

L1 Bithead

I'm looking to find out if anyone is aware of how to configure the Internal Host Detection prior to authenticating through the Portal.

I've dug through every GP client installation manual I could find whether it be regkey settings or msi installation triggers but can't seem to find it. 

 

Scenario - If we image a new workstation with GP installed, pointed to our Prisma portal with Always-On enabled, when it arrives to users location and hooked up to our corporate network the GP client will SSO them in to the portal to pull the config which includes the Internal Host Detection settings. What this is causing since the user successfully authenticated in to the portal (not the gateway), it then shows them as "connected - internal" - Being they are successfully auth'ing in to the portal it is consuming one of our Prisma Access licenses for that user even though they will never be a remote VPN user.

 

I know that blocking the portal is always an option from the internal network, but what issues could come from that? How would the GP client act with always-on enabled but is unable to reach the portal able to ever get the Internal Host Detection settings to know it is on the corporate network? I would imagine it would start blocking everything because it doesn't know any better without that setting.

 

I do know the license is removed from the user after 90 days, however, being we only have 10k licenses with 70k+ users daily if every machine has GP installed on it each user is going to grab a license every time they login to Windows even though 65k of them are on the corporate network just doesn't make sense.

 

Disabling SSO is pretty much not going to help because they are still going to get prompted to login to the GP client after windows is logged in to, and most users will just type in their creds because it will ask for them.

 

There has to be a way to set this setting per device rather than per authenticated user so even if you are logging in as a local admin account the GP client would know it's connected internally or not.

 

 

 

 

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

you can only get the internal host detection configuration after receiving the configuration from the portal (the first time)

if an agent is unable to connect to the portal thereafter, it will use the 'previously retrieved config' instead and be on it's merry way, so blocking the portal from inside (or redirecting it's internal DNS record to an internal portal fielding the same config?) would to the trick

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

you can only get the internal host detection configuration after receiving the configuration from the portal (the first time)

if an agent is unable to connect to the portal thereafter, it will use the 'previously retrieved config' instead and be on it's merry way, so blocking the portal from inside (or redirecting it's internal DNS record to an internal portal fielding the same config?) would to the trick

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for the quick response. Not as simple as I would have thought after all, that's unfortunate. I'll work on trying to get an internal Portal with some DNS trickery to point them to it.

Hello, I finally got around to trying some of your suggestions.

I attempted the internal DNS trick, but since our GP clients use on-prem DNS rather than the cloud, it pretty much bricked everyone who was remotely connected.....or at least that is what appeared to happen as the connected user count began rapidly decreasing as their clients would refresh.

 

So I went with a hairpin approach + internal portal. If you are on the corp network and your traffic is trying to go to our prisma portal it hairpins it to a loopback on a PA that has an internal portal configured with the internal host detection settings. Basically same thing just a different method of redirect.

 

While not the prettiest it is the best I could come up without being able to predefine that IHD during the install or with regkeys.

 

Thanks again for your help!

  • 1 accepted solution
  • 1319 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!