GlobalProtect installation triggers/settings for Internal Host Detection


GlobalProtect installation triggers/settings for Internal Host Detection

L1 Bithead

I'm looking to find out if anyone is aware of how to configure the Internal Host Detection prior to authenticating through the Portal.

I've dug through every GP client installation manual I could find whether it be regkey settings or msi installation triggers but can't seem to find it. 

Scenario - If we image a new workstation with GP installed, pointed to our Prisma portal with Always-On enabled, when it arrives at the user's location and is hooked up to our corporate network, the GP client will SSO them in to the portal to pull the config, which includes the Internal Host Detection settings. What this is causing: since the user successfully authenticated in to the portal (not the gateway), it then shows them as "connected - internal". Being they are successfully auth'ing in to the portal, it is consuming one of our Prisma Access licenses for that user even though they will never be a remote VPN user.

I know that blocking the portal from the internal network is always an option, but what issues could come from that? How would the GP client act with always-on enabled if it is unable to reach the portal, and would it ever be able to get the Internal Host Detection settings to know it is on the corporate network? I would imagine it would start blocking everything because it doesn't know any better without that setting.

I do know the license is removed from the user after 90 days; however, since we only have 10k licenses with 70k+ users daily, if every machine has GP installed on it, each user is going to grab a license every time they log in to Windows, even though 65k of them are on the corporate network. It just doesn't make sense.

Disabling SSO is pretty much not going to help because they are still going to get prompted to log in to the GP client after Windows is logged in to, and most users will just type in their creds because it asks for them.

There has to be a way to set this setting per device rather than per authenticated user, so that even if you are logging in as a local admin account the GP client would know whether it's connected internally or not.

Accepted Solution

Cyber Elite

You can only get the internal host detection configuration after receiving the configuration from the portal (the first time).

If an agent is unable to connect to the portal thereafter, it will use the 'previously retrieved config' instead and be on its merry way, so blocking the portal from inside (or redirecting its internal DNS record to an internal portal fielding the same config?) would do the trick.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

3 Replies

Thanks for the quick response. Not as simple as I would have thought after all; that's unfortunate. I'll work on trying to get an internal Portal with some DNS trickery to point them to it.

Hello, I finally got around to trying some of your suggestions.

I attempted the internal DNS trick, but since our GP clients use on-prem DNS rather than the cloud, it pretty much bricked everyone who was remotely connected... or at least that is what appeared to happen, as the connected user count began rapidly decreasing as their clients would refresh.

So I went with a hairpin approach + internal portal. If you are on the corp network and your traffic is trying to go to our Prisma portal, it hairpins it to a loopback on a PA that has an internal portal configured with the internal host detection settings. Basically the same thing, just a different method of redirect.

While not the prettiest, it is the best I could come up with without being able to predefine that IHD during the install or with regkeys.

Thanks again for your help!
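The two DNS-based approaches in this thread (overriding the portal record, then hairpinning to an internal portal) both hinge on what the client resolves from each network position, and the first attempt failed because remote clients using on-prem DNS received the same answer as corporate ones. The following added example is not from the thread or from Palo Alto Networks; it reproduces the agent's Internal Host Detection test (a reverse lookup of the configured IHD IP must return the configured hostname) over constructed DNS views so a change can be checked from the corporate, public and remote-with-on-prem-DNS perspectives before rollout. All names and addresses are placeholders.

```python
import socket
from typing import Callable, Optional

# Constructed placeholder values; substitute the real ones. None come from the thread.
PORTAL_FQDN = "portal.example.invalid"        # the Prisma Access portal name
INTERNAL_PORTAL_IP = "10.0.0.1"               # PA loopback hosting the internal portal
IHD_IP = "10.0.0.10"                          # Internal Host Detection IP from the portal config
IHD_HOSTNAME = "ihd.corp.example.invalid"     # hostname the PTR for IHD_IP must return

Resolver = Callable[[str], Optional[str]]

def make_resolvers(table: dict) -> tuple:
    """Forward/reverse lookups over a constructed in-memory DNS view (runs offline)."""
    def forward(name: str) -> Optional[str]:
        return table.get(name.lower())
    def reverse(ip: str) -> Optional[str]:
        return table.get(ip)
    return forward, reverse

def live_resolvers() -> tuple:
    """Same interface backed by the host's real resolver, for running on an actual client."""
    def forward(name: str) -> Optional[str]:
        try: return socket.gethostbyname(name)
        except OSError: return None
    def reverse(ip: str) -> Optional[str]:
        try: return socket.gethostbyaddr(ip)[0]
        except OSError: return None
    return forward, reverse

def classify(forward: Resolver, reverse: Resolver) -> dict:
    """Apply the IHD test (PTR of IHD_IP must equal IHD_HOSTNAME) and record where the
    portal name resolves, so a DNS override or hairpin can be judged per network view."""
    ptr = reverse(IHD_IP)
    internal = ptr is not None and ptr.rstrip(".").lower() == IHD_HOSTNAME
    portal_ip = forward(PORTAL_FQDN)
    # Failure mode from the thread: a client that is NOT internal but whose DNS still
    # answers with the internal portal address will be sent somewhere it cannot reach.
    stranded = (not internal) and portal_ip == INTERNAL_PORTAL_IP
    return {"internal": internal, "portal_ip": portal_ip, "stranded": stranded}

# Constructed DNS views: corporate LAN, a remote client on public DNS, and a remote client
# that still queries on-prem DNS after the portal record was overridden.
CORP_VIEW = {PORTAL_FQDN: INTERNAL_PORTAL_IP, IHD_IP: IHD_HOSTNAME}
PUBLIC_VIEW = {PORTAL_FQDN: "203.0.113.10"}
REMOTE_ONPREM_DNS_VIEW = {PORTAL_FQDN: INTERNAL_PORTAL_IP}

if __name__ == "__main__":
    print(classify(*live_resolvers()))   # what this machine would conclude right now
```

Run on a corporate and a remote machine, `stranded` should be False on both; a True from a remote host reproduces the breakage described above.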
