
[SOLVED] GlobalProtect (PAN) is disabled for internal networks


I’ve set up GlobalProtect (Palo Alto Networks) to be “always on” for a bunch of clients but I don’t want them to connect when they’re on the internal network so as not to put an unnecessary load on the firewall. I’ve currently resolved this by creating firewall rules that prevent connection from inside but this is causing the client to display an error message that the connection failed and the user should contact the administrator. This does not feel ideal…

I know I can set up an internal gateway and use internal host discovery and in that gateway it can be said that I can use split tunneling in such a way that no traffic is passed through the VPN. This will get rid of the error message, but it seems like a weird way to go about resolving this.

I also gather that internal host detection only works once the external connection timeout is hit, so a user who goes off to Starbucks and connects to the external VPN and then back in the office in 2 hours won’t go to the internal gw.

Does anyone know what the best practices are here?


OP

DigiDoug, Sep 30, 2019 14:44 UTC

You have two options. If GP is not configured in an “always on” way, this is not really an issue, as users only need to be taught to connect manually when they are outside the corporate network.

If it is set to Always On, you can do one of the following:

  1. Configure an internal gateway.
  2. Configure internal host detection on the external gateway (see image below) with no internal gateway selected. This will cause the client to look for the host, which will tell it whether it is on the internal network, and if it is, it won’t do anything because there is no internal gateway defined. The trick here is that the PA does a reverse IP lookup, and if it returns the matching hostname, it knows it’s on the internal network. So you need to make sure you have a pointer (PTR) record configured for whatever host you decide to use.
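The reverse-lookup check described in option 2 is easy to verify from an endpoint before rolling it out, so here is an added example (not code from the original thread and not Palo Alto's own implementation) that emulates the client-side decision: reverse-resolve the configured probe IP and compare the answer to the expected hostname. The probe IP `10.0.0.5` and hostname `gp-probe.corp.example` are constructed placeholders; the `resolver` parameter exists only so the logic can be exercised offline with a fake lookup.

```python
import socket


def internal_host_detected(ip, expected_hostname, resolver=socket.gethostbyaddr):
    """Emulate GlobalProtect internal host detection.

    Reverse-resolve `ip` (PTR lookup) and compare every returned name to
    `expected_hostname`.  Returns True when a name matches, meaning the
    client would consider itself on the internal network and skip the
    external gateway.  Returns False when the lookup fails or returns a
    different name, which is the safe outcome: the client treats itself as
    external and brings the VPN up.

    `resolver` defaults to socket.gethostbyaddr and is only a parameter so
    the check can be unit-tested without real DNS (assumption, not a PAN API).
    """
    try:
        primary, aliases, _addrs = resolver(ip)
    except OSError:
        # socket.herror / socket.gaierror are OSError subclasses: no PTR answer
        # or no reachable resolver.  Fail closed -> "external".
        return False
    candidates = {primary, *aliases}
    want = _normalize(expected_hostname)
    return any(_normalize(name) == want for name in candidates)


def _normalize(hostname):
    """DNS names are case-insensitive and may carry a trailing dot."""
    return hostname.rstrip(".").lower()


def diagnose(ip, expected_hostname, resolver=socket.gethostbyaddr):
    """Return a one-line explanation suitable for a helpdesk runbook."""
    if internal_host_detected(ip, expected_hostname, resolver):
        return f"internal: PTR for {ip} matches {expected_hostname}"
    return (f"external: PTR for {ip} missing or does not match "
            f"{expected_hostname}; client will connect to the external gateway")


if __name__ == "__main__":
    # Constructed placeholder values; replace with the probe host you chose.
    print(diagnose("10.0.0.5", "gp-probe.corp.example"))
```

Running this on a machine inside the office should print the "internal" line; if it prints "external" while you are on the LAN, the PTR record for the probe IP is missing or points at a different name, which is exactly the misconfiguration the answer warns about. Note that this only tells you what the lookup returns right now; as the question points out, the client itself re-evaluates internal host detection on its own schedule rather than on every network change.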
