Hi,
I have a requirement where two scenario, Branch office and Head Office.
++Branch office has Sophos firewall and Head office have Palo alto firewall.
++Branch office users are enforced with using Global Protect when they are outside of the organization that is BO(Work From Home). Which the GP wil directly connect with HO.
++When the same user is entering the premises that is (LAN) of the Branch Office, since they are entering different network their GP needs to disable automatically since the GP is enforced.
++What could be the possible way that when a user Gets to the Branch office and their GP gets disabled and once they leave the organization GP needs to be enforced. What could be the possibilities.
Share the same here so that it will be helpful for me.
Cheeerss...
You can set GP to always-on mode and then configure an internal gateway (with tunneling disabled). In the internal host detection, set a host that can only be resolved when internal. When GP detects it is internal it will connect to the internal gateway. Sin e tunneling is disabled on this gateway, GP will be "disconnected" (internal mode)
What about the external gateway mode is there any options
Could the above be applied for a large part of network??
Absolutely, it is common practice
If possible could you share any document related to this?
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-internal-tab
@Reaper But this will work only for device behind Palo Alto right?? It will not work for other network devices.
What do youean by other devices? This config works for global protect, it does not impact devices that do not have GP installed
Devices means sophos device. When user gets into BO office LAN network with this particular Internal Host Detection works? Since this will work when the user has a Palo alto inplace instead of Sophos.
Internal host detection relies on the ability to reverse lookup an IP address into a hostname. This mechanism relies on an internal DNS server holding that record, and the client having access to that DNS server through DHCP
Ok But how will this work if the user is connected to internal network of another firewall type like sophos?
Internal host detection relies on connectivity with an internal DNS that holds a reverse record (in-addr-arpa), so if the remote office has a local DNS server, you can add that record there. If the remote office doesn't have its own dbs server, but it does have a connection (static site-to-site vpn/mpls/sdwan) you can set the head office dns in the remote office DHCP config