All things Palo Alto Networks

    vijaya.vasan
    Nov 30, 2021

    Automatic disconnection of GP according to user activity

    in General discussion

    Hi,


I have a requirement with two scenarios, Branch Office and Head Office.


++Branch Office has a Sophos firewall and Head Office has a Palo Alto firewall.

++Branch Office users are enforced to use GlobalProtect when they are outside of the organization, that is BO (Work From Home). The GP will connect directly with HO.

++When the same user enters the premises, that is the LAN of the Branch Office, since they are entering a different network their GP needs to be disabled automatically, since the GP is enforced.

++What could be the possible way that when a user gets to the Branch Office their GP gets disabled, and once they leave the organization GP is enforced again? What could be the possibilities?


Share the same here so that it will be helpful for me.

Cheers...

    12 comments
    Reaper
    Nov 30, 2021

You can set GP to always-on mode and then configure an internal gateway (with tunneling disabled). In the internal host detection, set a host that can only be resolved when internal. When GP detects it is internal it will connect to the internal gateway. Since tunneling is disabled on this gateway, GP will be "disconnected" (internal mode).

    vijaya.vasan
    Nov 30, 2021

What about the external gateway mode, are there any options?


    vijaya.vasan
    Nov 30, 2021

Could the above be applied to a large part of the network?

    Reaper
    Nov 30, 2021

Absolutely, it is common practice.

    vijaya.vasan
    Nov 30, 2021

    If possible could you share any document related to this?

    Reaper
    Dec 01, 2021

    https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-internal-tab

    vijaya.vasan
    Dec 02, 2021

@Reaper But this will work only for devices behind a Palo Alto, right? It will not work for other network devices.

    Reaper
    Dec 02, 2021

What do you mean by other devices? This config works for GlobalProtect; it does not impact devices that do not have GP installed.

    vijaya.vasan
    Dec 05, 2021

Devices means the Sophos device. When the user gets into the BO office LAN network, will this particular Internal Host Detection work? Since this will work when the user has a Palo Alto in place instead of Sophos.

    Reaper
    Dec 05, 2021

Internal host detection relies on the ability to reverse lookup an IP address into a hostname. This mechanism relies on an internal DNS server holding that record, and the client having access to that DNS server through DHCP.

    vijaya.vasan
    Dec 05, 2021

Ok, but how will this work if the user is connected to the internal network of another firewall type like Sophos?

    Reaper
    Dec 05, 2021

Internal host detection relies on connectivity with an internal DNS that holds a reverse record (in-addr.arpa), so if the remote office has a local DNS server, you can add that record there. If the remote office doesn't have its own DNS server, but it does have a connection (static site-to-site VPN/MPLS/SD-WAN), you can set the head office DNS in the remote office DHCP config.
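The mechanism Reaper describes in the two replies above (the agent reverse-resolves the configured IP and goes into internal mode only when the answer is the configured hostname) is easy to check from a client on the branch LAN before rolling it out. The following is an added example, not code from the thread or from Palo Alto Networks: it mirrors the agent's decision with an injectable resolver so the branch-office cases (local DNS holding the PTR record, Sophos handing out public DNS with no record, PTR pointing at the wrong host) can be run offline. The IP address, hostname and PTR tables are constructed for illustration, and the case-insensitive comparison is an assumption about how the agent matches names.

```python
"""Mirror of GlobalProtect internal host detection (added example).

Portal agent config carries an IP address and a hostname. On connect the
agent does a reverse (PTR) lookup of the IP; if the returned name is the
configured hostname the client is "internal" and attaches to the internal
gateway with no tunnel. If the lookup fails, times out, or returns another
name, the client is "external" and builds the tunnel to the external gateway.
"""
import socket
from typing import Callable, Dict, Optional

Resolver = Callable[[str], Optional[str]]

# Hypothetical values as they would appear in the portal agent config
# (assumed for illustration, not real addresses or names).
INTERNAL_HOST_IP = "10.20.0.10"
INTERNAL_HOSTNAME = "gp-internal-check.corp.example"


def socket_resolver(ip: str) -> Optional[str]:
    """Real PTR lookup through the OS resolver; None on NXDOMAIN/timeout."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def fake_resolver(ptr_records: Dict[str, str]) -> Resolver:
    """Build an offline resolver over a constructed in-addr.arpa table."""
    def resolve(ip: str) -> Optional[str]:
        return ptr_records.get(ip)
    return resolve


def detect_location(resolver: Resolver,
                    ip: str = INTERNAL_HOST_IP,
                    hostname: str = INTERNAL_HOSTNAME) -> str:
    """Return 'internal' or 'external' the way the agent would decide."""
    answer = resolver(ip)
    if answer is None:
        # No reachable DNS holding the PTR: the client is treated as external
        # and the always-on tunnel comes up. This is the branch-office case
        # when the Sophos DHCP scope hands out public resolvers only.
        return "external"
    # Assumption: trailing dot on an FQDN answer is ignored and the match is
    # case-insensitive, as DNS names are.
    if answer.rstrip(".").lower() == hostname.rstrip(".").lower():
        return "internal"
    return "external"  # a PTR exists but names a different host


def scenarios() -> Dict[str, str]:
    """Run the decision against constructed PTR data for each site."""
    # Head office DNS: record present, FQDN form.
    ho_dns = fake_resolver({INTERNAL_HOST_IP: "gp-internal-check.corp.example."})
    # Branch office with its own DNS server holding the PTR record.
    bo_local_record = fake_resolver({INTERNAL_HOST_IP: "GP-Internal-Check.corp.example"})
    # Branch office where DHCP hands out only public DNS: no record at all.
    bo_public_dns_only = fake_resolver({})
    # Branch office where the address reverse-resolves to something else.
    bo_wrong_name = fake_resolver({INTERNAL_HOST_IP: "printer.branch.example"})
    return {
        "head_office": detect_location(ho_dns),
        "branch_with_local_record": detect_location(bo_local_record),
        "branch_public_dns_only": detect_location(bo_public_dns_only),
        "branch_wrong_name": detect_location(bo_wrong_name),
    }


if __name__ == "__main__":
    for site, result in scenarios().items():
        print(f"{site:26s} -> {result}")
    # On a real branch client, check what the agent would actually see:
    print(f"this host               -> {detect_location(socket_resolver)}")
```

The two "external" outcomes are the ones that break the original poster's requirement: a user on the Sophos LAN whose resolver cannot return the PTR record, or returns the wrong name, will have the always-on tunnel built to HO as if they were working from home. Running the real-resolver branch on a branch-office PC (or simply checking the PTR with the OS resolver) before enabling always-on tells you whether the local DNS server or the DHCP-provided head-office DNS actually serves the record.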
