Hi,
I have a requirement with two scenarios: Branch Office and Head Office.
++Branch office has a Sophos firewall and Head office has a Palo Alto firewall.
++Branch office users are enforced to use GlobalProtect when they are outside of the organization, that is, BO (Work From Home), in which case the GP will directly connect with HO.
++When the same user enters the premises (LAN) of the Branch Office, since they are entering a different network, their GP needs to be disabled automatically, since the GP is enforced.
++What could be the possible way that when a user gets to the Branch office their GP gets disabled, and once they leave the organization GP is enforced again? What could be the possibilities?
Share the same here so that it will be helpful for me.
Cheers...
OK, but how will this work if the user is connected to the internal network of another firewall type like Sophos?
Internal host detection relies on the ability to reverse lookup an IP address into a hostname. This mechanism relies on an internal DNS server holding that record, and the client having access to that DNS server through DHCP.
Devices means Sophos device. When the user gets into the BO office LAN network, will this particular Internal Host Detection work? Since this will work when the user has a Palo Alto in place instead of Sophos.
What do you mean by other devices? This config works for GlobalProtect; it does not impact devices that do not have GP installed.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-internal-tab
If possible could you share any document related to this?
Absolutely, it is common practice
You can set GP to always-on mode and then configure an internal gateway (with tunneling disabled). In the internal host detection, set a host that can only be resolved when internal. When GP detects it is internal it will connect to the internal gateway. Since tunneling is disabled on this gateway, GP will be "disconnected" (internal mode).
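
The reverse-lookup dependency described in the replies above can be checked from a client on the branch-office LAN before the portal config is rolled out. This is an added example, not part of the original thread and not Palo Alto's code: it is a simplified model of the check, and the IP address, hostname, sample PTR table and function names are all assumptions.

```python
import socket
import sys

# Constructed sample data: PTR answers as socket.gethostbyaddr would return them
# (primary name, aliases, addresses). Only the internal DNS server holds this record.
SAMPLE_PTR = {"10.20.0.10": ("ihd.corp.example.", [], ["10.20.0.10"])}

def sample_resolver(ip):
    """Stand-in resolver for offline runs; unknown IPs fail like a missing PTR."""
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return SAMPLE_PTR[ip]

def normalize(name):
    """Lower-case and drop the trailing dot so FQDN comparisons are stable."""
    return name.strip().rstrip(".").lower()

def reverse_names(ip, resolver=socket.gethostbyaddr):
    """Return every name the reverse lookup yields, or an empty set on failure."""
    try:
        primary, aliases, _addrs = resolver(ip)
    except OSError:  # socket.herror / socket.gaierror: no PTR or no reachable DNS
        return set()
    return {normalize(n) for n in [primary, *aliases] if n}

def detect_location(ip, expected_hostname, resolver=socket.gethostbyaddr):
    """Model of the check: 'internal' only if the PTR answer matches the hostname.

    If the DNS server handed out by DHCP on the branch LAN cannot answer the
    reverse lookup, the result is 'external' and an always-on client would
    keep tunnelling to the head-office gateway.
    """
    if normalize(expected_hostname) in reverse_names(ip, resolver):
        return "internal"
    return "external"

if __name__ == "__main__":
    # Usage: python ihd_check.py <ip> <hostname>  (uses the system resolver)
    if len(sys.argv) == 3:
        print(detect_location(sys.argv[1], sys.argv[2]))
    else:
        print(detect_location("10.20.0.10", "ihd.corp.example", sample_resolver))
```

Run with a real IP and hostname on a branch-office client: an `external` result there means the DNS server the client receives through DHCP does not hold, or cannot reach, the reverse record.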