To see this working, head to your live site.

Automatic disconnection of GP according to user activity

Hi,

I have a requirement where two scenario, Branch office and Head Office.

++Branch office has Sophos firewall and Head office have Palo alto firewall.

++Branch office users are enforced with using Global Protect when they are outside of the organization that is BO(Work From Home). Which the GP wil directly connect with HO.

++When the same user is entering the premises that is (LAN) of the Branch Office, since they are entering different network their GP needs to disable automatically since the GP is enforced.

++What could be the possible way that when a user Gets to the Branch office and their GP gets disabled and once they leave the organization GP needs to be enforced. What could be the possibilities.

Share the same here so that it will be helpful for me.

Cheeerss...

12 comments

12 Comments

vijaya.vasan

Dec 05, 2021

Ok But how will this work if the user is connected to internal network of another firewall type like sophos?

Reaper

Dec 05, 2021

Replying to

Internal host detection relies on connectivity with an internal DNS that holds a reverse record (in-addr-arpa), so if the remote office has a local DNS server, you can add that record there. If the remote office doesn't have its own dbs server, but it does have a connection (static site-to-site vpn/mpls/sdwan) you can set the head office dns in the remote office DHCP config

Reaper

Dec 05, 2021

Internal host detection relies on the ability to reverse lookup an IP address into a hostname. This mechanism relies on an internal DNS server holding that record, and the client having access to that DNS server through DHCP

vijaya.vasan

Dec 05, 2021

Devices means sophos device. When user gets into BO office LAN network with this particular Internal Host Detection works? Since this will work when the user has a Palo alto inplace instead of Sophos.

Reaper

Dec 02, 2021

What do youean by other devices? This config works for global protect, it does not impact devices that do not have GP installed

Reaper

Dec 01, 2021

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/globalprotect/network-globalprotect-portals/globalprotect-portals-agent-configuration-tab/globalprotect-portals-agent-internal-tab

vijaya.vasan

Dec 02, 2021

Replying to

@Reaper But this will work only for device behind Palo Alto right?? It will not work for other network devices.

vijaya.vasan

Nov 30, 2021

If possible could you share any document related to this?

Reaper

Nov 30, 2021

Absolutely, it is common practice

Reaper

Nov 30, 2021

You can set GP to always-on mode and then configure an internal gateway (with tunneling disabled). In the internal host detection, set a host that can only be resolved when internal. When GP detects it is internal it will connect to the internal gateway. Sin e tunneling is disabled on this gateway, GP will be "disconnected" (internal mode)

vijaya.vasan

Nov 30, 2021

Replying to

What about the external gateway mode is there any options

vijaya.vasan

Nov 30, 2021

Replying to

Could the above be applied for a large part of network??

Forum: Forum