Prisma Access Internal Gateway (Strata Cloud Manager)

Learn how to set up the Prisma Access internal gateway and its requirements.
Complete the following steps to set up the Prisma Access internal gateway.
  1. Notice that there are no internal host detection and internal gateway configurations at present.
  2. Make a note of the Remote Networks DNS IP Address from Workflows > Prisma Access Setup > Prisma Access.
  3. Make a note of the Gateway FQDNs from Workflows > Prisma Access Setup > GlobalProtect > Infrastructure > Infrastructure Settings > Gateway FQDNs.
  4. Select Workflows > Prisma Access Setup > Remote Networks > Advanced Settings.
  5. Edit the settings of Prisma Access Internal Gateway to enable the internal gateway and Save the changes.
    (Optional) Enable Internal Host Detection for IPv4 if you don't want to use your own DNS server. You can enable the internal host detection only after you select Enable Internal Gateway.
    Prisma Access supports internal host detection only for the Always On connect method.
    When you enable the internal gateway, the remote network instances act as internal gateways. When you enable the internal host detection, Prisma Access creates PTR records on the remote network DNS proxy servers for the internal host detection process.
  6. Select Workflows > Prisma Access Setup > GlobalProtect > GlobalProtect App.
  7. Select an app setting and view the internal host detection details and internal gateway details.
    When you enable the internal gateway and internal host detection in step 5, Prisma Access enables IPv4 internal host detection and internal gateway here as well.
    Prisma Access populates the Remote Networks DNS IP Address value, from step 2, as the IP address.
    Note that IPv6 internal host detection on Prisma Access DNS proxies isn't supported.
    You can't remove this Prisma Access Internal Gateway entry. However, you can add your self-deployed internal gateways. You can deploy your own DNS servers in the internal network for internal host detection, but be sure to add PTR records so that internal host detection is possible.
    Prisma Access appends the Gateway FQDNs value, from step 3, to the address.
    You can view the DNS proxy server IP address details by selecting Workflows > Prisma Access Setup > Prisma Access.
    If you enable Internal Host Detection, verify that DNS resolution is working: perform a reverse DNS lookup from your internal network to the DNS proxy server IP and ensure it returns an FQDN starting with any-igw.
  8. Push the changes to mobile users and remote networks at the same time.
  9. Log in to the endpoint.
    When you connect to GlobalProtect, you first authenticate with the GlobalProtect portal. The internal host detection triggers GlobalProtect to connect to the internal gateway. Then, as the GlobalProtect agent continues to operate in non-tunnel mode, the second authentication appears and submits the host information to the internal gateway on remote networks.
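
The reverse DNS check from step 7 can be scripted and run from a host on the internal network before you push the configuration. The following is an added example, not Palo Alto Networks code: the function name, the optional expected_fqdn comparison, and the sample addresses in the comments are assumptions, and the lookup uses whatever DNS servers the host is configured with.

```python
import ipaddress
import socket
import sys

IGW_PREFIX = "any-igw"  # the page says the PTR answer must start with this


def check_ihd_ptr(dns_proxy_ip, expected_fqdn=None, resolver=socket.gethostbyaddr):
    """Reverse-resolve the Remote Networks DNS IP and report whether the
    answer satisfies the step 7 check. Returns (ok, detail)."""
    try:
        ip = ipaddress.ip_address(dns_proxy_ip)
    except ValueError:
        return False, f"not an IP address: {dns_proxy_ip!r}"
    if ip.version != 4:
        # The page states IPv6 internal host detection isn't supported.
        return False, "IPv6 internal host detection is not supported"
    try:
        primary, aliases, _ = resolver(str(ip))
    except (socket.herror, socket.gaierror) as exc:
        # Missing PTR record, or the internal DNS server is unreachable.
        return False, f"no PTR record returned: {exc}"
    # DNS names are case-insensitive and may carry a trailing dot.
    names = [n.rstrip(".").lower() for n in [primary, *aliases] if n]
    matches = [n for n in names if n.startswith(IGW_PREFIX)]
    if not matches:
        return False, f"PTR answer {names} does not start with {IGW_PREFIX!r}"
    if expected_fqdn is not None:
        # Optional (assumption): also compare with the hostname shown in
        # the app setting's internal host detection details.
        want = expected_fqdn.rstrip(".").lower()
        if want not in matches:
            return False, f"PTR answer {matches} differs from {want!r}"
    return True, matches[0]


if __name__ == "__main__":
    # Usage: script.py <dns-proxy-ip> [expected-fqdn], e.g. 192.0.2.10 (constructed)
    if len(sys.argv) < 2:
        sys.exit("usage: check_ihd_ptr.py <dns-proxy-ip> [expected-fqdn]")
    ok, detail = check_ihd_ptr(sys.argv[1], *sys.argv[2:3])
    print("OK" if ok else "FAIL", detail)
    sys.exit(0 if ok else 1)
```

A failure here means the internal host detection lookup the page describes would not succeed from that network segment, so check the PTR records on the DNS server your internal hosts actually use.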

