Advanced Internal Host Detection

Software Support

: Starting with GlobalProtect™ app 6.1. Requires content release version 8615-7549.

OS Support

: Windows 10, ARM64-Based Windows 10, macOS 11 and later releases, and ARM-Based macOS 11 and later releases

, and Linux

.

You can now configure advanced internal host detection through the portal if you want to add an extra security layer during internal host detection by the GlobalProtect app. With the advanced internal host detection, the app validates the server certificate of the internal gateways in addition to performing a reverse DNS lookup of the internal host to determine whether the app is inside the enterprise network.

Enabling the advanced internal host detection stops malicious actors from spoofing the reverse DNS server response during the internal host detection and thereby prevents unauthorized access to the endpoints in the enterprise network. When you enable the advanced internal host detection through the portal and the user logs in to the GlobalProtect app, the workflow looks as follows:

When a user attempts to log in with advanced internal host detection enabled, the GlobalProtect app is considered as inside the enterprise network only when:

The reverse DNS lookup of an internal host using the specified IP address to the hostname is successful during the internal host detection process.
The app successfully validates the server certificate of at least one of the configured internal gateways.

If the advanced internal host detection fails, the endpoint is considered as outside the network and the app performs a network discovery to connect to the best available external gateway.

By default, advanced internal host detection is disabled.

Ensure that the GlobalProtect internal gateway is configured.
Ensure that the internal host detection is configured through the portal.
Enable advanced internal host detection.
Select
Network
GlobalProtect
Portals
.
Select the portal configuration to which you are adding the agent configuration, and then select the
Agent
tab and select the desired agent configuration.
Select
App
. The App Configurations area displays the app settings with default values that you can customize for each agent configuration.

In the
App Configurations
area, set
Enable Advance Internal Host Detection
to
Yes
to add an additional security layer during the internal host detection by the app.
Click
OK
and commit the changes.
View the logs to verify that advanced internal host detection is configured through portal.
Verify the GlobalProtect logs for advanced internal hosting detection for GlobalProtect app troubleshooting. To view the logs:
From the firewall hosting the portal, select
Monitor
Logs
GlobalProtect.
Filter for advanced internal host detection to view the following events on the GlobalProtect logs page.
Advanced Internal Host Detection successful
Advanced Internal Host Detection failed
You can also view the advanced internal host detection related events in the PanGPS logs.
Verify the advanced internal host detection events in the PanGPS logs. The PanGPS log displays the following events when:
Advanced Internal Host Detection is enabled.
Advanced IHD is yes
Advanced Internal Host Detection is not enabled.
Advanced IHD is no
Advanced Internal Host Detection setting does not exist in portal configuration.
Advanced IHD is not enabled
Advanced Internal Host Detection fails and GlobalProtect falls back to external network discovery.
Advanced IHD failed. Fallback to external network discovery.
Advanced Internal Host Detection is enabled and Internal Host Detection is resolved to internal network.
Skip setting network discovery ready for Advanced IHD.
Server certificate validation is successful for at least one internal gateway.
Set network ready to internal network for Advanced IHD.