GlobalProtect gateways provide security enforcement
for traffic from GlobalProtect agents/apps. Additionally, if the
HIP feature is enabled, the gateway generates a HIP report from
the raw host data the clients submit and can use this information
in policy enforcement.
You configure a GlobalProtect gateway on an interface on any Palo Alto
Networks next-generation firewall. You can run both a gateway and
a portal on the same firewall, or you can have multiple, distributed
gateways throughout your enterprise.
You can configure any of the following types of gateways:
Internal gateway—An internal gateway is an interface on
the internal network configured as a GlobalProtect gateway for applying
security policy for access to internal resources. When used in conjunction with
User-ID and/or HIP checks, an internal gateway can be used to provide
a secure, accurate method of identifying and controlling traffic
by user and/or device state. Internal gateways are useful in sensitive
environments where authenticated access to critical resources is
required. You can configure an internal gateway in either tunnel
mode or non-tunnel mode. An agent connects to the internal gateway
after performing internal host detection to determine the location
of the endpoint.
External gateway (auto discovery)—An external gateway
resides outside of the corporate network and provides security enforcement
and/or virtual private network (VPN) access for your remote users.
The agent automatically connects to the external gateway depending
on the priority you assign to the gateway, source region, and the
response time (see Gateway
Priority in a Multiple Gateway Configuration). When you configure
an external gateway in the GlobalProtect portal agent configuration,
auto discovery is the default. See Define
the GlobalProtect Agent Configurations.
External gateway (manual)—A manual external gateway
also resides outside of the corporate network and provides security
enforcement and/or VPN access for your remote users. The difference between
the auto-discovery external gateway and the manual external gateway
is that the GlobalProtect agent only connects to a manual external
gateway when the user initiates a connection. You can also configure
different authentication requirements for manual external gateways.
To configure a manual gateway, you must identify the gateway as