Types of Gateways

GlobalProtect gateways provide security enforcement for traffic from GlobalProtect agents/apps. Additionally, if the HIP feature is enabled, the gateway generates a HIP report from the raw host data the clients submit and can use this information in policy enforcement.
You configure a GlobalProtect gateway on an interface on any Palo Alto Networks next-generation firewall. You can run both a gateway and a portal on the same firewall, or you can have multiple, distributed gateways throughout your enterprise.
You can configure any of the following types of gateways:
  • Internal—An internal gateway is an interface on the internal network configured as a GlobalProtect gateway for applying security policy for access to internal resources. When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic by user and/or device state. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. You can configure an internal gateway in either tunnel mode or non-tunnel mode. An agent connects to the internal gateway after performing internal host detection to determine the location of the endpoint.
  • External gateway (auto discovery)—An external gateway resides outside of the corporate network and provides security enforcement and/or virtual private network (VPN) access for your remote users. The agent automatically connects to the external gateway depending on the priority you assign to the gateway, source region, and the response time (see Gateway Priority in a Multiple Gateway Configuration). When you configure an external gateway in the GlobalProtect portal agent configuration, auto discovery is the default. See Define the GlobalProtect Agent Configurations.
  • External gateway (manual)—A manual external gateway also resides outside of the corporate network and provides security enforcement and/or VPN access for your remote users. The difference between the auto-discovery external gateway and the manual external gateway is that the GlobalProtect agent connects to a manual external gateway only when the user initiates a connection. You can also configure different authentication requirements for manual external gateways. To configure a manual gateway, you must identify the gateway as Manual in the GlobalProtect portal agent configuration. See Define the GlobalProtect Agent Configurations.
