GlobalProtect Gateways
End-of-Life (EoL)

GlobalProtect gateways provide security enforcement for traffic from the GlobalProtect apps and generate HIP reports from host data. They can be configured on Palo Alto Networks NGFW or Prisma Access and support internal and external gateway types.
GlobalProtect gateways provide security enforcement for traffic from the GlobalProtect apps. Additionally, if the Host Information Profile (HIP) feature is enabled, the gateway generates a HIP report from the raw host data that the endpoints submit, which it can use for policy enforcement.
Configure a GlobalProtect Gateway on any Palo Alto Networks next-generation firewall. You can run both a gateway and portal on the same firewall, or you can have multiple distributed gateways throughout your enterprise.
GlobalProtect supports the following gateway types:
  • Internal—An internal gateway is an interface on the internal network that is configured as a GlobalProtect gateway and applies security policies for internal resource access. When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic based on user and/or device state. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. You can configure an internal gateway in either tunnel mode or non-tunnel mode. The GlobalProtect app connects to the internal gateway after performing internal host detection to determine the location of the endpoint. If internal host detection is not configured, the GlobalProtect app first connects to the internal gateway and then, if that connection fails, to the external gateway.
  • External gateway (auto discovery)—An external gateway resides outside of the corporate network and provides security enforcement and/or virtual private network (VPN) access for your remote users. By default, the GlobalProtect app automatically connects to the Best Available external gateway, based on the priority you assign to the gateway, source region, and the response time (see Gateway Priority in a Multiple Gateway Configuration).
  • External gateway (manual)—A manual external gateway also resides outside of the corporate network and provides security enforcement and/or VPN access for your remote users. The difference between the auto-discovery external gateway and the manual external gateway is that the GlobalProtect app only connects to a manual external gateway when the user initiates a connection. You can also configure different authentication requirements for manual external gateways. To configure a manual gateway, you must identify the gateway as Manual when you Define the GlobalProtect Agent Configurations.