GlobalProtect Gateways
GlobalProtect gateways provide security enforcement for traffic from the GlobalProtect apps and generate HIP reports from host data. They can be configured on Palo Alto Networks NGFW or Prisma Access and support internal and external gateway types.

GlobalProtect gateways provide security enforcement for traffic from the GlobalProtect apps. Additionally, if the Host Information Profile (HIP) feature is enabled, the gateway generates a HIP report from the raw host data that the endpoints submit, which it can use for policy enforcement.

Configure a GlobalProtect Gateway on any Palo Alto Networks next-generation firewall. You can run both a gateway and portal on the same firewall, or you can have multiple distributed gateways throughout your enterprise.
GlobalProtect supports the following gateway types:

- Internal—An internal gateway is an interface on the internal network that is configured as a GlobalProtect gateway and applies security policies for internal resource access. When used in conjunction with User-ID and/or HIP checks, an internal gateway provides a secure, accurate method of identifying and controlling traffic based on user and/or device state. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. You can configure an internal gateway in either tunnel mode or non-tunnel mode. The GlobalProtect app connects to the internal gateway after performing internal host detection to determine the location of the endpoint. If internal host detection is not configured, the GlobalProtect app first connects to the internal gateway and then to an external gateway if that connection fails.

- External gateway (auto discovery)—An external gateway resides outside of the corporate network and provides security enforcement and/or virtual private network (VPN) access for your remote users. By default, the GlobalProtect app automatically connects to the Best Available external gateway, based on the priority you assign to the gateway, the source region, and the response time (see Gateway Priority in a Multiple Gateway Configuration).

- External gateway (manual)—A manual external gateway also resides outside of the corporate network and provides security enforcement and/or VPN access for your remote users. The difference between the auto-discovery external gateway and the manual external gateway is that the GlobalProtect app only connects to a manual external gateway when the user initiates a connection. You can also configure different authentication requirements for manual external gateways. To configure a manual gateway, you must identify the gateway as Manual when you Define the GlobalProtect Agent Configurations.
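The connection order described for the three gateway types (internal host detection, internal-first fallback when detection is not configured, Best Available selection among auto-discovery external gateways, and manual gateways waiting for the user) is easier to reason about when walked through on a sample deployment. The following Python model is an added example for this page; it is not Palo Alto Networks code and not the app's actual algorithm. The reverse-DNS form of internal host detection, the numeric ordering of the priority tiers, and the tie-break rule (region match, then priority tier, then lowest measured response time) are assumptions made for the example, as are all gateway names, addresses and probe timings.

```python
"""Toy model of the GlobalProtect app's gateway connection order.
Constructed example, not Palo Alto Networks code; the ranking rule and the
reverse-DNS internal host detection are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Priority tiers an admin assigns to auto-discovery external gateways.
# Lower rank wins; the numeric ordering is our own simplification.
PRIORITY_RANK = {"Highest": 0, "High": 1, "Medium": 2, "Low": 3, "Lowest": 4}


@dataclass(frozen=True)
class Gateway:
    name: str
    kind: str                 # "internal", "external-auto" or "external-manual"
    priority: str = "Medium"  # only meaningful for external-auto gateways
    region: str = "Any"       # source region this gateway is meant to serve


@dataclass
class Outcome:
    location: str             # "internal" or "external"
    chosen: Optional[str]     # gateway the app settled on, None if none accepted
    tried: List[str] = field(default_factory=list)


def detect_internal(probe_ip: str, expected_host: str,
                    reverse_dns: Callable[[str], Optional[str]]) -> bool:
    """Internal host detection, modelled (assumption) as: the endpoint is on
    the corporate network only if a reverse lookup of the configured internal
    IP returns the expected hostname."""
    return reverse_dns(probe_ip) == expected_host


def rank_external(gateways: List[Gateway], source_region: str,
                  response_ms: Dict[str, int]) -> List[str]:
    """Order auto-discovery external gateways for Best Available selection.
    Manual gateways are skipped (the app only uses them when the user asks);
    a gateway with no probe result is treated as unreachable."""
    ranked = []
    for gw in gateways:
        if gw.kind != "external-auto" or gw.region not in ("Any", source_region):
            continue
        if gw.name in response_ms:
            ranked.append((PRIORITY_RANK[gw.priority], response_ms[gw.name], gw.name))
    ranked.sort()  # region already filtered; priority tier, then response time
    return [name for _, _, name in ranked]


def choose_gateway(gateways, *, source_region, response_ms, accepts,
                   internal_check=None) -> Outcome:
    """Walk the connection order. `accepts(name)` says whether a gateway
    accepts the connection; `internal_check` is (ip, hostname, reverse_dns)
    or None when internal host detection is not configured."""
    internal = [g.name for g in gateways if g.kind == "internal"]
    external = rank_external(gateways, source_region, response_ms)
    tried: List[str] = []

    def first_accepting(names):
        for name in names:
            tried.append(name)
            if accepts(name):
                return name
        return None

    if internal_check is not None:
        ip, host, reverse_dns = internal_check
        if detect_internal(ip, host, reverse_dns):
            return Outcome("internal", first_accepting(internal), tried)
        return Outcome("external", first_accepting(external), tried)
    # Detection not configured: internal gateway first, external on failure.
    chosen = first_accepting(internal)
    if chosen is not None:
        return Outcome("internal", chosen, tried)
    return Outcome("external", first_accepting(external), tried)


# Constructed sample deployment (names, regions and timings are made up).
GATEWAYS = [
    Gateway("gw-internal-hq", "internal"),
    Gateway("gw-us-east", "external-auto", "Highest", "North America"),
    Gateway("gw-us-west", "external-auto", "Highest", "North America"),
    Gateway("gw-eu", "external-auto", "High", "Europe"),
    Gateway("gw-backup", "external-auto", "Low", "Any"),
    Gateway("gw-lab", "external-manual", "Highest", "Any"),
]
PROBES_MS = {"gw-us-east": 40, "gw-us-west": 25, "gw-backup": 80}  # gw-eu: no answer
DETECT_IP, DETECT_HOST = "10.0.0.10", "gp-detect.corp.example"


def scenario_on_lan() -> Outcome:
    """Endpoint on the office LAN: reverse lookup succeeds, internal gateway used."""
    check = (DETECT_IP, DETECT_HOST, lambda ip: DETECT_HOST if ip == DETECT_IP else None)
    return choose_gateway(GATEWAYS, source_region="North America", response_ms=PROBES_MS,
                          accepts=lambda n: True, internal_check=check)


def scenario_remote() -> Outcome:
    """Same endpoint off-site: lookup fails, fastest Highest-priority gateway wins."""
    check = (DETECT_IP, DETECT_HOST, lambda ip: None)
    return choose_gateway(GATEWAYS, source_region="North America", response_ms=PROBES_MS,
                          accepts=lambda n: True, internal_check=check)


def scenario_no_detection() -> Outcome:
    """Detection not configured and internal gateway unreachable: internal is
    tried first, then the app falls through to the external ranking."""
    return choose_gateway(GATEWAYS, source_region="North America", response_ms=PROBES_MS,
                          accepts=lambda n: n != "gw-internal-hq")


if __name__ == "__main__":
    for scenario in (scenario_on_lan, scenario_remote, scenario_no_detection):
        print(scenario.__name__, scenario())
```

Note that `gw-lab` never appears in any outcome: as a manual gateway it is excluded from automatic selection, and `gw-eu` is dropped because its region does not match and it did not answer the probe. A deployment review should confirm that the internal gateway is reachable only from the corporate network; in the `scenario_no_detection` path the app will happily fall through to an external gateway when the internal one refuses, so a misconfigured internal gateway silently changes which policy set the user lands on.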