Internal Gateway Selection by Source IP Address
GlobalProtect can now restrict internal gateway connection choices based on the source IP address of the client. In a distributed enterprise, this feature allows users from a branch to authenticate and send HIP reports to the firewall configured as the internal gateway for that branch, as opposed to authenticating and sending HIP reports to all branches. Previously, to prevent GlobalProtect applications from sending HIP information to a large number of gateways, you had to configure multiple portals.
With this feature, internal gateway selection is based on the following considerations:
- The source IP address of the connecting endpoint. The GlobalProtect client only authenticates to internal gateways which are configured to accept connections from selected ranges of IP addresses.
- If the connecting endpoint uses DHCP for IP addressing, the GlobalProtect client authenticates to internal gateways based on a list of gateways obtained as an option from a DHCP server.
When both the source address and DHCP options are configured, the list of available gateways presented to the client is based on the combination (union) of the two configurations.
- Define a GlobalProtect Agent Configuration.
- On the Internal tab, Add a new internal gateway configuration for the agent, or modify an existing internal gateway configuration.
- (Optional) Add one or more Source Addresses to the gateway configuration. The source address can be an IP subnet or range. It can also be a predefined address. When users connect, GlobalProtect recognizes the source address of the device and only allows users to connect to gateways that are configured for that address.
- Click OK to save your changes.
- (Optional) Add a DHCP Option 43 Code to the gateway configuration. You can include one or more sub-option codes associated with the vendor-specific information (Option 43) that the DHCP server has been configured to offer the client. For example, you might have a sub-option code 100 that is associated with an IP address of 192.168.3.1. When a user connects, the GlobalProtect portal sends the list of option codes in the portal configuration to the GlobalProtect agent and the agent selects gateways indicated by the options. When both the source address and DHCP options are configured, the list of available gateways presented to the client is based on the combination (union) of the two configurations. DHCP options are supported on Windows and Mac endpoints only. DHCP options cannot be used to select gateways that use IPv6 addressing.
- Save the agent configuration.
- Click OK.
- Commit your changes.
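To check a planned configuration before committing it, the following added example (not Palo Alto Networks code, and not the GlobalProtect app's implementation) models the selection rule described above: gateways matched by source address, plus gateways named by DHCP Option 43 sub-options, combined as a union. It assumes each sub-option value is a 4-byte IPv4 address in the standard RFC 2132 code/length/data layout and that every gateway record carries a source address list; the function names, the record layout, the second gateway and both source ranges are constructed for illustration.

```python
import ipaddress

def parse_option43(raw: bytes) -> dict:
    """Split an Option 43 payload into {sub-option code: data} (RFC 2132 TLV)."""
    subopts, i = {}, 0
    while i < len(raw) and raw[i] != 255:        # code 255 ends the sub-option list
        if i + 1 >= len(raw):
            raise ValueError("truncated sub-option header")
        code, length = raw[i], raw[i + 1]
        data = raw[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} is truncated")
        subopts[code] = data
        i += 2 + length
    return subopts

def in_source(client_ip: str, spec: str) -> bool:
    """True if client_ip falls inside a subnet ('10.1.0.0/16') or a range ('a-b')."""
    ip = ipaddress.ip_address(client_ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(s.strip()) for s in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

def candidate_gateways(client_ip, option43, dhcp_codes, gateways) -> set:
    """Union of gateways matched by source address and by DHCP sub-option."""
    by_source = {gw["address"] for gw in gateways
                 if any(in_source(client_ip, s) for s in gw["source"])}
    subopts = parse_option43(option43)
    # Assumption: each value is a 4-byte IPv4 address (DHCP options cannot
    # select IPv6 gateways, so other lengths are ignored here).
    by_dhcp = {str(ipaddress.IPv4Address(subopts[c]))
               for c in dhcp_codes if len(subopts.get(c, b"")) == 4}
    return by_source | by_dhcp

# Constructed sample data: two branch gateways, and a DHCP offer whose
# Option 43 carries sub-option 100 = 192.168.3.1 (the page's example value).
GATEWAYS = [
    {"address": "192.168.3.1", "source": ["10.1.0.0/16"]},
    {"address": "192.168.4.1", "source": ["10.2.0.10-10.2.0.200"]},
]
DHCP_CODES = [100]                       # codes listed in the portal configuration
OPTION43 = bytes([100, 4, 192, 168, 3, 1, 255])

if __name__ == "__main__":
    for ip in ("10.1.5.5", "10.2.0.50", "172.16.0.1"):
        print(ip, sorted(candidate_gateways(ip, OPTION43, DHCP_CODES, GATEWAYS)))
```

The second address in the demo shows the effect of the union: an endpoint in one branch's source range is still offered the other branch's gateway when the DHCP server hands out that sub-option, so the DHCP scope has to be reviewed alongside the source address lists.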