>
    Prisma Access Internal Gateway
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Advanced Deployments
    5. Prisma Access Remote Network Advanced Deployments
    6. Prisma Access Internal Gateway
    Download PDF
    Prisma Access

    Prisma Access Internal Gateway

    Table of Contents

    Prisma Access Internal Gateway

    Learn how to set up the Prisma Access internal gateway and its requirements.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access and mobile user license
    • Minimum Prisma Access version required: 5.1
    • Remote Networks—High Performance deployments require a minimumPrisma Access Preferred version of 6.0 and a minimum dataplane version of 10.2.6
    • Minimum required dataplane version for Prisma Access (Managed by Panorama) deployments: 10.2.4 (10.2.6 required for Remote Networks—High Performance deployments)
    • Minimum Required GlobalProtect™ Client Version: 6.0
    Previously, to generate User-ID-to-IP address mappings and HIP information for hosts running GlobalProtect client software in Prisma Access remote networks, you'd have to deploy an on-premises NGFW as an internal gateway. This solution isn't cloud-native. With the Prisma Access cloud-native internal gateway, you can get User-ID and HIP information without deploying an on-premises internal gateway.
    You can’t deploy an internal gateway that has a single branch terminating multiple IPSec tunnels (for example, an active/active tunnel or aggregated bandwidth site).
    The following diagram shows an example of a supported environment for an internal gateway deployment.
    The following diagram provides examples of deployments where internal gateways are not supported.
    Use one of the following procedures to set up an internal gateway.

    Prisma Access Internal Gateway (Strata Cloud Manager)

    Learn how to set up the Prisma Access internal gateway and its requirements.
    Complete the following steps to set up the Prisma Access internal gateway.
    1. In Strata Cloud Manager, set up GlobalProtect, add app settings, and onboard remote networks.
      Notice that there are no internal host detection and internal gateway configurations at present.
    2. Make a note of the Remote Networks DNS IP Address from WorkflowsPrisma Access SetupPrisma Access.
    3. Make a note of the Gateway FQDNs from WorkflowsPrisma Access SetupGlobalProtectInfrastructureInfrastructure SettingsGateway FQDNs.
    4. Select WorkflowsPrisma Access SetupRemote NetworksAdvanced Settings.
    5. Edit the settings of Prisma Access Internal Gateway to enable the internal gateway and Save the changes.
      (Optional) Enable Internal Host Detection for IPv4 if you don't want to use your own DNS server. You can enable the internal host detection only after you select Enable Internal Gateway.
      Prisma Access supports internal host detection only for the Always On connect method.
      When you enable the internal gateway, the remote network instances act as internal gateways. When you enable the internal host detection, Prisma Access creates PTR records on the remote network DNS proxy servers for the internal host detection process.
    6. Select WorkflowsPrisma Access SetupGlobalProtectGlobalProtect App.
    7. Select an app setting and view the internal host detection details and internal gateway details.
      When you enable the internal gateway and internal host detection in step 5, Prisma Access enables IPv4 internal host detection and internal gateway here as well. Prisma Access populates the Remote Networks DNS IP Address value, from step 2, as the IP address.
      IPv6 internal host detection on Prisma Access DNS proxies isn't supported.
      You can't remove this Prisma Access Internal Gateway entry. However, you can add your self-deployed internal gateways. You can deploy your own DNS servers in the internal network for internal host detection, but ensure to add PTR records so that the internal host detection is possible. Prisma Access appends the Gateway FQDNs value, from step 3, to the address.
      You can view the DNS proxy server IP address details by selecting WorkflowsPrisma Access SetupPrisma Access.
      If you enable Internal Host Detection, verify that the DNS resolution is working, perform a reverse DNS lookup from your internal network to DNS proxy server IP address, and ensure it returns an FQDN starting with any-igw.
    8. Push the changes to mobile users and remote networks at the same time.
    9. Log in to the endpoint.
      When you connect to GlobalProtect, first you authenticate with the GlobalProtect portal. The internal host detection triggers GlobalProtect to connect to the internal gateway. Then, as the GlobalProtect app continues to operate in the nontunnel mode, the second authentication appears and submits the host information to the internal gateway on remote networks.

    Prisma Access Internal Gateway (Panorama)

    1. In Panorama, set up GlobalProtect, add app settings, and onboard remote networks.
      Notice that there are no internal host detection and internal gateway configurations at present.
    2. Go to PanoramaCloud ServicesConfigurationRemote NetworksSettings.
    3. Enable Internal Gateway and save the changes.
      (Optional) Enable Prisma Access Internal Host Detection for IPv4 if you don't want to use your own DNS server. You can enable the internal host detection only after you select Enable Internal Gateway.
      Prisma Access supports internal host detection only for the Always On connect method.
      When you enable the internal gateway, the remote network instances act as internal gateways. When you enable the internal host detection, Prisma Access creates PTR records on the remote network DNS proxy servers for the internal host detection process.
      When you enable the internal gateway, Prisma Access creates an internal gateway configuration in a remote network template.
    4. Go to TemplatesNetworkGlobalProtectGateways and select Remote_Network_Template.
      You will find the GlobalProtect_Internal_Gateway template created for the internal gateway.
    5. Create an authentication profile for this remote network template similar to the authentication profile in the mobile user template.
      1. Select the remote network template, GlobalProtect_Internal_Gateway template, hyperlink.
      2. Go to AuthenticationClient Authentication.
      3. Edit the authentication profile details of the DEFAULT client authentication.
        Create an authentication profile same as the one in the mobile user template. You can find the authentication profile used in the mobile user template under TemplateDeviceAuthentication Profile. Ensure to select Mobile_User_Template.
        You can also view the authentication profile for the remote network template by selecting TemplatesDeviceAuthentication Profile. Select Remote_Network_Template.
    6. Create a device certificate for the remote network template similar to the device certificate in the mobile user template.
      1. Select the remote network template, GlobalProtect_Internal_Gateway, hyperlink.
      2. Go to AgentClient Settings.
      3. Select the DEFAULT configuration, and go to Authentication Override settings.
      4. Edit the Certificate to Encrypt/Decrypt Cookie settings, and create a new device certificate.
        Create a device certificate same as the one in the mobile user template. You can find the device certificate used in the mobile user template under TemplateDeviceCertificate ManagementCertificatesDevice Certificates. Ensure to select Mobile_User_Template. The DEFAULT configuration references the Authentication Cookie CA certificate. Follow the same hierarchy as the one in Mobile_User_Template for successful authentication.
        You can also view the device certificate for the remote network template by selecting TemplateDeviceCertificate ManagementCertificatesDevice Certificates. Select Remote_Network_Template.
    7. Push the changes to mobile users and remote networks at the same time.

    © 2025 Palo Alto Networks, Inc. All rights reserved.