PAN-OS: GlobalProtect Internal vs. External Gateways

Introduction: Location Matters

GlobalProtect provides secure access to corporate resources, but the user's location when they connect determines which type of GlobalProtect Gateway they should ideally use. PAN-OS allows administrators to configure distinct gateways optimized for users connecting from either outside or inside the corporate network perimeter.

External Gateways: Designed for users connecting from the internet (e.g., home, public Wi-Fi, hotels). These gateways terminate VPN tunnels initiated from untrusted networks. This is the standard "remote access VPN" gateway.
Internal Gateways: Designed for users who are already physically inside the corporate network (e.g., connected to the office LAN or trusted WLAN) but still need to have their traffic inspected and security policies applied consistently, often as part of a Zero Trust strategy or to access resources in different security segments.

The GlobalProtect agent intelligently selects the appropriate gateway type based on its ability to reach predefined internal resources ( Internal Host Detection ).

External Gateways

Purpose

Provide secure, encrypted VPN tunnels for remote users connecting from untrusted external networks.
Authenticate remote users.
Enforce security policy (App-ID, Threat Prevention, URL Filtering, etc.) on traffic entering the corporate network from remote users.
Provide access to internal resources based on user identity and potentially device posture (HIP).

Typical Configuration

Listening Interface: Configured on an external-facing firewall interface (e.g., in the `Untrust` zone).
Tunnel Interface: Terminates tunnels on a logical Tunnel Interface assigned to a specific VPN zone (e.g., `GP-External-VPN`).
Authentication: Uses configured Authentication Profiles (LDAP, SAML, RADIUS, etc.) suitable for remote users.
Client IP Pool: Assigns IP addresses to remote clients from a dedicated pool.
Split/Full Tunnel: Configured via Access Routes in the Agent Client Settings to control routing for remote users.

Internal Gateways

Purpose

Enforce Consistent Security Policy: Ensure users *already inside* the network are subject to the same rigorous security inspection (App-ID, Threat Prevention, etc.) as remote users when accessing sensitive internal resources or different network segments.
Apply HIP Checks Internally: Verify the security posture (compliance) of devices connected to the internal network before granting access to critical resources.
Implement Zero Trust Principles Internally: Treat internal network connections with the same level of scrutiny as external connections – verify user and device before trusting.
Segment Internal Access: Provide controlled access to specific internal zones or applications based on user identity and device posture, even for users already on the LAN/WLAN.
Visibility: Gain user-based visibility (User-ID logging) for traffic originating internally.

Internal Gateways do *not* necessarily encrypt traffic (though they can be configured to), as the primary goal is often policy enforcement and posture assessment rather than confidentiality from the internal network itself.

Typical Configuration

Listening Interface: Configured on an internal-facing firewall interface (e.g., in the `Trust` or a specific internal zone).
Tunnel Interface: Terminates "tunnels" (connections) on a logical Tunnel Interface assigned to a specific internal VPN zone (e.g., `GP-Internal-VPN`).
Authentication: Often configured for seamless authentication (e.g., using Kerberos, or relying on cookies from Portal authentication if Internal Host Detection triggers connection before Portal timeout). Standard Authentication Profiles can also be used.
Client IP Pool: Assigns IPs (optional, can sometimes use client's physical IP if configured).
Split/Full Tunnel: Access Routes are configured differently; often, you might want internal users to retain access to local network resources while tunneling traffic to specific sensitive internal segments.
Requires Internal Host Detection (IHD) to be configured so the agent knows it's inside and should connect to this gateway.

Internal Host Detection (IHD) - The Key Differentiator

For the GlobalProtect agent to automatically choose between External and Internal Gateways, Internal Host Detection (IHD) must be configured within the Portal's Agent configuration.

Location: Network > GlobalProtect > Portals > [Portal Name] > Agent > [Agent Config] > Internal tab.
Mechanism: The agent attempts to connect to specific IP addresses or resolve specific DNS names that should *only* be reachable when the client is *inside* the corporate network.
Configuration:
- Specify one or more Internal Host IP addresses or FQDNs.
- Define the connection attempt method (e.g., HTTPS probe on port 443, ICMP ping).
- If the agent successfully connects/resolves the specified host, it determines it is internal and attempts to connect to an Internal Gateway listed in its configuration.
- If the agent fails to reach any IHD host, it determines it is external and attempts to connect to an External Gateway .
Reliability: Choose IHD targets that are highly available and uniquely reachable only from the internal network. Using multiple targets improves reliability.

Configuration and Selection Workflow

Portal Configuration: ( Network > GlobalProtect > Portals > ... > Agent > External/Internal ) Define BOTH External and Internal Gateways in the agent configuration distributed by the Portal. Specify addresses (FQDN recommended) and priorities.
Internal Host Detection Config: Configure IHD criteria within the same Portal Agent configuration.
Gateway Configuration: Create separate Gateway objects ( Network > GlobalProtect > Gateways ):
- One (or more) for External Gateways listening on external interfaces.
- One (or more) for Internal Gateways listening on internal interfaces.
- Each gateway type will likely have different Agent > Client Settings (especially Split Tunnel Access Routes).
Agent Connection Logic:
- Agent starts and attempts Internal Host Detection based on Portal config.
- **If IHD Succeeds:** Agent marks itself as "Internal". It then attempts to connect to the highest priority *Internal Gateway* listed in its configuration.
- **If IHD Fails:** Agent marks itself as "External". It then attempts to connect to the highest priority *External Gateway* listed in its configuration.
Policy Enforcement: Security Policy rules are applied based on the zone associated with the Tunnel Interface used by the connected Gateway (either the External VPN zone or the Internal VPN zone).

    graph TD
        Client[GP Agent] --> IHD{Internal Host
Detection};
        IHD -- Success --> Internal{Status: Internal};
        IHD -- Failure --> External{Status: External};

        Internal --> ConnectInternal[Connect to
Internal Gateway];
        External --> ConnectExternal[Connect to
External Gateway];

        ConnectInternal --> GW_Int(Internal Gateway
Listens on Trust Intf);
        ConnectExternal --> GW_Ext(External Gateway
Listens on Untrust Intf);

        GW_Int --> Tun_Int(Tunnel Interface
Zone: GP-Internal);
        GW_Ext --> Tun_Ext(Tunnel Interface
Zone: GP-External);

        Tun_Int --> Policy_Int(Security Policy
Src=GP-Internal);
        Tun_Ext --> Policy_Ext(Security Policy
Src=GP-External);

        Policy_Int --> Resources[(Internal Resources)];
        Policy_Ext --> Resources;

        style IHD fill:#f9f,stroke:#333,stroke-width:2px
        style Internal fill:#d5f5e3,stroke:#58d68d,stroke-width:1px
        style External fill:#fdebd0,stroke:#f5b041,stroke-width:1px

Agent Gateway Selection Logic based on IHD.

Caveats and Considerations

IHD Reliability: The effectiveness of the internal/external distinction hinges on reliable Internal Host Detection. If IHD targets are down or DNS fails, internal clients might incorrectly connect to an external gateway (or fail to connect).
User Experience (Internal): Forcing internal users through an Internal Gateway can add a slight connection delay and potentially alter their source IP address for internal resource access (if using an IP pool). Ensure the benefits outweigh any perceived friction.
Split Tunnel Complexity: Defining appropriate split tunnel rules (Access Routes, Excludes) can be complex, especially ensuring internal users retain access to local network resources (printers, file shares) while tunneling other traffic.
Performance: While often focused on policy enforcement, if an Internal Gateway *is* configured to encrypt traffic (e.g., for specific internal segments), it will consume resources similar to an external gateway.
Configuration Overhead: Requires configuring and managing distinct gateway objects and potentially different agent configurations.

Best Practices

Use Internal Gateways for Zero Trust: Implement Internal Gateways when aiming for consistent security policy enforcement and device posture checks for all users, regardless of location.
Configure Reliable IHD: Use multiple, stable IHD targets (IPs or FQDNs) that are uniquely reachable only from inside the network.
Separate Zones: Use distinct Security Zones for external gateway tunnels (e.g., `GP-External`) and internal gateway tunnels (e.g., `GP-Internal`) for granular policy control.
Consistent Authentication: Aim for consistent or seamless authentication methods across internal and external gateways where possible (e.g., using cookies, SAML).
Tailor Agent Settings: Carefully configure IP Pools, DNS, and especially Split Tunnel Access Routes appropriately for internal vs. external client settings within the respective Gateway configurations.
Policy Consistency (Goal): While zones differ, strive to apply similar *levels* of security inspection (Threat Prevention profiles, etc.) to traffic coming from both internal and external gateway zones where appropriate for your security goals.

PCNSE Exam Focus

For the PCNSE exam, understand:

The distinct purpose of External Gateways (remote access from untrusted networks) vs. Internal Gateways (policy/posture enforcement for users already inside).
The primary use case for Internal Gateways: Achieving consistent security posture and implementing Zero Trust principles internally.
The role and configuration of Internal Host Detection (IHD) in enabling the agent to select the correct gateway type.
Where External and Internal Gateways are defined for the agent: In the Portal's Agent configuration .
The typical interface location for each gateway type (External = Untrust-facing, Internal = Trust-facing).
That separate Gateway objects are configured for internal and external functions.
That different Agent Client Settings (IP Pools, DNS, Split Tunnel) can be applied based on whether the user connects to an internal or external gateway.

PAN-OS: GlobalProtect Internal vs. External Gateways

Introduction: Location Matters

External Gateways

Purpose

Typical Configuration

Internal Gateways

Purpose

Typical Configuration

Internal Host Detection (IHD) - The Key Differentiator

Configuration and Selection Workflow

Caveats and Considerations

Best Practices

PCNSE Exam Focus

GlobalProtect Internal vs. External Gateways Quiz

References