In my previous post, we covered the initial setup of GlobalProtect, which included a portal, an external gateway, and user authentication via the local database. In this post, we are going to configure multiple external authentication types as well as add an internal gateway. You can see a diagram of the environment here.

Internal gateways - An interface on the internal network configured as a GlobalProtect gateway for applying security policy for access to internal resources. When GlobalProtect is deployed in this manner, the internal network gateways may be configured with or without a VPN tunnel. On the GlobalProtect Gateway, navigate to Network > GlobalProtect > Gateways and create a.

I have set up GlobalProtect (Palo Alto Networks) to be "Always On" for a group of clients, but I don't want them to connect when they're on the internal network, to not put unnecessary load on the firewall. I have my portal and gateway reachable internally and use NAT for outside access to the gateway. Currently I solved this by creating firewall rules disallowing the connection from inside, but this causes the client to display an error message stating that the connection failed and that the user should contact the administrator. I know I can set up an internal gateway and use internal host detection, and in that gateway I could arguably use split tunneling in such a way that no traffic is passed through the VPN. That would get rid of the error message, but it feels like an odd way to go about solving this.

It also maintains a list of internal and external gateways. It allows my GlobalProtect users to still auth to the gateway and get the proper configurations regardless of where they log in, then uses the internal host detection to determine whether tunneling is needed or not.
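The decision the portal hands to the client above (internal gateway without a tunnel when on the LAN, external gateway with a tunnel otherwise) is driven by internal host detection, which the GlobalProtect app performs as a reverse DNS lookup of a configured IP address that must resolve to a configured hostname. The following Python script is an added example written for this page, not code from Palo Alto Networks or from either post's author; it models that decision with a pluggable resolver so it runs offline. The IP, hostname, gateway names and addresses, and the PTR tables standing in for the office network, an untrusted network, and a network that spoofs the PTR record are all constructed for the example.

```python
"""Model of GlobalProtect-style internal host detection (constructed example)."""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class InternalHostDetection:
    # Portal agent-config setting: the app reverse-resolves `ip` and expects `hostname`.
    ip: str
    hostname: str


@dataclass(frozen=True)
class Gateway:
    name: str
    address: str
    tunnel: bool  # an internal gateway may be configured without a VPN tunnel


# Same shape as socket.gethostbyaddr: (hostname, aliaslist, ipaddrlist)
Resolver = Callable[[str], Tuple[str, List[str], List[str]]]


def reverse_lookup(ip: str, resolver: Resolver = socket.gethostbyaddr) -> Optional[str]:
    """Return the PTR name for ip (normalised), or None if the lookup fails."""
    try:
        return resolver(ip)[0].rstrip(".").lower()
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def is_on_internal_network(ihd: InternalHostDetection,
                           resolver: Resolver = socket.gethostbyaddr) -> bool:
    """Internal host detection passes only if the PTR matches the expected hostname."""
    name = reverse_lookup(ihd.ip, resolver)
    return name is not None and name == ihd.hostname.rstrip(".").lower()


def select_gateway(ihd: InternalHostDetection, internal: List[Gateway],
                   external: List[Gateway], resolver: Resolver) -> Gateway:
    """Prefer an internal gateway when the host check passes; otherwise go external.

    Both branches still authenticate to a gateway, which is what keeps the client
    from reporting a failed connection instead of simply not tunnelling.
    """
    if internal and is_on_internal_network(ihd, resolver):
        return internal[0]
    return external[0]


def make_resolver(ptr_table: Dict[str, str]) -> Resolver:
    """Build an offline stand-in for socket.gethostbyaddr from a PTR table."""
    def resolve(ip: str) -> Tuple[str, List[str], List[str]]:
        if ip not in ptr_table:
            raise socket.herror(1, "Unknown host")  # what a real lookup raises on NXDOMAIN
        return (ptr_table[ip], [], [ip])
    return resolve


# Constructed configuration, mirroring the portal's internal host detection setting.
CONSTRUCTED_IHD = InternalHostDetection(ip="10.10.0.5", hostname="dc1.corp.example")
INTERNAL_GW = [Gateway("gw-internal", "10.10.0.1", tunnel=False)]
EXTERNAL_GW = [Gateway("gw-external", "203.0.113.10", tunnel=True)]

# Constructed PTR tables for three networks the client might be on.
OFFICE_DNS = make_resolver({"10.10.0.5": "dc1.corp.example."})
COFFEE_SHOP_DNS = make_resolver({})  # no PTR for the internal address
# A hostile network can answer the unauthenticated lookup too, so the PTR check is a
# convenience for choosing a gateway, not a security boundary: the internal gateway's
# own authentication and security policy remain the control.
SPOOFED_DNS = make_resolver({"10.10.0.5": "dc1.corp.example"})


if __name__ == "__main__":
    for label, dns in (("office", OFFICE_DNS), ("coffee shop", COFFEE_SHOP_DNS),
                       ("spoofed", SPOOFED_DNS)):
        gw = select_gateway(CONSTRUCTED_IHD, INTERNAL_GW, EXTERNAL_GW, dns)
        print(f"{label:12s} -> {gw.name} ({gw.address}) tunnel={gw.tunnel}")
```

Running it shows the office and spoofed networks both steering the client to gw-internal with no tunnel, and the coffee-shop network steering it to gw-external with a tunnel; the spoofed row is the reason an internal gateway should still authenticate users and enforce policy rather than relying on the lookup alone.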