GlobalProtect Gateways
GlobalProtect gateways provide security enforcement for traffic from the GlobalProtect apps and generate HIP reports from host data. They can be configured on Palo Alto Networks NGFW or Prisma Access and support internal and external gateway types.
GlobalProtect gateways provide security enforcement for traffic from the GlobalProtect apps. Additionally, if the Host Information Profile (HIP) feature is enabled, the gateway generates a HIP report from the raw host data that the endpoints submit, which it can use for policy enforcement.
Configure a GlobalProtect Gateway on any Palo Alto Networks NGFW or on Prisma Access. On the NGFW, you can run both a gateway and portal on the same firewall, or you can have multiple distributed gateways throughout your enterprise. On Prisma Access, all gateways in your Prisma Access locations are available to users. If you have additional GlobalProtect gateways that you’d like your users to be able to connect to, you can add those gateways
GlobalProtect supports the following gateway types:
  • Internal—An internal gateway is an interface on the internal network that is configured as a GlobalProtect gateway and applies security policies for internal resource access. When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a secure, accurate method of identifying and controlling traffic based on user and/or device state. Internal gateways are useful in sensitive environments where authenticated access to critical resources is required. You can configure an internal gateway in either tunnel mode or non-tunnel mode. The GlobalProtect app connects to the internal gateway after performing internal host detection to determine the location of the endpoint. If internal host detection is not configured, the GlobalProtect app first connects to the internal gateway followed by the external gateway upon connection failure.
    If an internal gateway and internal host detection are configured without an external gateway and internal host detection fails, the GlobalProtect app retries network discovery if the Enable Intelligent Internal Host Detection parameter is set to yes. This applies when users run the GlobalProtect app in internal host detection mode for User-ID while a third-party VPN provides access to private applications. If internal host detection runs before the third-party VPN establishes its tunnel, detection fails and the User-ID mapping is not established. With the Enable Intelligent Internal Host Detection parameter, the app re-triggers network discovery until internal host detection succeeds, so detection completes even when a third-party VPN agent is present. For information on where to set this parameter, see step 18 in Customize the GlobalProtect App.
    The Enable Intelligent Internal Host Detection parameter is available only for GlobalProtect app 6.3.1 and later versions. The minimum required Content release version is 8890-8951.
  • External gateway (auto discovery)—An external gateway resides outside of the corporate network and provides security enforcement and/or virtual private network (VPN) access for your remote users. By default, the GlobalProtect app automatically connects to the Best Available external gateway, based on the priority you assign to the gateway, source region, and the response time (see Gateway Priority in a Multiple Gateway Configuration).
  • External gateway (manual)—A manual external gateway also resides outside of the corporate network and provides security enforcement and/or VPN access for your remote users. The difference between the auto-discovery external gateway and the manual external gateway is that the GlobalProtect app only connects to a manual external gateway when the user initiates a connection. You can also configure different authentication requirements for manual external gateways. To configure a manual gateway, you must identify the gateway as Manual when you Define the GlobalProtect Agent Configurations.
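The gateway selection behaviour this list describes (internal host detection, the internal-then-external order when detection is not configured, the intelligent retry when only an internal gateway exists, Best Available selection of an external gateway by source region, priority and response time, and manual gateways that connect only on user request), modelled in Python as an added example. This is not Palo Alto Networks code and does not reproduce the app's real implementation; DNS resolution, probe response times, region assignments, the gateway names, the ranking of the priority labels and the retry budget are constructed assumptions.

```python
"""Simplified model of how the GlobalProtect app picks a gateway (added example, not PAN code).

DNS answers, response times and regions are mocked so the logic runs offline; the
priority ranking and the retry budget are assumptions, not documented app behaviour.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed ranking of the priority labels (lower value wins).
PRIORITY_RANK = {"highest": 0, "high": 1, "medium": 2, "low": 3, "lowest": 4}


@dataclass
class Gateway:
    name: str
    kind: str                            # "internal" | "external-auto" | "external-manual"
    priority: str = "medium"             # only meaningful for external-auto gateways
    regions: Tuple[str, ...] = ()        # source regions assigned to this gateway; () = any
    response_ms: Optional[float] = None  # constructed probe result; None = unreachable


@dataclass
class InternalHostDetection:
    hostname: str     # name the app resolves to decide whether it is on the internal network
    expected_ip: str  # address that name resolves to only on the internal network


def make_resolver(answers: List[str]):
    """Constructed DNS stub: hands out the answers in order, then repeats the last one."""
    queue = list(answers)
    return lambda hostname: queue.pop(0) if len(queue) > 1 else queue[0]


def internal_host_detected(ihd: InternalHostDetection, resolve) -> bool:
    return resolve(ihd.hostname) == ihd.expected_ip


def first_reachable(gateways: List[Gateway], kind: str) -> Optional[Gateway]:
    return next((g for g in gateways if g.kind == kind and g.response_ms is not None), None)


def best_external(gateways: List[Gateway], user_region: str) -> Optional[Gateway]:
    """Best Available: region match first, then priority, then measured response time."""
    reachable = [g for g in gateways if g.kind == "external-auto" and g.response_ms is not None]

    def rank(g: Gateway):
        region_miss = 0 if (not g.regions or user_region in g.regions) else 1
        return (region_miss, PRIORITY_RANK[g.priority], g.response_ms)

    return min(reachable, key=rank, default=None)


def select_gateway(gateways, resolve, user_region, ihd=None, intelligent_ihd=False, max_retries=3):
    """Return (gateway name or None, reason) for an automatic connection attempt."""
    has_external = any(g.kind == "external-auto" for g in gateways)
    if ihd is None:
        # No internal host detection: try an internal gateway first, fall back to external.
        g = first_reachable(gateways, "internal") or best_external(gateways, user_region)
        return (g.name if g else None, "no-ihd")
    # Retries apply only when no external gateway exists and intelligent detection is enabled.
    attempts = 1 + (max_retries if intelligent_ihd and not has_external else 0)
    for attempt in range(1, attempts + 1):
        if internal_host_detected(ihd, resolve):
            g = first_reachable(gateways, "internal")
            return (g.name if g else None, f"ihd-match attempt {attempt}")
        if has_external:
            g = best_external(gateways, user_region)
            return (g.name if g else None, "ihd-miss external")
    return (None, "ihd-miss no external")


def connect_manual(gateways: List[Gateway], name: str) -> Optional[str]:
    """Manual gateways are never auto-selected; they connect only on an explicit user request."""
    g = next((g for g in gateways if g.name == name and g.kind == "external-manual"), None)
    return g.name if g and g.response_ms is not None else None


# Constructed sample deployment (hypothetical names and addresses).
IHD = InternalHostDetection("ihd.corp.example", "10.10.0.5")
GATEWAYS = [
    Gateway("gw-internal", "internal", response_ms=4.0),
    Gateway("gw-us-east", "external-auto", priority="high", regions=("US",), response_ms=25.0),
    Gateway("gw-eu-west", "external-auto", priority="highest", regions=("EU",), response_ms=90.0),
    Gateway("gw-manual-lab", "external-manual", response_ms=30.0),
]

if __name__ == "__main__":
    print("on corp LAN:  ", select_gateway(GATEWAYS, make_resolver(["10.10.0.5"]), "US", ihd=IHD))
    print("remote, US:   ", select_gateway(GATEWAYS, make_resolver(["203.0.113.9"]), "US", ihd=IHD))
    print("remote, EU:   ", select_gateway(GATEWAYS, make_resolver(["203.0.113.9"]), "EU", ihd=IHD))
    internal_only = [g for g in GATEWAYS if g.kind == "internal"]
    late_vpn = ["203.0.113.9", "203.0.113.9", "10.10.0.5"]  # 3rd-party VPN is up by the 3rd probe
    print("3rd-party VPN:", select_gateway(internal_only, make_resolver(late_vpn), "US", ihd=IHD))
    print("intelligent:  ", select_gateway(internal_only, make_resolver(late_vpn), "US", ihd=IHD,
                                           intelligent_ihd=True))
    print("manual:       ", connect_manual(GATEWAYS, "gw-manual-lab"))
```

The instructive case is the internal-only deployment with a third-party VPN: the first probes resolve the internal name to a public address, so without the intelligent option the app gives up with no User-ID mapping, while with it the third probe succeeds and the internal gateway is selected. The region-first ordering in `best_external` is one plausible reading of "priority, source region, and response time"; treat it as an illustration of the inputs, not as the app's exact weighting.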