Internal Gateway Selection by Source IP Address

GlobalProtect can now restrict internal gateway connection choices based on the source IP address of the client. In a distributed enterprise, this feature allows users from a branch authenticate and send HIP reports to the firewall configured as the internal gateway for that branch as opposed to authenticating and sending HIP reports to all branches. Previously, to prevent GlobalProtect applications from sending HIP information to a large number of gateways, you had to configure multiple portals.
With this feature, internal gateway selection is based on the following considerations:
  • The source IP address of the connecting endpoint. The GlobalProtect client only authenticates to internal gateways which are configured to accept connections from selected ranges of IP addresses.
  • If the connecting endpoint uses DHCP for IP addressing, the GlobalProtect client authenticates to internal gateways based on a list of gateways obtained as an option from a DHCP server.
When both the source address and DHCP options are configured, the list of available gateways presented to the client is based on the combination (union) of the two configurations.
  1. Define a GlobalProtect Agent Configuration .
  2. On the Internal tab, Add a new internal gateway configuration for the agent, or modify an existing internal gateway configuration.
  3. (Optional) Add one or more Source Addresses to the gateway configuration. The source address can be an IP subnet or range. It can also be a predefined address. When users connect, GlobalProtect recognizes the source address of the device and only allows users to connect to gateways that are configured for that address.
    gp-portal-DHCP-highlight.png
  4. Click OK to save your changes.
  5. (Optional) Add a DHCP Option 43 Code to the gateway configuration. You can include one or more sub-option codes associated with the vendor-specific information (Option 43) that the DHCP server has been configured to offer the client. For example, you might have a sub-option code 100 that is associated with an IP address of 192.168.3.1.
    When a user connects, the GlobalProtect portal sends the list of option codes in the portal configuration to the GlobalProtect agent and the agent selects gateways indicated by the options.
    When both the source address and DHCP options are configured, the list of available gateways presented to the client is based on the combination (union) of the two configurations.
    DHCP options are supported on Windows and Mac endpoints only. DHCP options cannot be used to select gateways that use IPv6 addressing.
  6. Save the agent configuration.
    • Click OK.
    • Commit your changes.

Related Documentation