GlobalProtect app fails to detect Internal Network with Internal Host Detection enabled
Symptom
The GlobalProtect app fails to detect that it is inside the corporate network when Internal Host Detection is enabled.
Environment
- GlobalProtect app
- Windows clients
- macOS clients
Resolution
Once the GlobalProtect app has successfully connected to the portal and downloaded its agent configuration, it performs network discovery, during which it checks whether Internal Host Detection is configured. If it is configured, the GlobalProtect app attempts a reverse DNS lookup of the specified IP address, which should resolve to the specified hostname. In either case (failure or success), an entry is made in the PanGPS.log file with the reverse DNS lookup result. If the lookup fails, check the following to troubleshoot Internal Host Detection issues:
- Check the following article for common DNS query response errors in the PanGPS.log file: Most Common DNS Query Responses for Internal Host Detection
- Run the command below from the affected machine to check whether the reverse DNS lookup returns a hostname that matches the hostname configured under the Internal tab of the GlobalProtect portal agent configuration:
ping -a <IP-address>
- The specified IP address does not have to be reachable internally. The GlobalProtect app verifies only by reverse DNS lookup, not by pinging the IP address.
- The hostname is case-sensitive. Make sure that the hostname in the PTR record exactly matches the hostname configured in the GlobalProtect portal agent configuration.
- When no hostname is returned, check that the internal DNS server(s) have a PTR record configured for the specified IP address.
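The checks above can be scripted so that a missing PTR record, a case-only mismatch and a different hostname are told apart on an affected Windows or macOS client. This is an added example, not Palo Alto Networks code: it asks the operating system resolver for the PTR name and compares it exactly with the hostname you pass in. The script name `ihd_check.py` and the function names and result labels are assumptions made for illustration.

```python
import socket
import sys


def reverse_lookup(ip):
    """Return the hostname the OS resolver gives for ip, or None if none is returned."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def diagnose(configured, returned):
    """Classify the lookup result against the hostname configured on the portal."""
    if not returned:
        return "NO_PTR"
    if returned == configured:           # exact, case-sensitive comparison
        return "MATCH"
    if returned.lower() == configured.lower():
        return "CASE_MISMATCH"
    return "DIFFERENT_HOST"


ADVICE = {
    "MATCH": "PTR record matches the configured hostname exactly.",
    "NO_PTR": "No hostname returned: check the PTR record on the internal DNS server(s).",
    "CASE_MISMATCH": "Hostname differs only in letter case: align the PTR record and the portal setting.",
    "DIFFERENT_HOST": "PTR record points to another hostname than the one configured on the portal.",
}


def main(argv):
    if len(argv) != 3:
        print("usage: ihd_check.py <IP-address> <configured-hostname>")
        return 2
    ip, configured = argv[1], argv[2]
    returned = reverse_lookup(ip)
    result = diagnose(configured, returned)
    print(f"configured={configured!r} returned={returned!r} -> {result}")
    print(ADVICE[result])
    return 0 if result == "MATCH" else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the IP address and hostname from the Internal tab of the portal agent configuration; a non-zero exit code means the reverse lookup did not produce an exact match.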
Additional Information
Internal Host Detection is not supported when the Connect Method is On-Demand