When a GlobalProtect client starts a connection it checks the location.
The GlobalProtect client will try to do a reverse lookup for the configured IP address and will try to match it to the configured hostname in the Internal Host Detection on the portal configuration.
If the lookup works, GlobalProtect will identify the network as an internal network. If the resolution fails it will identify the network as public and will try to create a VPN tunnel.
If the network is identified as internal, GlobalProtect will try to connect to the internal gateway. An additional gateway license is needed for the internal gateway connection to work.
Note: Make sure the lookup is not initiated from the public network.
During this process the logs may say that the GlobalProtect client is in lite mode, but was able to detect that it is in the intranet.
The Internal Host Detection is working in "lite" mode, which means an internal gateway is not defined and the name resolution is used only for location detection:
(T8984) 11/13/14 17:03:20:955 Debug(1225): IP 10.10.10.10
(T8984) 11/13/14 17:03:20:955 Debug(1244): host ilija-dc-1.al.com
(T8984) 11/13/14 17:03:20:957 Debug(1260): DnsQuery returns 0
(T8984) 11/13/14 17:03:20:957 Debug(1285): The host name is ilija-dc-1.al.com
(T8984) 11/13/14 17:03:20:957 Debug(2232): warning! lite mode, but we are in intranet.
Note: This is not an error message, just a warning that is shown when the Internal Host Detection is on and an internal gateway is not created.