How and when does a GlobalProtect app detect if it is on an internal network?

When does GlobalProtect app detect for whether its external or internal to the corporate network?

• Palo Alto Firewalls
• Supported PAN-OS
• GlobalProtect (GP) App
• Internal Host Detection (IHD)
• Always-on connect methods

1. GP app will perform network detection when "Network Discover" event is initiated.
2. There are several ways that trigger network discovery event:
   1. Loss of connection occurring due to gateway not responding to GP keepalive packets. This leads to tunnel restoration process where 3 attempts are made for revival till tunnel is torn down and network discovery starts. This is for Always-on mode.
   2. Upon network switch from external to internal or vice versa.
   3. When performing Refresh Connection.
3. Once network discovery is triggered, GP app performs IHD i.e. reverse DNS lookup against the IP address configured in portal agent configuration.
4. If it is successful, GP app will detect that it is internal.
5. If there are multiple internal gateways, GP app will try to connect to all internal gateways unless a specific source address subnet is specified or DHCP Option 43 is configured for gateway selection.
6. If the GP app fails to connect to any internal gateway, GP app will still show "Internal" since IHD was successful
7. To enforce "Internal" GP app status based on internal gateway connection, Advanced Internal Host Detection can be configured where GP app will move to external gateway connection when IHD is successful but none of the internal gateways are reachable.
8. If GP app has on-demand connect method but would still like to use IHD feature, Conditional Connect Method can be configured.

• Internal Host Detection configured but Global Protect Users still connecting to External Gateway
• GlobalProtect app fails to detect Internal Network with Internal Host Detection enabled
• Most Common DNS Query Responses for Internal Host Detection