How does GlobalProtect Enforcer function when Internal Host Detection (IHD) is configured and the configuration does not have Internal Gateways defined?

Created On 07/02/25 15:01 PM - Last Modified 03/20/26 20:45 PM


Question




Environment




Answer


In this case GlobalProtect will treat the tunnel status as "Internal" and blocking is NOT enforced.



Additional Information


Additional details for an alternate scenario:

  • When Internal Host Detection (IHD) is not configured and the identified network type is Internal, but both External and Internal Gateways are configured, GlobalProtect will assume the network type is Internal and will connect to the Internal Gateway. After the connection to the Internal Gateway is successfully established, the enforcer will disengage, unblocking traffic.
  • Whether the Internal Gateway is set to Tunnel or No Tunnel does not make any difference.

