GlobalProtect Administrator’s Guide 163
GlobalProtect for Internal HIP Checking and User-Based Access
When used in conjunction with User-ID and/or HIP checks, an internal gateway can be used to provide a
secure, accurate method of identifying and controlling traffic by user and/or device state, replacing other
network access control (NAC) services. Internal gateways are useful in sensitive environments where
authenticated access to critical resources is required.
In a configuration with only internal gateways, all clients must be configured for user-logon mode; on-demand mode
is not supported. It is also recommended that every client configuration use single sign-on (SSO). Because internal
hosts do not need to establish a tunnel connection with the gateway, the IP address of the physical network adapter
on the client system is the address the gateway sees and maps to the user.
In this quick config, internal gateways are used to enforce group-based policies that allow users in the
Engineering group access to the internal source control and bug databases, and users in the Finance group access
to the CRM applications. All authenticated users have access to internal web resources. In addition, HIP profiles
configured on the gateway check each host for compliance with internal maintenance requirements, such
as whether the latest security patches and antivirus definitions are installed, whether disk encryption is enabled,
and whether the required software is installed.
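The following is an added illustrative model of the access decision this quick config describes; it is Python written for this page, not PAN-OS or GlobalProtect code. The HIP check names, the required software name, and the choice to gate every rule on HIP compliance are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional, Set

@dataclass(frozen=True)
class HipReport:
    """Constructed host state, standing in for the report the GlobalProtect agent submits."""
    patches_current: bool
    av_definitions_current: bool
    disk_encrypted: bool
    installed_software: frozenset

# Hypothetical HIP profile: every check below must pass for the host to match.
REQUIRED_SOFTWARE = frozenset({"corp-endpoint-agent"})  # assumed software name

def hip_match(report: HipReport) -> bool:
    return (report.patches_current and report.av_definitions_current
            and report.disk_encrypted
            and REQUIRED_SOFTWARE <= report.installed_software)

# Rules from the quick config as (source user group, destinations). "any" matches every
# authenticated user. Each rule is modelled as also requiring the HIP profile above (assumption).
RULES = (
    ("Engineering", ("source-control", "bug-db")),
    ("Finance", ("crm",)),
    ("any", ("internal-web",)),
)

def allowed_destinations(user: Optional[str], groups: Set[str], report: HipReport) -> Set[str]:
    """Destinations the internal-gateway policy permits for this user and host state."""
    if user is None:           # no User-ID mapping for the source IP: nothing matches
        return set()
    if not hip_match(report):  # host fails the maintenance requirements
        return set()
    allowed: Set[str] = set()
    for group, dests in RULES:
        if group == "any" or group in groups:
            allowed.update(dests)
    return allowed

def evaluate(user: Optional[str], groups: Set[str], report: HipReport, dest: str) -> str:
    return "allow" if dest in allowed_destinations(user, groups, report) else "deny"

if __name__ == "__main__":
    compliant = HipReport(True, True, True, frozenset({"corp-endpoint-agent"}))
    stale_av = HipReport(True, False, True, frozenset({"corp-endpoint-agent"}))
    print(evaluate("alice", {"Engineering"}, compliant, "bug-db"))   # allow
    print(evaluate("alice", {"Engineering"}, compliant, "crm"))      # deny: wrong group
    print(evaluate("bob", {"Finance"}, stale_av, "crm"))             # deny: HIP failed
    print(evaluate(None, set(), compliant, "internal-web"))          # deny: no user mapping
```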
Figure: GlobalProtect Internal Gateway Configuration