<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: XDR Network location configuration &amp; VPN in Cortex XDR Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-network-location-configuration-amp-vpn/m-p/380855#M493</link>
    <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/168714"&gt;@mdsgn1&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;If I understand correctly, you want a way to mark tunneled VPN traffic as "external" so that the Cortex XDR-Managed Windows Firewall can scrutinize the traffic. If that is accurate, I would recommend disabling the Network Location Configuration setting in the Agent Settings Profile for your target endpoint(s). You can do this by going to Endpoints &amp;gt; Profiles, editing your target profile, and then disabling the Network Location Configuration item as shown below.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Disable_Network Location Configuration_TakeI.gif" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29594i5D1A1019350D54E9/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="Disable_Network Location Configuration_TakeI.gif" alt="Disable_Network Location Configuration_TakeI.gif" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt; &lt;/P&gt;&lt;P&gt;Once completed, all traffic will be considered External, as there will no longer be tests to evaluate positioning. Please let me know how this works for you.&lt;BR /&gt;&lt;BR /&gt;PS: As an alternative, you can also configure the Network Location Configuration to test for an IP or domain that you know will fail over the VPN tunnel. However, this would require more advanced knowledge of the network configuration.&lt;/P&gt;</description>
    <pubDate>Tue, 19 Jan 2021 19:36:41 GMT</pubDate>
    <dc:creator>gjenkins</dc:creator>
    <dc:date>2021-01-19T19:36:41Z</dc:date>
    <item>
      <title>XDR Network location configuration &amp; VPN</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-network-location-configuration-amp-vpn/m-p/380736#M491</link>
      <description>&lt;P&gt;Hello!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;On all our endpoints we are using XDR with firewall (uses the built-in Windows firewall) and Palo Alto GlobalProtect VPN connecting to PAN-OS devices at our office. We use split tunneling for the VPN, which means that only specified traffic goes through the VPN tunnel to access internal resources and Active Directory services; the rest stays out of it. We also have different profiles for Internal and External network types, with a lot more restriction on the External.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The issue is that, since most traffic is outside the tunnel, we want the XDR Firewall to consider the endpoint to be on an external network when connected to the VPN. But the check that determines what type of network profile to apply does that with an LDAP connectivity test and a DNS resolve test for some internal domain. Both of these tests pass when connected to the VPN.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;So far the only idea I have had is blocking LDAP connections in our office firewall when the traffic comes from the VPN, but that seems like a bad solution. So maybe someone has experience with how to best solve this?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If the DNS check were a ping rather than a resolve, it would be an easy trick to just block pinging to that name for the VPN subnet, but that is not the case.&lt;/P&gt;</description>
      <pubDate>Tue, 19 Jan 2021 10:01:58 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-network-location-configuration-amp-vpn/m-p/380736#M491</guid>
      <dc:creator>mdsgn1</dc:creator>
      <dc:date>2021-01-19T10:01:58Z</dc:date>
    </item>
    <item>
      <title>Re: XDR Network location configuration &amp; VPN</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-network-location-configuration-amp-vpn/m-p/380855#M493</link>
      <description>&lt;P&gt;Hi &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/168714"&gt;@mdsgn1&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;If I understand correctly, you want a way to mark tunneled VPN traffic as "external" so that the Cortex XDR-Managed Windows Firewall can scrutinize the traffic. If that is accurate, I would recommend disabling the Network Location Configuration setting in the Agent Settings Profile for your target endpoint(s). You can do this by going to Endpoints &amp;gt; Profiles, editing your target profile, and then disabling the Network Location Configuration item as shown below.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Disable_Network Location Configuration_TakeI.gif" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29594i5D1A1019350D54E9/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="Disable_Network Location Configuration_TakeI.gif" alt="Disable_Network Location Configuration_TakeI.gif" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt; &lt;/P&gt;&lt;P&gt;Once completed, all traffic will be considered External, as there will no longer be tests to evaluate positioning. Please let me know how this works for you.&lt;BR /&gt;&lt;BR /&gt;PS: As an alternative, you can also configure the Network Location Configuration to test for an IP or domain that you know will fail over the VPN tunnel. However, this would require more advanced knowledge of the network configuration.&lt;/P&gt;</description>
      <pubDate>Tue, 19 Jan 2021 19:36:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-network-location-configuration-amp-vpn/m-p/380855#M493</guid>
      <dc:creator>gjenkins</dc:creator>
      <dc:date>2021-01-19T19:36:41Z</dc:date>
    </item>
    <item>
      <title>Re: XDR Network location configuration &amp; VPN</title>
      <link>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-network-location-configuration-amp-vpn/m-p/381029#M495</link>
      <description>&lt;P&gt;Thank you for the reply!&lt;/P&gt;&lt;P&gt;Then it is as I understood it from the start: I guess there are workarounds, but no simple and direct way of keeping the automated detection and switching.&lt;/P&gt;</description>
      <pubDate>Wed, 20 Jan 2021 16:46:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xdr-network-location-configuration-amp-vpn/m-p/381029#M495</guid>
      <dc:creator>mdsgn1</dc:creator>
      <dc:date>2021-01-20T16:46:05Z</dc:date>
    </item>
  </channel>
</rss>