https://live.paloaltonetworks.com/t5/globalprotect-discussions/implications-of-quot-no-direct-access-to-local-network-quot/m-p/430008#M1664 <P>Hey folks.</P><P>&nbsp;</P><P>I, like probably a lot of us these days, use Global protect for the major percentage of the company's workforce. I run split tunneling - internal resources go over the tunnel, anything else just uses the local internet.</P><P>&nbsp;</P><P>Recently, I have had the need thrown at me the requirement to provide split tunneling for a set of addresses which are a dynamic DNS entry rather than&nbsp; fixed IP or subnet.</P><P>&nbsp;</P><P>This seems to be perfect for adding into the "Domains and Applications' section of the client configuration - but after researching, I find this won't work without ticking the "No Direct access to Local Network" toggle.</P><P>&nbsp;</P><P>Can anyone tell me the implications of doing this? Is it <STRONG>just</STRONG> the local interface network which can't be accessed while Global protect is running - or does this effectively make split tunneling useless by locking out anything except the tunnel?</P><P>&nbsp;</P><P>I can't seem to find a definitive answer - it <STRONG>should</STRONG> just be what the wording says - lockout of the local LAN used to get internet access - but I've had situations where the logical interpretation of Palo Alto speak turns out to be not so logical before!</P><P>&nbsp;</P><P>Thanks for any input</P> Sun, 29 Aug 2021 23:49:42 GMT darren_g 2021-08-29T23:49:42Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/implications-of-quot-no-direct-access-to-local-network-quot/m-p/430008#M1664 <P>Hey folks.</P><P>&nbsp;</P><P>I, like probably a lot of us these days, use Global protect for the major percentage of the company's workforce. I run split tunneling - internal resources go over the tunnel, anything else just uses the local internet.</P><P>&nbsp;</P><P>Recently, I have had the need thrown at me the requirement to provide split tunneling for a set of addresses which are a dynamic DNS entry rather than&nbsp; fixed IP or subnet.</P><P>&nbsp;</P><P>This seems to be perfect for adding into the "Domains and Applications' section of the client configuration - but after researching, I find this won't work without ticking the "No Direct access to Local Network" toggle.</P><P>&nbsp;</P><P>Can anyone tell me the implications of doing this? Is it <STRONG>just</STRONG> the local interface network which can't be accessed while Global protect is running - or does this effectively make split tunneling useless by locking out anything except the tunnel?</P><P>&nbsp;</P><P>I can't seem to find a definitive answer - it <STRONG>should</STRONG> just be what the wording says - lockout of the local LAN used to get internet access - but I've had situations where the logical interpretation of Palo Alto speak turns out to be not so logical before!</P><P>&nbsp;</P><P>Thanks for any input</P> Sun, 29 Aug 2021 23:49:42 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/implications-of-quot-no-direct-access-to-local-network-quot/m-p/430008#M1664 darren_g 2021-08-29T23:49:42Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/implications-of-quot-no-direct-access-to-local-network-quot/m-p/430042#M1666 <P>Hello</P><P>&nbsp;</P><P>Can you please point out where you read the constraints of "No direct access to Local Networks" in relation with "Domains and Applications".</P><P>On our systems "No direct access to Local Networks" is NOT ticked, but access to domain based destinations is configured (and it seems to work fine).</P> Mon, 30 Aug 2021 06:17:49 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/implications-of-quot-no-direct-access-to-local-network-quot/m-p/430042#M1666 JoergSchuetter 2021-08-30T06:17:49Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/implications-of-quot-no-direct-access-to-local-network-quot/m-p/430046#M1667 <P>The 'domains and apps' section in split tunnelling does require a license, but the access to local network does not need to be enabled</P><P>The latter option prevents access to resources on the client's local interface subnet (home printers/Nas device,...) But local internet breakout and tunneled subnets will still be accessible</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 30 Aug 2021 06:40:19 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/implications-of-quot-no-direct-access-to-local-network-quot/m-p/430046#M1667 reaper 2021-08-30T06:40:19Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/implications-of-quot-no-direct-access-to-local-network-quot/m-p/430255#M1668 <P>It was a discussion or article I found on here (live community), from memory - I didn't save it, but if I can find it again, I will.</P><P>&nbsp;</P><P>So if I simply add the domains I want into the domain based destinations, it should just work? Are the ports optional? or do I have to add them?</P> Tue, 31 Aug 2021 00:27:54 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/implications-of-quot-no-direct-access-to-local-network-quot/m-p/430255#M1668 darren_g 2021-08-31T00:27:54Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/implications-of-quot-no-direct-access-to-local-network-quot/m-p/430257#M1669 <P>I do have the Global protect license on the firewall, so that's not an issue.</P><P>&nbsp;</P><P>I guess I'll just add the domains into the configuration and see what happens. Do you know if the port are optional, or if I have to include them?</P> Tue, 31 Aug 2021 00:34:57 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/implications-of-quot-no-direct-access-to-local-network-quot/m-p/430257#M1669 darren_g 2021-08-31T00:34:57Z