<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic GlobalProtect at an IPsec S2S branch office in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-at-a-ipsec-s2s-branch-office/m-p/436121#M1814</link>
    <description>&lt;P&gt;Hi all&lt;/P&gt;&lt;P&gt;We have a load of small branch offices that terminate at our Azure Palo Alto gateway over an IPsec tunnel (via a Draytek router). This all works and allows printing &amp;amp; RDP to on-prem services. We also have the GlobalProtect gateway on the same Palo Alto, albeit on a separate subnet.&lt;/P&gt;&lt;P&gt;We are starting to pilot Win10 devices with GlobalProtect. The branch offices have a separate Wi-Fi which is essentially a public Wi-Fi.&lt;/P&gt;&lt;P&gt;The setup is that the (Intuned) Win10 device has 2 networks; when docked, they are hardwired into the IPsec router (so are connected to the LAN that is connected to Azure over the IPsec tunnel), and when undocked, they are connected to the public Wi-Fi and GlobalProtect allows them to access 365/on-prem resources.&lt;/P&gt;&lt;P&gt;What I'm unclear about is when the device is docked and therefore hardwired to the Draytek router, so traffic flows over the IPsec tunnel, and GlobalProtect is also connected - both methods have the same destination subnets incl. in their routing tables - device traffic flows through GP, but:&lt;/P&gt;&lt;P&gt;- is there an overhead with GP connecting through an IPsec tunnel? I imagine this will add to the latency at the very least&lt;/P&gt;&lt;P&gt;I've tried configuring policy routing on the Draytek to force all traffic through the IPsec tunnel (so GP can be disabled when hardwired) but have struggled to set this up consistently across the various Draytek models that we have at the +70 sites. This would have allowed us to use the Palo for URL filtering etc.&lt;/P&gt;&lt;P&gt;Thanks in advance&lt;/P&gt;&lt;P&gt;Ben&lt;/P&gt;</description>
    <pubDate>Thu, 23 Sep 2021 10:42:07 GMT</pubDate>
    <dc:creator>benslade</dc:creator>
    <dc:date>2021-09-23T10:42:07Z</dc:date>
    <item>
      <title>GlobalProtect at an IPsec S2S branch office</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-at-a-ipsec-s2s-branch-office/m-p/436121#M1814</link>
      <description>&lt;P&gt;Hi all&lt;/P&gt;&lt;P&gt;We have a load of small branch offices that terminate at our Azure Palo Alto gateway over an IPsec tunnel (via a Draytek router). This all works and allows printing &amp;amp; RDP to on-prem services. We also have the GlobalProtect gateway on the same Palo Alto, albeit on a separate subnet.&lt;/P&gt;&lt;P&gt;We are starting to pilot Win10 devices with GlobalProtect. The branch offices have a separate Wi-Fi which is essentially a public Wi-Fi.&lt;/P&gt;&lt;P&gt;The setup is that the (Intuned) Win10 device has 2 networks; when docked, they are hardwired into the IPsec router (so are connected to the LAN that is connected to Azure over the IPsec tunnel), and when undocked, they are connected to the public Wi-Fi and GlobalProtect allows them to access 365/on-prem resources.&lt;/P&gt;&lt;P&gt;What I'm unclear about is when the device is docked and therefore hardwired to the Draytek router, so traffic flows over the IPsec tunnel, and GlobalProtect is also connected - both methods have the same destination subnets incl. in their routing tables - device traffic flows through GP, but:&lt;/P&gt;&lt;P&gt;- is there an overhead with GP connecting through an IPsec tunnel? I imagine this will add to the latency at the very least&lt;/P&gt;&lt;P&gt;I've tried configuring policy routing on the Draytek to force all traffic through the IPsec tunnel (so GP can be disabled when hardwired) but have struggled to set this up consistently across the various Draytek models that we have at the +70 sites. This would have allowed us to use the Palo for URL filtering etc.&lt;/P&gt;&lt;P&gt;Thanks in advance&lt;/P&gt;&lt;P&gt;Ben&lt;/P&gt;</description>
      <pubDate>Thu, 23 Sep 2021 10:42:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/global-protect-at-a-ipsec-s2s-branch-office/m-p/436121#M1814</guid>
      <dc:creator>benslade</dc:creator>
      <dc:date>2021-09-23T10:42:07Z</dc:date>
    </item>
  </channel>
</rss>

