topic starting the GP linux client blocks inbound communication in GlobalProtect Discussions

starting the GP linux client blocks inbound communication

chrisr — Mon, 18 Jan 2021 14:36:56 GMT

Hello. I have a server that I use as a "bridge" that I use to keep a persistent VPN connection active to a restricted network, to extract report data. We were previously using the openconnect client for the bridge, but recently, the secure network changed to use GlobalProtect. When I tried to replace openclient with the linux GP client, something odd starting happening. Typically, I ssh into the bridge server, and start up the vpn client, and then ping some of the restricted servers to make sure the vpn connection is running correctly. This worked fine with openclient. Now though, after establishing the ssh connection, and starting the GP client, my ssh session seems to become blocked, and any attempt to start a new ssh session also fails. I left a little script running on the bridge server to see if the connection is being established ok, and it looks like it is, so it would appear that starting the connection is somehow preventing inbound connectivity. Does the GP client enable/change inbound firewall rules or something? The only way I can get back into the bridge server is to reboot the server, or possibly wait for the vpn connection to disconnect. If it does start up some firewall rules, is there some way to allowlist specific subnets or something?

Re: starting the GP linux client blocks inbound communication

chrisr — Wed, 20 Jan 2021 15:48:09 GMT

Apparently, starting up the GP client changes the routing tables on the box, blocking inbound connections.

Re: starting the GP linux client blocks inbound communication

BPry — Wed, 20 Jan 2021 16:01:06 GMT

@chrisr,

This depends entirely on how the folks running this secure network have configured GlobalProtect, and if it is in fact a secured network I would expect them to not allow local network access while the VPN is active. This is a pretty common configuration option, and I would expect that it's entirely intentional. That being said, it may be worth asking if it was intentional to see if they even realize that they checked that option. My guess is they know what they've done however.