topic Re: Disabling Direct Access To Local Networks - GP VPN in General Topics

Disabling Direct Access To Local Networks - GP VPN

indysogi — Tue, 24 Nov 2015 15:40:02 GMT

Hi,

I was wondering whether someone can provide me clarification on this feature.

Palo states

"You can now disable direct access to local networks so that users cannot send traffic to proxies or local resources while connected to a GlobalProtect VPN. For example, if a user establishes a GlobalProtect VPN tunnel while connected to a public hotspot or hotel Wi-Fi, and this feature is enabled, all traffic is routed through the tunnel and is subject to policy enforcement by the firewall."

I was under the impression that security policies would enforce what a GP VPN client can access or not including local networks as well as advising the access routes. Are Palo saying local networks/zones/interfaces directly conneced to the firewall? If the security policy allows access to proxies or local resources, surely this feature would be useless.

Re: Disabling Direct Access To Local Networks - GP VPN

BenjAudy.MTL — Tue, 24 Nov 2015 16:03:22 GMT

Hi,

The way I understand it, GlobalProtect normally adds entries in the routing table so that trafic meant for your enterprise network (the access routes you configured) will go through the VPN tunnel, while the rest of the traffic will not. With this option, there will be only one route in your client computer: the one going to the VPN tunnel. This way, the client computer will not be able to talk directly to other network resources on his network (at home, for example).

Hope this helps,

Benjamin

Re: Disabling Direct Access To Local Networks - GP VPN

gtomte — Tue, 24 Nov 2015 18:01:38 GMT

By default, if GP have a default route into the VPN, the client can still communicate with all devices on the local LAN. There are no security policies on the endpoint. This new feature is great, and restricts local LAN access for the client.