topic Re: GlobalProtect Route Precedence in General Topics

GlobalProtect Cloud Services Route Precedence

LCMember2050 — Thu, 11 Jul 2019 02:47:50 GMT

We have had overlapping subnet scenarios where someone is connecting using GlobalProtect Cloud Services from a subnet that overlaps our internal subnet and, as they have a more specific route, access to internal resources is failing as the taffic is being routed via the local router instead of over the VPN due to the more specific route. Due to the size of our internal network, adding more specific routes for all of our subnets isn't really an option and this could be undone anyway with a more specific route.

Does anyone know a way to force all internal traffic down the VPN instead of following more specific routes?

NOTE: GlobalProtect Cloud Service has changed to Prisma Access.

Re: GlobalProtect Route Precedence

Mick_Ball — Thu, 27 Sep 2018 14:36:29 GMT

Hmm.. no, but do they need local routing, seems a bit odd if your route takes precedence, or is it all the other routes that are local...

never had this issue as we do not allow split tunneling...

Re: GlobalProtect Route Precedence

Mick_Ball — Thu, 27 Sep 2018 14:37:15 GMT

well i say "No" but watch this space...

Re: GlobalProtect Route Precedence

LCMember2050 — Fri, 28 Sep 2018 08:28:58 GMT

We mostly see the issue when users are connecting from hotel networks so have no control on their routes. We can manually remove the local route to get the traffic down the tunnel but not the easiest solution for users.

Re: GlobalProtect Route Precedence

Mick_Ball — Fri, 28 Sep 2018 08:36:40 GMT

if you remove all routes from the gateway config on the palo alto it will auto force all traffic down the tunnel by default.

Re: GlobalProtect Route Precedence

LCMember2050 — Fri, 28 Sep 2018 12:03:38 GMT

Have removed all routes but traffic matching the local route still isn't going down the tunnel.

P.S. thanks for your helpful replies.

Re: GlobalProtect Route Precedence

LCMember2050 — Fri, 28 Sep 2018 12:28:14 GMT

It looks like we need to enable the option "No direct access to local network" to force all traffic down the tunnel but this would prevent access to local resources like printers. Guess thats a decision we'll have to make.

Thanks again for your help Mick.

Re: GlobalProtect Route Precedence

OtakarKlier — Fri, 28 Sep 2018 14:27:52 GMT

Hello,

How about something like in the article:

https://www.paloaltonetworks.com/documentation/10/cloud-services/globalprotect-cloud-service-gsg/gpcs-quick-configs/remote-network-locations-with-overlapping-subnets

Regards,

Re: GlobalProtect Route Precedence

Mick_Ball — Fri, 28 Sep 2018 15:29:41 GMT

Sure, but the user could just disable GP to print, or use USB, you have a few options but if you deffo need access to both then specific host routes could be an option as you only need to set them once for all users.

luckily we have a strict no split tunnel policy so never been an issue and for a small group of users that must remote print they have a seperate portal config via AD group that allows GP disable.

Re: GlobalProtect Route Precedence

Mick_Ball — Fri, 28 Sep 2018 15:31:25 GMT

Sorry @OtakarKlier, that was not a reply to you... i only just read your post. Is this doable on local kit or do you need to invest in cloud services.

Re: GlobalProtect Route Precedence

OtakarKlier — Fri, 28 Sep 2018 16:20:37 GMT

Hello,

The PAN's can do this nativly, I should have read more rather than pasting :). Check this out:

https://live.paloaltonetworks.com/t5/Featured-Articles/DotW-Help-with-IPSec-Proxy-IDs-with-overlapping-IPs/ta-p/69123

Does this more closely resendble the scenario?

Re: GlobalProtect Cloud Services Route Precedence

jasonrakers — Thu, 28 Jul 2022 19:03:12 GMT

I think we have a fix for this issue of overlapping addresses for Mobile Users of Prisma Access. We applied the traditional GlobalProtect approach by updating the split-tunnel settings to include both the internal network which should be routed over the tunnel and the 0.0.0.0/0. By default (with no entries in this box), Prisma Access sends all traffic to the regional gateway. With the overlapping issue, we need the client to ignore the local network routing. The default route is needed in order to send client internet traffic to the regional gateway. Without the default route, internet is offloaded at the local network POP rather than the regional Prisma Access gateway.