GlobalProtect: Disable Local Subnet Access
Resolution
In pre 7.0. PAN-OS versions, when a GlobalProtect connection was established, users would have access to their local subnet. They would still be able to access local printers, local file shares, etc.
This presents a potential risk because one can print sensitive information and/or send this information to local file servers.
Since PAN-OS 7.0, administrators have a way to disable access to the local subnets. All requests to the local subnets will then be routed through the tunnel.
Note that this feature is not supported on iOS or Android clients, so it's Windows or OSX only.
This feature works with different network types. Some examples are hotel/public hotspot, private networks, systems with existing VPN or virtual adapters present, and systems using proxy servers.
Note that this feature supports IPv4 only.
How this works in Windows:
- When GlobalProtect is connected, it will scan the routing table of the local PC and create new, masked routes for all existing local subnet routes with the exception of the localhost route (127.0.0.1) and self-pointing routes of physical adapters.
- When GlobalProtect is disconnected, all these masked routes are removed.
- If GlobalProtect terminates unexpectedly, the masked routes are removed shortly afterwards
- by the OS because the GlobalProtect virtual adapter is no longer present
- if the OS fails to do so, GP will remove them when it restarts
For example, the destination route can be masked as follows:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.177.1 192.168.177.100 257
can be masked to
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.177.1 192.168.177.100 257
0.0.0.0 0.0.0.0 On-link 172.20.30.40 1
Notice that the added route has a lower metric (1) and will therefore be the prefered route.
How this works on OSX:
- Pretty much works the same way. Only OSX handles the masked routes somewhat differently. The Mac adds a flag "I" to the masked route, saying that it's only used for that specific interface scope.
For example, the destination route can be masked as follows:
Destination Gateway Flags Refs Use Netif Expire
10.35.14/24 Link#5 UCS 3 0 en1
can be masked to
Destination Gateway Flags Refs Use Netif Expire
10.35.14/24 7.7.7.5 UGdCSc 0 2 gpd0
10.35.14/24 Link#5 UCSI 1 0 en1
As explained above, the flag 'I' means that RTF_IFSCOPE is used.
Configuration is very easy and can be done on CLI and/or GUI.
Via the CLI:
# set global-protect global-protect-gateway <NAME> remote-user-tunnel-configs <name> no-direct-access-to-local-network
no no
yes yes
Via the GUI:
- PAN-OS 7.0 : Network tab > GlobalProtect > Gateways > <Your Gateway> > Client Configuration > Network Settings > <Your Config> > Network Settings
Setting in PAN-OS 7.0
- PAN-OS 7.1 : Network tab > GlobalProtect > Gateways > <Your Gateway> > Agent > Client Settings > <Your Config> > Network Settings
Setting in PAN-OS 7.1
Note that split tunneling is overridden by this feature! Access routes will not work if you enable this feature, because they will be masked. There is no error or warning message and the 'Access Route' box is not grayed out. You will still be able to create access routes, but just keep in mind they won't work if you have enabled this feature.
For troubleshooting, note that there are no logs added in PAN-OS, PanGPA.log or PanGPS.log. You can see if the feature is enabled or not in PanGPS.log and PanGPA.log. This confirms that your gateway is sending down this configuration.
In Windows, check the Application and System logs for failures to create a route. In OSX, check /var/log/system.log for failures to create a route.