01-19-2021 02:01 AM
On all our endpoints we are using XDR with firewall (uses the built-in Windows firewall) and Palo Alto GlobalProtect VPN connecting to PAN-OS devices at our office. We use split tunneling for the VPN, which means that only specified traffic goes through the VPN tunnel to access internal resources and Active Directory services; the rest stays out of it. We also have different profiles for Internal and External network types, with a lot more restriction on the External one.
The issue is that, because most traffic is outside the tunnel, we want the XDR firewall to treat the endpoint as being on an external network when connected to the VPN. But the check that determines which type of network profile to apply does so with an LDAP connectivity test and a DNS resolve test for some internal domain. Both of these tests pass when connected to the VPN.
So far the only idea I have had is blocking LDAP connections in our office firewall when the traffic comes from VPN, but that seems like a bad solution. So maybe someone has experience with how to best solve this?
If the DNS check were a ping rather than a resolve, it would be an easy trick to just block pinging that name from the VPN subnet, but that is not the case.
01-19-2021 11:17 AM - edited 01-19-2021 11:36 AM
If I understand correctly, you want a way to mark tunneled VPN traffic as "external" so that the Cortex XDR-managed Windows Firewall can scrutinize the traffic. If that is accurate, I would recommend disabling the Network Location Configuration setting in the Agent Settings Profile for your target endpoint(s). You can do this by going to Endpoints > Profiles, editing your target profile, and then disabling the Network Location Configuration item as shown below.
Once completed, all traffic will be considered External as there will no longer be tests to evaluate positioning. Please let me know how this works for you.
PS: As an alternative, you can also configure the Network Location Configuration to test for an IP or Domain that you know will fail over the VPN tunnel. However, this would require more advanced knowledge of the network configuration.
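To see concretely why both location probes pass over a split tunnel, and how the alternative in the PS (pointing the check at a name that only resolves on the office LAN) changes the outcome, here is an added example that reproduces the two checks the thread describes. This is illustrative code written for this thread, not the Cortex XDR agent's own implementation or Palo Alto code. It assumes the LDAP connectivity test can be approximated by a TCP connect to port 389 and that the DNS test is a plain name resolution; all host and domain names are placeholders.

```python
import socket

# Hypothetical reproduction of the two probes described in the thread:
# an LDAP connectivity test and a DNS resolve test. Both must pass for
# the endpoint to be treated as "Internal"; otherwise it is "External".

LDAP_PORT = 389        # assumption: the probe targets plain LDAP, not LDAPS
PROBE_TIMEOUT = 2.0    # seconds; constructed value


def ldap_reachable(host, port=LDAP_PORT, connect=socket.create_connection):
    """True if a TCP connection to the LDAP port succeeds within the timeout."""
    try:
        with connect((host, port), timeout=PROBE_TIMEOUT):
            return True
    except OSError:
        return False


def dns_resolves(name, resolve=socket.gethostbyname):
    """True if the name resolves using the endpoint's current DNS settings."""
    try:
        resolve(name)
        return True
    except OSError:  # socket.gaierror is an OSError subclass
        return False


def classify(ldap_ok, dns_ok):
    """Profile selection as the thread describes it: both probes must pass."""
    return "Internal" if (ldap_ok and dns_ok) else "External"


def evaluate(ldap_host, probe_name,
             connect=socket.create_connection, resolve=socket.gethostbyname):
    """Run both probes and report the profile the endpoint would receive."""
    ldap_ok = ldap_reachable(ldap_host, connect=connect)
    dns_ok = dns_resolves(probe_name, resolve=resolve)
    return {"ldap": ldap_ok, "dns": dns_ok, "profile": classify(ldap_ok, dns_ok)}


def simulate(ldap_host, probe_name, reachable_hosts, resolvable_names):
    """Evaluate against a constructed view of the network, for offline runs.

    reachable_hosts: hosts whose LDAP port accepts connections from here.
    resolvable_names: names the endpoint's current resolver can answer.
    """
    class _FakeSocket:
        def __enter__(self):
            return self

        def __exit__(self, *exc):
            return False

    def connect(addr, timeout=None):
        if addr[0] in reachable_hosts:
            return _FakeSocket()
        raise OSError("connection refused")

    def resolve(name):
        if name in resolvable_names:
            return "10.0.0.1"  # constructed address
        raise OSError("name not known")

    return evaluate(ldap_host, probe_name, connect=connect, resolve=resolve)


if __name__ == "__main__":
    import sys
    # Live run against real targets (placeholder names; replace with your own).
    ldap_host = sys.argv[1] if len(sys.argv) > 1 else "dc1.corp.example"
    probe_name = sys.argv[2] if len(sys.argv) > 2 else "lanonly.corp.example"
    print(evaluate(ldap_host, probe_name))
```

Run with the domain controller and the probed name as arguments from a VPN-connected endpoint to see which profile the two checks would select. The `simulate()` helper shows the thread's situation offline: with the AD domain as the probe name, a split-tunneled VPN client passes both tests and lands in Internal; with a name that only the office LAN resolver knows, the DNS probe fails over the VPN and the endpoint lands in External, which is the effect the PS above describes.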
01-20-2021 08:46 AM
Thank you for the reply!
Then it is as I understood it from the start. I guess there are workarounds, but no simple and direct way of keeping the automated detection and switching.