XDR Network location configuration & VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XDR Network location configuration & VPN

L1 Bithead

Hello!

 

On all our endpoints we are using XDR with firewall(Uses built in Windows firewall) and Palo Alto GlobalProtect VPN connecting to PanOS devices at our office. We use split tunneling for the VPN, that means that only specified traffic goes through VPN tunnel to access internal resources and Active Directory services, the rest stays out of it. We also have different profiles for Internal and External network types, with a lot more restriction on the External.

 

The issue is that due to most traffic being outside the tunnel, we want XDR Firewall to consider being an external network when connected to VPN. But the check that determines what type of network profile to apply does that with an LDAP connectivity test and a DNS resolve test for some internal domain. Both of these tests pass when connected to VPN.

 

So far the only idea I have had is blocking LDAP connections in our office firewall when the traffic comes from VPN, but that seems like a bad solution. So maybe someone has experience with how to best solve this?

 

If the DNS check would be rather ping, than resolve, then it would be an easy trick to just block pinging to that name for VPN subnet, but that is not the case.

2 REPLIES 2

L4 Transporter

Hi @mdsgn1,

If I understand correctly, you want a way to mark tunneled VPN traffic as "external" so that the Cortex XDR-Managed Windows Firewall can scrutinize the traffic. If that is accurate, I would recommend disabling the Network Location Configuration setting in the Agent Settings Profile for your target endpoint(s). You can do this by going to Endpoints > Profiles, Editing your target profile, and then disabling the Network Location Configuration item as shown below.

 

Disable_Network Location Configuration_TakeI.gif

Once completed, all traffic will be considered External as there will no longer be tests to evaluate positioning. Please let me know how this works for you.

PS:  As an alternative, you can also configure the Network Location Configuration to test for an IP or Domain that you know will fail over the VPN tunnel. However, this would require more advanced knowledge of the network configuration.

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events!

*Cortex XDR Customer Corner: https://live.paloaltonetworks.com/t5/cortex-xdr-customer-corner/ct-p/Cortex_XDR_Customer_Corner

Join our Cortex XDR Office Hours to receive live guidance and training from our Customer Success Architects.

*Cortex XDR Office Hours [NAM]: https://paloaltonetworks.zoom.us/webinar/register/3316669859020/WN_yMpAB-aBTt6xk2h-gsra4w
*Cortex XDR Office Hours [EMEA/APAC]: https://paloaltonetworks.zoom.us/webinar/register/4116709604301/WN_CZuFE5CHQbG9LUEqugsIOw

Thank you for the reply!

Then it is as I understood it from the start, I guess there are workarounds, but no simple and direct way of keeping the automated detection and switching.

  • 3541 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!