Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
on 09-01-2022 09:24 AM - edited on 09-01-2022 09:32 AM by jforsythe
This article is based on a discussion, What does No Direct access to Local Network actually do and when do we use it??, posted by @Schneur_Feldman and answered by @BPry and @OtakarKlier. Read on to see the discussion and solution!
Can anyone please explain SIMPLY to me what the "No Direct access to Local Network" under Global Protect actually does and mostly when are we supposed to use it?
Basically what does it block and when should we enable it? Full tunnel? Split tunnel? Only split tunnel domain?
It restricts outgoing traffic on the local connected subnet. Instead of that traffic exiting through the local physical adapter like you would expect, the traffic is sent through the tunnel and (usually) dropped by the firewall. There's some behavioral considerations when it comes to existing traffic since macOS won't terminate the existing sessions like Windows does.
When you enable this feature really depends on your own configuration/environment requirements. I'd personally recommend enabling it across the board, but I know some environments don't go that far because it breaks local network functions like network printing to someone's home printer.
This feature is to satisfy compliance requirements around 'No Split Tunneling'. It prevents a user from being on VPN and, at the same time, connecting to their local systems on their home network (as an example).
For example: If your home subnet is 192.168.1.0 and your GP subnet is 10.0.0.0.
By enabling "No Direct access to Local Network," you won't be able to access for example a printer on the local 192.168.1.0 network while being connected to the VPN.
Essentially you'll be cutting off Local LAN access.
