General Articles
LIVEcommunity's General Articles area is home to how-to resources, technical documentation, and discussions with Accepted Solutions that turn into articles related to all Palo Alto Networks products.
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
About General Articles
LIVEcommunity's General Articles area is home to how-to resources, technical documentation, and discussions with Accepted Solutions that turn into articles related to all Palo Alto Networks products.
This article is based on a discussion, What does No Direct access to Local Network actually do and when do we use it??, posted by @Schneur_Feldman and answered by @BPry and @OtakarKlier. Read on to see the discussion and solution!   Can anyone please explain SIMPLY to me what the "No Direct access to Local Network" under Global Protect actually does and mostly when are we supposed to use it?   Basically what does it block and when should we enable it? Full tunnel? Split tunnel? Only split tunnel domain? It restricts outgoing traffic on the local connected subnet. Instead of that traffic exiting through the local physical adapter like you would expect, the traffic is sent through the tunnel and (usually) dropped by the firewall. There's some behavioral considerations when it comes to existing traffic since macOS won't terminate the existing sessions like Windows does.   When you enable this feature really depends on your own configuration/environment requirements. I'd personally recommend enabling it across the board, but I know some environments don't go that far because it breaks local network functions like network printing to someone's home printer.   This feature is to satisfy compliance requirements around 'No Split Tunneling'. It prevents a user from being on VPN and, at the same time, connecting to their local systems on their home network (as an example).   For example: If your home subnet is 192.168.1.0 and your GP subnet is 10.0.0.0. By enabling "No Direct access to Local Network," you won't be able to access for example a printer on the local 192.168.1.0 network while being connected to the VPN.   Essentially you'll be cutting off Local LAN access.
View full article
  • 182 Posts
  • 261 Subscriptions
Customer Advisories

Your security posture is important to us. If you’re a Palo Alto Networks customer, be sure to login to see the latest critical announcements and updates in our Customer Advisories area.

Learn how to subscribe to and receive email notifications here.

Listen to PANCast

PANCast is a Palo Alto Networks podcast that provides actionable insights to customers, helping you maximize your investment while improving your cybersecurity posture.

Labels
Top Contributors