Disabling Direct Access To Local Networks - GP VPN

L2 Linker

Disabling Direct Access To Local Networks - GP VPN

Hi,

I was wondering whether someone can provide me clarification on this feature.

Palo states 

"You can now disable direct access to local networks so that users cannot send traffic to proxies or local resources while connected to a GlobalProtect VPN. For example, if a user establishes a GlobalProtect VPN tunnel while connected to a public hotspot or hotel Wi-Fi, and this feature is enabled, all traffic is routed through the tunnel and is subject to policy enforcement by the firewall."

I was under the impression that security policies would enforce what a GP VPN client can access or not, including local networks, as well as advising the access routes.  Are Palo saying local networks/zones/interfaces directly connected to the firewall?  If the security policy allows access to proxies or local resources, surely this feature would be useless.


Accepted Solutions
L4 Transporter

Re: Disabling Direct Access To Local Networks - GP VPN

Hi,

The way I understand it, GlobalProtect normally adds entries in the routing table so that traffic meant for your enterprise network (the access routes you configured) will go through the VPN tunnel, while the rest of the traffic will not. With this option, there will be only one route in your client computer: the one going to the VPN tunnel. This way, the client computer will not be able to talk directly to other network resources on its network (at home, for example).

Hope this helps,

Benjamin



All Replies

L3 Networker

Re: Disabling Direct Access To Local Networks - GP VPN

By default, if GP has a default route into the VPN, the client can still communicate with all devices on the local LAN. There are no security policies on the endpoint. This new feature is great, and restricts local LAN access for the client.
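The routing-table behaviour the two replies above describe, modelled as an added example (this is not code from the thread or from Palo Alto Networks): a longest-prefix-match lookup over two constructed route tables in Linux `ip route` style, one with split-tunnel access routes and one with only the tunnel default route as the accepted answer describes the option. The interface names (`wlan0`, `gpd0`), the addresses and the table contents are assumptions for illustration; a real client's table, and how the GlobalProtect app rewrites it on each platform, will differ.

```python
import ipaddress

# Constructed sample route tables in Linux "ip route" style (not captured from a real
# GlobalProtect client). wlan0 = physical hotel/home Wi-Fi NIC, gpd0 = assumed tunnel
# interface name, 203.0.113.10 = assumed GlobalProtect gateway address (TEST-NET-3).
SPLIT_TUNNEL = """
default via 192.168.1.1 dev wlan0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
10.0.0.0/8 dev gpd0 scope link
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Same client with "disable direct access to local networks", modelled as the accepted
# answer describes it: the only route is the tunnel, plus the host route needed to
# reach the gateway itself.
NO_LOCAL_ACCESS = """
default dev gpd0 scope link
203.0.113.10 via 192.168.1.1 dev wlan0
"""

TUNNEL_IFACE = "gpd0"  # assumed tunnel interface name


def parse_ip_route(text):
    """Return [(network, interface), ...] from ip-route-style lines."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        if "/" not in dst:
            dst += "/32"  # ip route prints host routes without a prefix length
        iface = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dst, strict=False), iface))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in routes if addr in net]
    if not matches:
        return None
    net, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface


def bypasses_tunnel(routes, probes, tunnel_iface=TUNNEL_IFACE):
    """Destinations that would leave via a physical interface instead of the tunnel."""
    return [p for p in probes if egress_interface(routes, p) != tunnel_iface]


if __name__ == "__main__":
    probes = ["192.168.1.50", "10.20.30.40", "8.8.8.8", "203.0.113.10"]
    for name, table in (("split tunnel", SPLIT_TUNNEL), ("no local access", NO_LOCAL_ACCESS)):
        routes = parse_ip_route(table)
        print(f"{name}: reachable outside the tunnel -> {bypasses_tunnel(routes, probes)}")
```

With the split-tunnel table the local LAN host and the public address both leave through `wlan0`, which is exactly the exposure the L3 Networker reply points out; with the tunnel-only table every probe goes into `gpd0` except the gateway itself, whose host route has to stay on the physical interface or the tunnel could never be built. To audit a real endpoint, feed its own `ip route` output to `parse_ip_route` and check that `bypasses_tunnel` returns nothing but the gateway.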
