Disabling Direct Access To Local Networks - GP VPN

L2 Linker

Hi,

I was wondering whether someone can provide me clarification on this feature.

Palo states:

"You can now disable direct access to local networks so that users cannot send traffic to proxies or local resources while connected to a GlobalProtect VPN. For example, if a user establishes a GlobalProtect VPN tunnel while connected to a public hotspot or hotel Wi-Fi, and this feature is enabled, all traffic is routed through the tunnel and is subject to policy enforcement by the firewall."

I was under the impression that security policies would enforce what a GP VPN client can access or not, including local networks, as well as advising the access routes. Are Palo saying local networks/zones/interfaces directly connected to the firewall? If the security policy allows access to proxies or local resources, surely this feature would be useless.

2 REPLIES 2

L4 Transporter

Hi,

The way I understand it, GlobalProtect normally adds entries in the routing table so that traffic meant for your enterprise network (the access routes you configured) will go through the VPN tunnel, while the rest of the traffic will not. With this option, there will be only one route in your client computer: the one going to the VPN tunnel. This way, the client computer will not be able to talk directly to other network resources on his network (at home, for example).

Hope this helps,

Benjamin

L3 Networker

By default, if GP has a default route into the VPN, the client can still communicate with all devices on the local LAN. There are no security policies on the endpoint. This new feature is great, and restricts local LAN access for the client.
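The two replies above both come down to longest-prefix matching in the client's routing table: a connected /24 for the hotel or home Wi-Fi is more specific than a 0.0.0.0/0 default into the tunnel, so local hosts stay directly reachable until that local route is gone. The following is an added example, not code from this thread or from Palo Alto; it models the three routing tables the replies describe with constructed addresses and interface names (wlan0 for the Wi-Fi adapter, gpd0 for the tunnel, 203.0.113.10 as the gateway) and includes a small audit helper a defender can run over a host's route list to see what would still bypass the tunnel. It is a model of the described behaviour, not GlobalProtect's actual implementation.

```python
import ipaddress
from typing import List, Optional, Tuple

# A route is (destination network, outgoing interface). The host stack picks
# the matching route with the longest prefix, which is why a connected LAN
# route beats a default route into the tunnel.
Route = Tuple[ipaddress.IPv4Network, str]


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Return the interface a packet to `dst` would leave through."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# Constructed sample networks.
LAN = ipaddress.ip_network("192.168.1.0/24")          # hotel / home Wi-Fi
ENTERPRISE = ipaddress.ip_network("10.0.0.0/8")       # access route pushed by the portal
GATEWAY = ipaddress.ip_network("203.0.113.10/32")     # the VPN gateway itself
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Scenario 1: split tunnel. Only the configured access route uses the tunnel.
SPLIT_TUNNEL: List[Route] = [
    (DEFAULT, "wlan0"),
    (LAN, "wlan0"),
    (ENTERPRISE, "gpd0"),
]

# Scenario 2: default route into the tunnel, but the connected LAN route is
# still present. /24 beats /0, so local devices remain directly reachable.
FULL_TUNNEL_LAN_REACHABLE: List[Route] = [
    (DEFAULT, "gpd0"),
    (LAN, "wlan0"),
    (GATEWAY, "wlan0"),
]

# Scenario 3: model of "disable direct access to local networks": the only
# non-tunnel route left is the /32 needed to carry the tunnel itself.
DIRECT_ACCESS_DISABLED: List[Route] = [
    (DEFAULT, "gpd0"),
    (GATEWAY, "wlan0"),
]


def local_lan_reachable_directly(routes: List[Route],
                                 lan: ipaddress.IPv4Network = LAN,
                                 tunnel_iface: str = "gpd0") -> bool:
    """True if any host in `lan` would be sent somewhere other than the tunnel."""
    return any(lookup(routes, str(host)) != tunnel_iface for host in lan.hosts())


def bypass_routes(routes: List[Route],
                  tunnel_iface: str = "gpd0",
                  gateway: ipaddress.IPv4Network = GATEWAY) -> List[str]:
    """Audit helper: destinations that leave the host outside the tunnel.

    The gateway /32 is excluded because the tunnel cannot exist without it.
    """
    return sorted(str(net) for net, iface in routes
                  if iface != tunnel_iface and net != gateway)


if __name__ == "__main__":
    for name, table in [("split tunnel", SPLIT_TUNNEL),
                        ("full tunnel, LAN route kept", FULL_TUNNEL_LAN_REACHABLE),
                        ("direct access disabled", DIRECT_ACCESS_DISABLED)]:
        print(f"{name}: 192.168.1.50 -> {lookup(table, '192.168.1.50')}, "
              f"LAN reachable directly: {local_lan_reachable_directly(table)}, "
              f"bypass routes: {bypass_routes(table)}")
```

Scenario 2 is the case the second reply points at: the firewall's security policy never sees the 192.168.1.50 packet because it never enters the tunnel, so the only way to bring it under policy is to remove the local route on the endpoint, which is what the feature does. Running `bypass_routes` against a real host's route list (parsed from `ip route` or `route print`) tells you what is still reachable outside the tunnel once the feature is enabled.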

  • 1 accepted solution
  • 2908 Views
  • 2 replies
  • 0 Likes