11-24-2015 07:40 AM
Hi,
I was wondering whether someone can provide me clarification on this feature.
Palo states
"You can now disable direct access to local networks so that users cannot send traffic to proxies or local resources while connected to a GlobalProtect VPN. For example, if a user establishes a GlobalProtect VPN tunnel while connected to a public hotspot or hotel Wi-Fi, and this feature is enabled, all traffic is routed through the tunnel and is subject to policy enforcement by the firewall."
I was under the impression that security policies would enforce what a GP VPN client can access or not including local networks as well as advising the access routes. Are Palo saying local networks/zones/interfaces directly connected to the firewall? If the security policy allows access to proxies or local resources, surely this feature would be useless.
11-24-2015 08:03 AM
Hi,
The way I understand it, GlobalProtect normally adds entries in the routing table so that traffic meant for your enterprise network (the access routes you configured) will go through the VPN tunnel, while the rest of the traffic will not. With this option, there will be only one route in your client computer: the one going to the VPN tunnel. This way, the client computer will not be able to talk directly to other network resources on his network (at home, for example).
Hope this helps,
Benjamin
11-24-2015 10:01 AM
By default, if GP has a default route into the VPN, the client can still communicate with all devices on the local LAN. There are no security policies on the endpoint. This new feature is great, and restricts local LAN access for the client.
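The two replies above describe the same endpoint behaviour from the routing-table side: with access routes only, the client keeps its local LAN and default routes on the physical adapter; with a default route into the tunnel, the LAN stays reachable only while a more-specific local route still exists; with direct local access disabled, the tunnel route is the only one left and LAN destinations go to the firewall like everything else. The script below is an added illustration written for this thread, not GlobalProtect's own code or anything from Palo Alto; the prefixes, the interface names "wifi" and "tunnel", and the three table shapes are constructed assumptions, and a real client's route installation can differ in detail. It resolves a destination by longest-prefix match, the way a host routing table does, so you can see which route wins in each mode.

```python
from ipaddress import ip_address, ip_network

# Constructed sample prefixes for the illustration (not from the thread).
LOCAL_LAN = ip_network("192.168.1.0/24")                      # hotel / home Wi-Fi segment
CORP_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")]  # "access routes"


def split_tunnel_table():
    """Access routes only: corporate prefixes via the tunnel,
    everything else (including the local LAN) via the physical adapter."""
    routes = [(ip_network("0.0.0.0/0"), "wifi"), (LOCAL_LAN, "wifi")]
    routes += [(net, "tunnel") for net in CORP_NETS]
    return routes


def full_tunnel_table(local_access_allowed):
    """Default route into the tunnel. When direct local access is still
    allowed, the host keeps a more-specific route for its own LAN on the
    physical adapter; when it is disabled, that route is gone and the
    tunnel route is the only one left (hypothetical model of the option)."""
    routes = [(ip_network("0.0.0.0/0"), "tunnel")]
    if local_access_allowed:
        routes.append((LOCAL_LAN, "wifi"))
    return routes


def next_hop(routes, dst):
    """Longest-prefix match over (network, interface) pairs, as a host does."""
    addr = ip_address(dst)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def reaches_lan_directly(routes):
    """True if a LAN host is reachable without traversing the firewall."""
    return next_hop(routes, "192.168.1.50") == "wifi"


if __name__ == "__main__":
    tables = {
        "split tunnel (access routes)": split_tunnel_table(),
        "full tunnel, local access allowed": full_tunnel_table(True),
        "full tunnel, local access disabled": full_tunnel_table(False),
    }
    for name, routes in tables.items():
        print(f"{name}:")
        for dst in ("10.1.2.3", "192.168.1.50", "8.8.8.8"):
            print(f"  {dst:>14} -> {next_hop(routes, dst)}")
        print(f"  LAN reachable directly: {reaches_lan_directly(routes)}")
```

Only the third table sends a LAN destination such as a hotel printer or proxy through the tunnel, which is the case where firewall security policy can actually see and decide on that traffic; in the other two modes the packet never leaves the adapter, so no firewall rule applies to it.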