Global protect excluded networks

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Global protect excluded networks

Not applicable

Hi all,

there is a method on global protect to send all my traffic into the tunnel, but exclude the subnet range of the customer to remain connected with the office network and browse the web protected from office infrastructure, but with the possibility to work on all customer network and not only on the same lan?

Thanks.

3 REPLIES 3

L4 Transporter

Hi,

Do you want to remain connectd to the local LAN and have only the traffic intended for the remote office tunneled? If so, you'd want to configure split tunneling on the PAN FW  such that the Global Protect Clients access the remote Office LAN via the tunnel and all other traffic (to the Internet and local LAN) via their own ISP and local connection.

However, you cannot configure this on the Global Prorect Client itself - Access Routes (split tunneling) are configured on the PAN FW.

If your requirement is different from what is explained here, please explain further.

Thanks

Thats not exactly what i said... i want all traffic from my pc when i'm from a customer goes by tunnel to my office, included my internet connection, and exclude from the tunnell only the subnet who i have to the customer.

EX all 0.0.0.0/0 Pa-500 to office...(all traffic internet included)

10.50.0.0 Network customer excluded from tunnel.

So i can reach all that i want inside my customer network without disconnect vpn connection.

The vpn split as i see on PA i can specify the network to tunnel but i can't exclude a specific network, but is a things possible on small router with cisco vpn integrated isn't possible on Paloalto FW?

@fcellini:

Your requirement looks like it is not currently supported by the available GP configuration options. I would suggest talking to your sales team to have them file a feature request for this use case.

As a workaround you could defined all networks in the access routes with the exclusion of the 10.150.0.0/24 subnet. This should work as a short term band-aid for your use case.

-Benjamin

  • 2273 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!