I am fairly new to Palo Alto devices. We are in the process of testing the GlobalProtect client and have set it up without split-tunneling.
I have confirmed this works for web browsing (get the PA NAT address), but we are still able to get to all local LAN resouces. We are able to use local wireless printers, I am able to ping to and from the GP client on the local subnet. Based on my previous experience with Cisco, without split-tunneling there was no access to the local LAN. Is this how this works with PA or is something incorrect in my configuration?
Local LAN access (local as defined by the native/underlying IP subnet mask) is configurable on the Cisco IPSec and AnyConnect clients, but with GlobalProtect, it seems as though its built in as a 'feature', and no choice is available to the administrator (I'd really like to hear from PaloAlto tech guys on this - by design? undocumented?). Its a form of split-tunneling, allowing only local traffic (defined by subnet mask), and tunneling everything else. In the case of IP range overlap, or mistakes in local subnet masking, there can be some very interesting/annoying scenarios that crop up.
I understand that local LAN access is often desirable by end users, particularly when wanting to print locally while 'in-tunnel'. The machine itself is no more or less vulnerable to attack (from the local LAN) when it is 'in-tunnel', except of course that it can potentially be leveraged to compromise the protected network in real time. There is little difference in my mind between a machine that can be compromised when it is not tunneled (assuming you are using the client on-demand) and one that can also be compromised while tunneled. A compromised system is a compromised system - the protected network is vulnerable in either case - just a matter of degrees. Windows (or other) firewall can/should be configured (by GPO in MS enterprise networks) to protect any machine that is going to spend any time on the 'dirty' Internet (hotels, airports, starbucks, home, etc), not allowing any connections TO the machine while 'offnet' (off the corporate network) - but I digress.
In any event, the admin of the GlobalProtect gateway should be able to choose the operating mode they desire - this is a major shortcoming if there is not that level of control built into the GP client/server, and PA needs to speak to this issue. Have either of you opened a ticket on this?
I brought it to our SE who is making a case for this - he told me others have requested same. One of the primary reasons they gave for having that way is for compulsory vpn connections to be able to still talk to captive portals in hotels, airports, etc. I said, if that's the case, why not only allow the apps necessary to do captive portals and not wide open.
Fingers crossed they'll make it at least a configurable option for their customers...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!