cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

GlobalProtect Cloud Services Route Precedence

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
LCMember2050
L1 Bithead
‎09-27-2018 07:21 AM
‎09-27-2018 07:21 AM

GlobalProtect Cloud Services Route Precedence

We have had overlapping subnet scenarios where someone is connecting using GlobalProtect Cloud Services from a subnet that overlaps our internal subnet and, as they have a more specific route, access to internal resources is failing as the taffic is being routed via the local router instead of over the VPN due to the more specific route. Due to the size of our internal network, adding more specific routes for all of our subnets isn't really an option and this could be undone anyway with a more specific route.

 

Does anyone know a way to force all internal traffic down the VPN instead of following more specific routes?

 

NOTE: GlobalProtect Cloud Service has changed to Prisma Access.

0 Likes
Reply
MickBall
L7 Applicator
‎09-27-2018 07:36 AM
‎09-27-2018 07:36 AM

Hmm.. no, but do they need local routing, seems a bit odd if your route takes precedence, or is it all the other routes that are local...

never had this issue as we do not allow split tunneling...

0 Likes
Reply
MickBall
L7 Applicator
‎09-27-2018 07:37 AM
‎09-27-2018 07:37 AM

well i say "No" but watch this space...

0 Likes
Reply
LCMember2050
L1 Bithead
‎09-28-2018 01:28 AM
‎09-28-2018 01:28 AM

We mostly see the issue when users are connecting from hotel networks so have no control on their routes. We can manually remove the local route to get the traffic down the tunnel but not the easiest solution for users.

0 Likes
Reply
MickBall
L7 Applicator
‎09-28-2018 01:36 AM
‎09-28-2018 01:36 AM

if you remove all routes from the gateway config on the palo alto it will auto force all traffic down the tunnel by default.

Reply
LCMember2050
L1 Bithead
‎09-28-2018 04:59 AM
‎09-28-2018 04:59 AM

Have removed all routes but traffic matching the local route still isn't going down the tunnel.

 

P.S. thanks for your helpful replies.

0 Likes
Reply
LCMember2050
L1 Bithead
‎09-28-2018 05:22 AM
‎09-28-2018 05:22 AM

It looks like we need to enable the option "No direct access to local network" to force all traffic down the tunnel but this would prevent access to local resources like printers. Guess thats a decision we'll have to make.

 

Thanks again for your help Mick.

0 Likes
Reply
OtakarKlier
Cyber Elite
Cyber Elite
‎09-28-2018 07:27 AM
‎09-28-2018 07:27 AM

Hello,

How about something like in the article:

 

https://www.paloaltonetworks.com/documentation/10/cloud-services/globalprotect-cloud-service-gsg/gpc...

 

Regards,

0 Likes
Reply
MickBall
L7 Applicator
‎09-28-2018 08:29 AM
‎09-28-2018 08:29 AM

Sure, but the user could just disable GP to print, or use USB, you have a few options but if you deffo need access to both then specific host routes could be an option as you only need to set them once for all users.

 

luckily we have a strict no split tunnel policy so never been an issue and for a small group of users that must remote print they have a seperate portal config via AD group that allows GP disable.

0 Likes
Reply
MickBall
L7 Applicator
‎09-28-2018 08:31 AM
‎09-28-2018 08:31 AM

Sorry @OtakarKlier, that was not a reply to you... i only just read your post. Is this doable on local kit or do you need to invest in cloud services.

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks