04-26-2020 08:19 PM
This depends solely on your requirements and what you are looking to accomplish. One option is not necessarily "better" than the other if you aren't looking at the full picture. I'm going to assume that you are talking about GlobalProtect and not an IPSec tunnel.
1) Full Tunnel
The benefit of a full tunnel GlobalProtect configuration is that you can inspect all traffic from a connected endpoint, tied together with always-on and pre-logon and it's similar to having the device sitting in your office. All of the traffic will be inspected by the firewall and the endpoint is effectively never not connected to your network. This is actually how GlobalProtect configures by default, if you leave your 'Split Tunnel' configuration empty or include 0.0.0.0/0 in your include list it'll tunnel everything through GlobalProtect.
2) Split Tunnel
The benefit of split-tunnel is that you don't have to process all of the endpoints network traffic, which can save you bandwidth if you don't have a connection capable of processing all of the traffic. This is extremely common in a lot of businesses where you have a BYOD VPN tunnel to allow someone to, for example, remote onto their desktop at work.
This is actually a common practice that I use for customers who simply want a way for someone to RDP back to their desktop at work. The configuration will simply allow for RDP traffic back to the access VLANs and ensure that the connected desktop passes a number of HIP checks to ensure that the client itself is up-to-date and has a supported antivirus solution. In this type of setup, I don't want to process all of the endpoints traffic, just the RDP traffic.
Under the Split Tunnel configuration you simply need to include whatever subnets you need to traverse the VPN in the include list.
What solution you pick is really going to depend on your requirements and the business and regulatory needs. Banks for example that I've worked with don't allow any non-issued device to connect to their VPN and all traffic is processed through the VPN tunnel. SMB customers might not have the bandwidth to support all of that traffic and just want to allow RDP traffic as I mentioned before while performing a few HIP checks. Completely dependent on what your needs are.
04-28-2020 12:20 PM
Hello,
I say tunnel all. You have a fantastic security appliance, Palo Alto, why not use it to inspect all the traffic?
Just my thoughts.
04-28-2020 03:02 PM - edited 04-29-2020 03:34 AM
Hi,
My concern is bandwidth if it is full tunnel . and does it require NAT-T ?
Thanks
04-29-2020 07:06 AM
Hello,
That is only used for site to site vpn tunnels. You will need a NAT policy for the traffic.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFbCAK
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
