06-02-2025 09:56 AM - edited 06-02-2025 09:57 AM
Hello, we have the need to stop split-tunneling all networks, and send all through GlobalProtect. However, we notice when we connect, the local network a device is on is still added to the route table on a Mac, and is accessible. We do see the option in GP to "No direct access to local network", and that works. However, we have a business case to allow some sanctioned OpenVPN profiles outside of GlobalProtect. However, with that "No direct access to local network" checked, all routing for those OpenVPNs, when joined, is added to the GlobalProtect interface in our Mac routing tables.
Is there a solution where we do not allow even local network traffic, but can allow a user to join a VPN outside of GlobalProtect, or within GlobalProtect, and allow that traffic to occur?
06-02-2025 12:33 PM
Hello,
The only way I can see it being done is to do it on the OpenVPN systems individually. A more drastic approach would be to force all users to VPN into your environment and control traffic flow that way.
https://skrzsecurity.net/zero-trust
Regards,
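An added example, not part of the thread and not Palo Alto or OpenVPN tooling: a small Python audit of macOS `netstat -rn -f inet` output that lists every IPv4 route leaving through an interface other than the tunnels you sanction, which is how the local-network routes described in the question show up. The sample output is constructed, and the interface names (`utun4` for GlobalProtect, `utun7` for the OpenVPN profile, `en0` for Wi-Fi) are assumptions to replace with your own.

```python
import ipaddress

# Constructed sample of `netstat -rn -f inet` output on macOS (not from the thread).
# Assumed names: utun4 = GlobalProtect tunnel, utun7 = sanctioned OpenVPN, en0 = Wi-Fi.
SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags               Netif Expire
default            10.20.0.1          UGScg               utun4
default            192.168.1.1        UGScIg                en0
10.8.0/24          10.8.0.1           UGSc                utun7
127.0.0.1          127.0.0.1          UH                    lo0
192.168.1          link#12            UCS                   en0      !
192.168.1.1/32     link#12            UCS                   en0      !
192.168.1.50       a4:83:e7:0:11:22   UHLWIi                en0   1180
"""

def parse_dest(text):
    """Expand netstat's abbreviated destination ("192.168.1", "10.8.0/24") to a network."""
    if text == "default":
        return ipaddress.ip_network("0.0.0.0/0")
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    # With no explicit prefix, netstat implies 8 bits per octet shown.
    prefix = int(plen) if plen else 8 * len(octets)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{prefix}", strict=False)

def routes(netstat_text):
    """Yield (network, flags, netif) per IPv4 row; Netif column is found from the header."""
    col = None
    for line in netstat_text.splitlines():
        fields = line.split()
        if fields[:1] == ["Destination"]:
            col = fields.index("Netif")
        elif col is not None and len(fields) > col:
            try:
                yield parse_dest(fields[0]), fields[2], fields[col]
            except ValueError:
                continue  # skip rows that are not IPv4 routes

def off_tunnel(netstat_text, allowed=("utun4", "utun7", "lo0")):
    """Routes that send traffic out an interface other than the allowed ones."""
    return [(str(n), f, i) for n, f, i in routes(netstat_text) if i not in allowed]

if __name__ == "__main__":
    for net, flags, netif in off_tunnel(SAMPLE):
        print(f"{net:<18} {flags:<8} {netif}")
```

Running it before and after toggling "No direct access to local network" shows which local-subnet entries remain and which interface the OpenVPN routes end up bound to.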