We have a load of small branch offices that terminate at our Azure Palo Alto gateway over an IPsec tunnel (via a Draytek router). This all works and allows printing & RDP to onprem services. We also have the Global Protect gateway on the same Palo Alto, albeit on a separate subnet.
We are starting to pilot Win10 devices with Global Protect. The branch offices have a separate wifi which is essentially a public wifi.
The setup is that the (Intuned) Win10 device has 2 networks; when docked they are hardwired into the IPsec router (so are connected to the LAN that is connected to Azure over the IPsec tunnel), and when undocked they are connected to the public wifi and Global Protect allows them to access 365/onprem resources.
What I'm unclear about is when the device is docked and therefore hardwired to the Draytek router so traffic flows over the IPsec tunnel and Global Protect is also connected - both methods have the same destination subnets incl. in their routing tables - device traffic flows through GP but;
- is there an overhead with GP connecting through an IPsec tunnel? I imagine this will add to the latency at the very least
I've tried configuring policy routing on the Draytek to force all traffic through the IPsec tunnel (so GP can be disabled when hardwired) but have struggled to set this up consistently across the various Draytek models that we have at the +70 sites. This would have allowed us to use the Palo for URL filtering etc.
Thanks in advance