09-02-2022 06:22 AM
If you are using GlobalProtect AND you have split tunneling enabled, your PC is accessible via the local LAN. So if you're in an insecure location, the other people on that LAN can hack at your computer. If you don't believe me, try it out.
09-02-2022 07:33 AM
Hi @MarkDufault ,
Have you tested with the "No direct access to local network" box checked? https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPbACAW This should disable local LAN access.
It is also good to know how the Exclusions tab interacts with this feature. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001V2dCAE
Thanks,
Tom
09-02-2022 08:11 AM
That is the way we had it configured: "No direct access to local network" configured with split tunnel. The problem is that if we add any IP or domain under Exclude, the "No direct access to local network" setting is overridden inbound. The GP-connected device cannot access the public or home network, but devices on the said public or home network can access the GP-connected device. The assumption would be that the exclusion would be applied only to the IPs or domains in the exclusion list. Not so.
Specific example: on our GP gateway, we have "No direct access to local network" enabled. We exclude IPs for Microsoft updates and Teams, Zoom, and Webex, as well as domains related to Zoom and Webex. Now an enterprise laptop, connected to a home network with IP 192.168.0.16, with GlobalProtect enabled, cannot ping or connect to anything in the 192.168.0.0/24 local network. But a device on the local network, say 192.168.0.10, can ping and RDP to 192.168.0.16. That is a problem.
We currently have removed all exclusions, and "No direct access to local network" works as expected. 192.168.0.16 cannot connect to 192.168.0.10, and 192.168.0.10 cannot connect to 192.168.0.16. This means that "No direct access to local network" is an all-or-nothing function. At least that is the way I see it. We have a ticket open with Palo Alto, and the engineers helping me on the case have verified what I have said and told me that is the case. They have made a "feature request" on our behalf.
The second link you provided (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001V2dCAE) states the following: