Implications of "No direct Access to Local Network" toggle in Global protect client settings?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Implications of "No direct Access to Local Network" toggle in Global protect client settings?

L4 Transporter

Hey folks.

 

I, like probably a lot of us these days, use Global protect for the major percentage of the company's workforce. I run split tunneling - internal resources go over the tunnel, anything else just uses the local internet.

 

Recently, I have had the need thrown at me the requirement to provide split tunneling for a set of addresses which are a dynamic DNS entry rather than  fixed IP or subnet.

 

This seems to be perfect for adding into the "Domains and Applications' section of the client configuration - but after researching, I find this won't work without ticking the "No Direct access to Local Network" toggle.

 

Can anyone tell me the implications of doing this? Is it just the local interface network which can't be accessed while Global protect is running - or does this effectively make split tunneling useless by locking out anything except the tunnel?

 

I can't seem to find a definitive answer - it should just be what the wording says - lockout of the local LAN used to get internet access - but I've had situations where the logical interpretation of Palo Alto speak turns out to be not so logical before!

 

Thanks for any input

4 REPLIES 4

L4 Transporter

Hello

 

Can you please point out where you read the constraints of "No direct access to Local Networks" in relation with "Domains and Applications".

On our systems "No direct access to Local Networks" is NOT ticked, but access to domain based destinations is configured (and it seems to work fine).

Cyber Elite
Cyber Elite

The 'domains and apps' section in split tunnelling does require a license, but the access to local network does not need to be enabled

The latter option prevents access to resources on the client's local interface subnet (home printers/Nas device,...) But local internet breakout and tunneled subnets will still be accessible

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

It was a discussion or article I found on here (live community), from memory - I didn't save it, but if I can find it again, I will.

 

So if I simply add the domains I want into the domain based destinations, it should just work? Are the ports optional? or do I have to add them?

I do have the Global protect license on the firewall, so that's not an issue.

 

I guess I'll just add the domains into the configuration and see what happens. Do you know if the port are optional, or if I have to include them?

  • 3392 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!