I, like probably a lot of us these days, use GlobalProtect for the major percentage of the company's workforce. I run split tunneling - internal resources go over the tunnel, anything else just uses the local internet.
Recently, I have had the requirement thrown at me to provide split tunneling for a set of addresses which are a dynamic DNS entry rather than a fixed IP or subnet.
This seems to be perfect for adding into the "Domains and Applications" section of the client configuration - but after researching, I find this won't work without ticking the "No Direct access to Local Network" toggle.
Can anyone tell me the implications of doing this? Is it just the local interface network which can't be accessed while GlobalProtect is running - or does this effectively make split tunneling useless by locking out anything except the tunnel?
I can't seem to find a definitive answer - it should just be what the wording says - lockout of the local LAN used to get internet access - but I've had situations where the logical interpretation of Palo Alto speak turns out to be not so logical before!
Thanks for any input
Can you please point out where you read the constraints of "No direct access to Local Networks" in relation to "Domains and Applications"?
On our systems, "No direct access to Local Networks" is NOT ticked, but access to domain-based destinations is configured (and it seems to work fine).
The 'domains and apps' section in split tunnelling does require a license, but the access to local network does not need to be enabled.
The latter option prevents access to resources on the client's local interface subnet (home printers, NAS devices, ...), but local internet breakout and tunneled subnets will still be accessible.