Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
08-29-2021 04:49 PM
Hey folks.
I, like probably a lot of us these days, use Global protect for the major percentage of the company's workforce. I run split tunneling - internal resources go over the tunnel, anything else just uses the local internet.
Recently, I have had the need thrown at me the requirement to provide split tunneling for a set of addresses which are a dynamic DNS entry rather than fixed IP or subnet.
This seems to be perfect for adding into the "Domains and Applications' section of the client configuration - but after researching, I find this won't work without ticking the "No Direct access to Local Network" toggle.
Can anyone tell me the implications of doing this? Is it just the local interface network which can't be accessed while Global protect is running - or does this effectively make split tunneling useless by locking out anything except the tunnel?
I can't seem to find a definitive answer - it should just be what the wording says - lockout of the local LAN used to get internet access - but I've had situations where the logical interpretation of Palo Alto speak turns out to be not so logical before!
Thanks for any input
08-29-2021 11:17 PM
Hello
Can you please point out where you read the constraints of "No direct access to Local Networks" in relation with "Domains and Applications".
On our systems "No direct access to Local Networks" is NOT ticked, but access to domain based destinations is configured (and it seems to work fine).
08-29-2021 11:40 PM
The 'domains and apps' section in split tunnelling does require a license, but the access to local network does not need to be enabled
The latter option prevents access to resources on the client's local interface subnet (home printers/Nas device,...) But local internet breakout and tunneled subnets will still be accessible
08-30-2021 05:27 PM
It was a discussion or article I found on here (live community), from memory - I didn't save it, but if I can find it again, I will.
So if I simply add the domains I want into the domain based destinations, it should just work? Are the ports optional? or do I have to add them?
08-30-2021 05:34 PM
I do have the Global protect license on the firewall, so that's not an issue.
I guess I'll just add the domains into the configuration and see what happens. Do you know if the port are optional, or if I have to include them?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
