starting the GP linux client blocks inbound communication


L0 Member

Hello. I have a server that I use as a "bridge" that I use to keep a persistent VPN connection active to a restricted network, to extract report data. We were previously using the openconnect client for the bridge, but recently, the secure network changed to use GlobalProtect. When I tried to replace openclient with the Linux GP client, something odd started happening. Typically, I ssh into the bridge server, and start up the VPN client, and then ping some of the restricted servers to make sure the VPN connection is running correctly. This worked fine with openclient. Now though, after establishing the ssh connection, and starting the GP client, my ssh session seems to become blocked, and any attempt to start a new ssh session also fails. I left a little script running on the bridge server to see if the connection is being established ok, and it looks like it is, so it would appear that starting the connection is somehow preventing inbound connectivity. Does the GP client enable/change inbound firewall rules or something? The only way I can get back into the bridge server is to reboot the server, or possibly wait for the VPN connection to disconnect. If it does start up some firewall rules, is there some way to allowlist specific subnets or something?

 

 

 


Accepted Solutions

@chrisr,

This depends entirely on how the folks running this secure network have configured GlobalProtect, and if it is in fact a secured network I would expect them to not allow local network access while the VPN is active. This is a pretty common configuration option, and I would expect that it's entirely intentional. That being said, it may be worth asking if it was intentional to see if they even realize that they checked that option. My guess is they know what they've done however. 


2 REPLIES

L0 Member

Apparently, starting up the GP client changes the routing tables on the box, blocking inbound connections. 
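A diagnostic for the routing-table change described in the reply above, as an added example that is not part of the original thread: it compares `ip -4 route show` output captured before and after the client starts and reports whether replies to a given SSH client address would leave through a different interface. The tunnel interface name `gpd0`, every address, and both snapshots are constructed assumptions.

```python
import ipaddress

# Constructed `ip -4 route show` snapshots (not taken from the original thread).
# The tunnel interface name gpd0 and all addresses are assumptions.
BEFORE = """\
default via 192.0.2.1 dev eth0 proto dhcp metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
"""
AFTER = """\
default dev gpd0 scope link metric 1
default via 192.0.2.1 dev eth0 proto dhcp metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10
198.51.100.7 via 192.0.2.1 dev eth0
"""

def parse_routes(text):
    """Return (network, device, metric) tuples from `ip -4 route show` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue  # e.g. "unreachable ..." entries carry no device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            net = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # first field was a route type, not a prefix
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append((net, dev, metric))
    return routes

def egress_dev(routes, addr):
    """Pick the route by longest prefix, then lowest metric; return its device."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in routes if ip in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def reply_path_changed(before, after, client):
    """True if replies to `client` leave by a different interface once the VPN is up."""
    return egress_dev(parse_routes(before), client) != egress_dev(parse_routes(after), client)

if __name__ == "__main__":
    for client in ("203.0.113.50", "192.0.2.77"):
        print(client, egress_dev(parse_routes(BEFORE), client), "->",
              egress_dev(parse_routes(AFTER), client))
```

It reads only the main table and ignores policy rules (`ip rule`), so treat the result as a first check rather than a full model of the kernel's route selection.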

