How to disable access to local resources when using GlobalProtect
38633
Created On 04/13/20 22:22 - Last Modified 04/22/24 20:09
Objective
This document discusses the necessary steps to disable client access to local networks while connected to GlobalProtect.
Environment
- PAN-OS 9.0 or greater
- Any Palo Alto Networks firewall.
- GlobalProtect Configured.
Procedure
- Navigate to Network > GlobalProtect > Gateways and select the appropriate Gateway from the list.
- Then navigate to Agent > Client Settings and select the appropriate client configuration profile from the list.
- Choose the "Split Tunnel" tab and then select the checkbox next to "No direct access to local network."
Note: Any split tunneling configuration (entries under the Exclude tabs) overrides the "No direct access to local network" feature. Remove the split tunnel Exclude configuration from the same client settings profile to avoid undesired behavior.
- Commit your changes and restart the Agent on the endpoint if this is an existing connection.
Note: If you do not restart the Agent, the endpoint keeps the client settings it received at connect time, so local network traffic continues to be sent on the physical adapter rather than through the tunnel.
Via the CLI:
- From configure mode, use the command "set global-protect global-protect-gateway <Gateway name> remote-user-tunnel-configs <Config name> no-direct-access-to-local-network yes" (the gateway and client configuration names are the same ones shown in the web interface under Network > GlobalProtect > Gateways).
- Commit the changes
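The same change can be driven from a script. The following Python example is added here and is not part of the Palo Alto Networks article: it builds the PAN-OS XML API requests that correspond to the CLI command above and audits a client configuration for an Exclude split-tunnel setting that would override the feature. It assumes the config XML tree mirrors the CLI set path (network/global-protect/global-protect-gateway/.../remote-user-tunnel-configs/...), that the device entry is the standard "localhost.localdomain" path, and that the split-tunneling child element names (exclude-access-route, exclude-domains, exclude-applications) match the GUI Exclude tabs; verify those names against "show" output on your own firewall. The sample responses are constructed, not captured from a firewall.

```python
"""Added example, not from the Palo Alto Networks article.

Assumptions: the XML config tree mirrors the CLI set path on the page; the
device entry name 'localhost.localdomain' is the standard single-device path;
the split-tunneling element names in EXCLUDE_ELEMENTS are assumed and should be
checked against 'show' output. All sample responses below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Standard device entry for a firewall's own config (assumption).
DEVICE_XPATH = "/config/devices/entry[@name='localhost.localdomain']"

# Assumed <split-tunneling> children that correspond to the GUI Exclude tabs.
EXCLUDE_ELEMENTS = ("exclude-access-route", "exclude-domains", "exclude-applications")


def tunnel_config_xpath(gateway: str, config: str) -> str:
    """Config xpath of one client-settings entry on one gateway."""
    return (
        f"{DEVICE_XPATH}/network/global-protect/global-protect-gateway"
        f"/entry[@name='{gateway}']/remote-user-tunnel-configs/entry[@name='{config}']"
    )


def set_request(gateway: str, config: str, api_key: str) -> str:
    """Query string for the XML API 'set' that turns the feature on.

    Equivalent to the CLI on the page:
      set global-protect global-protect-gateway <gw>
          remote-user-tunnel-configs <cfg> no-direct-access-to-local-network yes
    """
    params = {
        "type": "config",
        "action": "set",
        "xpath": tunnel_config_xpath(gateway, config),
        "element": "<no-direct-access-to-local-network>yes</no-direct-access-to-local-network>",
        "key": api_key,
    }
    return "/api/?" + urlencode(params)


def commit_request(api_key: str) -> str:
    """Query string for the commit that makes the change live."""
    return "/api/?" + urlencode({"type": "commit", "cmd": "<commit></commit>", "key": api_key})


def audit_tunnel_config(show_xml: str) -> dict:
    """Inspect a 'type=config&action=show' response for one tunnel config entry.

    The feature is only effective when the flag is 'yes' AND no Exclude
    split-tunnel configuration is present, because Exclude entries override it.
    """
    root = ET.fromstring(show_xml)
    entry = root.find("./result/entry")
    if entry is None:
        raise ValueError("no tunnel config entry in response")
    no_direct = entry.findtext("no-direct-access-to-local-network") == "yes"
    excludes = []
    split = entry.find("split-tunneling")
    if split is not None:
        for name in EXCLUDE_ELEMENTS:
            node = split.find(name)
            if node is None:
                continue
            for child in node:  # <member>value</member> or <entry name="..."/>
                value = child.get("name") or (child.text or "").strip()
                excludes.append(f"{name}: {value}")
    return {
        "no_direct_access": no_direct,
        "overriding_excludes": excludes,
        "effective": no_direct and not excludes,
    }


# Constructed sample responses (not captured from a real firewall).
SAMPLE_WITH_EXCLUDE = """<response status="success"><result>
<entry name="remote-users">
  <no-direct-access-to-local-network>yes</no-direct-access-to-local-network>
  <split-tunneling>
    <exclude-access-route><member>10.0.0.0/8</member></exclude-access-route>
  </split-tunneling>
</entry></result></response>"""

SAMPLE_CLEAN = """<response status="success"><result>
<entry name="remote-users">
  <no-direct-access-to-local-network>yes</no-direct-access-to-local-network>
</entry></result></response>"""


if __name__ == "__main__":
    print(set_request("GP-GW", "remote-users", "REDACTED"))
    print(commit_request("REDACTED"))
    print(audit_tunnel_config(SAMPLE_WITH_EXCLUDE))  # effective False: exclude route overrides
    print(audit_tunnel_config(SAMPLE_CLEAN))         # effective True
```

Prefix the returned query strings with https://<firewall> and use a key obtained from the XML API type=keygen request. The audit function is the check worth keeping: after the commit, fetch the entry with type=config&action=show and the same xpath, and treat "effective": False as a misconfiguration, since an Exclude entry silently cancels the setting.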
Additional Information
The GlobalProtect Administrator's Guide is available here.
For additional information regarding split tunneling, please refer to the following documentation listed here.