How to Disable Access to Local Resources when using GlobalProtect

Created On 04/13/20 22:22 PM - Last Modified 04/12/21 20:01 PM


Objective
This document discusses the necessary steps to disable client access to local networks while connected to GlobalProtect.

Environment
  • PAN-OS 9.0
  • Any Palo Alto Firewall.
  • GlobalProtect Configured.


Procedure
  1. Navigate to Network > GlobalProtect > Gateways and select the appropriate Gateway from the list.
Screenshot displaying list of configured Gateways in the Firewall GUI.

  2. Then navigate to Agent > Client Settings and select the appropriate client configuration profile from the list.
Screenshot displaying the list of client configurations within GlobalProtect.

  3. Choose the "Split Tunnel" tab and then select the checkbox next to "No direct access to local network."
Screenshot displaying the checkbox to disable direct access to local resources.

Note: Any split tunneling configuration (under the Exclude tabs) overrides the 'No direct access to local network' feature, so it is advised to remove the split tunnel configuration to avoid undesired behavior.

Screenshot displaying the optional settings to either include or exclude certain networks' traffic from using the tunnel.

  4. Commit your changes and restart the Agent on the endpoint if this is an existing connection.
Note: If you do not restart the Agent, then all traffic will continue to be sent on the physical adapter and not the tunnel.

 
Via the CLI:
  1. Use the command "set global-protect global-protect-gateway <Gateway's name> remote-user-tunnel-configs <Config name> no-direct-access-to-local-network yes" from config mode.

  2. Commit the changes.
Screenshot displaying how to disable access to local resources in the command line interface.
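
An added example (not from Palo Alto Networks or the original article): a Python audit that reads configuration exported in set-command format and flags client configurations where the setting from the CLI step is not "yes", or where Exclude split-tunnel entries would override it, as the note in step 3 warns. The sample lines are constructed, and the "split-tunneling exclude-access-route" keywords are an assumption about how Exclude entries appear in set format.

```python
import shlex

FLAG = "no-direct-access-to-local-network"

# Constructed sample, not from a real device. The "split-tunneling
# exclude-access-route" keywords are an assumption about set-format output.
SAMPLE = """\
set global-protect global-protect-gateway GW-HQ remote-user-tunnel-configs staff no-direct-access-to-local-network yes
set global-protect global-protect-gateway GW-HQ remote-user-tunnel-configs contractors no-direct-access-to-local-network yes
set global-protect global-protect-gateway GW-HQ remote-user-tunnel-configs contractors split-tunneling exclude-access-route 192.168.0.0/16
set global-protect global-protect-gateway "GW Branch" remote-user-tunnel-configs default no-direct-access-to-local-network no
"""

def audit(config_text):
    """Map (gateway, client config) -> list of findings; clean configs are omitted."""
    state = {}
    for line in config_text.splitlines():
        try:
            tok = shlex.split(line)  # quoted names may contain spaces
        except ValueError:
            continue  # skip lines with unbalanced quotes
        if "global-protect-gateway" not in tok:
            continue
        g = tok.index("global-protect-gateway")
        if tok[g + 2:g + 3] != ["remote-user-tunnel-configs"] or len(tok) <= g + 3:
            continue
        entry = state.setdefault((tok[g + 1], tok[g + 3]), {"flag": False, "excludes": set()})
        rest = tok[g + 4:]
        if rest[:1] == [FLAG]:
            entry["flag"] = rest[1:2] == ["yes"]
        # Assumption: Exclude-tab entries show up as keywords starting with "exclude".
        entry["excludes"].update(t for t in rest if t.startswith("exclude"))
    findings = {}
    for key, entry in state.items():
        issues = []
        if not entry["flag"]:
            issues.append(FLAG + " is not set to yes")
        if entry["excludes"]:
            issues.append("exclude entries override the setting: " + ", ".join(sorted(entry["excludes"])))
        if issues:
            findings[key] = issues
    return findings

if __name__ == "__main__":
    for (gateway, config), issues in audit(SAMPLE).items():
        for issue in issues:
            print(f"{gateway} / {config}: {issue}")
```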
 
 
 
 


Additional Information
For full documentation on how to configure the GlobalProtect infrastructure for the 9.0 environment, please refer to the following documentation listed here.
For additional information regarding split tunneling, please refer to the following documentation listed here.

