"No direct access to local network" configured with split tunnel

46266
Created On 04/01/21 21:54 PM - Last Modified 03/14/25 21:16 PM


Symptom


When 'No direct access to local network' is configured simultaneously with split tunnel, traffic for the excluded lists egresses the physical interface and not the GlobalProtect tunnel.



Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • GlobalProtect 5.0.2+ 
  • Windows OS and MacOS
  • Split tunnel configuration 


Resolution


NOTE: In all the case scenarios demonstrated below, the physical adapter IP address is '172.16.0.11' and the GlobalProtect IP address is '192.168.1.3'.

  1. 'No direct access to local network' configured with excluded routes.

User-added image

  2. The routing table shows the excluded routes pointing to the physical interface with a route metric of '6'. Because excluded routes are more specific than the default route, they take priority over it, so traffic destined to these IP addresses egresses the physical adapter.

User-added image

  3. Packet capture for both the physical and the GlobalProtect virtual interface. Traffic destined to 216.58.213.14 is sourced from the physical interface IP 172.16.0.11, which is expected behavior.

User-added image

  4. 'No direct access to local network' configured with an excluded domain and/or application process name.

User-added image

  5. The routing table has a default route with metric '1' pointing to the GlobalProtect tunnel interface.

User-added image

  6. The image below illustrates the DNS query and response for the excluded domain 'facebook.com'.

User-added image

  7. PanGPS.log shows that 'facebook.com' matches the excluded domain list, and therefore traffic destined to 31.13.88.35 is bound to the physical adapter 172.16.0.11.
(P1552-T4440)Dump (  91): 04/01/21 08:13:26:672 Received DNS request for facebook.com with type 1
(P1552-T4440)Dump (1429): 04/01/21 08:13:26:672 Domain name facebook.com matches exclude wildcard domain
(P1552-T4440)Dump ( 793): 04/01/21 08:13:26:672 SP added an exclude ip 31.13.88.35, port 0, ttl 300 for domain facebook.com, original ttl=300, infinite ttl=no
(P1552-T4440)Dump ( 847): 04/01/21 08:13:26:672 call SPSetParameters to set 1 exclude IPs
(P1552-T4440)Dump ( 275): 04/01/21 08:13:26:672 iTimeOut=300
(P1552-T4440)Dump (1357): 04/01/21 08:13:26:672 ST,argc=6, remote-bind 
(P1552-T4440)Dump (2694): 04/01/21 08:13:26:672 ST,shouldCacheCommand return false 
(P1552-T4440)Dump (1938): 04/01/21 08:13:26:672 ST,remote ip address is 31.13.88.35, port=0, bind local address is 172.16.0.11

  8. The DNS query and response for the excluded application 'zoom.us'.

User-added image

  9. Packet capture shows that traffic for the application 'zoom.us' destined to 52.202.62.250 is sourced from the physical interface.

User-added image
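The route-selection reasoning in steps 2 and 5 (a /32 excluded route with a worse metric still beats the tunnel's default route because it is more specific; metric only breaks ties between equally specific prefixes) can be reproduced with a small longest-prefix-match lookup. The following Python is an added example, not code from the article or from Palo Alto Networks; the route table is constructed to mirror the article's scenario (physical adapter 172.16.0.11, tunnel 192.168.1.3, excluded route with metric 6, tunnel default with metric 1), and the physical adapter's own default route with metric 35 is an assumed value not shown on the page.

```python
import ipaddress

# Constructed routing table modelled on the article's scenario.
# Each entry is (destination prefix, egress interface IP, metric).
ROUTES = [
    ("0.0.0.0/0", "192.168.1.3", 1),         # default route via the GlobalProtect tunnel (metric 1, as in the article)
    ("0.0.0.0/0", "172.16.0.11", 35),        # physical adapter's default route; metric 35 is an assumed value
    ("216.58.213.14/32", "172.16.0.11", 6),  # excluded route pushed to the client (metric 6, as in the article)
]


def select_route(dest, routes=ROUTES):
    """Pick the route for `dest` the way a host routing table does:
    longest prefix wins; among equal prefix lengths, the lowest metric wins.
    Returns (prefix, interface_ip, metric) or None when nothing matches."""
    addr = ipaddress.ip_address(dest)
    best_key, best_route = None, None
    for prefix, iface, metric in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        # Higher prefix length first, then lower metric (negated so max() works).
        key = (net.prefixlen, -metric)
        if best_key is None or key > best_key:
            best_key, best_route = key, (prefix, iface, metric)
    return best_route


def egress_interface(dest, routes=ROUTES):
    """Interface IP a packet to `dest` would be sourced from, or None."""
    route = select_route(dest, routes)
    return route[1] if route else None


def explain(dest, routes=ROUTES):
    """Human-readable summary of why a destination egresses where it does."""
    route = select_route(dest, routes)
    if route is None:
        return f"{dest}: no route"
    prefix, iface, metric = route
    via = "tunnel" if iface == "192.168.1.3" else "physical adapter"
    return f"{dest}: matched {prefix} (metric {metric}) -> {via} {iface}"


if __name__ == "__main__":
    # The excluded host leaves via the physical adapter despite the worse metric;
    # everything else follows the tunnel default route.
    for d in ("216.58.213.14", "8.8.8.8"):
        print(explain(d))
```

The point the lookup makes explicit: the metric 6 on the excluded route never competes with the metric 1 on the tunnel default, because prefix length is compared first. Lowering the tunnel route's metric cannot pull excluded destinations back into the tunnel.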
 

Note that this is expected behavior. Optimized split tunneling (i.e. domain-, application-, and video application-based split tunneling) is implemented by a filter driver that does not depend on the routing table; therefore 'No direct access to local network', which operates on routes, has no effect on this feature.
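Because the domain/application exclusions are applied by the filter driver rather than the routing table, the routing table alone will not tell an administrator which destinations bypass the tunnel; the PanGPS.log entries shown in step 7 do. The following Python is an added example, not a Palo Alto Networks tool, that extracts the exclusion and bind records from such log lines. The sample log text is constructed in the format shown in the article, reusing its domain and addresses; the message formats matched by the regular expressions are assumed to be stable across versions.

```python
import re

# Constructed PanGPS.log excerpt in the format shown in the article (same domain and IPs).
SAMPLE_LOG = """\
(P1552-T4440)Dump (  91): 04/01/21 08:13:26:672 Received DNS request for facebook.com with type 1
(P1552-T4440)Dump (1429): 04/01/21 08:13:26:672 Domain name facebook.com matches exclude wildcard domain
(P1552-T4440)Dump ( 793): 04/01/21 08:13:26:672 SP added an exclude ip 31.13.88.35, port 0, ttl 300 for domain facebook.com, original ttl=300, infinite ttl=no
(P1552-T4440)Dump ( 847): 04/01/21 08:13:26:672 call SPSetParameters to set 1 exclude IPs
(P1552-T4440)Dump (1938): 04/01/21 08:13:26:672 ST,remote ip address is 31.13.88.35, port=0, bind local address is 172.16.0.11
"""

# "SP added an exclude ip <ip>, port <port>, ttl <ttl> for domain <domain>, ..."
EXCLUDE_RE = re.compile(
    r"SP added an exclude ip (?P<ip>[\d.]+), port (?P<port>\d+), ttl (?P<ttl>\d+)"
    r" for domain (?P<domain>[^,\s]+)"
)
# "ST,remote ip address is <ip>, port=<port>, bind local address is <local>"
BIND_RE = re.compile(
    r"remote ip address is (?P<ip>[\d.]+), port=(?P<port>\d+), bind local address is (?P<local>[\d.]+)"
)


def parse_exclusions(log_text):
    """Map each excluded IP to the domain that produced it, the TTL the client
    will honour, and the local adapter address the traffic was bound to."""
    records = {}
    for line in log_text.splitlines():
        m = EXCLUDE_RE.search(line)
        if m:
            rec = records.setdefault(m["ip"], {"domain": None, "ttl": None, "bound_to": None})
            rec["domain"] = m["domain"]
            rec["ttl"] = int(m["ttl"])
            continue
        m = BIND_RE.search(line)
        if m:
            rec = records.setdefault(m["ip"], {"domain": None, "ttl": None, "bound_to": None})
            rec["bound_to"] = m["local"]
    return records


def bypassing_tunnel(log_text, physical_ip):
    """Sorted list of excluded IPs whose sockets were bound to the physical adapter,
    i.e. destinations that leave the endpoint outside the GlobalProtect tunnel."""
    return sorted(
        ip for ip, rec in parse_exclusions(log_text).items() if rec["bound_to"] == physical_ip
    )


if __name__ == "__main__":
    for ip, rec in parse_exclusions(SAMPLE_LOG).items():
        print(f"{ip}: domain={rec['domain']} ttl={rec['ttl']} bound_to={rec['bound_to']}")
    print("bypassing tunnel via 172.16.0.11:", bypassing_tunnel(SAMPLE_LOG, "172.16.0.11"))
```

Run it against a real PanGPS.log by reading the file into `parse_exclusions`; a destination that appears with `bound_to` equal to the physical adapter address is bypassing the tunnel by design of the exclusion list, not because of the routing table.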



Additional Information


  • The 'No direct access to local network' feature in GlobalProtect blocks outgoing connections from the endpoint to the local subnet over the physical network adapter once the GlobalProtect tunnel has been established.
  • The GlobalProtect application does not block incoming connections.
  • On Windows OS, when 'No direct access to local network' is enabled and domain/application split tunnel is not configured, the GlobalProtect client enables "weak-host-send" (a Windows feature) on the physical adapter. This causes the response packet for incoming traffic to be sent through the tunnel, and hence the connection cannot be established.
  • MacOS does not have such a feature; therefore incoming connections will work.
  • If there is a requirement to block incoming connections, the recommendation is to use the native OS firewall on the endpoint or another endpoint firewall product.
  • Refer to the following link for more details about traffic behavior depending on whether direct access to local networks is enabled or disabled.


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001V2dCAE&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail