Configuration Steps to Mitigate Against Bypassing GlobalProtect Tunnels

The purpose of this document is to provide guidance on how to configure Palo Alto Networks Firewalls to mitigate attacks on GlobalProtect VPN tunnels while end users are on rogue Wi-Fi Networks. See Palo Alto Network Security Advisory: https://security.paloaltonetworks.com/PAN-SA-2023-0004

Configuration Steps for Mitigation:

Please use below mitigation steps on your GlobalProtect gateway for the LocalNet & Server IP attacks.
 

• These allow an attacker to take advantage of local network access features in multiple vendor VPN clients to access unencrypted traffic.
• Such attacks are completely mitigated by enabling the "No direct access to local network" feature in the Split Tunnel tab on the GlobalProtect gateway. 
• Configuration Path: Network -> GlobalProtect -> Gateways -> (Gateway-config) -> Agent -> (Agent-config) -> Client Settings -> (Configs) -> Split Tunnel -> Access Route

Note: Enabling "No direct access to local network" prevents end users from connecting to local LAN devices such as home printers, network storage, or streaming devices. 

• You can configure exceptions for specific users, operating systems, source addresses, destination domains, and applications by following the instructions provided in the below document:
  Configure a Split Tunnel Based on Access Route
• Here is an example of how you can allow access to a home printer (IP: 192.168.1.5) for a specific user group “Managers” while also preventing users from connecting to other local LAN devices.

• This attack allows an attacker to intercept traffic sent to a spoofed VPN gateway via DNS spoofing attacks on an attacker-controlled rogue Wi-Fi network.
• ServerIP attacks are completely mitigated by setting an IP address instead of an FQDN for the gateway configuration.
• Configuration Path:  Network -> GlobalProtect -> Portals -> (Portal-config) -> Agent -> (Agent-config) -> Client Settings

• Note: When you change Gateway address from FQDN to an IP address, Gateway certificates will also need to be updated to include the IP address as a Subject Alternate Name (SAN) or as a common name (CN). Otherwise you will see certificate errors when connecting to Gateway and the Gateway connection may fail.
• Since SAN or CN in an existing certificate cannot be modified, you will have to create a new certificate to include Gateway IP address as a Subject Alternate Name (SAN) or a CN. We recommend including Gateway IP address in SAN as shown below.
• Configuration Path: Device -> Certificate Management -> Certificates

• Replace the old Gateway certificate with the new Gateway certificate in the SSL/TLS certificate profile used for GlobalProtect Gateway.
• Configuration Path: Device-> Certificate Management -> SSL/TLS Service Profile