Main differences between 3 of GlobalProtect's features, for network traffic security.

Main differences between 3 of GlobalProtect's features, for network traffic security.

1615
Created On 07/25/25 17:41 PM - Last Modified 08/07/25 07:54 AM


Question


What are the key differences and their purpose, for GlobalProtect's features “Enforce GlobalProtect Connection for Network Access”, “No direct access to local network” and "Endpoint Traffic Policy Enforcement"?

Environment


  • Any Platform.
  • PAN-OS 8.0+
  • GP Versions:
    • Enforce GlobalProtect Connection for Network Access:
      • GP version 3.1+
    • No Direct Access to Local Network:
      • GP version 4.0+
    • Endpoint Traffic Policy Enforcement:
      • GP version 6.0+

Answer


The key differences between these three features reside mainly, in where and at what stage of the GP VPN connection process they are used: 

  • Enforce GlobalProtect Connection:

    • Ensures that the GP VPN must be on, by blocking ALL network access until GP VPN is connected.

    • After GP VPN is connected, Split-tunneling rules will apply.

    • Only active before GP VPN is connected.

  • No Direct Access to Local Network:

    • Once GP VPN is connected, this feature builds a wall by isolating the device from its local network. 

    • Only active after GP VPN is connected.

  • Endpoint Traffic Policy Enforcement:

    • This feature provides a higher level of assurance by policing the device itself to ensure that no "backdoors" are created to get around the wall and the mandatory GP VPN connection.

    • For example, it will block any changes to the endpoint's route table. 

    • Only active after GP VPN is connected.

Additional Information


Summary Table:

Feature:Primary Function:Scope:Key Use Case:Connection State:
Enforce GlobalProtect Connection for Network AccessBlocks all network traffic when the GP VPN is not connected.Broad, all-or-nothing control of network access.Ensuring corporate devices always use the GP VPN for any network activity.Pre GP-VPN Connection
No direct access to local networkOnce GP VPN is connected, it prevents the endpoint from communicating with any other devices on the local network.Split-tunneling rules will still apply.Mitigating risks associated with split-tunneling by isolating the endpoint.Post GP-VPN Connection
Endpoint Traffic Policy EnforcementPrevents applications and users from bypassing the VPN tunnel through advanced methods (i.e. routing table modification).Granular and robust control over all endpoint traffic flow.Isolating the endpoint from its local network, to ensure that all traffic goes through the GP VPN.Post GP-VPN Connection

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1Ki000000TNevKAG&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail