>
    Strata Copilot
    Configure GlobalProtect to Disable Direct Access to the Local Network
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Advanced Deployments
    5. Prisma Access Mobile Users—GlobalProtect Advanced Deployments
    6. Sinkhole IPv6 Traffic in Mobile Users—GlobalProtect Deployments
    7. Configure GlobalProtect to Disable Direct Access to the Local Network
    Download PDF
    Prisma Access

    Configure GlobalProtect to Disable Direct Access to the Local Network

    Table of Contents

    Configure GlobalProtect to Disable Direct Access to the Local Network

    Configure GlobalProtect to disable direct access to the local network.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Panorama)
    • Prisma Access license
    • Supported on all macOS and Windows GlobalProtect endpoints. Supported on Linux endpoints beginning with GlobalProtect app version 6.0.0.
    To make sure that all mobile user traffic is sent to Prisma Access, you can completely disable outgoing connections, including local subnet traffic, from being sent to the local adapter. You can deactivate all outgoing connections to the local adapter by making configuration changes to the GlobalProtect gateway.
    You can perform these steps on Panorama or on an on-premises firewall that has been configured as a GlobalProtect gateway.
    Enable the No direct access to local network setting to reduce risks in untrusted networks such as rogue Wi-Fi access points.
    1. Select NetworkGlobalProtectGateways.
    2. Select an existing GlobalProtect gateway or Add a new one.
    3. Select AgentClient Settings.
    4. Select the DEFAULT configuration or Add a new one.
    5. Select Split Tunnel; then, select No direct access to local network.
      Disabling local network access causes all traffic, including IPv4 and IPv6 traffic, from being sent to the local adapter. In addition, you won't be able to access resources on your local subnet, such as printers. Split tunnel traffic based on access route, destination domain, and application still works as expected.
    6. (Panorama and Prisma Access deployments only) Commit your changes locally to make them active in Panorama.
      1. Select CommitCommit to Panorama.
      2. Make sure that your change is part of the Commit Scope.
      3. Click OK to save your changes to the push scope.
      4. Commit your changes.
    7. Commit and Push your changes to make them active in Prisma Access.

    © 2026 Palo Alto Networks, Inc. All rights reserved.