GlobalProtect
No Direct Access to Local Network Support for Linux
Table of Contents
No Direct Access to Local Network Support for Linux
Software Support: Starting with GlobalProtect™
app 6.0 and running PAN-OS 9.1.0 and later releases.
OS
Support: Linux (CentOS, Red Hat
Enterprise Linux (RHEL), and Ubuntu)
You can now enable or
disable local network access whenever end users are connected to
GlobalProtect for Linux endpoints. You can configure the access
route to define the specific destination IP subnet traffic that
is sent (or not sent) over the VPN tunnel for Linux endpoints. Local
routes take precedence over routes sent from the gateway. Therefore,
end users can reach proxies and local resources (such as local printers)
directly without sending any local subnet traffic through the VPN tunnel.
By configuring traffic by access routes, you can send latency sensitive
or high bandwidth consuming traffic outside of the VPN tunnel while
routing all other traffic through the VPN for inspection and policy
enforcement by the GlobalProtect gateway. By disabling the split
tunnel, you can force all traffic (including local subnet traffic)
to go through the VPN tunnel for inspection and policy enforcement.
The
following diagram illustrates the challenges of remote end users
unable to access proxies and local resources (such as local printers)
directly when all traffic is going through the VPN tunnel for inspection
and policy enforcement while connected to GlobalProtect.
You can consider the IPv4 and IPv6 traffic behavior based
on whether you enable or disable direct access to local networks.
- Before you begin:
- Launch the Web Interface.
- Configure a GlobalProtect gateway.
- Select to modify an existing gateway or add a new one.
- Enable a split tunnel.
- In the GlobalProtect Gateway Configuration dialog, select to enable Tunnel Mode.
- Configure the tunnel parameters for the GlobalProtect app.
- (Tunnel Mode only) Disable the split tunnel
to ensure that all traffic (including local subnet traffic) goes
through the VPN tunnel for inspection and policy enforcement.
- In the GlobalProtect Gateway Configuration dialog, select to select an existing client settings configuration or add a new one.
- Select and then enable
the No direct access to local network option.If you enable this option, direct access to local network is disabled and users cannot send traffic directly to proxies or local resources while connected to GlobalProtect. Split tunnel traffic based on access route, destination domain, and application still works as expected.
- (Tunnel Mode only) Configure split tunnel settings based
on the access route.You can route certain traffic to be included or excluded from the tunnel by specifying the destination subnets or address object (of type IP Netmask).
- In the GlobalProtect Gateway Configuration dialog, select to select an existing client settings configuration or add a new one.
- Configure any of the following access route-based Split
Tunnel settings ():
- In the Include area, Add the destination subnets or address object (of type IP Netmask) to route only certain traffic destined for your LAN to GlobalProtect. You can include IPv6 or IPv4 subnets.The firewall supports up to 100 include access routes in a split tunnel gateway configuration.
- In the Exclude area, Add the destination subnets or address object (of type IP Netmask) that you want the app to exclude. Excluded routes should be more specific than the included routes; otherwise, you may exclude more traffic than intended. You can exclude IPv6 or IPv4 subnets. The firewall supports up to 100 exclude access routes in a split tunnel gateway configuration.
- Click OK to save the split tunnel configuration.
- Save the gateway configuration.
- Click OK to save the settings.
- Commit the changes.
- Verify that the GlobalProtect app for Linux no longer
has access to the local network.To verify this, check the routing table and notice that the local route is shadowed as in the following example.
