No Direct Access to Local Network Support for Linux
Software Support: Starting with GlobalProtect™
app 6.0 and running PAN-OS 9.1.0 and later releases.
OS
Support: Linux (CentOS, Red Hat
Enterprise Linux (RHEL), and Ubuntu)
You can now enable or
disable local network access whenever end users are connected to
GlobalProtect for Linux endpoints. You can configure the access
route to define the specific destination IP subnet traffic that
is sent (or not sent) over the VPN tunnel for Linux endpoints. Local
routes take precedence over routes sent from the gateway. Therefore,
end users can reach proxies and local resources (such as local printers)
directly without sending any local subnet traffic through the VPN tunnel.
By configuring traffic by access routes, you can send latency sensitive
or high bandwidth consuming traffic outside of the VPN tunnel while
routing all other traffic through the VPN for inspection and policy
enforcement by the GlobalProtect gateway. By disabling the split
tunnel, you can force all traffic (including local subnet traffic)
to go through the VPN tunnel for inspection and policy enforcement.
The
following diagram illustrates the challenges of remote end users
unable to access proxies and local resources (such as local printers)
directly when all traffic is going through the VPN tunnel for inspection
and policy enforcement while connected to GlobalProtect.
You can consider the IPv4 and IPv6 traffic behavior based
on whether you enable or disable direct access to local networks.
(Tunnel Mode only) Disable the split tunnel
to ensure that all traffic (including local subnet traffic) goes
through the VPN tunnel for inspection and policy enforcement.
In the GlobalProtect Gateway Configuration dialog,
select AgentClient Settings<client-setting-config> to select
an existing client settings configuration or add a new one.
Select Split TunnelAccess Route and then enable
the No direct access to local network option.
If you enable this option, direct access to local
network is disabled and users cannot send traffic directly to proxies
or local resources while connected to GlobalProtect. Split tunnel
traffic based on access route, destination domain, and application
still works as expected.
(Tunnel Mode only) Configure split tunnel settings based
on the access route.
You can route certain traffic to be included or excluded
from the tunnel by specifying the destination subnets or address
object (of type IP Netmask).
In the GlobalProtect Gateway Configuration dialog,
select AgentClient Settings<client-setting-config> to select
an existing client settings configuration or add a new one.
Configure any of the following access route-based Split
Tunnel settings (Split TunnelAccess Route):
In the Include area, Add the
destination subnets or address object (of type IP Netmask)
to route only certain traffic destined for your LAN to GlobalProtect.
You can include IPv6 or IPv4 subnets.
The firewall supports
up to 100 include access routes in a split tunnel gateway configuration.
In the Exclude area, Add the
destination subnets or address object (of type IP Netmask)
that you want the app to exclude. Excluded routes should be more
specific than the included routes; otherwise, you may exclude more
traffic than intended. You can exclude IPv6 or IPv4 subnets. The
firewall supports up to 100 exclude access routes in a split tunnel
gateway configuration.
Click OK to save the split
tunnel configuration.
Save the gateway configuration.
Click OK to save
the settings.
Commit the changes.
Verify that the GlobalProtect app for Linux no longer
has access to the local network.
To verify this, check the routing table and notice that
the local route is shadowed as in the following example.