No Direct Access to Local Network Support for Linux
Focus
Focus
GlobalProtect

No Direct Access to Local Network Support for Linux

Table of Contents

No Direct Access to Local Network Support for Linux

Software Support: Starting with GlobalProtect™ app 6.0 and running PAN-OS 9.1.0 and later releases.
OS Support: Linux (CentOS, Red Hat Enterprise Linux (RHEL), and Ubuntu)
You can now enable or disable local network access whenever end users are connected to GlobalProtect for Linux endpoints. You can configure the access route to define the specific destination IP subnet traffic that is sent (or not sent) over the VPN tunnel for Linux endpoints. Local routes take precedence over routes sent from the gateway. Therefore, end users can reach proxies and local resources (such as local printers) directly without sending any local subnet traffic through the VPN tunnel. By configuring traffic by access routes, you can send latency sensitive or high bandwidth consuming traffic outside of the VPN tunnel while routing all other traffic through the VPN for inspection and policy enforcement by the GlobalProtect gateway. By disabling the split tunnel, you can force all traffic (including local subnet traffic) to go through the VPN tunnel for inspection and policy enforcement.
The following diagram illustrates the challenges of remote end users unable to access proxies and local resources (such as local printers) directly when all traffic is going through the VPN tunnel for inspection and policy enforcement while connected to GlobalProtect.
You can consider the IPv4 and IPv6 traffic behavior based on whether you enable or disable direct access to local networks.
  1. Before you begin:
    1. Launch the Web Interface.
    2. Configure a GlobalProtect gateway.
    3. Select NetworkGlobalProtectGateways <<gateway-config> to modify an existing gateway or add a new one.
  2. Enable a split tunnel.
    1. In the GlobalProtect Gateway Configuration dialog, select AgentTunnel Settings to enable Tunnel Mode.
    2. Configure the tunnel parameters for the GlobalProtect app.
  3. (Tunnel Mode only) Disable the split tunnel to ensure that all traffic (including local subnet traffic) goes through the VPN tunnel for inspection and policy enforcement.
    1. In the GlobalProtect Gateway Configuration dialog, select AgentClient Settings<client-setting-config> to select an existing client settings configuration or add a new one.
    2. Select Split TunnelAccess Route and then enable the No direct access to local network option.
      If you enable this option, direct access to local network is disabled and users cannot send traffic directly to proxies or local resources while connected to GlobalProtect. Split tunnel traffic based on access route, destination domain, and application still works as expected.
  4. (Tunnel Mode only) Configure split tunnel settings based on the access route.
    You can route certain traffic to be included or excluded from the tunnel by specifying the destination subnets or address object (of type IP Netmask).
    1. In the GlobalProtect Gateway Configuration dialog, select AgentClient Settings<client-setting-config> to select an existing client settings configuration or add a new one.
    2. Configure any of the following access route-based Split Tunnel settings (Split TunnelAccess Route):
      • In the Include area, Add the destination subnets or address object (of type IP Netmask) to route only certain traffic destined for your LAN to GlobalProtect. You can include IPv6 or IPv4 subnets.
        The firewall supports up to 100 include access routes in a split tunnel gateway configuration.
      • In the Exclude area, Add the destination subnets or address object (of type IP Netmask) that you want the app to exclude. Excluded routes should be more specific than the included routes; otherwise, you may exclude more traffic than intended. You can exclude IPv6 or IPv4 subnets. The firewall supports up to 100 exclude access routes in a split tunnel gateway configuration.
    3. Click OK to save the split tunnel configuration.
  5. Save the gateway configuration.
    1. Click OK to save the settings.
    2. Commit the changes.
  6. Verify that the GlobalProtect app for Linux no longer has access to the local network.
    To verify this, check the routing table and notice that the local route is shadowed as in the following example.