Endpoint Traffic Policy Enforcement
Focus
Focus
GlobalProtect

Endpoint Traffic Policy Enforcement

Table of Contents

Endpoint Traffic Policy Enforcement

Learn how to prevent users from bypassing GlobalProtect using the physical adapter.
Software Support: Starting with GlobalProtect™ app 6.0 with Content Release version 8450-6909 or later.
OS Support: Windows 10, ARM64-Based Windows 10, macOS 11 and later releases, and ARM-Based macOS 11 and later releases
With the Endpoint Traffic Policy Enforcement feature, GlobalProtect now provides added security to protect your remote workforce. By enforcing endpoint traffic policy on the GlobalProtect endpoint, you can now perform the following functions:
  • Block malicious inbound connections outside of the VPN tunnel to guard against data exfiltration.
  • Restrict any applications from bypassing the GlobalProtect tunnel by binding their connections directly to the physical adapter on the remote endpoint.
  • Prevent end users from tampering with the routing table to bypass the GlobalProtect tunnel.
The following diagram illustrates the scenarios for enforcing endpoint traffic policy to block malicious inbound connections and to prevent bypassing the IPSec or SSL tunnel that GlobalProtect builds to Prisma Access or to a gateway on the NGFW:
  • The attacker can attempt to have malicious inbound connections to the remote endpoint.
  • A malicious actor can attempt to perform an act within the same local network as the remote GlobalProtect endpoint.
  • An application can attempt to bind the connection directly to the physical adapter on the remote user's endpoint.

Configure Endpoint Traffic Enforcement

Configure endpoint traffic policy enforcement to block malicious inbound connections using the physical adapter on the remote endpoint and prevent users from accessing unauthorized applications or resources after the GlobalProtect tunnel is established.
  1. Enable Endpoint Traffic Policy Enforcement.
    1. Launch the Web Interface.
    2. Select NetworkGlobalProtectPortals<portal-config> Agent<agent-config> AppEndpoint Traffic Policy Enforcement.
    3. Select one of the following endpoint traffic policy enforcement options:
      OptionDescription
      No
      Specifies that the Endpoint Traffic Policy Enforcement feature is disabled and that this feature is not applied. This is the default option.
      TCP/UDP Traffic Based on Tunnel IP Address Type
      Enables endpoint traffic policy enforcement for TCP/UDP traffic. This feature is enabled for traffic based on the tunnel IP address type. If the tunnel is IPv4, this feature applies only to IPv4 traffic. If the tunnel is IPv6, this features applies only to IPv6 traffic.
      All TCP/UDP Traffic
      Enables endpoint traffic policy enforcement for all TCP/UDP traffic regardless of the tunnel IP address type. If the tunnel IP address type is IPv4, endpoint traffic policy enforcement applies to all TCP/UDP (IPv4 or IPv6) traffic. If the tunnel IP address type is IPv6, endpoint traffic policy enforcement applies to all TCP/UDP (IPv4 or IPv6) traffic.
      All Traffic
      Enables endpoint traffic policy enforcement for all TCP, UDP, ICMP, and all other protocols regardless of the tunnel IP address type.
  2. Save the configuration.
    1. Click OK twice.
    2. Commit the configuration.
  3. Verify the endpoint traffic policy enforcement configuration.
    You can verify the endpoint traffic policy enforcement option in the GlobalProtect service (PanGPS) log file.
    The following example shows the entry in the PanGPS log file:
    <traffic-enforcement>tcp-udp-with-tunnel-address-type</traffic-enforcement>
    To verify that the feature is working as expected generate a packet capture on both the physical adapter and the GlobalProtect adapter from the client machine while connected to GlobalProtect and then try to access any websites or resources to verify that the traffic is being enforced as expected based on your configuration.

Endpoint Traffic Enforcement with No Direct Access to Local Network

You can use Endpoint Traffic Policy Enforcement in conjunction with No Direct Access to Local Network Support to control access to the local network. The following table shows the traffic behavior and interaction between the features.
IPv4 and IPv6 Traffic
Endpoint Traffic Policy Enforcement Enabled
No Direct Access to Local Network is Disabled
Endpoint Traffic Policy Enforcement Enabled
No Direct Access to Local Network is Enabled
Before the tunnel is established
After the tunnel is established
Before the tunnel is established
After the tunnel is established
New Incoming Traffic
Traffic is allowed on the local subnet through the physical adapter.
Local subnet traffic is excluded. Return traffic from the local subnet will not be dropped on the non-tunnel interface.
Traffic is allowed on the local subnet through the physical adapter.
Return traffic is dropped on the physical adapter unless split tunneling is configured to exclude traffic based on the following conditions:
  • Access routes
  • (Windows Only) Applications
  • Exclude video streaming traffic
New Outgoing Traffic
Traffic is allowed on the local subnet through the physical adapter.
Traffic is sent through the VPN tunnel unless the destination IP address matches the following exclusions for split tunnel:
  • Access routes
  • Destination domains and applications
  • Exclude video streaming traffic
  • Destined for the local subnet that is retrieved at the time that the tunnel is established
Traffic is allowed on the local subnet through the physical adapter.
Traffic is sent through the VPN tunnel unless the destination IP address matches the following exclusions for split tunnel:
  • Access routes
  • Destination domains and applications
  • Exclude video streaming traffic
Existing Traffic
Traffic is allowed on the local subnet through the physical adapter.
Traffic is terminated unless the destination IP address matches the following exclusions for split tunnel:
  • Access routes
  • Destination domains 1
  • (Windows Only) Applications
  • Exclude video streaming traffic
  • Destined for the local subnet that is retrieved at the time that the tunnel is established.
Traffic is allowed on the local subnet through the physical adapter.
Traffic is terminated unless the destination IP address matches the following exclusions for split tunnel:
  • Access routes
  • Destination domains1
  • (Windows Only) Applications
  • Exclude video streaming traffic
1 The destination domains will not work for existing connections that started before establishing the GlobalProtect connection because GlobalProtect does not have visibility that is associated with the DNS. However, this traffic behavior will work for existing connections across GlobalProtect reconnections because GlobalProtect can monitor the DNS during the reconnect interval.

Endpoint Traffic Policy Enforcement Use Cases

Endpoint Traffic Policy Enforcement supports the following use cases:

Prevent All Traffic from Bypassing the Tunnel

No traffic can bypass the tunnel after establishing incoming or outgoing connections. When the No Direct Access to Local Networks feature is enabled in conjunction with the Endpoint Traffic Policy Enforcement feature being enabled, mobile users are unable to access proxies and local resources (such as local printers) directly when traffic is going through the VPN tunnel for inspection and policy enforcement while enabled on GlobalProtect.
  1. Enable No direct access to local network ( AgentClient Settings <client-setting-config>Split TunnelAccess Route).
  2. Set Endpoint Traffic Policy Enforcement to All Traffic.

Exclude High Bandwidth Consuming Domains While Preventing Local Subnet Traffic

By enabling the No Direct Access to Local Networks feature in conjunction with the Endpoint Traffic Policy Enforcement you can exclude high bandwidth consuming domains from the tunnel while blocking local subnet traffic. In this use case, mobile users cannot access proxies and local resources (such as local printers) directly when traffic is going through the VPN tunnel for inspection and policy enforcement while connected to GlobalProtect. By excluding split tunnel traffic based on the domain, all traffic for that specific domain is sent directly to the physical adapter on the endpoint without inspection.
  1. Enable No direct access to local network ( AgentClient Settings <client-setting-config>Split TunnelAccess Route).
  2. Configure split tunneling to exclude high-bandwidth traffic such as video from the tunnel.
  3. Set Endpoint Traffic Policy Enforcement to All Traffic.

Allow Local Traffic While Preventing Traffic on the Physical Adapter

Traffic is sent over the VPN tunnel and end users can access local resources (such as printers) directly. When the No Direct Access to Local Network Support feature is disabled in conjunction with the Endpoint Traffic Policy Enforcement feature being enabled, mobile users are able to access proxies and local resources (such as local printers) directly when all traffic is going through the VPN tunnel for inspection and policy enforcement while connected to GlobalProtect. If a malicious actor attempts to perform an act within the same local network as the remote GlobalProtect endpoint, malicious incoming connections can be sent directly to the physical adapter on the mobile user’s endpoint.
  1. Disable No direct access to local network ( AgentClient Settings <client-setting-config>Split TunnelAccess Route).
  2. Set Endpoint Traffic Policy Enforcement to All Traffic.

Exclude High Bandwidth Consuming Domains and Allow Access to Local Resources While Preventing Traffic on the Physical Adapter

High bandwidth consuming domains are excluded but end users can access local resources (such as local printers) directly and some traffic is sent through the VPN tunnel. When the No Direct Access to Local Network Support feature is disabled in conjunction with the Endpoint Traffic Policy Enforcement feature being either enabled or disabled, mobile users are able to access proxies and local resources (such as local printers) directly when traffic to the corporate network is going through the VPN tunnel for inspection and policy enforcement while enabled on GlobalProtect.
  1. Disable No direct access to local network ( AgentClient Settings <client-setting-config>Split TunnelAccess Route).
  2. Configure split tunneling to exclude high bandwidth consuming domains and applications, such as video.
  3. Set Endpoint Traffic Policy Enforcement to prevent All TCP/UDP Traffic, TCP/UDP Traffic Based on Tunnel IP Address Type, or All Traffic on the physical adapter.

Feature Limitations

The following limitations apply:
  • ICMP requests are not supported for domain- or app-based split tunneling or for enforcing endpoint traffic policy.
  • You cannot exclude split tunnel traffic based on server-side applications for incoming connections.
  • TCP handshake packets are bypassed. Some TCP ACK packets with no data might be seen in the packet capture (pcap) data.
  • Exclusions for destination domains might not work for new incoming connections without the DNS query or DNS response because GlobalProtect will not know the IP address of the destination domain.
  • (macOS only) Exclusions for applications will not work for new incoming connections and existing connections.
  • (macOS only) Traffic is allowed on TCP ports 53 and 5353.
  • (Windows only) DHCP traffic (UDP remote port 67) and DNS (UDP remote port 53) is allowed.
  • The feature cannot be used for bridge-mode networking or for Layer 2 controls. You can prohibit the use of bridge mode for Virtual Machine applications on your endpoints to workaround this limitation or use standard Layer 3 networking with NAT.