GlobalProtect
Endpoint Traffic Policy Enforcement
Table of Contents
Endpoint Traffic Policy Enforcement
Learn how to prevent users from bypassing GlobalProtect using the physical
adapter.
Software Support: Starting with GlobalProtect™
app 6.0 with Content Release version 8450-6909 or later.
OS
Support: Windows 10, ARM64-Based Windows 10, macOS 11 and later
releases, and ARM-Based macOS 11 and later releases
With the
Endpoint Traffic Policy Enforcement feature, GlobalProtect now provides
added security to protect your remote workforce. By enforcing endpoint traffic
policy on the GlobalProtect endpoint, you can now perform the following
functions:
- Block malicious inbound connections outside of the VPN tunnel to guard against data exfiltration.
- Restrict any applications from bypassing the GlobalProtect tunnel by binding their connections directly to the physical adapter on the remote endpoint.
- Prevent end users from tampering with the routing table to bypass the GlobalProtect tunnel.
The following diagram
illustrates the scenarios for enforcing endpoint traffic policy
to block malicious inbound connections and to prevent bypassing
the IPSec or SSL tunnel that GlobalProtect builds to Prisma Access
or to a gateway on the NGFW:
- The attacker can attempt to have malicious inbound connections to the remote endpoint.
- A malicious actor can attempt to perform an act within the same local network as the remote GlobalProtect endpoint.
- An application can attempt to bind the connection directly to the physical adapter on the remote user's endpoint.
Configure Endpoint Traffic Enforcement
Configure endpoint
traffic policy enforcement to block malicious inbound connections
using the physical adapter on the remote endpoint and prevent users
from accessing unauthorized applications or resources after the
GlobalProtect tunnel is established.
- Enable Endpoint Traffic
Policy Enforcement.
- Launch the Web Interface.
- Select .
- Select one of the following endpoint traffic policy
enforcement options:
Option Description No Specifies that the Endpoint Traffic Policy Enforcement feature is disabled and that this feature is not applied. This is the default option.TCP/UDP Traffic Based on Tunnel IP Address Type Enables endpoint traffic policy enforcement for TCP/UDP traffic. This feature is enabled for traffic based on the tunnel IP address type. If the tunnel is IPv4, this feature applies only to IPv4 traffic. If the tunnel is IPv6, this features applies only to IPv6 traffic.All TCP/UDP Traffic Enables endpoint traffic policy enforcement for all TCP/UDP traffic regardless of the tunnel IP address type. If the tunnel IP address type is IPv4, endpoint traffic policy enforcement applies to all TCP/UDP (IPv4 or IPv6) traffic. If the tunnel IP address type is IPv6, endpoint traffic policy enforcement applies to all TCP/UDP (IPv4 or IPv6) traffic.All Traffic Enables endpoint traffic policy enforcement for all TCP, UDP, ICMP, and all other protocols regardless of the tunnel IP address type.![]()
- Save the configuration.
- Click OK twice.
- Commit the configuration.
- Verify the endpoint traffic policy enforcement configuration.You can verify the endpoint traffic policy enforcement option in the GlobalProtect service (PanGPS) log file.The following example shows the entry in the PanGPS log file:<traffic-enforcement>tcp-udp-with-tunnel-address-type</traffic-enforcement>To verify that the feature is working as expected generate a packet capture on both the physical adapter and the GlobalProtect adapter from the client machine while connected to GlobalProtect and then try to access any websites or resources to verify that the traffic is being enforced as expected based on your configuration.
Endpoint Traffic Enforcement with No Direct Access to Local Network
You can use Endpoint
Traffic Policy Enforcement in conjunction with No Direct Access
to Local Network Support to control access to the local network.
The following table shows the traffic behavior and interaction between the
features.
IPv4 and IPv6 Traffic | Endpoint Traffic Policy Enforcement
Enabled No Direct Access to Local Network is Disabled | Endpoint Traffic Policy Enforcement
Enabled No Direct Access to Local Network is Enabled | ||
|---|---|---|---|---|
Before the tunnel is established | After the tunnel is established | Before the tunnel is established | After the tunnel is established | |
New Incoming Traffic | Traffic is allowed on the local subnet through
the physical adapter. | Local subnet traffic is excluded. Return
traffic from the local subnet will not be dropped on the non-tunnel interface. | Traffic is allowed on the local subnet through
the physical adapter. | Return traffic is dropped on the physical adapter
unless split tunneling is configured to exclude traffic based on
the following conditions:
|
New Outgoing Traffic | Traffic is allowed on the local subnet through
the physical adapter. | Traffic is sent through the VPN tunnel unless
the destination IP address matches the following exclusions for
split tunnel:
| Traffic is allowed on the local subnet through
the physical adapter. | Traffic is sent through the VPN tunnel unless the
destination IP address matches the following exclusions for split tunnel:
|
Existing Traffic | Traffic is allowed on the local subnet through
the physical adapter. | Traffic is terminated unless the destination
IP address matches the following exclusions for split tunnel:
| Traffic is allowed on the local subnet through
the physical adapter. | Traffic is terminated unless the destination
IP address matches the following exclusions for split tunnel:
|
1 The destination domains will not
work for existing connections that started before establishing the
GlobalProtect connection because GlobalProtect does not have visibility
that is associated with the DNS. However, this traffic behavior will
work for existing connections across GlobalProtect reconnections
because GlobalProtect can monitor the DNS during the reconnect interval.
Endpoint Traffic Policy Enforcement Use Cases
Endpoint Traffic
Policy Enforcement supports the following use cases:
Prevent All Traffic from Bypassing the Tunnel
No traffic can
bypass the tunnel after establishing incoming or outgoing connections.
When the No Direct Access to Local Networks feature is enabled in
conjunction with the Endpoint Traffic Policy Enforcement feature
being enabled, mobile users are unable to access proxies and local
resources (such as local printers) directly when traffic is going
through the VPN tunnel for inspection and policy enforcement while
enabled on GlobalProtect.
- Enable No direct access to local network ( ).
- Set Endpoint Traffic Policy Enforcement to All Traffic.
Exclude High Bandwidth Consuming Domains While Preventing Local Subnet Traffic
By enabling the
No Direct Access to Local Networks feature in conjunction with the
Endpoint Traffic Policy Enforcement you can exclude high bandwidth
consuming domains from the tunnel while blocking local subnet traffic.
In this use case, mobile users cannot access proxies and local resources
(such as local printers) directly when traffic is going through
the VPN tunnel for inspection and policy enforcement while connected
to GlobalProtect. By excluding split tunnel traffic based on the
domain, all traffic for that specific domain is sent directly to
the physical adapter on the endpoint without inspection.
- Enable No direct access to local network ( ).
- Configure split tunneling to exclude high-bandwidth traffic such as video from the tunnel.
- Set Endpoint Traffic Policy Enforcement to All Traffic.
Allow Local Traffic While Preventing Traffic on the Physical Adapter
Traffic is sent
over the VPN tunnel and end users can access local resources (such
as printers) directly. When the No Direct Access to Local Network
Support feature is disabled in conjunction with the Endpoint Traffic
Policy Enforcement feature being enabled, mobile users are able
to access proxies and local resources (such as local printers) directly
when all traffic is going through the VPN tunnel for inspection
and policy enforcement while connected to GlobalProtect. If a malicious
actor attempts to perform an act within the same local network as
the remote GlobalProtect endpoint, malicious incoming connections
can be sent directly to the physical adapter on the mobile user’s
endpoint.
- Disable No direct access to local network ( ).
- Set Endpoint Traffic Policy Enforcement to All Traffic.
Exclude High Bandwidth Consuming Domains and Allow Access to Local Resources While Preventing Traffic on the Physical Adapter
High bandwidth
consuming domains are excluded but end users can access local resources
(such as local printers) directly and some traffic is sent through
the VPN tunnel. When the No Direct Access to Local Network Support feature
is disabled in conjunction with the Endpoint Traffic Policy Enforcement
feature being either enabled or disabled, mobile users are able
to access proxies and local resources (such as local printers) directly
when traffic to the corporate network is going through the VPN tunnel
for inspection and policy enforcement while enabled on GlobalProtect.
- Disable No direct access to local network ( ).
- Configure split tunneling to exclude high bandwidth consuming domains and applications, such as video.
- Set Endpoint Traffic Policy Enforcement to prevent All TCP/UDP Traffic, TCP/UDP Traffic Based on Tunnel IP Address Type, or All Traffic on the physical adapter.
Feature Limitations
The following limitations
apply:
- ICMP requests are not supported for domain- or app-based split tunneling or for enforcing endpoint traffic policy.
- You cannot exclude split tunnel traffic based on server-side applications for incoming connections.
- TCP handshake packets are bypassed. Some TCP ACK packets with no data might be seen in the packet capture (pcap) data.
- Exclusions for destination domains might not work for new incoming connections without the DNS query or DNS response because GlobalProtect will not know the IP address of the destination domain.
- (macOS only) Exclusions for applications will not work for new incoming connections and existing connections.
- (macOS only) Traffic is allowed on TCP ports 53 and 5353.
- (Windows only) DHCP traffic (UDP remote port 67) and DNS (UDP remote port 53) is allowed.
- The feature cannot be used for bridge-mode networking or for Layer 2 controls. You can prohibit the use of bridge mode for Virtual Machine applications on your endpoints to workaround this limitation or use standard Layer 3 networking with NAT.