Hello all,
I had an argument a couple of days ago whether it's actually worth tunneling all internet traffic to the firewall vs split-tunneling. I always thought that the traditional approach would be best until I was told that this could be easily changed by adding a static route to the host device.
So I have tested it. I have configured a PA device without split tunneling and verified that I get internet through the Palo Alto firewall. Then I put a static route on my end host bypassing the tunnel, which worked!
I was aware that sometime in the past this could not have been achievable. What changed? Is there any VPN client that does not allow route manipulation?
TLDR: By using GlobalProtect someone can bypass the firewall by adding static routes on their workstation. Can this be avoided?
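One check a defender can run on the endpoint side of this question, added here as an example and not part of the original post or of GlobalProtect: it parses constructed `ip route show` output and flags any route that steers traffic around a full tunnel. The tunnel interface name, VPN gateway address and sample routing table are assumptions.

```python
import ipaddress

TUNNEL_IFACE = "tun0"         # assumed name of the VPN tunnel interface
VPN_GATEWAY = "203.0.113.10"  # assumed VPN gateway (documentation range)

# Constructed sample of `ip route show` output, not captured from a real host.
# The last line is a manually added static route that sidesteps the tunnel.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 dev tun0 scope link
128.0.0.0/1 dev tun0 scope link
203.0.113.10 via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
198.51.100.0/24 via 192.168.1.1 dev eth0
"""


def parse_routes(text):
    """Turn `ip route show` lines into dicts with net, dev and via fields."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if not f:
            continue
        dest = "0.0.0.0/0" if f[0] == "default" else f[0]
        routes.append({
            "net": ipaddress.ip_network(dest, strict=False),
            "dev": f[f.index("dev") + 1] if "dev" in f else None,
            "via": f[f.index("via") + 1] if "via" in f else None,
            "raw": line,
        })
    return routes


def find_bypass_routes(routes, tunnel_iface=TUNNEL_IFACE, vpn_gateway=VPN_GATEWAY):
    """Return raw lines of routes that bypass the tunnel. Tolerated off-tunnel
    entries: the default (shadowed by the tunnel's two /1 routes), the host
    route to the VPN gateway, and directly connected private LAN subnets."""
    gw = ipaddress.ip_address(vpn_gateway)
    flagged = []
    for r in routes:
        if r["dev"] == tunnel_iface or r["net"].prefixlen == 0:
            continue
        if r["net"].prefixlen == r["net"].max_prefixlen and gw in r["net"]:
            continue
        if r["via"] is None and r["net"].is_private:
            continue
        flagged.append(r["raw"])
    return flagged
```

Running the same audit from a host-checking or compliance agent, and alerting on any non-empty result, is one way to notice route manipulation that the client itself does not block.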