I’ve seen a production incident where sensitive corporate traffic
started going directly to the internet — without anyone realizing.
Root cause?
Wrong Split Tunnel configuration in GlobalProtect.
In Palo Alto GlobalProtect, the split tunnel configuration decides:
Which traffic goes through the VPN tunnel (and is therefore inspected by the firewall)
Which traffic bypasses the tunnel and the firewall entirely
The common mistake:
Only internal subnets were added to the include list.
Everything else — including SaaS, admin portals, and APIs —
went directly from user devices to the internet.
Why this is dangerous in production:
No security inspection (no IPS, URL filtering, or DLP) for the bypassed traffic
Users bypass corporate policies
Data exfiltration becomes invisible
SOC loses full traffic visibility
How to fix / design it properly:
Use full tunnel for high-risk users (admins, SOC, finance)
If using split tunnel:
Define an explicit exclude list (everything not listed still goes through the tunnel) rather than a loose include list (everything not listed leaks to the internet)
Always include SaaS, management, and cloud ranges
Validate on the endpoints themselves with route print (Windows) or netstat -rn (macOS/Linux): the protected prefixes must route via the tunnel interface, not the default gateway
Log GlobalProtect tunnel traffic separately so the SOC can monitor it
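The endpoint validation step above, as an added example that is not part of the original post: it parses a constructed Linux-style netstat -rn table, does the same longest-prefix match the kernel does, and reports every required prefix whose traffic would leave via something other than the tunnel interface. The interface names tun0 and wlan0, the required destination list, and the two routing tables are all assumptions built for the example (the SaaS/management/cloud prefixes are RFC 5737 documentation ranges, not real service IPs). It shows the "include-only" table beside the corrected one, and it tests both ends of each prefix so a route that covers only part of a required range is caught too.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# One parsed routing-table entry: the destination network and the egress interface.
Route = Tuple[ipaddress.IPv4Network, str]

# Constructed `netstat -rn` output (Linux column layout) from an endpoint whose
# split-tunnel include list holds only the RFC 1918 corporate ranges. The tunnel
# interface "tun0" and the wireless interface "wlan0" are assumed names.
BROKEN_NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
10.0.0.0        0.0.0.0         255.0.0.0       U         0 0          0 tun0
172.16.0.0      0.0.0.0         255.240.0.0     U         0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
"""

# Same endpoint after the include list was extended with the SaaS, management
# and cloud prefixes (constructed; RFC 5737 test ranges stand in for real ones).
FIXED_NETSTAT_RN = BROKEN_NETSTAT_RN + """\
192.0.2.0       0.0.0.0         255.255.255.0   U         0 0          0 tun0
198.51.100.10   0.0.0.0         255.255.255.255 UH        0 0          0 tun0
203.0.113.0     0.0.0.0         255.255.255.0   U         0 0          0 tun0
"""

# Destinations that policy says must traverse the tunnel (constructed placeholders).
REQUIRED_VIA_TUNNEL: Dict[str, str] = {
    "corp-intranet": "10.10.20.0/24",
    "saas-mail": "203.0.113.0/24",
    "fw-mgmt": "198.51.100.10/32",
    "cloud-api": "192.0.2.0/24",
}


def parse_netstat_rn(output: str) -> List[Route]:
    """Parse Linux-style `netstat -rn` output into (network, iface) pairs."""
    routes: List[Route] = []
    for line in output.splitlines():
        fields = line.split()
        # Skip the banner line, the column header, and anything that is not a route row.
        if len(fields) < 8 or fields[0] == "Destination":
            continue
        dest, genmask, iface = fields[0], fields[2], fields[-1]
        try:
            net = ipaddress.IPv4Network((dest, genmask), strict=False)
        except ValueError:
            continue  # not a parsable IPv4 destination/mask pair
        routes.append((net, iface))
    return routes


def lookup(routes: List[Route], ip: ipaddress.IPv4Address) -> Optional[Route]:
    """Longest-prefix match: the route the kernel would pick for a packet to `ip`."""
    best: Optional[Route] = None
    for net, iface in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def find_leaks(output: str, required: Dict[str, str], tunnel_iface: str) -> Dict[str, Optional[str]]:
    """Map each required destination to the non-tunnel interface it would leave on.

    Only destinations that do NOT go through `tunnel_iface` appear in the result;
    None means there is no matching route at all. Both the first and last address
    of each prefix are checked, so a route covering only part of the range is caught.
    """
    routes = parse_netstat_rn(output)
    leaks: Dict[str, Optional[str]] = {}
    for name, prefix in required.items():
        net = ipaddress.IPv4Network(prefix)
        for ip in (net.network_address, net.broadcast_address):
            match = lookup(routes, ip)
            iface = match[1] if match else None
            if iface != tunnel_iface:
                leaks[name] = iface
                break
    return leaks


if __name__ == "__main__":
    for label, table in (("include-only", BROKEN_NETSTAT_RN), ("corrected", FIXED_NETSTAT_RN)):
        leaks = find_leaks(table, REQUIRED_VIA_TUNNEL, "tun0")
        print(f"{label}: {'all required prefixes via tunnel' if not leaks else 'LEAKS ' + str(leaks)}")
```

Run it against a real endpoint by replacing the constructed table with the output of netstat -rn (or a route print parser for Windows, which this example does not include) and the required list with the organisation's own SaaS, management and cloud prefixes; any entry in the result is traffic the firewall never sees.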
Architect takeaway:
Split tunnel is not a performance feature.
It’s a security design decision.
One checkbox. Massive blast radius.