
One of my clients provides me with a VPN connection using Palo Alto Networks' GlobalProtect.

It works reliably but blocks other network connections from my Windows client machine when it is active.

At first I thought it blocked everything including the LAN, but have since realised that it is selective. Some web sites still work, while others are blocked.

So I'm guessing it is placing me under the security filtering regime of the organisation while I am connected to it.

Can someone explain how this mechanism works on my client machine in terms of the network protocol stack, or point me to some relevant materials?

In particular, what gives this VPN connection the authority to override my other connections, and what strategies might work to circumvent this intrusive behaviour?

No other client VPN I have ever encountered does this, and this disruption actually degrades the quality of support that I am able to provide them.

I am moving devops into a cloud virtual machine environment which I suspect will be effectively orphaned if I try to connect to this VPN from within.

stephen

1 Answer


Your client is doing this to ensure that their network is secure while you're connected to it. You should take their security as seriously as they do. If this is having a material impact on your ability to perform work for them, then speak to their security team or to the person there that you report to.

If this is preventing you from accessing sites and services unrelated to the work you perform for them, then don't access those sites and services while you're connected to the VPN.

If you attempt to circumvent their security, and their network is breached as a result, you could find yourself legally and financially responsible, which is not a position I would put myself in.

joeqwerty
  • Hi joe, thanks for the advice, but I'm really seeking specific technical insights with this question. When I'm looking for a scolding, I can generally find that at home :) – stephen Nov 23 '21 at 02:57
  • My answer isn't "scolding". I'm merely saying that your client is doing this for a reason, and you should abide by it. Circumventing it is putting your client at risk and is putting you in a position of potential legal and financial jeopardy. Circumventing it wouldn't be something I would undertake. – joeqwerty Nov 23 '21 at 03:36
  • Again, thank you. But I am seeking technical advice here on what is possible, not legal advice on what is prudent. When I fully understand the technical mechanisms and their security ramifications, I will be able to make my own informed judgement. Can you assist with the technical aspects? – stephen Nov 23 '21 at 04:36
  • Technical advice about what? About how to circumvent their security? We don't do that here. My apologies if my answer isn't helpful. Good luck in your endeavor. – joeqwerty Nov 23 '21 at 12:50
  • Technical advice about the precise mechanisms of the network protocol stack which allow a new VPN connection to decide what other connections a device is allowed to maintain. I had thought this type of information was precisely what Server Fault is about, but if you are sure that you speak for everyone here, then perhaps I am mistaken. – stephen Nov 23 '21 at 22:02