
Default Gateway

New Contributor

Default Gateway

Hi, I am looking for a solution to a real-time issue.

My internet bandwidth is getting highly utilized by unnecessary traffic initiated by the client.

 

Will it be possible to have a routing policy configured on the IVE to send to the client which enforces only specific routes?

 

I.e. only the traffic of interest should flow through the tunnel and the rest should get dropped at the machine level.

7 REPLIES
Frequent Contributor

Re: Default Gateway

Hi RajTilak,

Probably what you need is to activate split tunneling.

Check http://kb.pulsesecure.net/KB3054

Regards,


Frequent Contributor

Re: Default Gateway

If I'm not wrong... either you have split tunneling or you don't. If you have it, you specify what routes you want your users to connect to and all other traffic goes by the default.

If you disable split tunneling, all traffic goes through the tunnel, and then in access control you can deny or allow the traffic. If you deny traffic, only UDP could be a problem, because in TCP if there isn't the 3-way handshake, there is no traffic.

I don't think you can drop the traffic in the user machine, except if you make use of scripts.

Contributor

Re: Default Gateway

If split tunneling is enabled then the default route should not be through the IVE.  From the admin guide:



Split Tunneling options are:

• Enable—Adds or modifies routes for specific subnets to go to the tunnel, allowing access to the protected subnets. Subnets are defined in the Users > Resource Policies > VPN Tunneling > Split-tunneling Networks window. In the case of subnet overlap (the specified split-tunnel subnet conflicts with an existing endpoint route), the Route Precedence option is used. For example, 2.2.2.0/24 goes through the tunnel. 10.10.0.0/24 is both a split-tunnel subnet and an indirectly-connected subnet. The Routing Table, defined below, defines how 10.10.0.0/24 is handled.

• Disable—Modifies the default route to go through the tunnel, allowing access to the protected network. For example, 0.0.0.0 now goes through the tunnel.


However, because you do not have any ALLOW rules in your split tunneling resource policy, this is occurring:


From the admin guide in the "Defining Split Tunneling Network Policies" section:



NOTE: If split tunneling is enabled and there are no include routes configured to be sent to the client, VPN tunneling adds a default route to send traffic through the tunnel.


This is why all your traffic is still going through the tunnel, which in turn is causing your internet connection to be used at the remote site.  You don't have any allow rules in split tunneling, which effectively puts you in the situation where there is no split tunneling.  You may as well disable split tunneling based on this current configuration. You could simply use VPN Tunneling Access Control if you don't want actual split tunneling, where the default gateway of the remote user remains their local gateway.

If you want to reduce your bandwidth on the remote network internet connection, you need to add allow rules to your split tunneling policy.  This will cause the default route for the remote user to remain their local router, and only traffic you actually want going across the tunnel will go across the tunnel.  

The situation you are having is a top reason why someone might use split tunneling: to offload use of the remote internet connection.

As far as security concerns, this could be considered more risky. Here's one example:




  • If split tunneling is configured so that the local user is using their local internet connection then you can't inspect their internet traffic (unless you have software doing this at the client level).  This means that the user can potentially get malicious software while VPN connected, and that software could potentially traverse the VPN tunnel.




  • However, if you allow users to use their local computers without being VPN connected in the first place, the exact same situation can occur.  Users start with no tunnel connected, simply using their computer without access to work resources.  They browse the internet and get malicious software.  Later, they connect to the VPN tunnel and that malicious software can potentially traverse the VPN tunnel.  If you never let remote users use their computers without the VPN tunnel connected, then this scenario wouldn't occur.



Now, the above example depends entirely on how you are inspecting internet traffic that goes over the remote user's local connection and internet traffic at the site where the IVE is.  If you're not doing any inspection on the IVE site internet connection, then having them use their local internet connection isn't much different.
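The route-selection rule described in the admin guide quote above, and the consequence the reply draws from it (a deny-only policy with no include routes still sends everything through the tunnel, so the gateway-side bandwidth is spent before the firewall drops it), modelled as a small simulation. This is an added example, not code from the thread or from Pulse Secure; the route table, the longest-prefix lookup, the deny-rule accounting and the sample flows are all constructed here to illustrate the rule, and the `203.0.113.0/24` and `198.51.100.0/24` destinations are documentation addresses, not real sites.

```python
import ipaddress
from collections import Counter

TUNNEL = "tunnel"
LOCAL = "local"
DEFAULT = ipaddress.ip_network("0.0.0.0/0")


def build_client_routes(split_tunneling_enabled, include_routes):
    """Model (constructed) of the route table pushed to the VPN client.

    Rule, as quoted from the admin guide in the thread:
      - split tunneling enabled AND include routes present: those subnets go
        to the tunnel; the endpoint's own default route stays local.
      - split tunneling disabled, OR enabled with no include routes: the
        default route is modified to go through the tunnel.
    Returns a list of (network, next_hop) pairs.
    """
    routes = [(DEFAULT, LOCAL)]  # the endpoint's pre-existing default route
    if not split_tunneling_enabled or not include_routes:
        routes = [(DEFAULT, TUNNEL)]  # default route now points at the tunnel
    else:
        routes += [(ipaddress.ip_network(r), TUNNEL) for r in include_routes]
    return routes


def next_hop(routes, dst):
    """Longest-prefix match of dst against the modelled route table."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if addr in net]
    net, hop = max(matches, key=lambda m: m[0].prefixlen)
    return hop


def simulate(split_tunneling_enabled, include_routes, deny_rules, flows):
    """Account for where each flow's bytes end up.

    deny_rules: subnets blocked by VPN Tunneling Access Control or by the
    firewall behind the IVE. Denied traffic has already crossed the tunnel
    when it is dropped, so it still consumes the gateway site's bandwidth.
    flows: list of (destination_ip, bytes).
    Returns a Counter with keys 'tunnel_delivered', 'tunnel_dropped', 'local'.
    """
    routes = build_client_routes(split_tunneling_enabled, include_routes)
    denied = [ipaddress.ip_network(d) for d in deny_rules]
    tally = Counter()
    for dst, nbytes in flows:
        if next_hop(routes, dst) == LOCAL:
            tally["local"] += nbytes
        elif any(ipaddress.ip_address(dst) in d for d in denied):
            tally["tunnel_dropped"] += nbytes  # bandwidth spent, then discarded
        else:
            tally["tunnel_delivered"] += nbytes
    return tally


# Constructed sample flows: two internal destinations plus general web traffic.
SAMPLE_FLOWS = [
    ("10.10.0.5", 2_000),     # internal server in a split-tunnel subnet
    ("2.2.2.10", 1_000),      # second protected subnet from the guide's example
    ("203.0.113.7", 50_000),  # public web traffic (documentation address)
    ("198.51.100.9", 30_000), # more public web traffic (documentation address)
]

if __name__ == "__main__":
    # The poster's situation: split tunneling enabled, a single deny rule and
    # no include routes, so the default route still points at the IVE.
    print("deny-only:", simulate(True, [], ["203.0.113.0/24"], SAMPLE_FLOWS))
    # The fix the reply recommends: include routes for the required subnets.
    print("includes: ", simulate(True, ["10.10.0.0/24", "2.2.2.0/24"], [], SAMPLE_FLOWS))
```

Running it shows the two configurations side by side: with the deny-only policy every byte of the 80,000 bytes of web traffic crosses the tunnel (50,000 of it only to be dropped), while with include routes for the two internal subnets only the 3,000 bytes destined for them use the tunnel and the rest stays on the user's local connection.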



Contributor

Re: Default Gateway



@RajTilak wrote:

Hello

Thanks, but exactly speaking I want to control the traffic on split tunneling as well.

I want the user to browse only requested sites, i.e. through the VPN tunnel or the other adaptor. All the other traffic should get dropped at his machine locally.

I am looking for a scenario where the default route can be removed on clients and static routes can be formed.





When you enable split tunneling, you define what subnets/IPs would go through the tunnel.  Anything not defined in that split tunnel list would go out the user's local internet connection.    You would set up your split tunnel subnets/IPs for whatever internal resources the user needs across the tunnel, and that's the only traffic that would go through the tunnel.

I'm a little unclear how necessary traffic is coming across the VPN and then going out your firewall to the internet.  That would seem to imply you are not using split tunneling.

New Contributor

Re: Default Gateway

Hello

Thanks, but exactly speaking I want to control the traffic on split tunneling as well.

I want the user to browse only requested sites, i.e. through the VPN tunnel or the other adaptor. All the other traffic should get dropped at his machine locally.

I am looking for a scenario where the default route can be removed on clients and static routes can be formed.

New Contributor

Re: Default Gateway

Hello

Thanks, my challenge is to reduce my internet utilization; I observed necessary traffic from the VPN is reaching my cluster and dropping at the firewall.

I do not want to change the default gateway to the user's adaptor as he will be able to access everything.

I

New Contributor

Re: Default Gateway

Hi

I have enabled split tunneling, but as per the requirement I gave only one policy, that is to deny traffic through the tunnel for an IP. So the default route is still pointed to the IVE cluster.

Just wanted to make it clear my firewall is after the VPN box, and presently all the traffic generated by the client is consuming my internet bandwidth and getting denied on the firewall.

The only answer I could see is having a policy for allowing the required IP through the tunnel; this would probably take the default route to the user's gateway. But I am not sure about the security issue if it arises.