For years we’ve battled with GlobalProtect being many orders of magnitude slower for internet access when using full tunneling for remote mobile workers. We do this to enable URL filtering on remote clients. We get very slow performance on the tunneled internet traffic. I know this is a deep topic with many pitfalls, but I have a simple question…
Back in the olden days we used Websense and it had a mode by which the firewall would simply ask the Websense server, via WCCP, if a URL was allowed or not. Later in life, Websense recommended going to a full proxy server and abandoning the WCCP method. However, WCCP had the advantage of being fast, because the web traffic didn’t actually go through the firewall or Websense server. Once a URL was approved, the client and server talked directly. I know there are some disadvantages to this, as the web traffic itself can’t be seen and inspected by the firewall.
Is there anything like this with GlobalProtect? Can GlobalProtect do client URL filtering? Is there any way to get the intelligence of Palo Alto’s URL filtering and security decentralized to the GlobalProtect client entirely? Bouncing this traffic through our datacenter has proven problematic and too slow over the years we’ve done it. It is also horribly stupid and wasteful as far as traffic utilization goes…