What are the different gateways used for?
Split tunnel is the default gateway and will be used unless the user specifically chooses a different option in the Gateway menu. It directs any traffic meant for systems and services on campus through GlobalProtect to the destination using a campus private IP address. However, traffic meant for sites off-campus will not use GlobalProtect and will work the same as if the remote access service were not active. Some frequently used campus services are hosted off-site. If you find you are unable to access something using Split Tunnel, try the Library Tunnel option before opening a support ticket.
Examples of systems that are not accessible through Split Tunnel include:
- San Diego Super Computer Disaster Recovery Site (SDSC)
- Google (Mail, Hangouts, Drive, etc.)
- Amazon Web Services
- Microsoft Azure
The Library option (listed as “Library Access and Full Tunnel”) directs all traffic, regardless of the destination, through the GlobalProtect client and routes it through the campus network to its destination. The most common use case for this option is accessing a resource that is licensed for the campus, such as journals licensed through the library for campus users. Traffic to any destination will appear to originate from a UCB IP address, and so is subject to the Campus Computer Use Policy: https://security.berkeley.edu/computer-use-policy. Depending on the amount of traffic and its destination, it may also be slower than the split tunnel.
The Restricted Tunnel directs all traffic, regardless of the destination, through the GlobalProtect client in the same way as the Library Tunnel option. The restricted tunnel performs additional actions to ensure data protection and is a future service that will be limited to people and systems needing access to sensitive data. It will have increased monitoring and will utilize many of the advanced security features of the Palo Alto firewalls. Please open a ticket with Information Security and Policy if you believe your department needs the restricted tunnel.
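
The routing difference between the three gateways can be modelled with a longest-prefix-match lookup. This is an added example, not part of the original page or the campus configuration; it assumes a simple route-based split tunnel, and the prefixes, interface names and destination addresses are constructed placeholders.

```python
import ipaddress

# Hypothetical interface names, used only for this illustration.
TUNNEL = "gp-tunnel"   # GlobalProtect virtual interface
LOCAL = "local-isp"    # the user's own home/ISP connection

# Constructed route tables; 10.0.0.0/8 stands in for "campus private" space
# and is NOT the campus's real prefix list.
ROUTES = {
    # Split tunnel: only campus prefixes go into the tunnel, default stays local.
    "split": [("10.0.0.0/8", TUNNEL), ("0.0.0.0/0", LOCAL)],
    # Library / full tunnel and restricted tunnel: default route is the tunnel.
    "library": [("0.0.0.0/0", TUNNEL)],
    "restricted": [("0.0.0.0/0", TUNNEL)],
}

CAMPUS_HOST = "10.20.30.40"     # constructed on-campus private address
OFFSITE_HOST = "203.0.113.25"   # constructed off-site address (TEST-NET-3)


def egress(gateway, dest):
    """Return the interface chosen for dest by longest-prefix match."""
    addr = ipaddress.ip_address(dest)
    best = None
    for prefix, iface in ROUTES[gateway]:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return best[1]


def source_seen_by_server(gateway, dest):
    """Which address the destination sees: a campus one or the user's ISP one."""
    return "campus" if egress(gateway, dest) == TUNNEL else "home-isp"


if __name__ == "__main__":
    for gw in ROUTES:
        for dest in (CAMPUS_HOST, OFFSITE_HOST):
            print(f"{gw:10} {dest:14} via {egress(gw, dest):10} "
                  f"seen as {source_seen_by_server(gw, dest)}")
```

Under the split table the off-site host is reached over the local interface and sees the user's ISP address, which is why IP-licensed or off-site hosted services need the Library option.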