When you configure Mobile VPN for your remote users, you must choose whether their general Internet traffic goes through the VPN tunnel or bypasses it. This choice affects your network security: Internet traffic that does not go through the tunnel is neither filtered by your XTM device policies nor encrypted. In your configuration, you specify your choice with the tunnel route you select: default-route VPN or split tunnel VPN.
The most secure option is to require that all remote user Internet traffic is routed through the VPN tunnel to the XTM device. From the XTM device, the traffic is then sent back out to the Internet. With this configuration (known as default-route VPN), the XTM device can examine all traffic and apply its policies to it, which increases security, although the XTM device uses more processing power and bandwidth. Because the virtual IP addresses assigned to Mobile VPN clients are not routable on the Internet, the XTM device must apply dynamic NAT to this outbound traffic; if no dynamic NAT rule covers it, remote users cannot browse the Internet when all of their traffic is sent through the tunnel.
For more information about dynamic NAT, see Add Network Dynamic NAT Rules.
Another configuration option is to enable split tunneling. With split tunneling, only traffic destined for the networks behind the XTM device goes through the tunnel; all other traffic leaves the client directly, so users browse the Internet normally. Split tunneling decreases security because XTM device policies are not applied to the Internet traffic, but performance is increased. If you use split tunneling, your client computers should have a software firewall.
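To make the two tunnel-route options concrete, the following added example (an illustration written for this page, not WatchGuard code; the tunnel networks, gateway address, and destinations are constructed for the example) models the per-destination routing decision a Mobile VPN client makes under each mode and reports which flows bypass XTM device policies. It also covers the one exception that applies even with default-route VPN: the encapsulated packets to the VPN gateway itself must leave the client directly, or the tunnel could not be established.

```python
"""Model of the per-destination routing decision a Mobile VPN client makes
under default-route VPN and split tunnel VPN.

Added illustration only; not WatchGuard code. All addresses below are
constructed for the example.
"""
import ipaddress
from typing import Iterable, List

# Constructed: the public address of the XTM device that terminates the tunnel.
GATEWAY_IP = "203.0.113.10"

# Constructed: networks behind the XTM device that remote users reach through
# the tunnel (the resources a split tunnel routes into the VPN).
TUNNEL_NETWORKS = [
    ipaddress.ip_network("10.0.1.0/24"),       # internal servers
    ipaddress.ip_network("192.168.50.0/24"),   # trusted LAN
]


def route_for(dst: str, mode: str, tunnel_networks=TUNNEL_NETWORKS,
              gateway_ip: str = GATEWAY_IP) -> str:
    """Return 'tunnel' if traffic to dst traverses the VPN, else 'direct'.

    mode is 'default-route' (all traffic enters the tunnel) or
    'split' (only traffic to tunnel_networks enters the tunnel).
    """
    addr = ipaddress.ip_address(dst)

    # Packets carrying the tunnel itself always go out the physical
    # interface; routing them into the tunnel would create a loop.
    if addr == ipaddress.ip_address(gateway_ip):
        return "direct"

    if mode == "default-route":
        return "tunnel"
    if mode == "split":
        # Any matching tunnel route sends the packet into the VPN; everything
        # else follows the client's ordinary default route to the Internet.
        return "tunnel" if any(addr in net for net in tunnel_networks) else "direct"
    raise ValueError(f"unknown tunnel route mode: {mode!r}")


def uninspected_flows(destinations: Iterable[str], mode: str,
                      tunnel_networks=TUNNEL_NETWORKS,
                      gateway_ip: str = GATEWAY_IP) -> List[str]:
    """Destinations whose traffic never reaches the XTM device policies.

    Traffic to the gateway address is excluded: it is encrypted tunnel
    transport, not user traffic that bypasses inspection.
    """
    return [
        dst for dst in destinations
        if dst != gateway_ip
        and route_for(dst, mode, tunnel_networks, gateway_ip) == "direct"
    ]


if __name__ == "__main__":
    # Constructed sample of destinations a remote user might contact.
    sample = ["10.0.1.5", "192.168.50.20", "93.184.216.34", "198.51.100.7", GATEWAY_IP]
    for mode in ("default-route", "split"):
        print(f"{mode}: bypasses XTM device policies -> {uninspected_flows(sample, mode)}")
```

Running the block shows that under default-route VPN the list of uninspected destinations is empty, while under the split tunnel both public addresses leave the client unfiltered and unencrypted, which is exactly the traffic the software firewall on the client has to cover.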