topic Re: GPVPN Split tunnel issue in GlobalProtect Discussions

GPVPN Split tunnel issue

tamilvanan — Thu, 22 Apr 2021 10:27:12 GMT

Hi We had recently configured split tunneling on our firewall and had allowed certain subnets via access routes and domains on include domain list.

For security purpose changing the domain names:

We had added *.google.com on our domain include list to allow access of sites under that domain.

When the end user connects to GPVPN and accesses the google.com it is going through GP-VPN-->F/W-->ISP

If we try to access subdomains like admin-dashboard.google.com the traffic is routed through the end user Local ISP.

We had configured Internal IP address on Agent DNS IP Setting.

Here the DNS Query to admin-dashboard.google.com is send to tunnel but the HTTPS traffic to admin-dashboard.google.com is going through end user local ISP

Re: GPVPN Split tunnel issue

Mick_Ball — Thu, 22 Apr 2021 05:05:32 GMT

First issue...

The wildcard is working as expected. It means anything before .google.com so this will not include google.com so just add both to the split domains.

Second issue.

nslookup and similar apps will not use the same engine as your browser so the split domain settings will not work for them.

I usually add to browser and wireshark on port 53 to test DNS resolution.

Re: GPVPN Split tunnel issue

tamilvanan — Thu, 22 Apr 2021 10:23:37 GMT

Hi @Mick_Ball Thanks for your reply.

Issue 1: we had added both google.com and admin-dashobard.google.com to the include domain in the split tunnel but still the traffic is going via end user local nw for the admin-dashboard.google.com site.

Do we need to uninstall and reinstall the GP Client for the settings to get reflected at endpoints.

Issue 2: We had configured an internal DNS for querying of GP users. Had checked with Wireshark by doing packet capture of GP tunnel could see DNS traffic is successfully send via GP Tunnel but the traffic for admin-dashobard.google.com is still going through local ethernet.

All the GP client are Mac OS.

Any thoughts on this on how to proceed further.

Re: GPVPN Split tunnel issue

Mick_Ball — Thu, 22 Apr 2021 14:03:25 GMT

can you send screen dump of both split tunnel access route and split tunnel domain and application

Re: GPVPN Split tunnel issue

tamilvanan — Thu, 29 Apr 2021 06:14:38 GMT

Hi @Mick_Ball I would not be able to share the screenshot of the access routes and domain/application tab as it contains sensitive datas. But now the traffic to that particular sub-domain is passing thru split tunnel but after some time it is being routed thru end-user network. The subdomain is having dynamic IP and it is deployed in AWS. The DNS name resolution is done using internal private DNS server.