https://live.paloaltonetworks.com/t5/globalprotect-discussions/split-tunnel-and-full-tunnel/m-p/429090#M1654 <P>Hi</P><P>&nbsp;</P><P>Split tunneling means you route only the desired subnet into the tunnel. For example the office subnet is 192.168.1.0/24 and this is routed inside. The firewall can scan this traffic and you can apply rules as such.</P><P>The problem here is all other traffic, like general web browsing, is egressing from the endpoint to the ISP and not through the NGFW.</P><P>Simple put the endpoint has 2 connections - 1 for the office and the other for everything else.</P><P>&nbsp;</P><P>Full tunneling means you route EVERYTHING into the NGFW, via security rules and scanning profiles, just like if the endpoint would be inside the corporate network. Security wise this is the best option.This also means increased traffic through the firewall because ALL browsing from GP connected endpoints passes through the firewall.</P><P>&nbsp;</P><P>Hope this helps,</P><P>Shai</P> Wed, 25 Aug 2021 11:55:23 GMT ShaiW 2021-08-25T11:55:23Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/split-tunnel-and-full-tunnel/m-p/428801#M1650 <P>Hey guys can anyone tell me the proper definition of split tunnel and full tunnel in Global protect. within proper life example, please.</P> Tue, 24 Aug 2021 15:53:42 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/split-tunnel-and-full-tunnel/m-p/428801#M1650 FarhanKoujalgi 2021-08-24T15:53:42Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/split-tunnel-and-full-tunnel/m-p/429090#M1654 <P>Hi</P><P>&nbsp;</P><P>Split tunneling means you route only the desired subnet into the tunnel. For example the office subnet is 192.168.1.0/24 and this is routed inside. The firewall can scan this traffic and you can apply rules as such.</P><P>The problem here is all other traffic, like general web browsing, is egressing from the endpoint to the ISP and not through the NGFW.</P><P>Simple put the endpoint has 2 connections - 1 for the office and the other for everything else.</P><P>&nbsp;</P><P>Full tunneling means you route EVERYTHING into the NGFW, via security rules and scanning profiles, just like if the endpoint would be inside the corporate network. Security wise this is the best option.This also means increased traffic through the firewall because ALL browsing from GP connected endpoints passes through the firewall.</P><P>&nbsp;</P><P>Hope this helps,</P><P>Shai</P> Wed, 25 Aug 2021 11:55:23 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/split-tunnel-and-full-tunnel/m-p/429090#M1654 ShaiW 2021-08-25T11:55:23Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/split-tunnel-and-full-tunnel/m-p/429922#M1663 <P>Exactly as per&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/36075">@ShaiW</a>&nbsp;.</P><P>but we have all traffic, office based and internet base tunnelled via GP and only split tunnel local traffic for teams and outlook. &nbsp;Those 2 applications account for approx 80% of user bandwidth so helps to prevent gateway isp links from melting...&nbsp;</P> Sat, 28 Aug 2021 11:26:15 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/split-tunnel-and-full-tunnel/m-p/429922#M1663 Mick_Ball 2021-08-28T11:26:15Z