topic Re: Global Protect Split Tunnelling on Domains - client version issue? in GlobalProtect Discussions

Global Protect Split Tunnelling on Domains - client version issue?

darren_g — Wed, 28 Oct 2020 23:24:45 GMT

Hey folks.

We're planning in implementing MFA for Office 365, and as part of that I want to add the Microsoft office domains into our Global protect split tunnels - since almost everyone is working from home, I want to whitelist our "corporate" IP addresses and have people who are connected from company PC's on the VPN not be bothered by MFA requests.

This is relatively easy in the configuration, but I've come across an issue which is perplexing me.

I run my personal machine on a fairly recent VPN client to check for issues before pushing it out to the main portal for users to upgrade - and when I implemented this split tunnel on the portal, it didn't work.

A colleague who is running the "production" release I have on the portal. So I downgraded tot hat version - and the split tunnelled domains work.

Does anyone know if there's something extra in the later clients which needs to be done to make this work?

Working client version - 5.0.8

Failed client version - 5.2.2

Thanks

Re: Global Protect Split Tunnelling on Domains - client version issue?

MP18 — Thu, 25 Feb 2021 03:38:03 GMT

@darren_g

I am running GP version 5.2.4 and split tunnel is working fine.

We have configured all Microsoft domains and IP to bypass the tunnel.

Try to upgrade to 5.2.4.

Regards

Re: Global Protect Split Tunnelling on Domains - client version issue?

sebastianvd — Thu, 25 Feb 2021 08:20:52 GMT

I've just typed a lot at LIVEcommunity - Global Protect Office 365 Split Tunnel - LIVEcommunity - 387607 (paloaltonetworks.com)

We had it all working on 5.1.8 / 8.1.X

Since moving to virtual Azure appliances 5.2.X/9.1.6 we've had all kinds of issues.

There's a setting for GP to do split only for network or for both network & dns.

Not sure if that will solve things as we are in the middle of investigating with TAC

Re: Global Protect Split Tunnelling on Domains - client version issue?

MP18 — Tue, 02 Mar 2021 02:16:42 GMT

@sebastianvd

If you want to use split tunnel based on network then it is good practice to also use split tunnel based on DNS.

That way GP agent will not contact the configured GP DNS server.

You should use the split tunnel based on the DNS.

Regards

Re: Global Protect Split Tunnelling on Domains - client version issue?

darren_g — Tue, 13 Apr 2021 23:23:27 GMT

@sebastianvd wrote:
I've just typed a lot at LIVEcommunity - Global Protect Office 365 Split Tunnel - LIVEcommunity - 387607 (paloaltonetworks.com)

We had it all working on 5.1.8 / 8.1.X
Since moving to virtual Azure appliances 5.2.X/9.1.6 we've had all kinds of issues.

There's a setting for GP to do split only for network or for both network & dns.
Not sure if that will solve things as we are in the middle of investigating with TAC

I wasn't able to get it working on DNS-based names,but fortunately, Microsoft has a list of IP's you need to add into the tunnel, so I just added a whole bunch of route/groups and made it work.

It's a pity, because it'd be such a great feature - for anything "xx.microsoft.com", send the traffic over the tunnel - but instead it's all based on IP ranges now.

Made it work, but it wasn;t as easy as it should have been.

Re: Global Protect Split Tunnelling on Domains - client version issue?

rajjair — Tue, 26 Oct 2021 01:03:20 GMT

Not sure if you are aware but to use DNS based split tunnelling you have to have a gateway subscription on your firewall also

About GlobalProtect Licenses (paloaltonetworks.com)