topic Re: Globalprotect split tunneling in GlobalProtect Discussions

Globalprotect split tunneling

wazaka — Thu, 17 Aug 2023 16:14:59 GMT

Hello,

I got a question regarding GlobalProtect and DNS. We currently have a setup where the users have an always-on-vpn. We also have some split tunneling enabled, so 10.10.10.0/24 does not enter the tunnel when the users are on-prem (when they are 'on the read', everything is tunneled). The split tunneling is working fine, when visiting a website, connecting to a NAS that lives in this subnet from an onprem workstation, the traffic does not enter the tunnel. However, our DNS server is also in this 10.10.10.0/24 range. We still see the traffic going into the tunnel. Is that expected behaviour? I see there is a form of split dns tunneling: https://docs.paloaltonetworks.com/globalprotect/5-2/globalprotect-app-new-features/new-features-released-in-gp-app/split-dns but it uses split tunneling based on domains if I see that correctly... We use only 'access route' split tunneling right now.

I would imagine if we want to have all the DNS queries outside of the tunnel, I would write a 'domain based split tunnel' rule for the 'on-premise users', to include all domains, so: *

But this also has effect on http(s) traffic etc if I understand correctly...

So, long story short, is there a way to route DNS traffic also outside the tunnel when on-premise?

cheers!

Re: Globalprotect split tunneling

Mick_Ball — Fri, 18 Aug 2023 15:31:54 GMT

Hi Wazaka... quick question, by what method do you determine split tunnel or full tunnel, is it via different gateways or gateway configs??

We have a similar setup for our users and we just use forwarders on our local DNS to external DNSwhich works fine as not much overhead in a DNS request...

Re: Globalprotect split tunneling

wazaka — Mon, 21 Aug 2023 06:24:18 GMT

In the GW, under agent, client settings; we do a check on what hide NAT address the user has to determine if they are onprem or at home.

For our usecase the internal DNS should be used in all cases. But it would make sense to me to not send the DNS queries/replies through the tunnel when onprem, as the DNS servers are also onprem...

Re: Globalprotect split tunneling

Mick_Ball — Mon, 21 Aug 2023 11:34:05 GMT

Yes but by design the GP client adds your DNS as a /32 to the routing table, as below I added a /32 exclusion from the tunnel but the GP modifies the metric to force DNS via the tunnel..

So i added 10.250.1.41/32 to be excluded from the tunnel, it has been added to the routing table but with a metric of 36 so the metric of 1 will be used for your requests.

Re: Globalprotect split tunneling

wazaka — Mon, 21 Aug 2023 11:41:58 GMT

So specifying an 'exclude /32 route' for the DNS, does the trick?

I wonder why it is nowhere mentioned? I mean, if Palo forces the DNS to always go through the tunnel even why excluding the larger block, isn't this then a bad idea to mess with the split tunneling for DNS by adding that /32 route?

Re: Globalprotect split tunneling

Mick_Ball — Mon, 21 Aug 2023 15:04:43 GMT

no sorry it doesn't work that way... GP client sets a lower metric so traffic still goes via tunnel

Re: Globalprotect split tunneling

Mick_Ball — Mon, 21 Aug 2023 16:30:19 GMT

The only way I can get this to remain outside of the tunnel is by modifying the windows routing table.

route delete 10.10.10.<DNS Server> mask 255.255.255.255

can be done via a gp post script but see no harm in tunneling such requests via the tunnel so may not be worth bothering.

pretty sure you could also use an alias ip routed address and nat to real server as it traverses the Palo.

But at least we know that the reason it remains within the tunnel is because GlobalProtect adds it as a host address to the routing table which because of the metric... overides your split tunnel rules.

Re: Globalprotect split tunneling

wazaka — Mon, 21 Aug 2023 17:01:48 GMT

Hello there, thank you for helping on this, I really appreciate it. If it is not possible easily then that’s the answer I guess! Thanks!