topic Global protect domain based local breakout in General Topics

Global protect domain based local breakout

Steven_Liefferinckx — Wed, 07 Feb 2018 10:06:19 GMT

Hi,

I have a question regarding Global protect and partial split tunnelling.

Does GP have an option to only allow specific domains via local breakout, all other traffic should be forwarded into the tunnel.

I'm asking this question regarding 0365, all domains should pass our company security checks only O365 traffic should be allowed to use end-user local breakout. This to speed-up O365 connectivity.

Regards,

Steven.

Re: Global protect domain based local breakout

Mick_Ball — Wed, 07 Feb 2018 11:22:09 GMT

this would be easy if O365 had just one IP address...

you could add this to the exclude list of the split tunnel.

or ... perhaps there is a known list of IP's but I have only seen URL's for this, not IP's and they probably change on a daily basis.

I can only see the option to add IP's/IP subnets to the exclusion so I think not.

Re: Global protect domain based local breakout

Remo — Wed, 14 Feb 2018 20:09:25 GMT

The list with office 365 IP adresses is here (but ther are quite afew entries in that list):

https://support.content.office.net/en-us/static/O365IPAddresses.xml

With that you could exclude these IP addresses in your gateway config. Or if there are too many entries your next possibility is with a script that gets executed on the client when it is connected to globalprotect. This script then manipulates the local route table and adds entries for these o365 IP ranges that connections to them will be routed directly instead of into the tunnel.

Re: Global protect domain based local breakout

Steven_Liefferinckx — Mon, 19 Feb 2018 07:52:19 GMT

Hi,

Thanks fort his reply but not really manageable, we currently have +12K users.

So I guess these is almost no other option than enable split tunnelling, which I don’t like.

Regards,

Steven.

Re: Global protect domain based local breakout

Remo — Mon, 19 Feb 2018 08:17:38 GMT

Hi @Steven_Liefferinckx

So I assume the users computers are not managed by your company?

Re: Global protect domain based local breakout

Steven_Liefferinckx — Mon, 19 Feb 2018 08:57:30 GMT

Hi,

They are manaed by our company. Updating list is omsething we need to avoid.

Based on domain would be easier, it's not only for 0365 (just used as example). We would like to have similar setup for skype/teams and other known/trusted cloud applications.

Regards,

Steven.

Re: Global protect domain based local breakout

Remo — Mon, 19 Feb 2018 09:10:57 GMT

Hi @Steven_Liefferinckx

Then it would be a one time setup task. A little help you can find here: https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-clients/deploy-agent-settings-transparently/deploy-agent-settings-to-windows-clients/windows-os-batch-script-examples#id917d79e2-32af-456a-82bc-aecfa187fa11

With this base configuration you could write a script that automatically pulls the IP addresslist from microsoft and then adds direct routes for all these IP addresses/ranges. I know it's not as easy as configuring domain based exceptions but there is at least a way to achieve what you are asking.

Regards,

Remo