https://live.paloaltonetworks.com/t5/general-topics/global-protect-include-a-specific-url/m-p/211217#M61636 <P>If you can get a list of the IPs used by Okta, you can set that up in PAN-OS 7.1.15 with your split tunnel mechanism. <A href="https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld" target="_blank">Minemeld</A> may have something for that as well.</P><P>&nbsp;</P><P>If that is not practical or even not possible at all, tunnel splitting by app is new in 8.1 and cannot be set in 8.0 and older.&nbsp;</P> Fri, 20 Apr 2018 22:21:21 GMT gwesson 2018-04-20T22:21:21Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-include-a-specific-url/m-p/211185#M61627 <P>Hey folks,</P><P>&nbsp;</P><P>This is a follow up question from one of my other posts.&nbsp; We are using PAN-OS 7.1.15 and GP client 4.1.</P><P><A href="https://live.paloaltonetworks.com/t5/General-Topics/GlobalProtect-and-general-Internet-access/td-p/207888" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/GlobalProtect-and-general-Internet-access/td-p/207888</A></P><P>&nbsp;</P><P>We are moving to Okta as our IDP for our applications.&nbsp; When logging into Okta it recognizes your client public IP and we have policy based on that.&nbsp; When we connect to Global Protect first and then log into Okta the traffic goes outside of our VPN tunnel (because we have internal network entries in the access routes - split tunneling).&nbsp; I believe I understand that.</P><P>&nbsp;</P><P>We need all Okta.com traffic to traverse through our VPN tunnel and use our specific static public IP (when connected to VPN).</P><P>It appears to me that this function is only available after upgrade to 8.1?</P><P><A href="https://www.paloaltonetworks.com/documentation/41/globalprotect/globalprotect-app-new-features/new-features-released-in-gp-agent-4_1/split-tunnel-for-public-applications" target="_blank">https://www.paloaltonetworks.com/documentation/41/globalprotect/globalprotect-app-new-features/new-features-released-in-gp-agent-4_1/split-tunnel-for-public-applications</A></P><P>&nbsp;</P><P>Could anyone agree or confirm?</P> Fri, 20 Apr 2018 16:00:14 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-include-a-specific-url/m-p/211185#M61627 OMatlock 2018-04-20T16:00:14Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-include-a-specific-url/m-p/211217#M61636 <P>If you can get a list of the IPs used by Okta, you can set that up in PAN-OS 7.1.15 with your split tunnel mechanism. <A href="https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld" target="_blank">Minemeld</A> may have something for that as well.</P><P>&nbsp;</P><P>If that is not practical or even not possible at all, tunnel splitting by app is new in 8.1 and cannot be set in 8.0 and older.&nbsp;</P> Fri, 20 Apr 2018 22:21:21 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-include-a-specific-url/m-p/211217#M61636 gwesson 2018-04-20T22:21:21Z https://live.paloaltonetworks.com/t5/general-topics/global-protect-include-a-specific-url/m-p/211230#M61641 <P>Okta IP adresses you can find here:&nbsp;<A href="https://support.okta.com/help/Documentation/Knowledge_Article/Configuring-Firewall-Whitelisting-89944588" target="_blank">https://support.okta.com/help/Documentation/Knowledge_Article/Configuring-Firewall-Whitelisting-89944588</A></P><P>&nbsp;</P><P>Quite a few, but it could work to configure all of them as global protect routes</P> Sat, 21 Apr 2018 16:30:37 GMT https://live.paloaltonetworks.com/t5/general-topics/global-protect-include-a-specific-url/m-p/211230#M61641 Remo 2018-04-21T16:30:37Z