topic Re: Global protect split tunnel setup in General Topics

Global protect split tunnel setup

Alex_Samad — Fri, 20 Mar 2020 14:13:33 GMT

I have 8.1.5 on the pa and 4.1.11-9 client

I have setup the gateway for video traffic exclusion, and selected

youtube-streaming

netflix-streaming

But a simple test shows utube still come over the tunnel address

I want to allow MS Teams to by pass the tunnel, so I goto agent / client setting select my config and split tunnel

domain and application

but the app runs from

{userprofile}\AppData\Local\Microsoft\Teams\current\Teams.exe

how can i enter that into the config

Re: Global protect split tunnel setup

BPry — Fri, 03 May 2019 18:52:46 GMT

@Alex_Samad,

You can use the userprofile environmental variable like so:

%userprofile%\AppData\Local\Microsoft\Teams\current\Teams.exe

The only thing I can think with the exclusion is that you should add youtube-base and netflix-base and see if that works. I haven't tried including just the streaming app-ids to see how well that works.

Re: Global protect split tunnel setup

Alex_Samad — Fri, 03 May 2019 22:11:50 GMT

Cool, I will try that with teams. I presume it runs under the current user so the env variable will point to the right place.

Now - do I want to include - does that mean by pass the vpn or exclude ??

Yeah , not getting utube to work. watching now and its still in vpn

So I turn on video traffic exclude

and selected utube and netflix

but its not working

Re: Global protect split tunnel setup

Alex_Samad — Tue, 14 May 2019 23:55:21 GMT

So i have found my answer.

You need a license for the video split tunnel .... sigh

Re: Global protect split tunnel setup

BPry — Wed, 15 May 2019 03:26:29 GMT

@Alex_Samad,

That you do; this is not included within the "base" functionality of GlobalProtect included with the device. If I would have to guess I would assume that the "free" version of GlobalProtect will essentially stay at where it is currently, and all the new exciting things will be included in the license.

Re: Global protect split tunnel setup

OtakarKlier — Wed, 15 May 2019 19:21:45 GMT

Hello,

While I understand why you want to do a split tunnel, its not best practice and will fail most major compliance requirements.

Regards,

Re: Global protect split tunnel setup

Alex_Samad — Thu, 16 May 2019 00:58:59 GMT

Yes understand but, we haved started to use MS teams video chat - and well hair pin turning a video stream 1/2 way around the world is a pain. So we are looking at allowing just MS teams to have direct access out to just O365 ip's

Re: Global protect split tunnel setup

CoreyKinder — Fri, 07 Feb 2020 16:23:14 GMT

Anyone else try this out?

From real-world testing I found it did work with exceptions by adding the path %userprofile\AppData\Local\Microsoft\Teams\current\Teams.exe

The exception being that the ability to join meetings is completely broken. That traffic somehow ends up coming back across the tunnel while keeping the main teams application on the local network which causes the attempt to join to fail.

Upon investigation of the processes that are created while joining a meeting in Teams it seems Teams temporarily stages another Teams.exe at this location

%userprofile\AppData\Local\Microsoft\Teams\stage\Teams.exe

However, adding this to the Split Tunnel config still did not work.

Not sure what I am missing, but the fact that Palo Alto does not support the ability to Split Tunnel based on external IP blocks is ridiculous as this would have been much easier and working now.

Re: Global protect split tunnel setup

Retired Member — Thu, 27 Feb 2020 19:36:37 GMT

%userprofile% not %userprofile

Re: Global protect split tunnel setup

wiresharky — Thu, 12 Mar 2020 09:00:36 GMT

I've added 52.112.0.0/14 to the split tunnel config because all teams traffic seems to go there.

This worked for a bit, but i still see traffic to this subnet comming trought the vpn altough traceroutes and manual request do go the correct way.

to counter this i've blocked this traffic on the palo so the client has to take the direct route via local internet, but this raises some strange issues for users.

Does ms teams override the routing table ? very strange.

Re: Global protect split tunnel setup

bspilde — Thu, 19 Mar 2020 01:34:49 GMT

Exclude by using the "Access Route" Exclude list.

Use 13.107.64.0/18 and 52.112.0.0/14 as the excluded networks. There may be more but that's what I tested with and it works. The latest releases of supported PAN-OS do not appear to work with %userprofile% variables as an option in the path.

Re: Global protect split tunnel setup

wiresharky — Thu, 19 Mar 2020 05:52:00 GMT

thanks for replying

I did that (and added a few more over the last days).

so you didn't notice any traffic of those ranges still going through the vpn tunnel?

Re: Global protect split tunnel setup

bspilde — Thu, 19 Mar 2020 16:30:53 GMT

I don't believe I'm seeing anything there. With my testing anyway it showed correctly disappearing traffic while in a Teams meeting. I have not double checked later on yet.

I have created a list for Zoom and that works well also.

I'm struggling with anything EXE based but it might be due to the multiple possible folders Outlook might be installed into based on 32bit vs. 64bit O365 vs stand alone install. I did successfully split MS AppStore as a test and that worked flawlessly all the time.

Palo needs to support %userprofile% and %appdata% in the config!

Re: Global protect split tunnel setup

yannogrodowicz — Fri, 20 Mar 2020 10:00:39 GMT

Hi @CoreyKinder ,

I have observed the same behavior as the one you described.

We are running v9.0.4 on the Gateway and 5.0.7-2 on the GP Clients.

We configured split tunneling for the process %userprofile\AppData\Local\Microsoft\Teams\current\Teams.exe

Works pretty well but in some cases, joining a Teams Meeting online is not working. Several users reported this issue, while I personally never faced it.

My first analysis shows that traffic to the following FQDN is always going through the Tunnel and will not break out locally: api.flightproxy.teams.microsoft.com

Unfortunately this FQDN returns random IP addresses from different subnets.

I am also not sure whether or not this is the cause of the issue. I tried collecting GlobalProtect debug logs, MS Teams debug logs, but did not find anything so far

Did anyone manage to make this work?

Re: Global protect split tunnel setup

Alex_Samad — Fri, 20 Mar 2020 11:13:21 GMT

I have gone the cheaper or route the license for GP is $$$ so i use split tunnel routes

https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service offical ip ranges used by MS for services - pick the skype ones it covers MS teams from my under standing

i run this script to produce something I can cut and paste into panorama

#!/bin/bash

#
# guid
# https://www.guidgenerator.com/online-guid-generator.aspx
#
guid=<generate one>

tp="/tmp/$guid"

#
# https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service
#

wget -O "$tp" -q 'https://endpoints.office.com/endpoints/WorldWide?ClientRequestId=<getyourown>&AllVersions=false&Format=CSV&NoIPv6=true&TenantName=yieldbroker&ServiceAreas=Skype'

#
theips="prefix other ips"

for x in $( cat "$tp" | sed -e 's/^[^,]*,[^,]*,"[^"]*",//;s/"[^"]*",//;s/^,.*$//;/^id,.*$/d;/^$/d;s/^"$[^"]*$".*$/\1/;s/,/ /g')
do
#echo $x
theips="$theips $x"
done

echo "# this is for the <agent name1> people on the gateway"
echo "set template Active_Passive config vsys vsys1 global-protect global-protect-gateway alcpa-vpn-gateway remote-user-tunnel-configs <agent name1> split-tunneling exclude-access-route [ $theips ]"

echo "# this is for the non singapore people on the gateway"
echo "set template Active_Passive config vsys vsys1 global-protect global-protect-gateway alcpa-vpn-gateway remote-user-tunnel-configs <agent name2> split-tunneling exclude-access-route [ $theips ]"

echo "# this is for all on the gateway"
echo "set template ybopa config vsys vsys1 global-protect global-protect-gateway ybopa-vpn-gateway-external remote-user-tunnel-configs <agent name3> split-tunneling exclude-access-route [ $theips ]"

echo

Re: Global protect split tunnel setup

wiresharky — Wed, 25 Mar 2020 07:03:36 GMT

nice!

i have minemeld running and will use that as a source.

Do any of your users have issues with teams joining meetings or sharing their desktop?

I've got mixed results.

Re: Global protect split tunnel setup

Alex_Samad — Tue, 31 Mar 2020 00:29:01 GMT

Seem like the nice people at PA have opened up trial license for 3-6 months for GP. which will allow me to use all these nice features.

So instead of having to do it by ip address I should be able to do it by app / process ..

Re: Global protect split tunnel setup

Alex_Samad — Fri, 03 Apr 2020 05:11:28 GMT

Moved to trying

%userprofile%\AppData\Local\Microsoft\Teams\current\Teams.exe

turned it on and MS Teams stop working for some and still working for others 😞

Re: Global protect split tunnel setup

RLJFRY — Tue, 07 Apr 2020 15:34:32 GMT

Hi all,

Am I reading this right in that PanOS doesn't seem to support environment %Variables% in the path name of the executable you're trying to add to the "Include/Exclude Client Application Process Name" fields, be it with or without a GP license!? That's big oversight if that's the case. Has anyone got this confirmed by PA support?

If it makes a difference to the PanOS, we're at 8.1.x and have a GP license.

I'm basically also looking to add Teams and Zoom to the exclusion list by executable, but it's pretty pointless if neither will work? Or is Zoom working using the .exe path name in conjunction with the IP exclusions for it's IP blocks?

Also, are you guys seeing the new GP config changes apply after reconnecting / disconnecting and then reconnecting the GP client again? - I asked PA support when the GP configs get applied and they weren't sure, and advised me that's it's best to uninstall the GP client and clear a registry key and remove the GP services following a config change, and referred me to the following article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJDCA0

This seems rather drastic!

Thanks,

John

Re: Global protect split tunnel setup

Alex_Samad — Tue, 07 Apr 2020 20:49:20 GMT

Wow support don't know !

I find it strange you have to remove the client.

when i make changes to the split tunnel withe routes they seems to show up after a disconnect reconnect.

if they don't support %Variables%, then you can't really do teams can you ? Wow