<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: split tunnel or tunnel all in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/split-tunnel-or-tunnel-all/m-p/325346#M82975</link>
    <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;That is only used for site-to-site VPN tunnels. You will need a NAT policy for the traffic.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFbCAK" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFbCAK&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;</description>
    <pubDate>Wed, 29 Apr 2020 14:06:18 GMT</pubDate>
    <dc:creator>OtakarKlier</dc:creator>
    <dc:date>2020-04-29T14:06:18Z</dc:date>
    <item>
      <title>split tunnel or tunnel all</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/split-tunnel-or-tunnel-all/m-p/324938#M82904</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;Which one is best, split tunnel or tunnel all? If tunnel all, how to do it in PA?&lt;/P&gt;&lt;P&gt;What are the pros and cons?&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Sun, 26 Apr 2020 18:36:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/split-tunnel-or-tunnel-all/m-p/324938#M82904</guid>
      <dc:creator>simsim</dc:creator>
      <dc:date>2020-04-26T18:36:18Z</dc:date>
    </item>
    <item>
      <title>Re: split tunnel or tunnel all</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/split-tunnel-or-tunnel-all/m-p/324957#M82910</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/59972"&gt;@simsim&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;This depends solely on your requirements and what you are looking to accomplish. One option is not necessarily "better" than the other if you aren't looking at the full picture. I'm going to assume that you are talking about GlobalProtect and not an IPSec tunnel.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;1)&amp;nbsp;&lt;STRONG&gt;Full Tunnel&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The benefit of a full tunnel GlobalProtect configuration is that you can inspect all traffic from a connected endpoint, tied together with always-on and pre-logon and it's similar to having the device sitting in your office. All of the traffic will be inspected by the firewall and the endpoint is effectively never not connected to your network. This is actually how GlobalProtect configures by default: if you leave your 'Split Tunnel' configuration empty or include 0.0.0.0/0 in your include list, it'll tunnel everything through GlobalProtect.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;2)&amp;nbsp;&lt;STRONG&gt;Split Tunnel&lt;/STRONG&gt;&lt;/P&gt;&lt;P&gt;The benefit of split-tunnel is that you don't have to process all of the endpoint's network traffic, which can save you bandwidth if you don't have a connection capable of processing all of the traffic. This is extremely common in a lot of businesses where you have a BYOD VPN tunnel to allow someone to, for example, remote onto their desktop at work.&lt;/P&gt;&lt;P&gt;This is actually a common practice that I use for customers who simply want a way for someone to RDP back to their desktop at work. The configuration will simply allow for RDP traffic back to the access VLANs and ensure that the connected desktop passes a number of HIP checks to ensure that the client itself is up-to-date and has a supported antivirus solution.
In this type of setup, I don't want to process all of the endpoint's traffic, just the RDP traffic.&lt;/P&gt;&lt;P&gt;Under the Split Tunnel configuration you simply need to include whatever subnets you need to traverse the VPN in the include list.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;What solution you pick is really going to depend on your requirements and the business and regulatory needs. Banks for example that I've worked with don't allow any non-issued device to connect to their VPN and all traffic is processed through the VPN tunnel. SMB customers might not have the bandwidth to support all of that traffic and just want to allow RDP traffic as I mentioned before while performing a few HIP checks. Completely dependent on what your needs are.&lt;/P&gt;</description>
      <pubDate>Mon, 27 Apr 2020 03:19:38 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/split-tunnel-or-tunnel-all/m-p/324957#M82910</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2020-04-27T03:19:38Z</dc:date>
    </item>
    <item>
      <title>Re: split tunnel or tunnel all</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/split-tunnel-or-tunnel-all/m-p/325212#M82959</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I say tunnel all. You have a fantastic security appliance, Palo Alto, why not use it to inspect all the traffic?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Just my thoughts.&lt;/P&gt;</description>
      <pubDate>Tue, 28 Apr 2020 19:20:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/split-tunnel-or-tunnel-all/m-p/325212#M82959</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2020-04-28T19:20:18Z</dc:date>
    </item>
    <item>
      <title>Re: split tunnel or tunnel all</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/split-tunnel-or-tunnel-all/m-p/325241#M82964</link>
      <description>&lt;P&gt;Hi,&lt;/P&gt;&lt;P&gt;My concern is bandwidth if it is full tunnel. And does it require NAT-T?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Wed, 29 Apr 2020 10:34:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/split-tunnel-or-tunnel-all/m-p/325241#M82964</guid>
      <dc:creator>simsim</dc:creator>
      <dc:date>2020-04-29T10:34:17Z</dc:date>
    </item>
    <item>
      <title>Re: split tunnel or tunnel all</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/split-tunnel-or-tunnel-all/m-p/325346#M82975</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;That is only used for site-to-site VPN tunnels. You will need a NAT policy for the traffic.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFbCAK" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFbCAK&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;</description>
      <pubDate>Wed, 29 Apr 2020 14:06:18 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/split-tunnel-or-tunnel-all/m-p/325346#M82975</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2020-04-29T14:06:18Z</dc:date>
    </item>
    <item>
      <title>Re: split tunnel or tunnel all</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/split-tunnel-or-tunnel-all/m-p/597562#M118854</link>
      <description>&lt;P&gt;My question, if I may: split tunneling. I would like to place a policy/rule in order to route streaming to VPN users' own ISP.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I also agree overall it's a great appliance, why not take advantage, and we're not hurting most days for bandwidth.&lt;/P&gt;</description>
      <pubDate>Wed, 11 Sep 2024 16:09:22 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/split-tunnel-or-tunnel-all/m-p/597562#M118854</guid>
      <dc:creator>J.Hansen688028</dc:creator>
      <dc:date>2024-09-11T16:09:22Z</dc:date>
    </item>
  </channel>
</rss>

