Global Protect Access routes for Office 365


L4 Transporter

Hi Guys,

I am struggling to find a solution for one request that I have from a customer. We have a VM-300 with PAN-OS 7.1.6 and the customer wants to enable Global Protect for remote access users. The tricky part is that for the split-tunneling configuration he wants all Office 365 traffic to go via the tunnel. He has provided me with a list of hosts and networks for "Office 365 Auth & Exchange Online" and there are more than 150 of them. Adding the 10 private networks, in turn we need to configure around 200 routes.

According to this article the limit for PAN-OS 7.1.x is 100; unfortunately an upgrade is not an option at this stage...

I was hoping for a more elegant solution, but I am not capable of finding any at this moment.

If you guys have any other suggestion besides upgrading and disabling split-tunneling, I will be more than grateful.

L7 Applicator

Re: Global Protect Access routes for Office 365

@AlexanderAstardzhiev,

The only solution is upgrading or disabling split-tunneling. Sadly I don't know of any way that you are going to get around this limitation, hence the feature request being available in later releases.

L7 Applicator

Re: Global Protect Access routes for Office 365

Hi @alexander.Astardzhiev

I have to say that I did not test or implement this myself, so there's no guarantee ...

But I think there could be a solution ... you just have to think a little outside of the box (the PAN firewall) ;)
---->Post VPN Connection script<----
With a post-VPN-connection script you could modify the routing table. There are multiple ways to do it with that script. First, you could statically add the Office 365 routes in that script. The second way is to pull the XML from Microsoft with the script, so you always have the current Office 365 networks routed to the Global Protect VPN tunnel. And the third way would be to host a list of networks on an internal server in your or your customer's network. This way you could control what will be routed into the tunnel by editing a simple text file somewhere. Of course the post-VPN-connection script would also need to pull that list to make this work.

At least worth a try...

Regards,
Remo
L4 Transporter

Re: Global Protect Access routes for Office 365

Hi @vsys_remo

Interesting solution, but if I understand correctly your suggestion is basically to add the routes via script instead of the firewall sending them. My concern is that if we add the routes with the script, what should we configure on the PA FW for routing? And more specifically, if we add routes via script to send traffic via the tunnel, but in the firewall configuration we don't add these routes, will the firewall accept it? I have seen with other vendors that "access routes" (the routes for split tunneling) are configured under the VPN encryption domain and the firewall will drop packets destined to an address that is received via the tunnel but not configured in the encryption domain.

@BPry Unfortunately it seems you are right... I was really hoping for a more flexible solution, as I have seen this (RA VPN + Office 365) a couple of times, and when the customer requests split-tunnel with this it is insane...

We have communicated this with the customer and the temporary solution will be to convert to full tunnel; for a permanent one we will upgrade.

 

Thank you both for the feedback!

L7 Applicator

Re: Global Protect Access routes for Office 365

Hi @AlexanderAstardzhiev

I don't know exactly if this way would cause problems with the encryption domain. But you could go the other way: add 0.0.0.0/0 to the firewall configuration (or remove the entries completely to get a full-tunnel configuration) and implement a script that adds routes for networks that need to communicate directly.

In your case you probably need to rebuild the routing table completely, because you want most of the traffic to go directly.

So your script could add routes for Office 365 and your internal networks to the tunnel and change the default route to go direct.

An example was already made by PAN here: https://www.paloaltonetworks.com/documentation/scripts/windows-exclude-traffic-from-tunnel.html


Regards,

Remo
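As an added illustration of both of Remo's suggestions in this thread (routing a hosted list of prefixes into the tunnel, or, with the firewall set to full tunnel, routing the listed prefixes directly), here is a Windows post-VPN-connect script written for this page. It is not code from the thread, from Palo Alto Networks, or from the PAN script Remo links. Assumptions: the GlobalProtect adapter is matched by the interface description pattern `PANGP*`, tunnel routes are on-link (next hop 0.0.0.0), the list lives on an internal HTTPS server or a local file (the `-ListSource` parameter), and the embedded fallback list uses documentation prefixes that are constructed, not Microsoft's real Office 365 ranges.

```powershell
<#
  Added example (not from the thread or from Palo Alto Networks).
  Routes a list of IPv4 prefixes either INTO the GlobalProtect tunnel
  (default) or DIRECTLY out the physical default gateway (-Direct, for the
  "full tunnel on the firewall + exclusions by script" variant).
  Run with -WhatIf first to see what would be added without changing anything.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    # Local path or https:// URL of a one-prefix-per-line list (assumed internal server).
    [string]$ListSource = '',
    # Assumed interface-description pattern of the GlobalProtect tunnel adapter.
    [string]$TunnelAdapterPattern = 'PANGP*',
    # Send the listed prefixes out the physical gateway instead of into the tunnel.
    [switch]$Direct
)

# Constructed fallback list with placeholder prefixes (NOT real Office 365 ranges).
$sampleList = @'
# office365-example.txt - replace with the customer's list
203.0.113.0/24
198.51.100.0/25
198.51.100.128/25
not-a-prefix
192.0.2.0/24
'@

function Get-PrefixList {
    param([string]$Source, [string]$Fallback)
    if ($Source -like 'https://*') {
        # Only HTTPS: whoever controls this list controls what leaves the tunnel.
        $raw = Invoke-RestMethod -Uri $Source -UseBasicParsing
    } elseif ($Source -and (Test-Path $Source)) {
        $raw = Get-Content -Raw $Source
    } else {
        $raw = $Fallback
    }
    $valid = @()
    foreach ($line in ($raw -split "`r?`n")) {
        $entry = $line.Trim()
        if (-not $entry -or $entry.StartsWith('#')) { continue }
        # Accept only well-formed IPv4 CIDR entries; warn about and skip anything else.
        $parts = $entry -split '/'
        $ip = $null
        if ($parts.Count -eq 2 -and
            [System.Net.IPAddress]::TryParse($parts[0], [ref]$ip) -and
            $ip.AddressFamily -eq 'InterNetwork' -and
            $parts[1] -match '^\d{1,2}$' -and [int]$parts[1] -le 32) {
            $valid += $entry
        } else {
            Write-Warning "Skipping malformed entry: '$entry'"
        }
    }
    return $valid | Sort-Object -Unique
}

# Refuse to touch the routing table unless the tunnel is actually up.
$tunnel = Get-NetAdapter |
    Where-Object { $_.InterfaceDescription -like $TunnelAdapterPattern -and $_.Status -eq 'Up' } |
    Select-Object -First 1
if (-not $tunnel) { throw "GlobalProtect tunnel adapter not found; nothing changed." }

if ($Direct) {
    # Physical default gateway = best 0.0.0.0/0 route that is not on the tunnel adapter.
    $gw = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 |
          Where-Object InterfaceIndex -ne $tunnel.ifIndex |
          Sort-Object RouteMetric | Select-Object -First 1
    if (-not $gw) { throw "No non-tunnel default gateway found; nothing changed." }
    $ifIndex = $gw.InterfaceIndex; $nextHop = $gw.NextHop
} else {
    # Assumption: the tunnel is point-to-point, so its routes are on-link (0.0.0.0).
    $ifIndex = $tunnel.ifIndex; $nextHop = '0.0.0.0'
}

$prefixes = @(Get-PrefixList -Source $ListSource -Fallback $sampleList)
Write-Verbose ("Applying {0} prefixes via ifIndex {1}, next hop {2}" -f $prefixes.Count, $ifIndex, $nextHop)

foreach ($prefix in $prefixes) {
    # Idempotent: re-running after a reconnect never adds a duplicate route.
    $existing = Get-NetRoute -DestinationPrefix $prefix -InterfaceIndex $ifIndex -ErrorAction SilentlyContinue
    if ($existing) { continue }
    if ($PSCmdlet.ShouldProcess($prefix, "New-NetRoute via ifIndex $ifIndex")) {
        # ActiveStore: the route lives only for this session, like the ones GlobalProtect pushes.
        New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $ifIndex -NextHop $nextHop `
            -RouteMetric 1 -PolicyStore ActiveStore | Out-Null
    }
}
```

`New-NetRoute` needs an elevated context, so the script only works where the post-VPN-connect hook runs it with that privilege. Alexander's concern above still applies to the default (into-tunnel) mode: the client-side route only decides what enters the tunnel, and the firewall must also be configured to accept and route that traffic; the `-Direct` mode sidesteps this by leaving the firewall in full-tunnel configuration and carving out exclusions on the client, which is the approach Remo's second reply and the linked PAN script take.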
