I am struggling to find a solution for one request that I have from a customer. We have a VM-300 with PAN-OS 7.1.6 and the customer wants to enable GlobalProtect for remote access users. The tricky part is that for the split-tunneling configuration he wants all Office 365 traffic to go via the tunnel. He has provided me with a list of hosts and networks for "Office 365 Auth & Exchange Online" and there are more than 150 of them. Adding the 10 private networks, in turn, we need to configure around 200 routes.
According to this article the limit for PAN-OS 7.1.x is 100; unfortunately an upgrade is not an option at this stage...
I was hoping for a more elegant solution, but I am not capable of finding any at the moment.
If you guys have any other suggestion besides upgrading and disabling split-tunneling, I will be more than grateful.
The only solution is upgrading or disabling split-tunneling. Sadly I don't know of any way that you are going to get around this limitation, hence the feature request being available in later releases.
Interesting solution, but if I understand correctly, basically your suggestion is to add the routes via a script instead of the firewall sending them. My concern is that if we add the routes with the script, what should we configure on the PA firewall for routing? And more specifically, if we add routes via the script to send traffic via the tunnel, but in the firewall configuration we don't add these routes, will the firewall accept it? I have seen with other vendors that "access routes" (the routes for split tunneling) are configured under the VPN encryption domain and the firewall will drop packets destined to an address that is received via the tunnel but not configured in the encryption domain.
@BPry Unfortunately it seems you are right... I was really hoping for a more flexible solution, as I have seen this (RA VPN + Office 365) a couple of times, and when the customer requests split-tunnel with this it is insane...
We have communicated this with the customer and the temporary solution will be to convert to full tunnel; for the permanent one we will upgrade.
Thank you both for the feedback!
I don't know exactly if this way would cause problems with the encryption domain. But you could go the other way: add 0.0.0.0/0 to the firewall configuration (or remove the entries completely to get a full-tunnel configuration) and implement a script that adds routes for networks that need to communicate directly.
In your case you probably need to rebuild the routing table completely because you want most of the traffic to go directly.
So your script could add routes for Office365 and your internal networks to the tunnel and change the default route to go direct.
An example was already made by PAN here: https://www.paloaltonetworks.com/documentation/scripts/windows-exclude-traffic-from-tunnel.html
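The client-side approach described in the post above, as an added example that is not part of the original thread and not the PAN script it links to: a small Python generator that turns a prefix list (the Office 365 networks plus the internal networks) into the Windows `route` commands a logon script would run, sending those prefixes into the GlobalProtect virtual adapter and restoring a direct default route. Interface indexes, gateways and the sample prefixes are constructed assumptions; the firewall side still needs the 0.0.0.0/0 access route (or full-tunnel) the post mentions so that traffic arriving in the tunnel to any destination is accepted.

```python
"""Rebuild a split-tunnel routing table on a GlobalProtect client.

Added example (not from the original thread, not Palo Alto's script):
generates Windows `route` commands so that only listed prefixes go via
the tunnel adapter while everything else stays direct.  All interface
indexes, gateways and sample prefixes below are constructed assumptions.
"""
from ipaddress import IPv4Address, IPv4Network, collapse_addresses
from typing import Iterable, List


def merge_prefixes(prefixes: Iterable[str]) -> List[IPv4Network]:
    """Deduplicate overlapping/adjacent prefixes and return them sorted.

    A customer list often repeats or nests entries (e.g. 10.1.0.0/16 inside
    10.0.0.0/8); collapsing them keeps the client routing table minimal.
    """
    nets = [IPv4Network(p, strict=False) for p in prefixes]
    return sorted(collapse_addresses(nets))


def route_commands(tunnel_prefixes: Iterable[str],
                   tunnel_if_index: int, tunnel_gateway: str,
                   physical_gateway: str, physical_if_index: int,
                   metric: int = 5) -> List[str]:
    """Emit `route` commands: listed prefixes via tunnel, default via LAN.

    Refuses a prefix list that would swallow the physical next hop, since
    routing the LAN gateway itself into the tunnel breaks the direct
    default route and therefore all non-tunneled traffic.
    """
    phys_gw = IPv4Address(physical_gateway)
    merged = merge_prefixes(tunnel_prefixes)
    for net in merged:
        if net.prefixlen == 0:
            raise ValueError("0.0.0.0/0 in tunnel list defeats split tunneling")
        if phys_gw in net:
            raise ValueError(f"{net} covers the physical gateway {phys_gw}")

    cmds = []
    # 1. Specific destinations through the GlobalProtect virtual adapter.
    for net in merged:
        cmds.append(f"route ADD {net.network_address} MASK {net.netmask} "
                    f"{tunnel_gateway} METRIC {metric} IF {tunnel_if_index}")
    # 2. Drop the default route the client received via the tunnel and
    #    re-add a default route pointing at the physical LAN gateway.
    cmds.append(f"route DELETE 0.0.0.0 MASK 0.0.0.0 {tunnel_gateway} "
                f"IF {tunnel_if_index}")
    cmds.append(f"route ADD 0.0.0.0 MASK 0.0.0.0 {physical_gateway} "
                f"METRIC {metric} IF {physical_if_index}")
    return cmds


if __name__ == "__main__":
    # Constructed sample: a few Office 365-style ranges (one duplicated,
    # one nested internal network) plus two private networks.
    SAMPLE_PREFIXES = [
        "40.96.0.0/13", "40.104.0.0/15", "13.107.6.152/31",
        "13.107.6.152/31", "10.0.0.0/8", "10.1.0.0/16", "172.20.0.0/16",
    ]
    for line in route_commands(SAMPLE_PREFIXES,
                               tunnel_if_index=23,        # assumed GP adapter
                               tunnel_gateway="172.16.255.1",
                               physical_gateway="192.168.1.1",
                               physical_if_index=11):     # assumed LAN NIC
        print(line)
```

The generated batch is what a post-connect script would execute with administrative rights; the interface index and tunnel gateway have to be read from the client at run time (the `IF` numbers above are placeholders), and the prefix list needs refreshing whenever the Office 365 ranges change.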