Global protect domain based local breakout


Hi,

 

I have a question regarding Global protect and partial split tunnelling.

 

Does GP have an option to only allow specific domains via local breakout, all other traffic should be forwarded into the tunnel.

 

I'm asking this question regarding O365: all domains should pass our company security checks; only O365 traffic should be allowed to use end-user local breakout. This is to speed up O365 connectivity.

 

Regards,

Steven.



this would be easy if O365 had just one IP address...

 

you could add this to the exclude list of the split tunnel.

 

or ... perhaps there is a known list of IPs, but I have only seen URLs for this, not IPs, and they probably change on a daily basis.

 

I can only see the option to add IPs/IP subnets to the exclusion, so I think not.


The list with Office 365 IP addresses is here (but there are quite a few entries in that list):

https://support.content.office.net/en-us/static/O365IPAddresses.xml

 

With that you could exclude these IP addresses in your gateway config. Or, if there are too many entries, your next possibility is a script that gets executed on the client when it is connected to GlobalProtect. This script then manipulates the local route table and adds entries for these O365 IP ranges so that connections to them are routed directly instead of into the tunnel.

Hi,

 

Thanks for this reply, but it's not really manageable; we currently have +12K users.

 

So I guess there is almost no other option than to enable split tunnelling, which I don't like.

 

Regards,

Steven.

Hi @Steven_Liefferinckx

 

So I assume the users' computers are not managed by your company?

Hi,

 

They are managed by our company. Updating the list is something we need to avoid.

Based on domain would be easier; it's not only for O365 (just used as an example). We would like to have a similar setup for Skype/Teams and other known/trusted cloud applications.

 

Regards,

Steven.

Hi @Steven_Liefferinckx

 

Then it would be a one time setup task. A little help you can find here: https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprot...

 

With this base configuration you could write a script that automatically pulls the IP addresslist from microsoft and then adds direct routes for all these IP addresses/ranges. I know it's not as easy as configuring domain based exceptions but there is at least a way to achieve what you are asking.

 

Regards,

Remo
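Remo's suggestion (in this reply and in his earlier reply above) is a client-side script that pulls Microsoft's O365 IP list and adds direct routes for those ranges. The Python below is an added example, not code from this thread or from Palo Alto Networks or Microsoft: it shows the parsing and sanity-checking half of such a script against a constructed sample in the layout of O365IPAddresses.xml (assumed structure: products/product/addresslist/address, with the list type in the `type` attribute). The gateway 192.168.1.1, the product names and the route-add syntax are placeholders; the script prints the route commands instead of executing them, collapses overlapping prefixes, refuses entries that would steer private or near-default traffic out of the tunnel, and produces a fingerprint so a scheduled run can skip rewriting routes when the list has not changed.

```python
"""Parse an O365-style IP list XML and render direct routes for a
split-tunnel exclusion (client-side script idea from the thread)."""
import hashlib
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout of O365IPAddresses.xml.
# Includes a duplicate, two adjacent /15s, a junk entry and a private range
# so the checks below have something to act on.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<products updated="1/1/2018">
  <product name="o365">
    <addresslist type="IPv4">
      <address>13.107.6.152/31</address>
      <address>13.107.18.10/31</address>
      <address>40.96.0.0/13</address>
      <address>40.104.0.0/15</address>
      <address>40.106.0.0/15</address>
      <address>13.107.6.152/31</address>
    </addresslist>
    <addresslist type="IPv6">
      <address>2603:1006::/40</address>
    </addresslist>
    <addresslist type="URL">
      <address>outlook.office365.com</address>
    </addresslist>
  </product>
  <product name="EXO">
    <addresslist type="IPv4">
      <address>40.92.0.0/15</address>
      <address>not-an-ip</address>
      <address>10.0.0.0/8</address>
    </addresslist>
  </product>
</products>
"""

def acceptable(net):
    """Sanity check: never route private space or huge prefixes around
    the tunnel, even if a fetched list says so."""
    return not net.is_private and net.prefixlen >= 8

def parse_ipv4_prefixes(xml_text, products=None):
    """Return (collapsed sorted IPv4 prefixes, skipped raw entries).
    products: optional set of <product name=...> values to keep."""
    root = ET.fromstring(xml_text)
    nets, skipped = [], []
    for product in root.iter("product"):
        if products and product.get("name", "") not in products:
            continue
        for alist in product.findall("addresslist"):
            if alist.get("type") != "IPv4":   # IPv6 and URL lists ignored here
                continue
            for addr in alist.findall("address"):
                text = (addr.text or "").strip()
                try:
                    net = ipaddress.IPv4Network(text, strict=False)
                except ValueError:
                    skipped.append(text)
                    continue
                if acceptable(net):
                    nets.append(net)
                else:
                    skipped.append(text)
    # collapse_addresses removes duplicates and merges adjacent siblings
    return sorted(ipaddress.collapse_addresses(nets)), skipped

def list_fingerprint(prefixes):
    """Stable hash of the prefix set; compare with the last run to decide
    whether the route table needs rewriting at all."""
    joined = "\n".join(n.with_prefixlen for n in prefixes)
    return hashlib.sha256(joined.encode()).hexdigest()

def route_commands(prefixes, gateway, platform="windows"):
    """Render route-add lines pointing at the physical NIC's gateway
    (placeholder syntax; adapt to the client OS you manage)."""
    cmds = []
    for net in prefixes:
        if platform == "windows":
            cmds.append(f"route add {net.network_address} mask {net.netmask} {gateway}")
        else:
            cmds.append(f"ip route add {net.with_prefixlen} via {gateway}")
    return cmds

if __name__ == "__main__":
    prefixes, skipped = parse_ipv4_prefixes(SAMPLE_XML)
    print(f"# fingerprint {list_fingerprint(prefixes)}")
    for cmd in route_commands(prefixes, "192.168.1.1"):
        print(cmd)
    for entry in skipped:
        print(f"# skipped: {entry}")
```

In a real deployment the XML would be fetched over HTTPS from the URL quoted earlier in the thread, the script would be pushed and scheduled by endpoint management, and the previous fingerprint would be stored locally so an unchanged list costs no route churn. Routes added this way bypass the gateway's security policy, which is why the `acceptable()` check and a reviewed product filter matter more than the fetch itself.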

  • 1 accepted solution
  • 3693 Views
  • 6 replies
  • 0 Likes