Global protect domain based local breakout

Hi,

 

I have a question regarding Global protect and partial split tunnelling.

 

Does GP have an option to only allow specific domains via local breakout, all other traffic should be forwarded into the tunnel.

 

I'm asking this question regarding O365: all domains should pass our company security checks; only O365 traffic should be allowed to use the end-user local breakout. This is to speed up O365 connectivity.

 

Regards,

Steven.

L6 Presenter

Re: Global protect domain based local breakout

this would be easy if O365 had just one IP address...

 

you could add this to the exclude list of the split tunnel.

 

or ... perhaps there is a known list of IP's but I have only seen URL's for this, not IP's and they probably change on a daily basis.

 

I can only see the option to add IP's/IP subnets to the exclusion so I think not.

L7 Applicator

Re: Global protect domain based local breakout

The list with Office 365 IP addresses is here (but there are quite a few entries in that list):

https://support.content.office.net/en-us/static/O365IPAddresses.xml

 

With that you could exclude these IP addresses in your gateway config. Or, if there are too many entries, your next possibility is a script that gets executed on the client when it is connected to GlobalProtect. This script then manipulates the local route table and adds entries for these O365 IP ranges so that connections to them are routed directly instead of into the tunnel.

Re: Global protect domain based local breakout

Hi,

 

Thanks for this reply, but it's not really manageable; we currently have 12K+ users.

 

So I guess there is almost no other option than enabling split tunnelling, which I don't like.

 

Regards,

Steven.

L7 Applicator

Re: Global protect domain based local breakout

Hi @Steven_Liefferinckx

 

So I assume the users' computers are not managed by your company?

Re: Global protect domain based local breakout

Hi,

 

They are managed by our company. Updating the list is something we need to avoid.

Based on domain would be easier; it's not only for O365 (just used as an example). We would like to have a similar setup for Skype/Teams and other known/trusted cloud applications.

 

Regards,

Steven.

L7 Applicator

Re: Global protect domain based local breakout

Hi @Steven_Liefferinckx

 

Then it would be a one time setup task. A little help you can find here: https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprot...

 

With this base configuration you could write a script that automatically pulls the IP address list from Microsoft and then adds direct routes for all these IP addresses/ranges. I know it's not as easy as configuring domain-based exceptions, but there is at least a way to achieve what you are asking.

 

Regards,

Remo
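To make the approach from the two replies above concrete (pull the published O365 IP list, then add direct routes on the client so those prefixes bypass the tunnel), here is an added example that is not code from the thread or from Palo Alto Networks. It parses a feed in the layout of the O365IPAddresses.xml file linked earlier (`<products>` / `<product name>` / `<addresslist type>` / `<address>`), aggregates the IPv4 prefixes for the products you select, and renders Windows `route add` commands pointing at the physical default gateway. Everything in it is constructed: the XML sample uses RFC 5737 documentation prefixes rather than real Microsoft ranges, the gateway `192.168.1.1` is a placeholder you would discover on the client, and the script only prints the commands so an administrator can review them before wiring the script into a GlobalProtect on-connect action. Note that Microsoft has since replaced the XML file with a JSON web service, so the parsing function would need adapting for the current feed; the aggregation and route generation stay the same.

```python
"""Generate Windows 'route add' commands for O365 local breakout from an
O365IPAddresses.xml-style feed. Added example, not from the thread; the
sample data, product names and gateway address are constructed."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the old O365IPAddresses.xml feed. The
# prefixes are RFC 5737 documentation ranges, NOT real Microsoft addresses.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<products updated="1/1/2018">
  <product name="o365">
    <addresslist type="IPv4">
      <address>192.0.2.0/25</address>
      <address>192.0.2.128/25</address>
      <address>198.51.100.16/28</address>
    </addresslist>
    <addresslist type="URL">
      <address>*.example-office.test</address>
    </addresslist>
  </product>
  <product name="Teams">
    <addresslist type="IPv4">
      <address>198.51.100.16/28</address>
      <address>203.0.113.0/24</address>
    </addresslist>
    <addresslist type="IPv6">
      <address>2001:db8::/32</address>
    </addresslist>
  </product>
</products>
"""


def parse_ipv4_prefixes(xml_text, products=None):
    """Return the deduplicated, aggregated IPv4 networks for the selected
    products (products=None selects every product in the feed)."""
    root = ET.fromstring(xml_text)
    nets = set()
    for product in root.iter("product"):
        if products is not None and product.get("name") not in products:
            continue
        for alist in product.findall("addresslist"):
            # URL entries cannot be routed at all, and IPv6 would need its own
            # route table handling, so only IPv4 lists feed the route set.
            if alist.get("type") != "IPv4":
                continue
            for addr in alist.findall("address"):
                text = (addr.text or "").strip()
                if text:
                    # A bare host address in the feed is treated as a /32.
                    nets.add(ipaddress.ip_network(text, strict=False))
    # collapse_addresses merges adjacent and overlapping prefixes, which keeps
    # the client route table as small as the feed allows.
    return list(ipaddress.collapse_addresses(sorted(nets)))


def route_add_commands(networks, physical_gateway, metric=1):
    """Render route.exe commands that send each prefix to the physical
    (non-tunnel) gateway. They are deliberately non-persistent: the
    on-connect script is expected to re-add them on every connection."""
    gw = ipaddress.ip_address(physical_gateway)  # validates the placeholder
    return [
        f"route add {n.network_address} mask {n.netmask} {gw} metric {metric}"
        for n in networks
    ]


def main():
    nets = parse_ipv4_prefixes(SAMPLE_XML, products={"o365", "Teams"})
    for cmd in route_add_commands(nets, "192.168.1.1"):  # constructed gateway
        print(cmd)


if __name__ == "__main__":
    main()
```

Restricting the parser to named products matters for the reason Steven gives: every prefix added here leaves the company security checks, so the breakout set should be exactly the trusted applications and nothing more. Fetch the feed over HTTPS from Microsoft's published location and keep the aggregated prefix list in the client logs so a changed feed is visible when troubleshooting.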
