GlobalProtect: Implement Split Tunnel Domain and Applications

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Audit
Last Reviewed: 07-12-2023 02:06 PM
Audited By: JayGolf
L4 Transporter
No ratings

GlobalProtect: Implement Split Tunnel Domain, Applications,
Exclude Video Traffic Configuration

 

 

Background:

Enterprises may require the majority of their employees or contractors to work remotely or from home due to certain unavoidable situations such as pandemic or during natural calamity. GlobalProtect with Prisma Access or with on-premise firewall is utilized by employees to securely connect to their enterprise environment and access their corporate applications.

 

NOTE: Split-tunnel traffic is not inspected by next-generation firewall and, therefore, does not have the threat-protection offered by Palo Alto Networks. Hence, customers are advised to carefully review before enabling this feature and then decide whether the split tunnel meets their environment needs.

 

Objective:

GlobalProtect supports Split Domain & Applications and Exclude Video Traffic features. The objective of this document is to provide enterprise administrators with information about these features and configurations. The document specifically focuses on implementing these features to exclude certain bandwidth clogging applications and domains to help enterprises with business continuity and prioritizing business application traffic during the high Work From Home (WFH) season.

 

The solution described in this document is specifically targeted for Windows and macOS. To achieve split tunnel for iOS, Android and Windows UWP users can utilize app level VPN configured via MDM. For information on that refer here.

 

Prerequisite:

  • Prisma Access Or
  • GlobalProtect Subscription for NGFW customers
    • PAN OS version 8.1 & onwards
    • Recommended GlobalProtect app 5.0.x & onwards. Supported with GlobalProtect app 4.1.x
    • GlobalProtect License. More information for license and activation can be found here.

 

Platform Supported:

  • Windows 7 Service Pack 2 & later
  • macOS 10.10 & later

 

Split Domain & Application:

  • GlobalProtect supports split domain and application feature. This feature can be configured to exclude or include traffic for certain domains or applications. This in turn can help reduce the load on the network during high Work From Home (WFH) season.
  • Once configured all traffic for that application or traffic destined to the specific domains is either sent through the tunnel for inspection and policy enforcement or sent outside the tunnel directly to the physical adapter on the endpoint without inspection.

 

Configuration:

      1. To configure exclude domains and applications on the firewall, navigate to:
        Network > GlobalProtect > Gateway > Agent > Client Settings > Client-Config > Split Tunnel > Domain and Application
        GlobalProtect Config Split TunnelsGlobalProtect Config Split Tunnels

         

         

      2. Specify the domains for which you want to exclude the traffic outside of your VPN tunnel under EXCLUDE DOMAIN option. In the configuration snapshot above, we have excluded traffic for following domains from VPN tunnel:
        1. *.ringcentral.com
        2.  
      3. Similarly specify the complete path of the application process for which you would like to exclude the traffic outside your VPN tunnel under ‘EXCLUDE CLIENT APPLICATION PROCESS NAME’. In the configuration snapshot above, we have excluded traffic for ‘ringcentral’ application from VPN tunnel for both Windows and Mac:
        1. %AppData%\Local\RingCentral\SoftPhoneApp\Softphone.exe
        2. %AppData%\Local\RingCentral\SoftPhoneApp\SoftPhoneMapiBridge.exe
        3. /Applications/RingCentral for Mac.app/Contents/MacOS/Softphone
      4. Once configured click ‘OK’ and commit the configuration on the firewall. Above configuration is pushed on the GlobalProtect once it is connected to the gateway.

 

Exclude Video Traffic:

    • GlobalProtect supports exclude video traffic features for Windows and macOS. Once configured, video traffic to that domain will be excluded from the VPN tunnel and allowed to go directly from the physical interfaces on the endpoint. The App-ID functionality on the firewall identifies the video stream before traffic can be split tunneled.
    • Video streaming applications normally consume high bandwidth. Hence during high Work From Home (WFH) and business continuity situations these traffic can be excluded from the tunnel to decrease bandwidth consumption on the gateway.
    • It is essential to correctly identify the content to be video and exclude. If there is a media file, like mp3, swf etc downloaded then that should not be split tunneled and must go through the tunnel and inspected as these could be threat vehicles.
    • It is essential to have ssl-decryption enabled on the gateway to exclude the streams which are utilizing https. More information on the same can be found here.

 

Configuration:

      1. To configure exclude video traffic from the tunnel (Windows and macOS only), navigate to:
        Network > GlobalProtect > Gateway > Agent > Video Traffic
        GlobalProtect Gateway ConfigurationGlobalProtect Gateway Configuration

         

      2. Here, check ‘Exclude video traffic from the tunnel (Windows and macOS only)’. Then under ‘APPLICATIONS’ add the applications for which you want to exclude video traffic from your VPN tunnel. In the configuration snapshot above, following applications are excluded:
        1. hulu-base
        2. netflix-streaming
        3. youtube-streaming
      3. If administrators enable this option but do not exclude specific video-streaming applications from the VPN tunnel, all video-streaming traffic is excluded.
      4. Once configured click ‘OK’ and commit the configuration on the firewall
Rate this article:
(3)
Comments
L2 Linker

Is there log file or way to validate the application process id is being split tunnel by gp client

L2 Linker

@rajjair 

 

In Windows, we will need DebugView from Microsoft SysInternals Suite - In the capture options, enable Verbose and Kernel logging. 

We can also use CurrPorts by NirSoft, which lists Connections in NETSTAT format along with the Process that owns the session. CurrPorts allows you to filter by application. It is best to use Source-Ports of connections as the search term while reading DebugView logs.

 

In macOS, the latest versions of GP has PanNExt.log (Network Extension Logs), which shows the information you are looking for.

 

-- Praveen

L2 Linker

These added domains, include or exclude, *.ringcentral.com, how does the client machine identifies it as to exit locally or go through the tunnel ?

L0 Member

With the domain *.he.net. when browsing to bgp.he.net the traffic is not successful. Almost like the traffic is being black-holed. I see the dns and ssl traffic go out but nothing is coming back. I am doing no access routes and only excluding the *.he.net domain. 

 

-jw

  • 60604 Views
  • 4 comments
  • 12 Likes
Register or Sign-in
Contributors
Article Dashboard
Version history
Last Updated:
‎07-11-2022 11:39 PM
Updated by: