Buy or Renew

Nominated Discussion: Configure Split Tunneling by Domain

General Articles

2 min read

This Nominated Discussion Article is based on the post "Configure Split tunneling by domain" by @BigPalo and responded to by @Raido_Rattameister and @BPry Read on to see the discussion and solution!

Hi,

I just configured split tunneling by domain using this domain test: *.portal.microsoft.com (port 443)

But i can not see this traffic going into the tunnel. how can I troubleshoot this?

Note: If you configure split tunneling for a domain then you effectively configure this domain not to be routed into the tunnel but directly towards Internet.

Some considerations:

Do you have a GlobalProtect license so that you can actually utilize this functionality?
Have you verified for sure that the traffic isn't attempting to utilize QUIC? This functionality only works with TCP traffic and if your browser is using QUIC (which is UDP) it won't function properly.
What agent version are you using.

As far as troubleshooting goes you'll want to set your client logging to debug and look in the logs for the domain in question and look for an entry in PanGPS.log that looks like what is denoted below:

(P6668-T26348)Dump (2039): 07/04/25 03:02:58:982 Domain name wxt-general-ingressgateway.acmhwxt-prd-1.prod.infra.webex.com matches exclude wildcard domain

This will tell you whether it's matching your rules or not.