Adding Address object to GlobalProtect split tunnel access route list


L2 Linker

Hi. In the Palo Alto firewall, I've created a new Address object with the type set to FQDN and with a valid DNS record. I saved and committed the change. Then I tried to add this newly created address object to the access route list in GlobalProtect's split tunnel list (we are using split tunnel for the VPN connection). However, I am not seeing the new address object that I've created showing in the access route list. It looks like address objects with the type set to FQDN are not supported as an entry in the access route. Can someone please confirm if this is true?

Thank you.

Accepted Solutions

L7 Applicator

Hi @UXPSystems

 

No, what you are trying to configure is not possible. With PAN-OS 8.1 and GlobalProtect 4.1 you will have a lot more options for split tunneling, but still not exactly what you are asking for in this topic.

More information about the new features can be found here: https://www.paloaltonetworks.com/documentation/41/globalprotect/globalprotect-app-new-features/new-f...

 

Edit: @BPry and once again I was a few seconds too late

6 REPLIES 6

Cyber Elite

@UXPSystems,

It actually let you include an FQDN object in the Access Route configuration.... It isn't supposed to even allow you to do that. FQDN address objects are not supported within the Access Route configuration within the Agent settings, not sure why it even let you include one. 

Great.  Thank you all for the input.

It looks like PANOS 8.1 and GlobalProtect 4.1 might provide a solution for me. 

Basically I can set the whole SaaS domain to pass through the VPN tunnel, but it is not doable on my PA right now (PA software version is still at 7.1.x).

 

@UXPSystems,

Just as a friendly FYI, PAN-OS 8.1 includes a lot of helpful features that people are looking for, but is not currently recommended for production deployments. Please don't install it on your production firewall and not expect to run into issues.....please!

L7 Applicator

... and in case you don't already have a GlobalProtect subscription ... you will need one for this new split tunneling feature

@Remo,

See, I always said that Palo didn't give GlobalProtect enough love, and that AnyConnect was superior in UI and feature set. Now that it's finally getting on par with other vendors they start hiding all the good stuff behind this subscription. It's like it costs money to make a good product or something 😉
