Global protect excluded networks


ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Not applicable

Global protect excluded networks

Hi all,

there is a method on global protect to send all my traffic into the tunnel, but exclude the subnet range of the customer to remain connected with the office network and browse the web protected from office infrastructure, but with the possibility to work on all customer network and not only on the same lan?


L4 Transporter


Do you want to remain connectd to the local LAN and have only the traffic intended for the remote office tunneled? If so, you'd want to configure split tunneling on the PAN FW  such that the Global Protect Clients access the remote Office LAN via the tunnel and all other traffic (to the Internet and local LAN) via their own ISP and local connection.

However, you cannot configure this on the Global Prorect Client itself - Access Routes (split tunneling) are configured on the PAN FW.

If your requirement is different from what is explained here, please explain further.


Not applicable

Thats not exactly what i said... i want all traffic from my pc when i'm from a customer goes by tunnel to my office, included my internet connection, and exclude from the tunnell only the subnet who i have to the customer.

EX all Pa-500 to office...(all traffic internet included) Network customer excluded from tunnel.

So i can reach all that i want inside my customer network without disconnect vpn connection.

The vpn split as i see on PA i can specify the network to tunnel but i can't exclude a specific network, but is a things possible on small router with cisco vpn integrated isn't possible on Paloalto FW?

L6 Presenter


Your requirement looks like it is not currently supported by the available GP configuration options. I would suggest talking to your sales team to have them file a feature request for this use case.

As a workaround you could defined all networks in the access routes with the exclusion of the subnet. This should work as a short term band-aid for your use case.


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!