I am trying to exclude some domain from coming through the gateway to improve user experience so they are not hair-pinning through our DC's
at the moment I have no access route entered so I am running 0.0.0.0/0 out of our DC's - there are are certain domains for Microsoft updates, teams and hosted business services
when I add them to exclude domain it seems to work correctly - for example if I add www.bbc.co.uk this will browse local as expected but all other websites are stop working
I was hoping when I add excluded domains to browse local, what remains continues to hairpin via the DC;s
I have been trying to find a wildcard I could enter in the include domain to continue to get the internet working but this does not seems to work
are there some examples there people are using to I can see what I am doing wrong? I have been through the admin documents but maybe I am missing something
is there something I an doing wrong here or am I expecting more than is possible?
Do all other websites stop working? If yes, what website(s) did you test it with? Did you do a route print to see routes configured on the adapter(s)?
Do you have a valid GlobalProtect lincense (subscription) installed on your firewall(s)?
As soon as you were able to exclude traffic by configuring domain based split-tunneling, I do not think that it is the case. But, it would be worth to check your GlobalProtect license, because of split tunneling based on destination domain, client process, and video streaming application is required valid subscription. See more details here.
What is a version of PAN OS you use?
Could you please share a part of your GlobalProtect configuration related to split-tunneling?
What is an output of the command 'route print' on a PC connected to VPN gateway?
As a good example of split domain and application feature configuration you can use the document here.
If I understood correct, you could access www.bbc.co.uk via your ethernet/wireless adapter AND also all of the RFC 1918 or interested traffic is traversing your local adapter as opposed to go across the tunnel?
If this is the case, did you try adding adding RF1918 to access route Include tab and non-interested traffic to exclude tab?
Alternatively, you could just add the domains or app-id's under Domain and Application to specific's you need.
Hope this helps.
thank you for the replies
I think I have a mixture of problems here - I look to have the split-tunnel working in out test environment just when I move to production I hit issues so its defiantly my issue to resolve - and most likely related to out HIP/browsing rules we have in place so I need to dig this out now
the new question I have now is if something is blocked by a policy, is that ignored if the exclusion is in? - I have not tested this yet so thought it might be easier to ask
for example - we block Netflix
if I was to exclude *netflix.com
and also add it to the exclude video traffic from the tunnel as Netflix-base, Netflix-streaming
would it then be allowed to VPN users? and would it be logged anywhere if allowed or denied?
PanOS - 8.1.4
GP - 4.1.11
PA - 3020
Is there any reason why you're still running 4.1.x? Take a look here to check out EOL summary: https://www.paloaltonetworks.com/services/support/end-of-life-announcements/end-of-life-summary
Once you've excluded that video traffic and excluded domain traffic, it will be routed using physical adapter and not via GP adapter.
yep I have been made aware of the EOL the problem I have is a have roughly 5000 users across multiple gateways all working from home due to COVID-19
our remote machines do not have admin rights granted and also do not have a local admin account direct on the machine so if we have any problems during upgrading these clients we could possibly disable remote working for multiple users as out support teams cannot install without the machine being directly on the domain for the correct rights
so at the moment it is not a risk is way to high to consider
I will be testing my exclusions tonight - the best tests I can do it with whatismyip.com to see if the IP changes to the local breakout rather than a DCs
is there a better way to test?
I can start packet tracing but it seems a bit too far to proof it is working
Please go through this document to troubleshoot split tunnel (domain) and exclude video traffic. Hope this helps
download and run currports.
it can display running processes and show the source address. this will determine if tunnelled or split.
screen shot below .. PS I have just added teams as a filter but you can see all or add whatever you like.
the 192.168 is my wifi and 172.17 GP address.
also... anything local will not be affected by your firewall policies. if you need to block it then don't split it.
also2... lots of bugs in domain split tunnelling below 5.0.7...
I will try that now
also how are the excusing teams? but application directory or the URLs they publish on the MS website?
are you able to share a screenshot?
the company want to start doing weekly announcements not to everyone via a live stream and looks like teams will be the preferred method - so its a new thing I need to now try and split
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!