Global Protect Gateway - Split-Tunnel Exluded Domains

Showing results for 
Search instead for 
Did you mean: 

Global Protect Gateway - Split-Tunnel Exluded Domains

L1 Bithead



I am trying to exclude some domain from coming through the gateway to improve user experience so they are not hair-pinning through our DC's


at the moment I have no access route entered so I am running out of our DC's - there are are certain domains for Microsoft updates, teams and hosted business services


when I add them to exclude domain it seems to work correctly - for example if I add this will browse local as expected but all other websites are stop working

I was hoping when I add excluded domains to browse local, what remains continues to hairpin via the DC;s


I have been trying to find a wildcard I could enter in the include domain to continue to get the internet working but this does not seems to work


are there some examples there people are using to I can see what I am doing wrong? I have been through the admin documents but maybe I am missing something

is there something I an doing wrong here or am I expecting more than is possible?


L4 Transporter



Do all other websites stop working? If yes, what website(s) did you test it with? Did you do a route print to see routes configured on the adapter(s)?




L2 Linker

Hello Jake,


Do you have a valid GlobalProtect lincense (subscription) installed on your firewall(s)?
As soon as you were able to exclude traffic by configuring domain based split-tunneling, I do not think that it is the case. But, it would be worth to check your GlobalProtect license, because of split tunneling based on destination domain, client process, and video streaming application is required valid subscription. See more details here.


What is a version of PAN OS you use?

Could you please share a part of your GlobalProtect configuration related to split-tunneling?

What is an output of the command 'route print' on a PC connected to VPN gateway?


As a good example of split domain and application feature configuration you can use the document here.


Best regards,


L2 Linker



If I understood correct, you could access via your ethernet/wireless adapter AND also all of the RFC 1918 or interested traffic is traversing your local adapter as opposed to go across the tunnel?


If this is the case, did you try adding adding RF1918 to access route Include tab and non-interested traffic to exclude tab?


Alternatively, you could just add the domains or app-id's under Domain and Application to specific's you need.


Hope this helps. 


L1 Bithead



thank you for the replies


I think I have a mixture of problems here - I look to have the split-tunnel working in out test environment just when I move to production I hit issues so its defiantly my issue to resolve - and most likely related to out HIP/browsing rules we have in place so I need to dig this out now


the new question I have now is if something is blocked by a policy, is that ignored if the exclusion is in? - I have not tested this yet so thought it might be easier to ask

for example - we block Netflix 

if I was to exclude *

and also add it to the exclude video traffic from the tunnel as Netflix-base, Netflix-streaming

would it then be allowed to VPN users? and would it be logged anywhere if allowed or denied?


PanOS - 8.1.4

GP - 4.1.11

PA - 3020




Hi Jake,


Is there any reason why you're still running 4.1.x? Take a look here to check out EOL summary:


Once you've excluded that video traffic and excluded domain traffic, it will be routed using physical adapter and not via GP adapter.




thank you, 

yep I have been made aware of the EOL the problem I have is a have roughly 5000 users across multiple gateways all working from home due to COVID-19


our remote machines do not have admin rights granted and also do not have a local admin account direct on the machine so if we have any problems during upgrading these clients we could possibly disable remote working for multiple users as out support teams cannot install without the machine being directly on the domain for the correct rights


so at the moment it is not a risk is way to high to consider


I will be testing my exclusions tonight - the best tests I can do it with to see if the IP changes to the local breakout rather than a DCs

is there a better way to test?

I can start packet tracing but it seems a bit too far to proof it is working

Hi Jake,


Please go through this document to troubleshoot split tunnel (domain) and exclude video traffic. Hope this helps 🙂




download and run currports.


it can display running processes and show the source address.  this will determine if tunnelled or split.


screen shot below   ..  PS I have just added teams as a filter but you can see all or add whatever you like.

the 192.168 is my wifi and 172.17 GP address.


also...   anything local will not be affected by your firewall policies.  if you need to block it then don't split it.

also2...   lots of bugs in domain split tunnelling below 5.0.7... 







thanks Mike


I will try that now

also how are the excusing teams? but application directory or the URLs they publish on the MS website?

are you able to share a screenshot?


the company want to start doing weekly announcements not to everyone via a live stream and looks like teams will be the preferred method - so its a new thing I need to now try and split


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!