Global Protect Gateway - Split-Tunnel Excluded Domains

MickBall
L7 Applicator

We have tried all...

Application directory was unreliable as this is installed under the user's profile; also, the use of "%LOCALAPPDATA%\Microsoft\Teams\Teams.exe" is not currently supported by Palo.

Domain Split Tunnel was also unreliable as we have a few thousand users under version 5.01.

So we now use IP addresses.

You can make your own choice about which ones to use from here.

 

https://docs.microsoft.com/en-gb/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-...

DanilaKh
L2 Linker

Hello @Jake.Ryan

I found the example of split-tunneling configuration based on IPs for Office 365 apps here.

Based on information in section #4 we can use IPs for the next few months:

"Per the information provided by Microsoft team, the current intent is to hold these subnets/IP addresses static for the next few months in order to allow for quick customer deployments related to the COVID-19 situation. In long term, customers would need to either build automation to keep this configuration up to date, or follow the suggestions and subscribe to update notifications at: https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service#update-notifications".

Please note we could not add an Address Group as an Exclude Access Route to the firewall that is running PAN-OS 8.1. It looks like this feature is available in 9.x only. We just added Addresses.
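The quoted Microsoft note says that, long term, the IP list has to be kept current by automation. The script below is an added example (not code from the thread, from Palo Alto Networks or from Microsoft) of what that automation looks like: it parses the JSON shape returned by the Microsoft 365 endpoints web service (https://endpoints.office.com/endpoints/worldwide?clientrequestid=<guid>), keeps only the "Optimize" category that Microsoft recommends sending outside the VPN, collapses overlapping prefixes, diffs the result against the list already deployed, and emits PAN-OS `set address` lines for the new entries. The embedded JSON is constructed with the real field names but documentation address ranges (not Microsoft's), and the `m365-opt-NNN` object naming is an assumption; the address objects still have to be referenced from the gateway's exclude access routes by hand or by a second step.

```python
"""Build a GlobalProtect split-tunnel exclude list from Microsoft 365 endpoint data.

Added example; not Palo Alto Networks or Microsoft code. Fetching the live JSON
is left out so the script runs offline on the constructed sample below.
"""
import ipaddress
import json
from typing import Iterable, List, Sequence, Tuple

# Constructed sample in the shape of the endpoints web service response.
# Field names are the real ones; the prefixes are RFC 5737/3849 example ranges,
# NOT Microsoft's addresses. Note: URL-only entries carry no "ips" key at all.
SAMPLE_ENDPOINTS_JSON = """
[
  {"id": 1,  "serviceArea": "Exchange",   "category": "Optimize", "required": true,
   "urls": ["outlook.office.com"], "ips": ["203.0.113.0/24", "2001:db8:1::/48"],
   "tcpPorts": "80,443"},
  {"id": 11, "serviceArea": "Skype",      "category": "Optimize", "required": true,
   "urls": ["*.lync.com", "*.teams.microsoft.com"],
   "ips": ["198.51.100.0/24", "198.51.100.0/25"], "udpPorts": "3478,3479,3480,3481"},
  {"id": 31, "serviceArea": "SharePoint", "category": "Optimize", "required": true,
   "urls": ["*.sharepoint.com"], "ips": ["192.0.2.0/24"], "tcpPorts": "80,443"},
  {"id": 46, "serviceArea": "Common",     "category": "Allow",    "required": true,
   "urls": ["*.office.com"], "ips": ["192.0.2.0/25"], "tcpPorts": "443"},
  {"id": 70, "serviceArea": "Common",     "category": "Default",  "required": false,
   "urls": ["*.microsoft.com"], "tcpPorts": "80,443"}
]
"""


def load_endpoints(raw_json: str) -> list:
    """Parse the endpoints web service body (a JSON array of endpoint sets)."""
    return json.loads(raw_json)


def select_prefixes(endpoints: Iterable[dict],
                    categories: Sequence[str] = ("Optimize",),
                    include_ipv6: bool = False) -> List[str]:
    """Return the collapsed, sorted CIDR prefixes for the chosen categories.

    "Optimize" is the category Microsoft recommends excluding from the VPN.
    Overlapping or duplicate prefixes (common in the real feed) are merged so
    the gateway does not end up with redundant exclude routes.
    """
    nets = []
    for ep in endpoints:
        if ep.get("category") not in categories:
            continue
        for cidr in ep.get("ips", []):            # URL-only entries have no "ips"
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 6 and not include_ipv6:
                continue
            nets.append(net)
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    out = sorted(ipaddress.collapse_addresses(v4)) if v4 else []
    out += sorted(ipaddress.collapse_addresses(v6)) if v6 else []
    return [str(n) for n in out]


def diff_prefixes(deployed: Sequence[str],
                  current: Sequence[str]) -> Tuple[List[str], List[str]]:
    """Return (to_add, to_remove) so a scheduled job only touches what changed."""
    old, new = set(deployed), set(current)
    return sorted(new - old), sorted(old - new)


def panos_address_cmds(prefixes: Sequence[str], name_prefix: str = "m365-opt") -> List[str]:
    """Emit PAN-OS CLI 'set address' lines, one address object per prefix.

    The object naming scheme is an assumption for this example; verify the
    command syntax against the PAN-OS version in use before pushing it.
    """
    return [
        f'set address {name_prefix}-{i:03d} ip-netmask {p} '
        f'description "M365 Optimize, auto-generated"'
        for i, p in enumerate(prefixes, 1)
    ]


if __name__ == "__main__":
    endpoints = load_endpoints(SAMPLE_ENDPOINTS_JSON)
    wanted = select_prefixes(endpoints)
    # Constructed: what the gateway had last run (one prefix since retired).
    deployed = ["203.0.113.0/24", "203.0.113.128/25"]
    to_add, to_remove = diff_prefixes(deployed, wanted)
    for line in panos_address_cmds(to_add):
        print(line)
    print("retire from exclude list:", to_remove)
```

Run it on the sample and it reports two prefixes to add and one stale /25 to retire; point `load_endpoints` at the live feed (with a fixed `clientrequestid` GUID and the `version` endpoint to detect changes) and schedule it, and the "keep this configuration up to date" requirement in the quoted note is covered without a person re-reading the Microsoft page.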

DanilaKh
L2 Linker

Hello @Jake.Ryan

I found the example of how to configure split-tunneling for Office 365 apps using IPs here. Based on info in section #4 of the instruction, Microsoft is going to use the same IPs during the next few months.

Please note we could not add Address Groups as Exclude Access Routes on the firewall that is running PAN-OS 8.1. It looks like this feature is available in version 9.x only.

luigid
L0 Member

I ran into this issue once SIP was issued on March 15th and most employees started to work from home. Although we had domains such as *.zoom.us, youtube.com, 8x8 etc. defined in GP to NOT use the tunnel, traffic kept accessing via the tunnel even though the configuration was correct. We are on PAN-OS 9.0.5. I spent several days with support. When we switched from using domain names to IP address ranges the issue went away. This issue was not DNS related, as internally we use the same DNS servers VPN clients use and internally we had no issues resolving DNS. Fix was to use IP addresses in the split-tunnel config until PAN figures out the bug.
