Global protect split tunnel setup

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Global protect split tunnel setup

L4 Transporter

Hi

 

I have 8.1.5 on the pa and 4.1.11-9 client

 

I have setup the gateway for video traffic exclusion, and selected 

youtube-streaming

netflix-streaming 

 

But a simple test shows utube still come over the tunnel address

 

I want to allow MS Teams to by pass the tunnel, so I goto agent / client setting select my config and split tunnel 

domain and application 

 

but the app runs from 

{userprofile}\AppData\Local\Microsoft\Teams\current\Teams.exe

 

how can i enter that into the config 

45 REPLIES 45

Cyber Elite
Cyber Elite

@Alex_Samad,

You can use the userprofile environmental variable like so:

%userprofile%\AppData\Local\Microsoft\Teams\current\Teams.exe

 

The only thing I can think with the exclusion is that you should add youtube-base and netflix-base and see if that works. I haven't tried including just the streaming app-ids to see how well that works. 

 

 

Cool, I will try that with teams. I presume it runs under the current user so the env variable will point to the right place.

 

Now - do I want to include - does that mean by pass the vpn or exclude ??

 

 

 

Yeah , not getting utube to work. watching now and its still in vpn

 

So I turn on video traffic exclude

and selected utube and netflix

but its not working

 

So i have found my answer. 

 

You need a license for the video split tunnel .... sigh

@Alex_Samad,

That you do; this is not included within the "base" functionality of GlobalProtect included with the device. If I would have to guess I would assume that the "free" version of GlobalProtect will essentially stay at where it is currently, and all the new exciting things will be included in the license. 

Hello,

While I understand why you want to do a split tunnel, its not best practice and will fail most major compliance requirements.

 

Regards,

Yes understand but, we haved started to use MS teams video chat - and well hair pin turning a video stream 1/2 way around the world is a pain.  So we are looking at allowing just MS teams to have direct access out to just O365 ip's

L0 Member

Anyone else try this out?

From real-world testing I found it did work with exceptions by adding the path %userprofile\AppData\Local\Microsoft\Teams\current\Teams.exe

 

The exception being that the ability to join meetings is completely broken. That traffic somehow ends up coming back across the tunnel while keeping the main teams application on the local network which causes the attempt to join to fail.

Upon investigation of the processes that are created while joining a meeting in Teams it seems Teams temporarily stages another Teams.exe at this location 

%userprofile\AppData\Local\Microsoft\Teams\stage\Teams.exe

However, adding this to the Split Tunnel config still did not work.

Not sure what I am missing, but the fact that Palo Alto does not support the ability to Split Tunnel based on external IP blocks is ridiculous as this would have been much easier and working now.

%userprofile% not %userprofile

L1 Bithead

I've added 52.112.0.0/14 to the split tunnel config because all teams traffic seems to go there.

This worked for a bit, but i still see traffic to this subnet comming trought the vpn altough traceroutes and manual request do go the correct way.

to counter this i've blocked this traffic on the palo so the client has to take the direct route via local internet, but this raises some strange issues for users.

 

Does ms teams override the routing table ? very strange.

Exclude by using the  "Access Route" Exclude list.

 

Use 13.107.64.0/18 and 52.112.0.0/14 as the excluded networks. There may be more but that's what I tested with and it works. The latest releases of supported PAN-OS do not appear to work with %userprofile% variables as an option in the path.

thanks for replying

 

I did that (and added a few more over the last days).

so you didn't notice any traffic of those ranges still going through the vpn tunnel?

 

I don't believe I'm seeing anything there. With my testing anyway it showed correctly disappearing traffic while in a Teams meeting. I have not double checked later on yet.

 

I have created a list for Zoom and that works well also.

 

I'm struggling with anything EXE based but it might be due to the multiple possible folders Outlook might be installed into based on 32bit vs. 64bit O365 vs stand alone install. I did successfully split MS AppStore as a test and that worked flawlessly all the time.

 

Palo needs to support %userprofile% and %appdata% in the config!

Hi @CoreyKinder ,

 

I have observed the same behavior as the one you described.

We are running v9.0.4 on the Gateway and 5.0.7-2 on the GP Clients.

We configured split tunneling for the process %userprofile\AppData\Local\Microsoft\Teams\current\Teams.exe

Works pretty well but in some cases, joining a Teams Meeting online is not working. Several users reported this issue, while I personally never faced it.

My first analysis shows that traffic to the following FQDN is always going through the Tunnel and will not break out locally: api.flightproxy.teams.microsoft.com

Unfortunately this FQDN returns random IP addresses from different subnets.

I am also not sure whether or not this is the cause of the issue. I tried collecting GlobalProtect debug logs, MS Teams debug logs, but did not find anything so far

 

Did anyone manage to make this work?

 

 

I have gone the cheaper or route the license for GP is $$$ so i use split tunnel routes

 

https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service offical ip ranges used by MS for services - pick the skype ones it covers MS teams from my under standing 

 

i run this script to produce something I can cut and paste into panorama

 

#!/bin/bash

#
# guid
# https://www.guidgenerator.com/online-guid-generator.aspx
#
guid=<generate one>


tp="/tmp/$guid"

#
# https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service
#

wget -O "$tp" -q 'https://endpoints.office.com/endpoints/WorldWide?ClientRequestId=<getyourown>&AllVersions=false&Form...'


#
theips="prefix other ips"

for x in $( cat "$tp" | sed -e 's/^[^,]*,[^,]*,"[^"]*",//;s/"[^"]*",//;s/^,.*$//;/^id,.*$/d;/^$/d;s/^"\([^"]*\)".*$/\1/;s/,/ /g')
do
#echo $x
theips="$theips $x"
done

echo "# this is for the <agent name1> people on the gateway"
echo "set template Active_Passive config vsys vsys1 global-protect global-protect-gateway alcpa-vpn-gateway remote-user-tunnel-configs <agent name1> split-tunneling exclude-access-route [ $theips ]"

echo "# this is for the non singapore people on the gateway"
echo "set template Active_Passive config vsys vsys1 global-protect global-protect-gateway alcpa-vpn-gateway remote-user-tunnel-configs <agent name2> split-tunneling exclude-access-route [ $theips ]"

echo "# this is for all on the gateway"
echo "set template ybopa config vsys vsys1 global-protect global-protect-gateway ybopa-vpn-gateway-external remote-user-tunnel-configs <agent name3> split-tunneling exclude-access-route [ $theips ]"

echo

  • 36748 Views
  • 45 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!