I have 8.1.5 on the pa and 4.1.11-9 client
I have setup the gateway for video traffic exclusion, and selected
But a simple test shows utube still come over the tunnel address
I want to allow MS Teams to by pass the tunnel, so I goto agent / client setting select my config and split tunnel
domain and application
but the app runs from
how can i enter that into the config
Exclude by using the "Access Route" Exclude list.
Use 18.104.22.168/18 and 22.214.171.124/14 as the excluded networks. There may be more but that's what I tested with and it works. The latest releases of supported PAN-OS do not appear to work with %userprofile% variables as an option in the path.
I don't believe I'm seeing anything there. With my testing anyway it showed correctly disappearing traffic while in a Teams meeting. I have not double checked later on yet.
I have created a list for Zoom and that works well also.
I'm struggling with anything EXE based but it might be due to the multiple possible folders Outlook might be installed into based on 32bit vs. 64bit O365 vs stand alone install. I did successfully split MS AppStore as a test and that worked flawlessly all the time.
Palo needs to support %userprofile% and %appdata% in the config!
Hi @CoreyKinder ,
I have observed the same behavior as the one you described.
We are running v9.0.4 on the Gateway and 5.0.7-2 on the GP Clients.
We configured split tunneling for the process %userprofile\AppData\Local\Microsoft\Teams\current\Teams.exe
Works pretty well but in some cases, joining a Teams Meeting online is not working. Several users reported this issue, while I personally never faced it.
My first analysis shows that traffic to the following FQDN is always going through the Tunnel and will not break out locally: api.flightproxy.teams.microsoft.com
Unfortunately this FQDN returns random IP addresses from different subnets.
I am also not sure whether or not this is the cause of the issue. I tried collecting GlobalProtect debug logs, MS Teams debug logs, but did not find anything so far
Did anyone manage to make this work?
I have gone the cheaper or route the license for GP is $$$ so i use split tunnel routes
https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service offical ip ranges used by MS for services - pick the skype ones it covers MS teams from my under standing
i run this script to produce something I can cut and paste into panorama
theips="prefix other ips"
for x in $( cat "$tp" | sed -e 's/^[^,]*,[^,]*,"[^"]*",//;s/"[^"]*",//;s/^,.*$//;/^id,.*$/d;/^$/d;s/^"\([^"]*\)".*$/\1/;s/,/ /g')
echo "# this is for the <agent name1> people on the gateway"
echo "set template Active_Passive config vsys vsys1 global-protect global-protect-gateway alcpa-vpn-gateway remote-user-tunnel-configs <agent name1> split-tunneling exclude-access-route [ $theips ]"
echo "# this is for the non singapore people on the gateway"
echo "set template Active_Passive config vsys vsys1 global-protect global-protect-gateway alcpa-vpn-gateway remote-user-tunnel-configs <agent name2> split-tunneling exclude-access-route [ $theips ]"
echo "# this is for all on the gateway"
echo "set template ybopa config vsys vsys1 global-protect global-protect-gateway ybopa-vpn-gateway-external remote-user-tunnel-configs <agent name3> split-tunneling exclude-access-route [ $theips ]"
Am I reading this right in that PanOS doesn't seem to support environment %Variables% in the path name of the executable you're trying to add to the "Include/Exclude Client Application Process Name" fields, be it with or without a GP license!? That's big oversight if that's the case. Has anyone got this confirmed by PA support?
If it makes a difference to the PanOS, we're at 8.1.x and have a GP license.
I'm basically also looking to add Teams and Zoom to the exclusion list by executable, but it's pretty pointless if neither will work? Or is Zoom working using the .exe path name in conjunction with the IP exclusions for it's IP blocks?
Also, are you guys seeing the new GP config changes apply after reconnecting / disconnecting and then reconnecting the GP client again? - I asked PA support when the GP configs get applied and they weren't sure, and advised me that's it's best to uninstall the GP client and clear a registry key and remove the GP services following a config change, and referred me to the following article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJDCA0
This seems rather drastic!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!