Global protect split tunnel setup

L4 Transporter

Re: Global protect split tunnel setup

Exclude by using the "Access Route" Exclude list.

Use 13.107.64.0/18 and 52.112.0.0/14 as the excluded networks. There may be more but that's what I tested with and it works. The latest releases of supported PAN-OS do not appear to work with %userprofile% variables as an option in the path.

L1 Bithead

Re: Global protect split tunnel setup

Thanks for replying.

I did that (and added a few more over the last days).

So you didn't notice any traffic of those ranges still going through the VPN tunnel?

L4 Transporter

Re: Global protect split tunnel setup

I don't believe I'm seeing anything there. With my testing anyway it showed correctly disappearing traffic while in a Teams meeting. I have not double checked later on yet.

I have created a list for Zoom and that works well also.

I'm struggling with anything EXE based, but it might be due to the multiple possible folders Outlook might be installed into based on 32-bit vs. 64-bit O365 vs. stand-alone install. I did successfully split MS AppStore as a test and that worked flawlessly all the time.

Palo needs to support %userprofile% and %appdata% in the config!

L1 Bithead

Re: Global protect split tunnel setup

Hi @CoreyKinder,

I have observed the same behavior as the one you described.

We are running v9.0.4 on the Gateway and 5.0.7-2 on the GP Clients.

We configured split tunneling for the process %userprofile\AppData\Local\Microsoft\Teams\current\Teams.exe

Works pretty well, but in some cases joining a Teams Meeting online is not working. Several users reported this issue, while I personally never faced it.

My first analysis shows that traffic to the following FQDN is always going through the Tunnel and will not break out locally: api.flightproxy.teams.microsoft.com

Unfortunately this FQDN returns random IP addresses from different subnets.

I am also not sure whether or not this is the cause of the issue. I tried collecting GlobalProtect debug logs and MS Teams debug logs, but did not find anything so far.

Did anyone manage to make this work?

L4 Transporter

Re: Global protect split tunnel setup

I have gone the cheaper route; the license for GP is $$$, so I use split tunnel routes.

https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service - official IP ranges used by MS for services. Pick the Skype ones; it covers MS Teams from my understanding.

I run this script to produce something I can cut and paste into Panorama:
#!/bin/bash
#
# Build a PAN-OS "exclude-access-route" set command from the Office 365
# endpoint web service. The service wants a GUID as ClientRequestId;
# generate one, e.g. at
# https://www.guidgenerator.com/online-guid-generator.aspx
#
guid="<generate one>"

# temporary file for the downloaded CSV
tp="/tmp/$guid"

#
# https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service
#
wget -O "$tp" -q 'https://endpoints.office.com/endpoints/WorldWide?ClientRequestId=<getyourown>&AllVersions=false&Form...'

# seed the list with any prefixes you always want excluded (space separated)
theips="prefix other ips"

# pull the quoted "ips" column out of each CSV row, drop the header row and
# rows that carry URLs only, then turn the comma-separated list into words
for x in $( sed -e 's/^[^,]*,[^,]*,"[^"]*",//;s/"[^"]*",//;s/^,.*$//;/^id,.*$/d;/^$/d;s/^"\([^"]*\)".*$/\1/;s/,/ /g' "$tp" )
do
    #echo "$x"
    theips="$theips $x"
done

# the download is no longer needed
rm -f "$tp"

echo "# this is for the <agent name1> people on the gateway"
echo "set template Active_Passive config vsys vsys1 global-protect global-protect-gateway alcpa-vpn-gateway remote-user-tunnel-configs <agent name1> split-tunneling exclude-access-route [ $theips ]"

echo "# this is for the non singapore people on the gateway"
echo "set template Active_Passive config vsys vsys1 global-protect global-protect-gateway alcpa-vpn-gateway remote-user-tunnel-configs <agent name2> split-tunneling exclude-access-route [ $theips ]"

echo "# this is for all on the gateway"
echo "set template ybopa config vsys vsys1 global-protect global-protect-gateway ybopa-vpn-gateway-external remote-user-tunnel-configs <agent name3> split-tunneling exclude-access-route [ $theips ]"

echo
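The same idea as the script above, written as an added example that is not part of this thread or of any Palo Alto or Microsoft tool: it reads the JSON form of the Office 365 endpoint web service instead of the CSV, keeps only the "Skype" service area (the one the post above says covers Teams), collapses overlapping IPv4 prefixes, emits one exclude-access-route set line, and then checks a list of addresses observed in the tunnel against the exclusions, which is the check the earlier post about api.flightproxy.teams.microsoft.com returning addresses from changing subnets calls for. The endpoint records below are a constructed sample shaped like the service's output (only 13.107.64.0/18 and 52.112.0.0/14 come from this thread; the other prefixes are documentation ranges), and the template, gateway and agent-config names are placeholders.

```python
"""Turn Office 365 endpoint records into a PAN-OS exclude-access-route line and
check observed addresses against it. Added example; all input is constructed."""
import ipaddress
import json

# Constructed sample shaped like the JSON returned by
# https://endpoints.office.com/endpoints/WorldWide?ClientRequestId=<guid>
# Only 13.107.64.0/18 and 52.112.0.0/14 are prefixes mentioned in the thread;
# 13.107.64.0/20 is a deliberate duplicate inside the /18, the rest are
# RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"id": 11, "serviceArea": "Skype",
     "serviceAreaDisplayName": "Skype for Business Online and Microsoft Teams",
     "urls": ["*.lync.com", "*.teams.microsoft.com"],
     "ips": ["13.107.64.0/18", "52.112.0.0/14", "2001:db8::/32"],
     "tcpPorts": "443", "udpPorts": "3478,3479,3480,3481",
     "category": "Optimize", "required": True},
    {"id": 12, "serviceArea": "Skype",
     "serviceAreaDisplayName": "Skype for Business Online and Microsoft Teams",
     "urls": ["*.teams.microsoft.com"],
     "ips": ["13.107.64.0/20"],
     "tcpPorts": "443,80", "category": "Allow", "required": True},
    {"id": 1, "serviceArea": "Exchange", "serviceAreaDisplayName": "Exchange Online",
     "urls": ["outlook.office.com"], "ips": ["203.0.113.0/24"],
     "tcpPorts": "443", "category": "Optimize", "required": True},
    {"id": 46, "serviceArea": "Common",
     "serviceAreaDisplayName": "Microsoft 365 Common and Office Online",
     "urls": ["*.office.com"],  # URL-only record: no "ips" key at all
     "tcpPorts": "443", "category": "Allow", "required": True},
])

# Constructed addresses "seen" inside the tunnel, e.g. from traffic logs.
OBSERVED_IPS = ["52.114.75.78", "13.107.65.10", "203.0.113.7"]


def service_ipv4_prefixes(endpoints_json: str, service_area: str = "Skype") -> list[str]:
    """Collect the IPv4 prefixes of one service area, de-duplicated and with
    prefixes contained in a larger one collapsed away. IPv6 is dropped because
    the set command in the thread carries IPv4 routes only."""
    nets = set()
    for record in json.loads(endpoints_json):
        if record.get("serviceArea") != service_area:
            continue
        for cidr in record.get("ips", []):  # URL-only records have no "ips"
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4:
                nets.add(net)
    # collapse_addresses returns the minimal sorted covering set
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def pan_exclude_route_cmd(template: str, gateway: str, agent_config: str,
                          prefixes: list[str]) -> str:
    """Same set-command shape as the thread's script; names are placeholders."""
    return (f"set template {template} config vsys vsys1 global-protect "
            f"global-protect-gateway {gateway} remote-user-tunnel-configs "
            f"{agent_config} split-tunneling exclude-access-route "
            f"[ {' '.join(prefixes)} ]")


def still_tunnelled(observed_ips: list[str], prefixes: list[str]) -> list[str]:
    """Addresses not covered by any exclude route: these still cross the VPN,
    which is how you spot an endpoint (like a FQDN resolving to changing
    subnets) that the exclusion list misses."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [ip for ip in observed_ips
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


if __name__ == "__main__":
    prefixes = service_ipv4_prefixes(SAMPLE_ENDPOINTS_JSON)
    print("# Teams/Skype exclude routes for the gateway (placeholder names)")
    print(pan_exclude_route_cmd("Active_Passive", "alcpa-vpn-gateway",
                                "<agent name1>", prefixes))
    for ip in still_tunnelled(OBSERVED_IPS, prefixes):
        print(f"# {ip} is not covered by any exclude route and still goes through the tunnel")
```

Run it against the real service by replacing SAMPLE_ENDPOINTS_JSON with the body fetched from the endpoint URL (your own ClientRequestId GUID in place of the placeholder) and OBSERVED_IPS with the destination addresses your GlobalProtect or firewall traffic logs show while a Teams call is up; anything the last loop prints is a candidate for the exclude list that the published prefixes alone did not catch.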

L1 Bithead

Re: Global protect split tunnel setup

Nice!

I have MineMeld running and will use that as a source.

Do any of your users have issues with Teams joining meetings or sharing their desktop?

I've got mixed results.

L4 Transporter

Re: Global protect split tunnel setup

Seems like the nice people at PA have opened up a trial license for 3-6 months for GP, which will allow me to use all these nice features.

So instead of having to do it by IP address I should be able to do it by app / process.

L4 Transporter

Re: Global protect split tunnel setup

Moved to trying

%userprofile%\AppData\Local\Microsoft\Teams\current\Teams.exe

Turned it on and MS Teams stopped working for some and is still working for others.
L1 Bithead

Re: Global protect split tunnel setup

Hi all,

Am I reading this right in that PAN-OS doesn't seem to support environment %Variables% in the path name of the executable you're trying to add to the "Include/Exclude Client Application Process Name" fields, be it with or without a GP license!? That's a big oversight if that's the case. Has anyone got this confirmed by PA support?

If it makes a difference to the PAN-OS, we're at 8.1.x and have a GP license.

I'm basically also looking to add Teams and Zoom to the exclusion list by executable, but it's pretty pointless if neither will work? Or is Zoom working using the .exe path name in conjunction with the IP exclusions for its IP blocks?

Also, are you guys seeing the new GP config changes apply after reconnecting / disconnecting and then reconnecting the GP client again? I asked PA support when the GP configs get applied and they weren't sure, and advised me that it's best to uninstall the GP client, clear a registry key and remove the GP services following a config change, and referred me to the following article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJDCA0

This seems rather drastic!

Thanks,

John

L4 Transporter

Re: Global protect split tunnel setup

Wow, support don't know!

I find it strange you have to remove the client.

When I make changes to the split tunnel with routes, they seem to show up after a disconnect / reconnect.

If they don't support %Variables%, then you can't really do Teams, can you? Wow.
