- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
- Panorama
- AIOps for NGFW
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- Cloud NGFW for AWS
- CN-Series
- VM-Series:
- Private Cloud
- OCI
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
- Cortex Xpanse
Security Operations
- Resources
- COVID-19 Response Center
Global protect split tunnel setup
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Global protect split tunnel setup
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Global protect split tunnel setup
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-02-2019
10:47 PM
- last edited on
03-20-2020
07:13 AM
by
arsimon
Hi
I have 8.1.5 on the pa and 4.1.11-9 client
I have setup the gateway for video traffic exclusion, and selected
youtube-streaming
netflix-streaming
But a simple test shows utube still come over the tunnel address
I want to allow MS Teams to by pass the tunnel, so I goto agent / client setting select my config and split tunnel
domain and application
but the app runs from
{userprofile}\AppData\Local\Microsoft\Teams\current\Teams.exe
how can i enter that into the config
- Labels:
-
GlobalProtect-COVID19
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-03-2019 11:52 AM
You can use the userprofile environmental variable like so:
%userprofile%\AppData\Local\Microsoft\Teams\current\Teams.exe
The only thing I can think with the exclusion is that you should add youtube-base and netflix-base and see if that works. I haven't tried including just the streaming app-ids to see how well that works.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-03-2019 02:37 PM - edited 05-03-2019 03:11 PM
Cool, I will try that with teams. I presume it runs under the current user so the env variable will point to the right place.
Now - do I want to include - does that mean by pass the vpn or exclude ??
Yeah , not getting utube to work. watching now and its still in vpn
So I turn on video traffic exclude
and selected utube and netflix
but its not working
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-14-2019 04:55 PM
So i have found my answer.
You need a license for the video split tunnel .... sigh
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-14-2019 08:26 PM
That you do; this is not included within the "base" functionality of GlobalProtect included with the device. If I would have to guess I would assume that the "free" version of GlobalProtect will essentially stay at where it is currently, and all the new exciting things will be included in the license.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-15-2019 12:21 PM
Hello,
While I understand why you want to do a split tunnel, its not best practice and will fail most major compliance requirements.
Regards,
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
05-15-2019 05:58 PM
Yes understand but, we haved started to use MS teams video chat - and well hair pin turning a video stream 1/2 way around the world is a pain. So we are looking at allowing just MS teams to have direct access out to just O365 ip's
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
02-07-2020 08:23 AM
Anyone else try this out?
From real-world testing I found it did work with exceptions by adding the path %userprofile\AppData\Local\Microsoft\Teams\current\Teams.exe
The exception being that the ability to join meetings is completely broken. That traffic somehow ends up coming back across the tunnel while keeping the main teams application on the local network which causes the attempt to join to fail.
Upon investigation of the processes that are created while joining a meeting in Teams it seems Teams temporarily stages another Teams.exe at this location
%userprofile\AppData\Local\Microsoft\Teams\stage\Teams.exe
However, adding this to the Split Tunnel config still did not work.
Not sure what I am missing, but the fact that Palo Alto does not support the ability to Split Tunnel based on external IP blocks is ridiculous as this would have been much easier and working now.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
02-27-2020 11:36 AM
%userprofile% not %userprofile
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-12-2020 02:00 AM
I've added 52.112.0.0/14 to the split tunnel config because all teams traffic seems to go there.
This worked for a bit, but i still see traffic to this subnet comming trought the vpn altough traceroutes and manual request do go the correct way.
to counter this i've blocked this traffic on the palo so the client has to take the direct route via local internet, but this raises some strange issues for users.
Does ms teams override the routing table ? very strange.
- Issue passing traffic with Global Protect client 5.2.9 or later in GlobalProtect Discussions
- Global Protect Azure MFA SAML FIDO Key in GlobalProtect Discussions
- Can Cortex XDR proactively log Global Protect client debug? in Cortex XDR Discussions
- Global Protect in Abu Dhabi in GlobalProtect Discussions
- Global protect enforcer and public wifi captive portal in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
