cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Global protect split tunnel setup

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
Highlighted
Alex_Samad
L4 Transporter
‎05-02-2019 10:47 PM
‎05-02-2019 10:47 PM

Global protect split tunnel setup

Hi

 

I have 8.1.5 on the pa and 4.1.11-9 client

 

I have setup the gateway for video traffic exclusion, and selected 

youtube-streaming

netflix-streaming 

 

But a simple test shows utube still come over the tunnel address

 

I want to allow MS Teams to by pass the tunnel, so I goto agent / client setting select my config and split tunnel 

domain and application 

 

but the app runs from 

{userprofile}\AppData\Local\Microsoft\Teams\current\Teams.exe

 

how can i enter that into the config 

Labels:
0 Likes
Reply
Highlighted
BPry
Cyber Elite
Cyber Elite
‎05-03-2019 11:52 AM
‎05-03-2019 11:52 AM

@Alex_Samad,

You can use the userprofile environmental variable like so:

%userprofile%\AppData\Local\Microsoft\Teams\current\Teams.exe

 

The only thing I can think with the exclusion is that you should add youtube-base and netflix-base and see if that works. I haven't tried including just the streaming app-ids to see how well that works. 

 

 

0 Likes
Reply
Highlighted
Alex_Samad
L4 Transporter
‎05-03-2019 02:37 PM
‎05-03-2019 02:37 PM

Cool, I will try that with teams. I presume it runs under the current user so the env variable will point to the right place.

 

Now - do I want to include - does that mean by pass the vpn or exclude ??

 

 

 

Yeah , not getting utube to work. watching now and its still in vpn

 

So I turn on video traffic exclude

and selected utube and netflix

but its not working

 

0 Likes
Reply
Highlighted
Alex_Samad
L4 Transporter
‎05-14-2019 04:55 PM
‎05-14-2019 04:55 PM

So i have found my answer. 

 

You need a license for the video split tunnel .... sigh

Reply
Highlighted
BPry
Cyber Elite
Cyber Elite
‎05-14-2019 08:26 PM
‎05-14-2019 08:26 PM

@Alex_Samad,

That you do; this is not included within the "base" functionality of GlobalProtect included with the device. If I would have to guess I would assume that the "free" version of GlobalProtect will essentially stay at where it is currently, and all the new exciting things will be included in the license. 

0 Likes
Reply
Highlighted
OtakarKlier
Cyber Elite
Cyber Elite
‎05-15-2019 12:21 PM
‎05-15-2019 12:21 PM

Hello,

While I understand why you want to do a split tunnel, its not best practice and will fail most major compliance requirements.

 

Regards,

0 Likes
Reply
Highlighted
Alex_Samad
L4 Transporter
‎05-15-2019 05:58 PM
‎05-15-2019 05:58 PM

Yes understand but, we haved started to use MS teams video chat - and well hair pin turning a video stream 1/2 way around the world is a pain.  So we are looking at allowing just MS teams to have direct access out to just O365 ip's

0 Likes
Reply
Highlighted
CoreyKinder
L0 Member
‎02-07-2020 08:23 AM
‎02-07-2020 08:23 AM

Anyone else try this out?

From real-world testing I found it did work with exceptions by adding the path %userprofile\AppData\Local\Microsoft\Teams\current\Teams.exe

 

The exception being that the ability to join meetings is completely broken. That traffic somehow ends up coming back across the tunnel while keeping the main teams application on the local network which causes the attempt to join to fail.

Upon investigation of the processes that are created while joining a meeting in Teams it seems Teams temporarily stages another Teams.exe at this location 

%userprofile\AppData\Local\Microsoft\Teams\stage\Teams.exe

However, adding this to the Split Tunnel config still did not work.

Not sure what I am missing, but the fact that Palo Alto does not support the ability to Split Tunnel based on external IP blocks is ridiculous as this would have been much easier and working now.

0 Likes
Reply
Highlighted
BillyeMoore
L1 Bithead
‎02-27-2020 11:36 AM
‎02-27-2020 11:36 AM

%userprofile% not %userprofile

0 Likes
Reply
Highlighted
wiresharky
L1 Bithead
‎03-12-2020 02:00 AM
‎03-12-2020 02:00 AM

I've added 52.112.0.0/14 to the split tunnel config because all teams traffic seems to go there.

This worked for a bit, but i still see traffic to this subnet comming trought the vpn altough traceroutes and manual request do go the correct way.

to counter this i've blocked this traffic on the palo so the client has to take the direct route via local internet, but this raises some strange issues for users.

 

Does ms teams override the routing table ? very strange.

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2020 - Palo Alto Networks