Global protect split tunnel setup

thanks for replying

I did that (and added a few more over the last days).

so you didn't notice any traffic of those ranges still going through the vpn tunnel?

I don't believe I'm seeing anything there. With my testing anyway it showed correctly disappearing traffic while in a Teams meeting. I have not double checked later on yet.

I have created a list for Zoom and that works well also.

I'm struggling with anything EXE based but it might be due to the multiple possible folders Outlook might be installed into based on 32bit vs. 64bit O365 vs stand alone install. I did successfully split MS AppStore as a test and that worked flawlessly all the time.

Palo needs to support %userprofile% and %appdata% in the config!

Hi @CoreyKinder ,

I have observed the same behavior as the one you described.

We are running v9.0.4 on the Gateway and 5.0.7-2 on the GP Clients.

We configured split tunneling for the process %userprofile\AppData\Local\Microsoft\Teams\current\Teams.exe

Works pretty well but in some cases, joining a Teams Meeting online is not working. Several users reported this issue, while I personally never faced it.

My first analysis shows that traffic to the following FQDN is always going through the Tunnel and will not break out locally: api.flightproxy.teams.microsoft.com

Unfortunately this FQDN returns random IP addresses from different subnets.

I am also not sure whether or not this is the cause of the issue. I tried collecting GlobalProtect debug logs, MS Teams debug logs, but did not find anything so far

Did anyone manage to make this work?

I have gone the cheaper or route the license for GP is $$$ so i use split tunnel routes

https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service offical ip ranges used by MS for services - pick the skype ones it covers MS teams from my under standing 

i run this script to produce something I can cut and paste into panorama

#!/bin/bash

#
# guid
# https://www.guidgenerator.com/online-guid-generator.aspx
#
guid=<generate one>

tp="/tmp/$guid"

#
# https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service
#

wget -O "$tp" -q 'https://endpoints.office.com/endpoints/WorldWide?ClientRequestId=<getyourown>&AllVersions=false&Form...'

#
theips="prefix other ips"

for x in $( cat "$tp" | sed -e 's/^[^,]*,[^,]*,"[^"]*",//;s/"[^"]*",//;s/^,.*$//;/^id,.*$/d;/^$/d;s/^"\([^"]*\)".*$/\1/;s/,/ /g')
do
#echo $x
theips="$theips $x"
done

echo "# this is for the <agent name1> people on the gateway"
echo "set template Active_Passive config vsys vsys1 global-protect global-protect-gateway alcpa-vpn-gateway remote-user-tunnel-configs <agent name1> split-tunneling exclude-access-route [ $theips ]"

echo "# this is for the non singapore people on the gateway"
echo "set template Active_Passive config vsys vsys1 global-protect global-protect-gateway alcpa-vpn-gateway remote-user-tunnel-configs <agent name2> split-tunneling exclude-access-route [ $theips ]"

echo "# this is for all on the gateway"
echo "set template ybopa config vsys vsys1 global-protect global-protect-gateway ybopa-vpn-gateway-external remote-user-tunnel-configs <agent name3> split-tunneling exclude-access-route [ $theips ]"

echo

nice!

i have minemeld running and will use that as a source.

Do any of your users have issues with teams joining meetings or sharing their desktop?

I've got mixed results.

Seem like the nice people at PA have opened up trial license for 3-6 months for GP.  which will allow me to use all these nice features.

So instead of having to do it by ip address I should be able to do it by app / process ..

Moved to trying 

%userprofile%\AppData\Local\Microsoft\Teams\current\Teams.exe

turned it on and MS Teams stop working for some and still working for others 😞

Hi all, 

Am I reading this right in that PanOS doesn't seem to support environment %Variables% in the path name of the executable you're trying to add to the "Include/Exclude Client Application Process Name" fields, be it with or without a GP license!? That's big oversight if that's the case. Has anyone got this confirmed by PA support?

If it makes a difference to the PanOS, we're at 8.1.x and have a GP license.

I'm basically also looking to add Teams and Zoom to the exclusion list by executable, but it's pretty pointless if neither will work? Or is Zoom working using the .exe path name in conjunction with the IP exclusions for it's IP blocks?

Also, are you guys seeing the new GP config changes apply after reconnecting / disconnecting and then reconnecting the GP client again? - I asked PA support when the GP configs get applied and they weren't sure, and advised me that's it's best to uninstall the GP client and clear a registry key and remove the GP services following a config change, and referred me to the following article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJDCA0

This seems rather drastic!

Thanks,

John

 Wow support don't know !

I find it strange you have to remove the client. 

when i make changes to the split tunnel withe routes they seems to show up after a disconnect reconnect.

if they don't support %Variables%, then you can't really do teams can you ?  Wow