split tunnel or tunnel all



L4 Transporter


Which one is best, split tunnel or tunnel all? If tunnel all, how do you do it in PA?

What are the pros and cons?




Cyber Elite


This depends solely on your requirements and what you are looking to accomplish. One option is not necessarily "better" than the other if you aren't looking at the full picture. I'm going to assume that you are talking about GlobalProtect and not an IPSec tunnel.


1) Full Tunnel

The benefit of a full tunnel GlobalProtect configuration is that you can inspect all traffic from a connected endpoint; tied together with always-on and pre-logon, it's similar to having the device sitting in your office. All of the traffic will be inspected by the firewall and the endpoint is effectively never not connected to your network. This is actually how GlobalProtect configures by default: if you leave your 'Split Tunnel' configuration empty or include in your include list, it'll tunnel everything through GlobalProtect.


2) Split Tunnel

The benefit of split-tunnel is that you don't have to process all of the endpoint's network traffic, which can save you bandwidth if you don't have a connection capable of processing all of the traffic. This is extremely common in a lot of businesses where you have a BYOD VPN tunnel to allow someone to, for example, remote onto their desktop at work.

This is actually a common practice that I use for customers who simply want a way for someone to RDP back to their desktop at work. The configuration will simply allow for RDP traffic back to the access VLANs and ensure that the connected desktop passes a number of HIP checks to ensure that the client itself is up-to-date and has a supported antivirus solution. In this type of setup, I don't want to process all of the endpoint's traffic, just the RDP traffic.

Under the Split Tunnel configuration you simply need to include whatever subnets you need to traverse the VPN in the include list.


What solution you pick is really going to depend on your requirements and the business and regulatory needs. Banks for example that I've worked with don't allow any non-issued device to connect to their VPN and all traffic is processed through the VPN tunnel. SMB customers might not have the bandwidth to support all of that traffic and just want to allow RDP traffic as I mentioned before while performing a few HIP checks. Completely dependent on what your needs are. 


I say tunnel all. You have a fantastic security appliance, Palo Alto, why not use it to inspect all the traffic?


Just my thoughts.
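As an added example (not code from the thread or from Palo Alto Networks), here is a small Python model of the include-list rule described above, so an administrator can check which destinations would bypass firewall inspection under a given split-tunnel configuration. The model's handling of an exclude route that is more specific than an include route, and of excludes when the include list is empty, are assumptions of the model, not something the thread states.

```python
import ipaddress

# Constructed model of the GlobalProtect split-tunnel decision as described in the
# answer above: an empty include list tunnels everything; otherwise only destinations
# matching an include route traverse the VPN. Assumption (not stated in the thread):
# a more specific exclude route wins over a less specific include route.

def _longest_match(dst, routes):
    """Return the most specific network in `routes` containing `dst`, or None."""
    best = None
    for r in routes:
        net = ipaddress.ip_network(r, strict=False)
        if dst in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return best

def is_tunneled(dst_ip, include=(), exclude=()):
    """True if traffic to dst_ip would be sent through the VPN (and so be inspected)."""
    dst = ipaddress.ip_address(dst_ip)
    inc = _longest_match(dst, include)
    exc = _longest_match(dst, exclude)
    if not include:
        # Empty include list: tunnel all (the default the answer describes).
        # Assumption: an explicit exclude route still bypasses the tunnel.
        return exc is None
    if inc is None:
        return False                      # no include route covers it: goes direct
    if exc is not None and exc.prefixlen > inc.prefixlen:
        return False                      # more specific exclude wins (assumption)
    return True

def bypassed(destinations, include=(), exclude=()):
    """Destinations that would NOT traverse the VPN, i.e. escape firewall inspection."""
    return [d for d in destinations if not is_tunneled(d, include, exclude)]

if __name__ == "__main__":
    # Constructed sample: the RDP-only case from the answer, access VLANs in 10.10.0.0/16.
    rdp_only = ["10.10.0.0/16"]
    print(bypassed(["10.10.5.20", "8.8.8.8", "192.168.1.1"], include=rdp_only))
```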


My concern is bandwidth if it is full tunnel. And does it require NAT-T?






That is only used for site to site vpn tunnels. You will need a NAT policy for the traffic.




