Split Tunnel Routing Config Help


L1 Bithead

Looking for some help on split tunneling.

We are on PAN-OS 9.1.9, GP client 5.26. For our LAN we also use Cisco Umbrella to block sites.

What I want to do is when GlobalProtect connects I want all LAN traffic going through the VPN, and all Internet traffic from the client going through their end, not the VPN.

When I try to configure split tunneling on my gateway, I follow the steps in the Split Tunneling doc. I include all my local LAN subnets in X.X.X.X/24 notation. In the Exclude I put 0.0.0.0/0.

However, when I connect and test with a known blocked site, I still get a blocked message. Looks like internet requests are still going through the GP client and our local LAN internet connection.

I am not sure what I am doing wrong here. Anyone have any ideas?

Thank you in advance.

 


Yes, that's what normally happens, so this means default traffic will go via the tunnel interface. You need to check Palo GP logs to ensure you are getting the correct agent config from the gateway and then check those split tunnel settings again. Perhaps restart the pangps service locally to scrub any previous settings. Also add another split tunnel route, 1.2.3.0/24, just to see if you pick it up in route print.

 

 

Agent config is fine. I am thinking it is DNS, because no matter what I put in the split tunneling it still pulls up Cisco Umbrella. We have the virtual machine set up for Umbrella and all our DNS goes through them. We also have a DNS Proxy that points to the Umbrella servers. I think I am going to have to set up an internal DNS and an external DNS, per this article: https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClHf

I also read somewhere that we will need all GP clients on 5.2.X clients, which we currently are not. So I think I have a lot more work to do.
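The `route print` check suggested in the first reply, combined with the DNS suspicion in the last one, as an added example that is not part of the original thread. It parses a constructed `route print` table and reports which adapter a destination would leave through; every address in it (home NIC 192.168.1.50, GlobalProtect adapter 10.99.0.5, LAN subnets 10.10.x.0/24, a resolver at 10.10.1.53) is a made-up assumption.

```python
import ipaddress

# Constructed sample of the IPv4 "Active Routes" table from `route print`.
# Assumed addresses: 192.168.1.50 = home NIC, 10.99.0.5 = GlobalProtect
# adapter, 10.10.x.0/24 = LAN subnets pushed as split-tunnel include routes,
# 1.2.3.0/24 = the extra test route suggested in the thread.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
        10.10.1.0    255.255.255.0          On-link        10.99.0.5      1
        10.10.2.0    255.255.255.0          On-link        10.99.0.5      1
          1.2.3.0    255.255.255.0          On-link        10.99.0.5      1
      192.168.1.0    255.255.255.0          On-link     192.168.1.50    281
===========================================================================
Persistent Routes:
  None
"""

def parse_routes(text):
    """Return [(network, interface_ip, metric)] from the Active Routes section."""
    routes, active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes"):
            active = True
        elif line.startswith("Persistent Routes"):
            active = False
        parts = line.split()
        if not active or len(parts) != 5:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}")
            routes.append((net, parts[3], int(parts[4])))
        except ValueError:
            continue  # header or separator line, not a route entry
    return routes

def egress_interface(routes, dest):
    """Pick the route by longest prefix, then lowest metric; return its interface."""
    ip = ipaddress.ip_address(dest)
    hits = [r for r in routes if ip in r[0]]
    if not hits:
        return None
    return max(hits, key=lambda r: (r[0].prefixlen, -r[2]))[1]

def tunnels_default(routes, tunnel_ip):
    """True if a 0.0.0.0/0 route points at the tunnel adapter (no split tunnel)."""
    return any(n.prefixlen == 0 and i == tunnel_ip for n, i, _ in routes)
```

In this sample the web destination leaves through the home NIC while a resolver inside an included LAN subnet is still reached through the tunnel, so the route table alone does not show which DNS server answers the lookup.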

 
