Split Tunnel Routing Config Help


L1 Bithead

Looking for some help on split tunneling.

We are on PAN-OS 9.1.9, GP client 5.26; for our LAN we also use Cisco Umbrella to block sites.

What I want to do is, when GlobalProtect connects, have all LAN traffic go through the VPN tunnel, and all Internet traffic from the client go out their end, not the VPN.

When I try to configure split tunneling on my gateway I follow the steps in the Split Tunneling doc: I include all my local LAN subnets in X.X.X.X/24 notation, and in the Exclude I put 0.0.0.0/0.

However, when I connect and test with a known blocked site, I still get a blocked message. It looks like Internet requests are still going through the GP client and our local LAN Internet connection.

I am not sure what I am doing wrong here. Anyone have any ideas?

Thank you in advance.

21 Replies

Apologies @Gareth.Doyle. The access to the local network does need to be allowed when using Windows. Not needed, though, for IOS.

@Dan_Swartz 

Still works fine for me on Windows. Screen dump below with Firefox filter shows BBC traffic going via the local adapter and works admin server via PanGP.

MickBall_0-1623482221172.jpeg

Also, you seem to have a few default routes. Have you added them manually to the local NICs?

You have 3 default routes, and the GP tunnel has the lowest metric of 1.

Here is what I get...

MickBall_1-1623482784677.png

L1 Bithead

I think the extra default routes are from AnyDesk. I use that to remote into that machine from outside our corporate network so I can test the VPN.

You need to see what is adding this route with metric 1, as this will cause the default route via GP to have a higher priority.

MickBall_0-1623657532077.png
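As an added diagnostic check (not code from any poster in this thread), the following Python parses the IPv4 table of a Windows `route print` and reports the two things MickBall asks about: which adapter holds the lowest-metric default route (if it is the GP-assigned address, Internet traffic is going through the tunnel regardless of the exclude), and whether a test include route such as 1.2.3.0/24 was actually pushed. The route table text and the addresses in it are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of the IPv4 section of `route print` (not from the thread).
# 10.10.10.5 stands in for the address the GP gateway assigned to the client;
# 192.168.1.20 is the local NIC; 192.168.99.1 is a third adapter with its own default route.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      On-link       10.10.10.5      1
          0.0.0.0          0.0.0.0      192.168.1.1   192.168.1.20     25
          0.0.0.0          0.0.0.0      On-link       192.168.99.1     35
          1.2.3.0    255.255.255.0      On-link       10.10.10.5      1
         10.0.0.0      255.255.0.0      On-link       10.10.10.5      1
      192.168.1.0    255.255.255.0      On-link       192.168.1.20    281
"""

# dest, netmask, gateway (may be "On-link"), interface address, metric
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(text):
    """Return the IPv4 routes of a `route print` dump as a list of dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if not m:
            continue  # header, separators and IPv6 section are skipped
        dest, mask, gateway, iface, metric = m.groups()
        routes.append({
            "network": ipaddress.ip_network(f"{dest}/{mask}"),
            "gateway": gateway,
            "interface": iface,
            "metric": int(metric),
        })
    return routes


def default_routes(routes):
    """All 0.0.0.0/0 routes, lowest metric (highest priority) first."""
    return sorted((r for r in routes if r["network"].prefixlen == 0), key=lambda r: r["metric"])


def tunnel_owns_default(routes, tunnel_ip):
    """True when the winning default route sits on the GP tunnel adapter."""
    defaults = default_routes(routes)
    return bool(defaults) and defaults[0]["interface"] == tunnel_ip


def has_include_route(routes, prefix, tunnel_ip):
    """True when the split-tunnel include `prefix` was installed on the tunnel adapter."""
    net = ipaddress.ip_network(prefix)
    return any(r["network"] == net and r["interface"] == tunnel_ip for r in routes)
```

Paste the real `route print` output into `SAMPLE_ROUTE_PRINT` and pass the address shown in the GP client as `tunnel_ip`; more than one default route, with the tunnel's at metric 1, reproduces the situation shown in the screenshots above.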

L1 Bithead

Odd, that is the IP address the Palo Alto assigns me when I connect to the VPN.

Yes, that's what normally happens, so this means default traffic will go via the tunnel interface. You need to check the Palo GP logs to ensure you are getting the correct agent config from the gateway, and then check those split tunnel settings again. Perhaps restart the PanGPS service locally to scrub any previous settings. Also add another split tunnel route, 1.2.3.0/24, just to see if you pick it up in route print.

Agent config is fine. I am thinking it is DNS, because no matter what I put in the split tunneling it still pulls up Cisco Umbrella. We have the virtual machine set up for Umbrella and all our DNS goes through them. We also have a DNS Proxy that points to the Umbrella servers. I think I am going to have to set up an internal DNS and an external DNS, per this article: https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClHf

I also read somewhere that we will need all GP clients on 5.2.X clients, which we currently are not. So I think I have a lot more work to do.
