06-11-2021 08:23 AM
Looking for some help on split tunneling.
We are on PAN-OS 9.1.9, GP client 5.26; for our LAN we also use Cisco Umbrella to block sites.
What I want to do is, when GlobalProtect connects, have all LAN traffic go through the VPN, and all Internet traffic from the client go out their end, not the VPN.
When I try to configure split tunneling on my gateway I follow the steps in the Split Tunneling doc; I include all my local LAN subnets in X.X.X.X/24 notation. In the Exclude I put 0.0.0.0/0.
However, when I connect and test with a known blocked site, I still get a blocked message. It looks like Internet requests are still going through the GP client and our local LAN Internet connection.
I am not sure what I am doing wrong here. Anyone have any ideas?
Thank you in advance.
06-12-2021 12:17 AM
Apologies @Gareth.Doyle. The access to the local network does need to be allowed when using Windows. Not needed, though, for iOS.
Still works fine for me on Windows. Screen dump below with a Firefox filter shows BBC traffic going via the local adapter and the work admin server via PANGP.
06-12-2021 12:26 AM
Also... you seem to have a few default routes. Have you added them manually to local NICs?
You have 3 default routes and the GP tunnel has the lowest metric of 1.
Here is what I get...
06-12-2021 09:29 AM
I think the extra default routes are from AnyDesk. I use that to remote into that machine outside our corporate network so I can test the VPN
06-14-2021 12:59 AM
You need to see what is adding this route with metric 1, as this will cause the default route via GP to have a higher priority.
06-14-2021 07:17 AM
Odd, that is the IP address the Palo Alto Assigns me when I connect to the VPN
06-14-2021 08:21 AM
Yes, that's what normally happens, so this means default traffic will go via the tunnel interface. You need to check the Palo GP logs to ensure you are getting the correct agent config from the gateway and then check those split tunnel settings again. Perhaps restart the PanGPS service locally to scrub any previous settings... Also add another split tunnel route, e.g. 1.2.3.0/24, just to see if you pick it up in route print.
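The route-table check described in the replies above (which adapter owns the winning default route, and whether each split-tunnel include prefix shows up in `route print` via the GlobalProtect adapter) can be scripted. The following is an added example and is not code from the thread or from Palo Alto Networks. The `route print` table, the tunnel address 10.100.0.5, and the include prefixes are all constructed to mirror the symptom the replies describe (three default routes, the tunnel's at metric 1); the real addresses in the thread's screenshots are not shown on the page.

```python
"""Parse the IPv4 section of Windows `route print` output and report
(a) which interface owns the lowest-metric default route and
(b) which split-tunnel include prefixes have no route via the tunnel.

Added example; the route table below is constructed, not captured from
the thread. 10.100.0.5 is a hypothetical GlobalProtect tunnel address.
"""
import ipaddress
import re
from typing import List, NamedTuple


class Route(NamedTuple):
    dest: ipaddress.IPv4Network
    gateway: str      # next hop, or "On-link"
    interface: str    # interface address as shown by route print
    metric: int


# Constructed sample in the layout `route print` uses on Windows.
SAMPLE_ROUTE_PRINT = """\
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.1.1    192.168.1.50     35
          0.0.0.0          0.0.0.0        On-link       10.100.0.5      1
          0.0.0.0          0.0.0.0     172.16.5.1     172.16.5.20    281
       10.10.0.0      255.255.255.0        On-link       10.100.0.5      1
       10.20.0.0      255.255.255.0        On-link       10.100.0.5      1
      192.168.1.0    255.255.255.0        On-link    192.168.1.50    291
===========================================================================
Persistent Routes:
  None
"""

# destination  netmask  gateway(ip or On-link)  interface  metric
ROW_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)"
    r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_ipv4_routes(text: str) -> List[Route]:
    """Return the rows of the IPv4 'Active Routes' table as Route tuples."""
    routes: List[Route] = []
    in_v4 = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "IPv4 Route Table":
            in_v4 = True
            continue
        if stripped == "IPv6 Route Table":
            break
        if not in_v4:
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # headers, separators, "Persistent Routes:" etc.
        dest, mask, gw, iface, metric = m.groups()
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, gw, iface, int(metric)))
    return routes


def default_routes(routes: List[Route]) -> List[Route]:
    """All 0.0.0.0/0 entries, lowest metric first (the one Windows will use)."""
    return sorted((r for r in routes if r.dest.prefixlen == 0),
                  key=lambda r: r.metric)


def tunnel_owns_default(routes: List[Route], tunnel_ip: str) -> bool:
    """True when the winning default route sits on the tunnel adapter, i.e.
    Internet-bound traffic will go through GlobalProtect despite the
    0.0.0.0/0 exclude."""
    d = default_routes(routes)
    return bool(d) and d[0].interface == tunnel_ip


def missing_includes(routes: List[Route], tunnel_ip: str,
                     includes: List[str]) -> List[str]:
    """Include prefixes from the gateway config that have no route via the
    tunnel adapter, i.e. that the agent did not install."""
    via_tunnel = {r.dest for r in routes if r.interface == tunnel_ip}
    return [p for p in includes
            if ipaddress.IPv4Network(p) not in via_tunnel]


if __name__ == "__main__":
    tunnel = "10.100.0.5"
    rts = parse_ipv4_routes(SAMPLE_ROUTE_PRINT)
    for r in default_routes(rts):
        print(f"default via {r.gateway:<12} on {r.interface:<13} metric {r.metric}")
    print("tunnel owns default route:", tunnel_owns_default(rts, tunnel))
    # 1.2.3.0/24 plays the role of the extra test prefix suggested above.
    print("includes not installed:",
          missing_includes(rts, tunnel, ["10.10.0.0/24", "10.20.0.0/24", "1.2.3.0/24"]))
```

On a real machine, feed it the output of `route print -4` and the address shown on the PANGP adapter. A winning default route on the tunnel explains the symptom on the routing side only; it says nothing about where DNS queries go, which the thread later turns to.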
06-15-2021 06:43 AM
Agent config is fine. I am thinking it is DNS, because no matter what I put in the split tunneling it still pulls up Cisco Umbrella. We have the virtual machine set up for Umbrella and all our DNS goes through them. We also have a DNS Proxy that points to the Umbrella servers. I think I am going to have to set up an internal DNS and external DNS, per this article: https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000ClHf
I also read somewhere that we will need all GP clients on 5.2.X, which we currently are not. So I think I have a lot more work to do.