on 03-31-2020 12:51 PM - edited on 07-11-2022 11:35 PM by jennaqualls
Due to the COVID-19 pandemic, enterprises require their employees and contractors to work remotely. Customers can deploy GlobalProtect with on-premise firewall to securely enable remote work from home, including access to their corporate Microsoft Office 365 applications.
Microsoft has made two recommendation to customers using Office 365 applications to optimize user experience during the COVID-19 pandemic:
The document is written to provide guidance to Palo Alto Networks customers on how these recommendations from Microsoft on Office 365 access can be implemented using our the GlobalProtect application in next-generation firewalls.
The objective of this document is to provide guidance to customers for optimizing their Office 365 user traffic.
While Palo Alto Networks next-generation firewall supports multiple split tunneling options using Access Route, Domain and Application, and dynamically split tunneling video traffic. This document specifically focuses on implementing split tunneling exclude using access route feature based on Microsoft recommendations for the following Office 365 Applications:
This helps enterprises with business continuity, and if the enterprise network infrastructure is overwhelmed with an increased traffic load during COVID-19, customers can chose to split tunnel high bandwidth consumption apps in office 365 to ensure business continuity.
PS C:\> $ips |Sort-Object -Unique 220.127.116.11/17 2603:1096:a00::/39 18.104.22.168/17 22.214.171.124/22 2603:1096:c00::/40 126.96.36.199/13 188.8.131.52/22 2603:10a6:200::/40 184.108.40.206/14 220.127.116.11/31 2603:10a6:400::/40 18.104.22.168/14 22.214.171.124/31 2603:10a6:600::/40 126.96.36.199/14 188.8.131.52/18 2603:10a6:800::/40 184.108.40.206/14 220.127.116.11/32 2603:10d6:200::/40 18.104.22.168/16 2620:1ec:4::152/128 22.214.171.124/22 2620:1ec:4::153/128 126.96.36.199/22 2620:1ec:8f0::/46 188.8.131.52/22 2620:1ec:8f8::/46 184.108.40.206/32 2620:1ec:900::/46 220.127.116.11/20 2620:1ec:908::/46 2603:1006::/40 2620:1ec:a92::152/128 2603:1016::/36 2620:1ec:a92::153/128 2603:1026::/36 2620:1ec:c::10/128 2603:1036::/36 2620:1ec:c::11/128 2603:1046::/36 2620:1ec:d::10/128 2603:1056::/36 2620:1ec:d::11/128 2603:1096::/38 2a01:111:f400::/48 2603:1096:400::/40 2a01:111:f402::/48 2603:1096:600::/40 18.104.22.168/15 PS C:> $urls Outlook.office.com Outlook.office365.com *.sharepoint.com
<exclude-access-routes> <member>22.214.171.124/14</member> <member>126.96.36.199/18</member> <member>188.8.131.52/14</member> </exclude-access-routes>
Just to confirm, I take it that the "No direct access to local network" is not an option in this scenario. I have a requirement to prevent the local network from being accessed or accessing the PC/Mac in question.
@steveomitchell I know you posted your comment a couple of months ago but just ran across it. You should be able to still do the "No direct access to local network" and do exclusions. The No direct access just adds a route in the client route table for the local subnet and points it to the tunnel with a lower metric. The exclusions also add a route in the table but points it to the local interface. We are using both so you should be fine.
Hi all Panorama Users,
Important to know is, that address groups are not valid in the exlcude section without a trick for devices managed by panorama.
The issue is related to the usage of the address group in the exclude list. The exclude list is not one of the areas where Panorama considers the address group to be used. Therefore, it is expected for the push to fail if this group is not referenced elsewhere.
When the option "Share Unused Address and Service Objects with Devices" under panorama settings is unselected, then the shared objects/group will not be sent to the device. As a result, the commit on the device will fail.
To resolve this issue, you have two options:
1- Configure the Subnets directly on the exclude list.-> not prefered, because maintaining could be worse if you have multiple settings with that IPs
2- Configure the individual address objects on the exclude list.
- If push fails, enable/check the "Share Unused Address and Service Objects with Devices”, then commit and push.
Panorama > Setup > Management > Panorama Settings -> Depends on the box limit of Object count, if you can use this solution
3-prefered in my eyes:
- Configure a dummy security rule in panorama to the bottom of the policy, where it will never be used, and add to this rule the address group. -> This forced the panorama to push the address group to the firewall
- Commit and push. Only to the device group which is desired to use this address group in splittunneling. (Edit selection and choose the target device group, then push).
- Check firewall and make sure the dummy rule is added successfully to the security policies.
- Add the address group on GP gateway, in the Exclude area.
- Commit to the panorama, then Commit and push, to the target template Stack.