10-28-2020 04:24 PM
Hey folks.
We're planning on implementing MFA for Office 365, and as part of that I want to add the Microsoft Office domains into our GlobalProtect split tunnels. Since almost everyone is working from home, I want to whitelist our "corporate" IP addresses and have people who are connected from company PCs on the VPN not be bothered by MFA requests.
This is relatively easy in the configuration, but I've come across an issue which is perplexing me.
I run my personal machine on a fairly recent VPN client to check for issues before pushing it out to the main portal for users to upgrade - and when I implemented this split tunnel on the portal, it didn't work.
A colleague is running the "production" release I have on the portal. So I downgraded to that version, and the split-tunnelled domains work.
Does anyone know if there's something extra in the later clients which needs to be done to make this work?
Working client version - 5.0.8
Failed client version - 5.2.2
Thanks
02-24-2021 07:38 PM
I am running GP version 5.2.4 and split tunnel is working fine.
We have configured all Microsoft domains and IPs to bypass the tunnel.
Try to upgrade to 5.2.4.
Regards
02-25-2021 12:20 AM
I've just typed a lot at LIVEcommunity - Global Protect Office 365 Split Tunnel - LIVEcommunity - 387607 (paloaltonetworks.co...
We had it all working on 5.1.8 / 8.1.X
Since moving to virtual Azure appliances 5.2.X/9.1.6 we've had all kinds of issues.
There's a setting for GP to do split tunneling only for network, or for both network & DNS.
Not sure if that will solve things as we are in the middle of investigating with TAC
03-01-2021 06:16 PM
If you want to use split tunnel based on network, then it is good practice to also use split tunnel based on DNS.
That way the GP agent will not contact the configured GP DNS server.
You should use the split tunnel based on DNS.
Regards
04-13-2021 04:23 PM
@sebastianvd wrote: I've just typed a lot at LIVEcommunity - Global Protect Office 365 Split Tunnel - LIVEcommunity - 387607 (paloaltonetworks.co...
We had it all working on 5.1.8 / 8.1.X
Since moving to virtual Azure appliances 5.2.X/9.1.6 we've had all kinds of issues.
There's a setting for GP to do split only for network or for both network & dns.
Not sure if that will solve things as we are in the middle of investigating with TAC
I wasn't able to get it working on DNS-based names, but fortunately Microsoft has a list of IPs you need to add into the tunnel, so I just added a whole bunch of routes/groups and made it work.
It's a pity, because it'd be such a great feature - for anything "xx.microsoft.com", send the traffic over the tunnel - but instead it's all based on IP ranges now.
Made it work, but it wasn't as easy as it should have been.
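The post above falls back to the IP ranges Microsoft publishes rather than domain names. Microsoft serves those ranges (and the matching URLs) as JSON from the Office 365 IP Address and URL web service at https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses a record set in that service's schema and produces the two lists a GlobalProtect split-tunnel configuration takes, collapsed IPv4/IPv6 routes for the network-based exclusion and hostnames for the domain-based exclusion. The embedded SAMPLE is a constructed, abbreviated feed so the script runs offline; the category filter (Optimize and Allow, required entries only) follows Microsoft's published guidance on which endpoints to bypass, and the real feed contains many more records.

```python
"""Build GlobalProtect split-tunnel exclusion lists from an Office 365
endpoint feed.

The live feed is published by Microsoft at
https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>.
SAMPLE below is a constructed, abbreviated record set in that schema so the
script runs offline; it is not real feed output.
"""
import ipaddress
import json

SAMPLE = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
     "required": True, "expressRoute": True,
     "urls": ["outlook.office.com", "outlook.office365.com"],
     "ips": ["13.107.6.152/31", "13.107.18.10/31", "2603:1006::/40"],
     "tcpPorts": "80,443"},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow",
     "required": True, "expressRoute": True,
     "urls": ["*.outlook.office.com", "attachments.office.net"],
     "ips": ["13.107.6.152/31", "40.96.0.0/13", "52.96.0.0/14"],
     "tcpPorts": "443"},
    # Default-category records often carry URLs only, no "ips" key.
    {"id": 3, "serviceArea": "Exchange", "category": "Default",
     "required": True, "expressRoute": False,
     "urls": ["*.protection.outlook.com"],
     "tcpPorts": "443"},
    {"id": 4, "serviceArea": "Skype", "category": "Optimize",
     "required": True, "expressRoute": True,
     "urls": [], "ips": ["52.112.0.0/14", "52.122.0.0/15"],
     "udpPorts": "3478,3479,3480,3481"},
    {"id": 5, "serviceArea": "Common", "category": "Allow",
     "required": False, "expressRoute": False,
     "urls": ["*.cdn.office.net"], "ips": ["152.199.19.161/32"],
     "tcpPorts": "443"},
])


def build_exclusions(feed_json, categories=("Optimize", "Allow"),
                     required_only=True):
    """Return (routes, domains) for the GP split-tunnel exclude lists.

    routes  -> CIDR strings for the network-based 'Exclude Access Route' list,
               deduplicated and collapsed where adjacent, IPv4 before IPv6.
    domains -> hostnames/wildcards for the domain-based 'Exclude Domain' list.
    """
    records = json.loads(feed_json)
    v4, v6, domains = set(), set(), set()
    for rec in records:
        if rec.get("category") not in categories:
            continue
        if required_only and not rec.get("required", False):
            continue
        for cidr in rec.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            (v4 if net.version == 4 else v6).add(net)
        for url in rec.get("urls", []):
            # Keep both "*.x.y" and "x.y": a wildcard does not cover the apex.
            domains.add(url.lower())
    # collapse_addresses() only accepts one address family at a time.
    routes = [str(n) for n in ipaddress.collapse_addresses(sorted(v4))]
    routes += [str(n) for n in ipaddress.collapse_addresses(sorted(v6))]
    return routes, sorted(domains)


if __name__ == "__main__":
    routes, domains = build_exclusions(SAMPLE)
    print("# Exclude Access Route entries")
    print("\n".join(routes))
    print("# Exclude Domain entries")
    print("\n".join(domains))
```

Run it against the real feed by replacing SAMPLE with the downloaded JSON body; the route list is what goes into the network-based exclusion that the post above used, and the domain list is what the domain-based exclusion would take if that mode is available on your deployment. Re-run it on Microsoft's monthly publication cycle, since the ranges change.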
10-25-2021 06:03 PM
Not sure if you are aware, but to use DNS-based split tunnelling you also have to have a gateway subscription on your firewall.