GPVPN Split tunnel issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GPVPN Split tunnel issue

L3 Networker

Hi We had recently configured split tunneling on our firewall and had allowed certain subnets via access routes and domains on include domain list.

 

For security purpose changing the domain names:

 

We had added *.google.com on our domain include list to allow access of sites under that domain.

 

When the end user connects to GPVPN and accesses the google.com it is going through GP-VPN-->F/W-->ISP

 

If we try to access subdomains like admin-dashboard.google.com the traffic is routed through the end user Local ISP.

 

We had configured Internal IP address on Agent DNS IP Setting.

 

Here the DNS Query to admin-dashboard.google.com is send to tunnel but the HTTPS traffic to admin-dashboard.google.com is going through end user local ISP

 

Global VPN GlobalProtect: Implement Split Tunnel Domain and Applications DNS issue over Global Protect split tunnel 

4 REPLIES 4

L7 Applicator

First issue...

The wildcard is working as expected.  It means anything before .google.com so this will not include google.com so just add both to the split domains.

 

Second issue.

nslookup and similar apps will not use the same engine as your browser so the split domain settings will not work for them.  

 

I usually add to browser and wireshark on port 53 to test DNS resolution.

Hi @Mick_Ball  Thanks for your reply.

 

Issue 1: we had added both google.com and admin-dashobard.google.com to the include domain in the split tunnel but still the traffic is going via end user local nw for the admin-dashboard.google.com site.

 

Do we need to uninstall and reinstall the GP Client for the settings to get reflected at endpoints.

 

Issue 2: We had configured an internal DNS for querying of GP users. Had checked with Wireshark by doing packet capture of GP tunnel could see DNS traffic is successfully send via GP Tunnel but the traffic for admin-dashobard.google.com is still going through local ethernet.

 

All the GP client are Mac OS.

 

Any thoughts on this on how to proceed further.

L7 Applicator

can you send screen dump of both split tunnel access route and split tunnel domain and application

Hi @Mick_Ball I would not be able to share the screenshot of the access routes and domain/application tab as it contains sensitive datas. But now the traffic to that particular sub-domain is passing thru split tunnel but after some time it is being routed thru end-user network.  The subdomain is having dynamic IP and it is deployed in AWS. The DNS name resolution is done using internal private DNS server.

  • 4186 Views
  • 4 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!