Split tunneling based on the domain is not working.

Reply
Highlighted

Split tunneling based on the domain is not working.

Split tunneling based on the domain is not working. We need to monitor our user's web traffic while they are on roaming. While users need to connect GlobalProtect and Cisco Any connects simultaneously, some traffic should go via Cisco Any connects and rest of them via GlobalProtect. I tried split tunneling based on the domain but no luck. Is there any solution for this.

 

PAN-OS - 8.1.7

GlobalProtect- 5.0.2

Highlighted
L2 Linker

Hi,

 

Without mode information, it will be difficult to troubleshooting your problem, maybe a support ticket will be the best thing to do here.

However, just in case of, the split tunneling per domain requires a GP subscription license on the Firewall. May be the cause of your problem.

Highlighted

I have exactly the same problem. Panorama on 9.0.3 level, firewalls on 8.1.8H5. Information on included and excluded networks in split tunneling is visible on Panorama but not on firewalls. There is no relevant issue in commit warnings. 

Did you resolved that problem?

Tags (1)
Highlighted
L7 Applicator

@NavigantNetworkteam Hi,

 

Did you ever resolve this issue.

The only solution is to upgrade firewalls to 9.x version. No other way.

Tags (1)
Highlighted
L7 Applicator

@Miroslaw_Iwanowski 

 

Many thanks for your response.

Highlighted
L2 Linker

I have configured split tunneling on version 9.0.4 in order to offload Office365 from the tunnel. I have added 163 entries in excluded domains. That works fine so far. I don't understand the purpose of included domain list. I even notice that my vpn is not working when I add a list on PA-820. It is working on PA-3200. Which list has a precedence in case of conflicting entries? I can't find this documented on PA.

Tags (1)
Highlighted

One comment. For domain based split tunneling you need a global portal license. Do you have it on both devices?

Highlighted
L2 Linker

Sorry, my bad. The firewall type 820 was running 8.1.11. After upgrade to 9.0.5 it is all working good. No Global Protect license is needed for split-tunnel based on domain. I also notice that included domains are required for Office 365 to function properly. That because we use SSO and Microsoft is expecting to see logins coming from registered public addresses. For that I include domains from option 56 as on next Microsoft page:

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges

The rest I add to excluded list. In order to configure I use set cli like in next example:

 

excl:

set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs CONFIG_NAME split-tunneling exclude-domains list *.microsoft.com

 

incl:

set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs CONFIG_NAME split-tunneling include-domains list login.microsoft.com

 

From this lists is visible why included list is needed.

 

On the portal I use option not to use tunnel for all DNS queries. That way the clients use local ISP for resolving Microsoft addresses, in order to connect to the nearest pod. 

 

Let me know if you need complete list of Office 365. I had to tweak it in order to have less than 200 entries.

Highlighted
L0 Member

I am having the same issue but we are trying to exclude WebEx and Blackboard Collaborate and I cannot get this to work via domain names...the traffic just comes through the VPN.  

 

Any suggestions?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!