Split tunneling based on the domain is not working.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Split tunneling based on the domain is not working.

Split tunneling based on the domain is not working. We need to monitor our user's web traffic while they are on roaming. While users need to connect GlobalProtect and Cisco Any connects simultaneously, some traffic should go via Cisco Any connects and rest of them via GlobalProtect. I tried split tunneling based on the domain but no luck. Is there any solution for this.

 

PAN-OS - 8.1.7

GlobalProtect- 5.0.2

26 REPLIES 26

Hi MickBall

 

That is what I had and observed also, in the palo traffic logs i could see ms-teams app coming for VPN users. Before I found this forum I had also opened a ticket with support on this issue as wanted a way to confirm traffic for sure is being split or not. What they informed me applications sitting in user context is not supported at this time. I would prefer to use Process ID then IPs as IPs can change and keep config up to date without any automation and checking for changes

 

 

---- Here is what the TAC mentioned to me ----

"

The full path of the application to be included from the tunnel is currently only resolvable in PanGPS context for windows it is system service context.
While for Mac, it is root context in prelogon and user context after user logon.

Currently you have the following path
%USERPROFILE%\AppData\Local\Microsoft\Teams\current\Teams.exe

In order for PanGPS to resolve the path you will need to shift the path to a system service context as opposed to a user context as shown in the example below,
"%ProgramFiles(x86)%\Google\Chrome\Application\chrome.exe"


Other customer requested us to improve this path issue and submitted it as a feature request.
But it has not been implemented yet.
So we suggest to avoid this issue by routing.
Add routes to exclude from the VPN tunnel. These routes are sent through the physical adapter on endpoints rather than through the virtual adapter (the tunnel).

 

"

Hi Rajjair, Mickball,

 

I don't have Global Protect license, and therefor can't use split tunnel based on application/service. 

As I mentioned in previous comment, version 9.0.x seems to support destination domain, even with no license. 

 

We use MS Flow as described in next link, in order to get alerted on any changes of IP ranges or domains.

 

https://techcommunity.microsoft.com/t5/office-365-networking/use-microsoft-flow-to-receive-an-email-...

 

 

 

 

yes static routes are working well...   do you know the cli for this...

 

I have started with "set network tunnel global-protect-gateway"  I can add the gateway name but cannot see how to add the client config name.

 

the documentation sends me here set network tunnel global-protect-site-to-site <name> client split-tunneling access-route [ <access-route1>

 

but not working on 8.1.9

 

I am going to create a new post for this.

Hi,

 

Here is what I use for O365 (optimized option):

 

set global-protect global-protect-gateway GATEWAY-NAME remote-user-tunnel-configs CONFIG-NAME split-tunneling exclude-access-route [ 13.107.18.10/31 13.107.6.152/31 13.107.64.0/18 13.107.128.0/22 13.107.136.0/22 23.103.160.0/20 40.96.0.0/13 40.104.0.0/15 40.108.128.0/17 52.96.0.0/14 52.104.0.0/14 52.112.0.0/14 104.146.128.0/17 131.253.33.215/32 132.245.0.0/16 150.171.32.0/22 150.171.40.0/22 191.234.140.0/22 204.79.197.215/32 ]

L2 Linker

Hey All

 

If the application process is located in the user profile directory and would like the ability to use that application for exclude and include then please have your SE vote for this feature request  FR#11579

 

Currently GP client does not support the ability to white-list process id located in the user profile directory. Example application is Microsoft teams

 

Thanks

RJ

@goran.katava  Yes that worked for me. Do you know the similar command for domain exclusion. Also when yo use the show gateway command it does not include domain exclusion.

 

thanks for your help.

@Mick_Ball 

 

You can use '?' in order to see available commands. When in set config mode try next :

 

set global-protect global-protect-gateway GATEWAY-NAME remote-user-tunnel-configs ?

 

Thus for domain exclusion it is:

 

set global-protect global-protect-gateway GATEWAY-NAME remote-user-tunnel-configs CONFIG-NAME split-tunneling exclude-domains list DOMAIN-ENTRY

@goran.katava 

Thanks again for your help, I was not in the configure mode when using "?" so I could not find the commands.

 

 

L1 Bithead

I have the same issue trying to split O365 traffic. I have two VM-300 in HA running 9.1.2 and any domain I put into the exclude list is ignored.  I have to use Access Route exclusions for it to work, which is cumbersome.

 

If I add b-0004.b-msedge.net, or *.b-msedge.net as a domain exclusion, my system will connect via the VPN tunnel. IfI add its IP (13.107.6.156) to the Access Route exclusion, it work.

 

How Can I fix this?

 

 

Hi, it should be working. You do need license for that.

 

 

 

Yeah, I got the GP Gateway license, that's the strange thing. Might have to contact support.

L4 Transporter

@NavigantNetworkteam 

Please refer the following document for determining the precedence order while using split-tunnel rules.

 

https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-gateways/spli...

 

Regards,

Varun

  • 24975 Views
  • 26 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!