05-22-2019 12:50 AM - edited 05-22-2019 12:59 AM
Split tunneling based on the domain is not working. We need to monitor our user's web traffic while they are on roaming. While users need to connect GlobalProtect and Cisco Any connects simultaneously, some traffic should go via Cisco Any connects and rest of them via GlobalProtect. I tried split tunneling based on the domain but no luck. Is there any solution for this.
PAN-OS - 8.1.7
GlobalProtect- 5.0.2
06-04-2019 05:52 AM
Hi,
Without mode information, it will be difficult to troubleshooting your problem, maybe a support ticket will be the best thing to do here.
However, just in case of, the split tunneling per domain requires a GP subscription license on the Firewall. May be the cause of your problem.
08-21-2019 01:15 PM
I have exactly the same problem. Panorama on 9.0.3 level, firewalls on 8.1.8H5. Information on included and excluded networks in split tunneling is visible on Panorama but not on firewalls. There is no relevant issue in commit warnings.
Did you resolved that problem?
03-17-2020 02:05 PM
I have configured split tunneling on version 9.0.4 in order to offload Office365 from the tunnel. I have added 163 entries in excluded domains. That works fine so far. I don't understand the purpose of included domain list. I even notice that my vpn is not working when I add a list on PA-820. It is working on PA-3200. Which list has a precedence in case of conflicting entries? I can't find this documented on PA.
03-17-2020 02:07 PM
One comment. For domain based split tunneling you need a global portal license. Do you have it on both devices?
03-18-2020 02:18 AM - edited 03-18-2020 02:26 AM
Sorry, my bad. The firewall type 820 was running 8.1.11. After upgrade to 9.0.5 it is all working good. No Global Protect license is needed for split-tunnel based on domain. I also notice that included domains are required for Office 365 to function properly. That because we use SSO and Microsoft is expecting to see logins coming from registered public addresses. For that I include domains from option 56 as on next Microsoft page:
https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
The rest I add to excluded list. In order to configure I use set cli like in next example:
excl:
set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs CONFIG_NAME split-tunneling exclude-domains list *.microsoft.com
incl:
set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs CONFIG_NAME split-tunneling include-domains list login.microsoft.com
From this lists is visible why included list is needed.
On the portal I use option not to use tunnel for all DNS queries. That way the clients use local ISP for resolving Microsoft addresses, in order to connect to the nearest pod.
Let me know if you need complete list of Office 365. I had to tweak it in order to have less than 200 entries.
03-18-2020 09:37 AM
I am having the same issue but we are trying to exclude WebEx and Blackboard Collaborate and I cannot get this to work via domain names...the traffic just comes through the VPN.
Any suggestions?
03-19-2020 01:33 AM
@goran.katava , Hi
i would like to see your cut down list as may be the way to go but I found this link and it suggests only a few for optimization.
I dont thing 365 will work if we shutdown the VPN tunnel with such a few url's but it does seem to keep the bulk of office traffic local.
03-25-2020 08:25 AM
Hi Goran
Are you able to share you configuration.. we are trying to split the o365 traffic want to ensure we are configuring it correctly. Teams traffic for us is still going through the tunnel..
Did you do any split tunnel using process or all domains
RJ
03-25-2020 11:03 AM
Hi RJ,
I followed advice from @Mick_Ball, and realized that 'optimized' should be enough for split-tunnel on Global Protect.
Search for category 'optimize' on next :
It takes 4 domains and about 20 subnets.
set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs test-Office365-offloading split-tunneling exclude-access-route [ 13.107.18.10/31 13.107.6.152/31
13.107.64.0/18 13.107.128.0/22 13.107.136.0/22 23.103.160.0/20 40.96.0.0/13 40.104.0.0/15 40.108.128.0/17 52.96.0.0/14 52.104.0.0/14 52.112.0.0/14 104.146.128.0/17 131.253.33.215/32 132.245.0.0/16 150.171.32.0/22 150.171.40.0/22 191.234.140.0/22 204.79.197.215/32 ]
set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs test-Office365-offloading split-tunneling exclude-domains list outlook.office.com
set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs test-Office365-offloading split-tunneling exclude-domains list outlook.office365.com
set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs test-Office365-offloading split-tunneling exclude-domains list company-name.sharepoint.com
set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs test-Office365-offloading split-tunneling exclude-domains list company-name-my.sharepoint.com
03-25-2020 11:25 AM
Thanks for that.. I am curious have you tried doing split tunnel based on process name
exclude-applications [ "%PROGRAMFILES(X86)%\VMware\VMware Horizon View Client\vmware-view.exe" "%PROGRAMFILES(X86)%\VMware\VMware Horizon View Client\x64\vmware-remotemks.exe" "%PROGRAMFILES%\Microsoft Office\root\Office16\OUTLOOK.EXE" %LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe];
Raj
03-25-2020 12:32 PM
@rajjair , yes we use %LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe as an exception but some teams traffic is still sent via the tunnel
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
