Split tunneling based on the domain is not working.
cancel
Showing results for 
Search instead for 
Did you mean: 

Split tunneling based on the domain is not working.

Split tunneling based on the domain is not working. We need to monitor our user's web traffic while they are on roaming. While users need to connect GlobalProtect and Cisco Any connects simultaneously, some traffic should go via Cisco Any connects and rest of them via GlobalProtect. I tried split tunneling based on the domain but no luck. Is there any solution for this.

 

PAN-OS - 8.1.7

GlobalProtect- 5.0.2

26 REPLIES 26

@goran.katava , Hi

 

i would like to see your cut down list as may be the way to go but I found this link and it suggests only a few for optimization.

 

I dont thing 365 will work if we shutdown the VPN tunnel with such a few url's but it does seem to keep the bulk of office traffic local.

 

https://techcommunity.microsoft.com/t5/office-365-blog/how-to-quickly-optimize-office-365-traffic-fo...

Hi Goran

 

Are you able to share you configuration.. we are trying to split the o365 traffic want to ensure we are configuring it correctly. Teams traffic for us is still going through the tunnel.. 

 

Did you do any split tunnel using process or all domains

 

RJ

Hi RJ,

 

I followed advice from @MickBall, and realized that 'optimized' should be enough for split-tunnel on Global Protect. 

Search for category 'optimize' on next :

https://endpoints.office.com/endpoints/worldwide?clientrequestid=b10c5ed1-bad1-445f-b386-b919946339a...

 

It takes 4 domains and about 20 subnets.

 

set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs test-Office365-offloading split-tunneling exclude-access-route [ 13.107.18.10/31 13.107.6.152/31
13.107.64.0/18 13.107.128.0/22 13.107.136.0/22 23.103.160.0/20 40.96.0.0/13 40.104.0.0/15 40.108.128.0/17 52.96.0.0/14 52.104.0.0/14 52.112.0.0/14 104.146.128.0/17 131.253.33.215/32 132.245.0.0/16 150.171.32.0/22 150.171.40.0/22 191.234.140.0/22 204.79.197.215/32 ]

set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs test-Office365-offloading split-tunneling exclude-domains list outlook.office.com
set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs test-Office365-offloading split-tunneling exclude-domains list outlook.office365.com
set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs test-Office365-offloading split-tunneling exclude-domains list company-name.sharepoint.com
set global-protect global-protect-gateway GATEWAY_NAME remote-user-tunnel-configs test-Office365-offloading split-tunneling exclude-domains list company-name-my.sharepoint.com

 

 

Thanks for that.. I am curious have you tried doing split tunnel based on process name

 

exclude-applications [ "%PROGRAMFILES(X86)%\VMware\VMware Horizon View Client\vmware-view.exe" "%PROGRAMFILES(X86)%\VMware\VMware Horizon View Client\x64\vmware-remotemks.exe" "%PROGRAMFILES%\Microsoft Office\root\Office16\OUTLOOK.EXE" %LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe];

 

Raj

@rajjair , yes we use %LOCALAPPDATA%\Microsoft\Teams\current\Teams.exe as an exception but some teams traffic is still sent via the tunnel

Hi MickBall

 

That is what I had and observed also, in the palo traffic logs i could see ms-teams app coming for VPN users. Before I found this forum I had also opened a ticket with support on this issue as wanted a way to confirm traffic for sure is being split or not. What they informed me applications sitting in user context is not supported at this time. I would prefer to use Process ID then IPs as IPs can change and keep config up to date without any automation and checking for changes

 

 

---- Here is what the TAC mentioned to me ----

"

The full path of the application to be included from the tunnel is currently only resolvable in PanGPS context for windows it is system service context.
While for Mac, it is root context in prelogon and user context after user logon.

Currently you have the following path
%USERPROFILE%\AppData\Local\Microsoft\Teams\current\Teams.exe

In order for PanGPS to resolve the path you will need to shift the path to a system service context as opposed to a user context as shown in the example below,
"%ProgramFiles(x86)%\Google\Chrome\Application\chrome.exe"


Other customer requested us to improve this path issue and submitted it as a feature request.
But it has not been implemented yet.
So we suggest to avoid this issue by routing.
Add routes to exclude from the VPN tunnel. These routes are sent through the physical adapter on endpoints rather than through the virtual adapter (the tunnel).

 

"

Hi Rajjair, Mickball,

 

I don't have Global Protect license, and therefor can't use split tunnel based on application/service. 

As I mentioned in previous comment, version 9.0.x seems to support destination domain, even with no license. 

 

We use MS Flow as described in next link, in order to get alerted on any changes of IP ranges or domains.

 

https://techcommunity.microsoft.com/t5/office-365-networking/use-microsoft-flow-to-receive-an-email-...

 

 

 

 

yes static routes are working well...   do you know the cli for this...

 

I have started with "set network tunnel global-protect-gateway"  I can add the gateway name but cannot see how to add the client config name.

 

the documentation sends me here set network tunnel global-protect-site-to-site <name> client split-tunneling access-route [ <access-route1>

 

but not working on 8.1.9

 

I am going to create a new post for this.

Hi,

 

Here is what I use for O365 (optimized option):

 

set global-protect global-protect-gateway GATEWAY-NAME remote-user-tunnel-configs CONFIG-NAME split-tunneling exclude-access-route [ 13.107.18.10/31 13.107.6.152/31 13.107.64.0/18 13.107.128.0/22 13.107.136.0/22 23.103.160.0/20 40.96.0.0/13 40.104.0.0/15 40.108.128.0/17 52.96.0.0/14 52.104.0.0/14 52.112.0.0/14 104.146.128.0/17 131.253.33.215/32 132.245.0.0/16 150.171.32.0/22 150.171.40.0/22 191.234.140.0/22 204.79.197.215/32 ]

L1 Bithead

Hey All

 

If the application process is located in the user profile directory and would like the ability to use that application for exclude and include then please have your SE vote for this feature request  FR#11579

 

Currently GP client does not support the ability to white-list process id located in the user profile directory. Example application is Microsoft teams

 

Thanks

RJ

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!