05-22-2019 12:50 AM - edited 05-22-2019 12:59 AM
Split tunneling based on the domain is not working. We need to monitor our user's web traffic while they are on roaming. While users need to connect GlobalProtect and Cisco Any connects simultaneously, some traffic should go via Cisco Any connects and rest of them via GlobalProtect. I tried split tunneling based on the domain but no luck. Is there any solution for this.
PAN-OS - 8.1.7
GlobalProtect- 5.0.2
03-25-2020 10:31 PM - edited 03-25-2020 10:32 PM
Hi MickBall
That is what I had and observed also, in the palo traffic logs i could see ms-teams app coming for VPN users. Before I found this forum I had also opened a ticket with support on this issue as wanted a way to confirm traffic for sure is being split or not. What they informed me applications sitting in user context is not supported at this time. I would prefer to use Process ID then IPs as IPs can change and keep config up to date without any automation and checking for changes
---- Here is what the TAC mentioned to me ----
"
The full path of the application to be included from the tunnel is currently only resolvable in PanGPS context for windows it is system service context.
While for Mac, it is root context in prelogon and user context after user logon.
Currently you have the following path
%USERPROFILE%\AppData\Local\Microsoft\Teams\current\Teams.exe
In order for PanGPS to resolve the path you will need to shift the path to a system service context as opposed to a user context as shown in the example below,
"%ProgramFiles(x86)%\Google\Chrome\Application\chrome.exe"
Other customer requested us to improve this path issue and submitted it as a feature request.
But it has not been implemented yet.
So we suggest to avoid this issue by routing.
Add routes to exclude from the VPN tunnel. These routes are sent through the physical adapter on endpoints rather than through the virtual adapter (the tunnel).
"
03-26-2020 01:09 AM
Hi Rajjair, Mickball,
I don't have Global Protect license, and therefor can't use split tunnel based on application/service.
As I mentioned in previous comment, version 9.0.x seems to support destination domain, even with no license.
We use MS Flow as described in next link, in order to get alerted on any changes of IP ranges or domains.
04-01-2020 03:42 AM
yes static routes are working well... do you know the cli for this...
I have started with "set network tunnel global-protect-gateway" I can add the gateway name but cannot see how to add the client config name.
the documentation sends me here set network tunnel global-protect-site-to-site <name> client split-tunneling access-route [ <access-route1>
but not working on 8.1.9
I am going to create a new post for this.
04-01-2020 03:49 AM
Hi,
Here is what I use for O365 (optimized option):
set global-protect global-protect-gateway GATEWAY-NAME remote-user-tunnel-configs CONFIG-NAME split-tunneling exclude-access-route [ 13.107.18.10/31 13.107.6.152/31 13.107.64.0/18 13.107.128.0/22 13.107.136.0/22 23.103.160.0/20 40.96.0.0/13 40.104.0.0/15 40.108.128.0/17 52.96.0.0/14 52.104.0.0/14 52.112.0.0/14 104.146.128.0/17 131.253.33.215/32 132.245.0.0/16 150.171.32.0/22 150.171.40.0/22 191.234.140.0/22 204.79.197.215/32 ]
04-01-2020 08:10 AM
Hey All
If the application process is located in the user profile directory and would like the ability to use that application for exclude and include then please have your SE vote for this feature request FR#11579
Currently GP client does not support the ability to white-list process id located in the user profile directory. Example application is Microsoft teams
Thanks
RJ
04-01-2020 10:58 AM
@goran.katava Yes that worked for me. Do you know the similar command for domain exclusion. Also when yo use the show gateway command it does not include domain exclusion.
thanks for your help.
04-01-2020 10:42 PM
You can use '?' in order to see available commands. When in set config mode try next :
set global-protect global-protect-gateway GATEWAY-NAME remote-user-tunnel-configs ?
Thus for domain exclusion it is:
set global-protect global-protect-gateway GATEWAY-NAME remote-user-tunnel-configs CONFIG-NAME split-tunneling exclude-domains list DOMAIN-ENTRY
04-02-2020 03:36 AM
Thanks again for your help, I was not in the configure mode when using "?" so I could not find the commands.
05-20-2020 01:52 AM
I have the same issue trying to split O365 traffic. I have two VM-300 in HA running 9.1.2 and any domain I put into the exclude list is ignored. I have to use Access Route exclusions for it to work, which is cumbersome.
If I add b-0004.b-msedge.net, or *.b-msedge.net as a domain exclusion, my system will connect via the VPN tunnel. IfI add its IP (13.107.6.156) to the Access Route exclusion, it work.
How Can I fix this?
05-20-2020 06:58 AM
Hi, it should be working. You do need license for that.
05-20-2020 03:52 PM
Yeah, I got the GP Gateway license, that's the strange thing. Might have to contact support.
08-18-2020 05:25 PM
Please refer the following document for determining the precedence order while using split-tunnel rules.
Regards,
Varun
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
