Split Tunneling Included Sites next hop

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Split Tunneling Included Sites next hop

L1 Bithead

I figured I would start here since this seems like an easy fix. We are working to include certains IPs/domains/apps etc in the tunnel. Currently the only traffic that is routed through the tunnel is internal networks, which operates fine, all other traffic goes out through their own gateway. When we try to include a domain like ipchicken.com, I cannot pull up the website. The logs show it is set to allow based on one of our outbound vpn rules. On that log, the destination zone/interface is correct. I am able to successfully ping ipchicken.com no problem.

1 accepted solution

Accepted Solutions

L3 Networker

So you included ipchicken.com as an Include Domain?

 

In that case the reason that ping works is because GlobalProtect can't intercept ping traffic for Domain Split Tunnelling, only TCP or UDP (and there are some limitations with UDP on Windows).

 

 

If the traffic is allowed and you're seeing it allowed, I would check these things:

 

1) Do you see packets sent + packets received in the traffic log entry? You have to add these as extra columns or open the detailed log view of that log entry (the magnifying glass on the left side of the log entry).

2) While you're there, also check what it says the NAT IP's are. Since you've never routed the GlobalProtect pools/zone to the outside before, you might be missing a NAT rule.

3) Might also be missing return routes to the GP subnets on the next hop, if your outside line isn't directly connected to the firewall.

Sr. Technical Support Engineer, Strata

View solution in original post

3 REPLIES 3

L2 Linker

I might be missing something from what I read, but can you explain this a bit further?

From what I gathered, only internal networks are using your VPN tunnel, so all other traffic (i.e. ipchicken.com) is using the local/native network interface of those machines. Presuming that the people using VPN are not plugged into your local network, and that they are using their own ISP, internet cafe, etc... What logs are you seeing?

L3 Networker

So you included ipchicken.com as an Include Domain?

 

In that case the reason that ping works is because GlobalProtect can't intercept ping traffic for Domain Split Tunnelling, only TCP or UDP (and there are some limitations with UDP on Windows).

 

 

If the traffic is allowed and you're seeing it allowed, I would check these things:

 

1) Do you see packets sent + packets received in the traffic log entry? You have to add these as extra columns or open the detailed log view of that log entry (the magnifying glass on the left side of the log entry).

2) While you're there, also check what it says the NAT IP's are. Since you've never routed the GlobalProtect pools/zone to the outside before, you might be missing a NAT rule.

3) Might also be missing return routes to the GP subnets on the next hop, if your outside line isn't directly connected to the firewall.

Sr. Technical Support Engineer, Strata

Looks like this was an issue where we didnt have a NAT rule for the client vpn zone. Once I made a client vpn to outside nat that seemed to fix the issue.

  • 1 accepted solution
  • 1720 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!