Hi everyone and welcome back to PANCast. Today, we are going to talk about split tunneling for GlobalProtect. We’ll look at what it is, why you would want to use it, and discuss some details on how it is configured.
This is a GlobalProtect feature, so it covers both on-prem firewalls as well as Prisma Access, which is our cloud-based SASE solution.
So, what is split tunneling? If you are using GlobalProtect, then you are securing your users by making sure they connect to either a GlobalProtect gateway or Prisma Access. We would normally want all of the users' traffic to use the VPN tunnel so you can control, inspect and monitor it. However, there can be reasons you may want some of the traffic to go direct. Having some of this traffic bypass the VPN and go direct is called split tunneling.
Before we get into some common uses, let’s remember that the reason you are using GlobalProtect is for security. By configuring split tunneling, you are bypassing Palo Alto Networks security processing for that traffic, so you really need to make sure this is acceptable for your environment. You will also need to understand any risks in the traffic you are bypassing from the VPN. Finally, don’t forget to test to confirm that what you have configured is working as expected.
Let’s start by looking at reasons you would want to use split tunneling. We’ll talk about some of the more common reasons but remember the functionality is there to give you more control. This is a feature to give you greater flexibility with your GlobalProtect VPN deployment.
So, what are some of the more common examples? Let’s start with video traffic. We know video traffic can be very bandwidth intensive. In the current working climate, where you may have a lot of your users working from home, having this video traffic go via your GlobalProtect gateway or Prisma Access can cause additional load. This additional load could potentially affect other users and other traffic. Splitting video traffic out from the tunnel removes that extra load from the firewalls or from the Prisma Access security processing nodes.
Some vendors—for example, Microsoft—currently recommend that some of their hosted applications do not go over VPN and are split tunneled, for example things like SharePoint and Microsoft Teams. This still comes back to your requirements and your individual security posture, but you can see there are valid reasons why you would want to use split tunneling.
The final common reason is somewhat related to the previous two. Due to the nature of VPN, there is inherently an increase in latency. Remember that a VPN is there to secure your users, so there will be some overhead in doing this. This includes things like encrypting and decrypting the traffic and the actual layer 7 inspection. You may have some latency-sensitive applications that do not perform as well when the traffic goes over the VPN, so this is another scenario where split tunneling can be used.
These are just a few of the more common examples of why you would want to use split tunneling. Now we will look at the options to configure it.
Historically split tunneling was configured using routes. We used routes so that specific traffic could either be forced through the tunnel or direct. This can be quite limiting for services such as Office 365 where not only could there be a large number of routes but they also may change over time. Fortunately, we now have different ways of configuring split tunneling and the one you choose will depend on your requirements.
So route-based split tunneling is still available, and if this is all that is required and will cover your needs then it is easy enough to configure. You just specify the routes to exclude and, when GlobalProtect is connected, any traffic to an excluded network will bypass the VPN. Now I should also mention that in this example I have said it is routes we want to exclude. When you configure split tunneling you can specify routes either to exclude or to include. A common scenario is that you just route everything through the VPN and then exclude specific routes as required. Having both include and exclude does give you greater flexibility, though.
So, aside from the standard route-based split tunneling, the other options for split tunneling are based on the destination domain, the client process, and the video traffic application.
Just like route-based, for domain and client process you can configure either include or exclude.
Destination domain-based split tunneling is pretty straightforward and one of the more common types we see. You specify the domains you want to include or exclude and, using DNS monitoring, the client works out whether the traffic should go via the VPN or direct. The key thing to be aware of here is that GlobalProtect is monitoring DNS to work out which IPs to split tunnel.
As we are talking about DNS, there is also another option you can configure when using domain-based split tunneling called split DNS. Generally, all DNS traffic goes via the tunnel when connected. With this option, you can specify whether the actual DNS queries use the VPN tunnel or go direct.
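As an added illustration (not GlobalProtect code; the exclude list, the DNS answers and the wildcard matching are constructed assumptions) of why the domain-based option depends on the client actually seeing the DNS answer:

```python
"""Toy model of destination-domain split tunneling driven by DNS monitoring.

Hypothetical illustration, not GlobalProtect code: the client watches DNS
answers, tags each returned IP as 'direct' or 'tunnel' from the domain policy,
and any destination it never saw resolved falls back to the full tunnel.
"""
from fnmatch import fnmatchcase

# Constructed exclude list (wildcard semantics are an assumption of this toy).
EXCLUDE_DOMAINS = ["*.sharepoint.com", "teams.microsoft.com"]

# Constructed DNS answers observed while the tunnel was up: (name, answer IP).
OBSERVED_DNS = [
    ("contoso.sharepoint.com", "203.0.113.10"),
    ("teams.microsoft.com", "198.51.100.20"),
    ("www.example.net", "192.0.2.50"),
]


def domain_excluded(name: str, patterns=EXCLUDE_DOMAINS) -> bool:
    """True if the DNS name matches an exclude pattern (case-insensitive)."""
    name = name.lower().rstrip(".")
    return any(fnmatchcase(name, p.lower()) for p in patterns)


def learn_from_dns(observed=OBSERVED_DNS, patterns=EXCLUDE_DOMAINS) -> dict:
    """Build the IP -> path table the way a DNS-monitoring client would."""
    table = {}
    for name, ip in observed:
        table[ip] = "direct" if domain_excluded(name, patterns) else "tunnel"
    return table


def path_for(dst_ip: str, table: dict) -> str:
    """Direct only if this IP was learned from an excluded name; else tunnel."""
    return table.get(dst_ip, "tunnel")


if __name__ == "__main__":
    table = learn_from_dns()
    # 203.0.113.99 sits next to the SharePoint answer but was never resolved
    # through monitored DNS, so the toy client keeps it in the tunnel.
    for ip in ["203.0.113.10", "198.51.100.20", "192.0.2.50", "203.0.113.99"]:
        print(ip, "->", path_for(ip, table))
```

The practical consequence is that a destination reached by hard-coded IP, or resolved before the client started monitoring, will not match a domain rule, which is the case for route-based or client-process split tunneling instead.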
So for both route-based and domain-based there is still a reliance on knowing you have everything covered, as both IP ranges and domains can change. While this will cover your browser-based needs, if we are talking about a specific application then you can also use client process. The benefit here is that all traffic from the client process will either be included or excluded.
So let’s say your users make use of Zoom quite regularly and it is generating a lot of video and screen-share traffic. You have reviewed the application traffic and decided to bypass it from the VPN. Rather than find the IP ranges or domains that Zoom uses, you can add an exclude policy for the Zoom client process. This means any traffic from the actual process on the workstation is bypassed, regardless of the end destination.
And finally, as we mentioned earlier, we know video traffic can be quite bandwidth intensive. For this you can exclude certain video traffic based on App-ID, for example YouTube. When using this method, you do not have to worry about finding and updating IP ranges or domains. You can exclude the traffic based just on the video application.
One last thing to note is that, with these different options, there can be situations where there is a conflict. For example, you may be using an application that is excluded from the tunnel, yet the destination domain the application is trying to connect to is included. In these situations there is an order of processing that determines which action is taken. I won’t go through the details, but just so you know it exists, and if required you can find the details in our admin guides.
So as you can see, when we talk about split tunneling there is quite a bit involved. We do have a number of options on how to configure it to cover different scenarios and also different customer needs. The key points here are understanding the different options, deciding if and which traffic should bypass the VPN and, finally, as with most things, testing it after you have configured it to ensure what you expect is what is actually happening.
And that’s it for today’s episode! Hopefully you now know the different options for GlobalProtect split tunneling and also when you would choose to use them. For more detailed information and configuration guides, along with the transcript of this episode, remember to head to live.paloaltonetworks.com and search for PANCast.
Check out the full YouTube playlist: PANCast: Insights for Your Cybersecurity Journey.