
@RLJFRY Yes, I do have a ticket open with Palo. According to the document you referenced, they are doing domain-based AND EXE-based. However, the example they provided wouldn't need the EXE excluded, so having it "work" using a %userprofile% in the path is a false sense of accomplishment. It would have been the domain that made it work.

@recross

Also, in my meeting with him today, what he explained is that when you do an application/EXE-based split tunnel, it only lets you reach out to the first destination that EXE requested. So, for example, outlook.exe requests access to outlook.office365.com, but the IP it really connects to for data is a CNAME for something like mdw-efz.ms-acdc.office.com, so you will not see outlook.exe doing a split tunnel. In this case you have to do it based upon domain and include both *.office.com and *.office365.com. Outlook only successfully split-tunneled for me when both domains were bypassed, and I didn't even use the EXE because it doesn't do any good. Therefore, I've never done a %variable%-based path, because the EXEs in those paths have to communicate with more than one destination anyway, and I wouldn't know if it worked or not because it wouldn't work 100% anyway.


Here's another good reference for split tunnel: https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-Optimizing-Office-365-Traffic/ta...
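As an added illustration of the point above (not code from the original post or from Palo Alto Networks), this Python audits a constructed dig-style CNAME chain against a split-tunnel exclude-domain list and reports which hop is not covered. The wildcard semantics (`*.` matching any subdomain but not the bare domain) are an assumption, not documented GlobalProtect behavior.

```python
# Constructed sample: dig-style answer section for the Outlook lookup described in the post.
# The CNAME target is the name from the post; the IP is a documentation-range placeholder.
DIG_ANSWER = """
outlook.office365.com.       300 IN CNAME mdw-efz.ms-acdc.office.com.
mdw-efz.ms-acdc.office.com.   30 IN A     203.0.113.10
"""

# Exclude lists to compare: the single domain many people start with, and the pair that worked.
ONLY_O365 = ["*.office365.com"]
BOTH_DOMAINS = ["*.office.com", "*.office365.com"]


def names_in_chain(dig_answer):
    """Collect every DNS name a client touches while following the chain: each owner name plus
    each CNAME target, in order and without duplicates."""
    names = []
    for line in dig_answer.strip().splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue  # skip anything that is not an RR line
        owner, rtype, rdata = parts[0].rstrip("."), parts[3], parts[4].rstrip(".")
        for name in ([owner, rdata] if rtype == "CNAME" else [owner]):
            if name not in names:
                names.append(name)
    return names


def matches_exclusion(name, patterns):
    """Return the first exclude pattern covering name, or None.
    Assumption: '*.example.com' covers any subdomain of example.com but not example.com itself."""
    name = name.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            suffix = pat[1:]  # '*.office.com' -> '.office.com'
            if name.endswith(suffix) and len(name) > len(suffix):
                return pat
        elif name == pat:
            return pat
    return None


def audit_chain(chain, patterns):
    """Pair every hop with the pattern that covers it (None = not excluded)."""
    return [(n, matches_exclusion(n, patterns)) for n in chain]


def chain_fully_excluded(chain, patterns):
    """The flow only bypasses the tunnel if every name in the chain is covered."""
    return all(m is not None for _, m in audit_chain(chain, patterns))
```

Uncovered hops show up as `None` in `audit_chain`, which is the quickest way to see why an exclude list that only names the first domain does not split-tunnel the real data connection.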
