GlobalProtect: Optimizing Office 365 Traffic via VPN Split Tunnel Exclude Access Route

 

Background:

Due to the COVID-19 pandemic, enterprises require their employees and contractors to work remotely. Customers can deploy GlobalProtect with on-premise firewall to securely enable remote work from home, including access to their corporate Microsoft Office 365 applications.

 

Microsoft has made two recommendations to customers using Office 365 applications to optimize the user experience during the COVID-19 pandemic:

  1. Split tunnel Office 365 applications instead of routing them over a VPN tunnel
  2. Split tunnel Office 365 applications using specific optimized Microsoft provided IP address ranges instead of split tunneling using FQDNs

 

NOTE: Split-tunnel traffic is not inspected by the next-generation firewall and, therefore, does not receive the threat protection offered by Palo Alto Networks. Customers are therefore advised to review carefully before enabling this feature and to decide whether split tunneling Office 365 traffic meets the needs of their environment.

 

This document provides guidance to Palo Alto Networks customers on how these Microsoft recommendations for Office 365 access can be implemented using the GlobalProtect app together with Palo Alto Networks next-generation firewalls.

 

Objective:

The objective of this document is to provide guidance to customers for optimizing their Office 365 user traffic.

 

While the Palo Alto Networks next-generation firewall supports multiple split tunneling options (Access Route, Domain and Application, and dynamic split tunneling of video traffic), this document focuses specifically on implementing split tunnel exclude using the Access Route feature, based on Microsoft's recommendations, for the following Office 365 applications:

  • Skype for Business Online and Microsoft Teams
  • SharePoint Online and OneDrive for Business
  • Exchange Online

 

This helps enterprises with business continuity: if the enterprise network infrastructure is overwhelmed by the increased traffic load during COVID-19, customers can choose to split tunnel the high-bandwidth Office 365 apps.

  • For best performance and most efficient use of VPN capacity, traffic to these dedicated IP address ranges associated with Office 365 Exchange Online, SharePoint Online, and Microsoft Teams (referred to as Optimize category in Microsoft documentation) should be routed directly outside of the VPN tunnel. Please refer to Microsoft guidance for more detailed information about this recommendation.

 

Prerequisite:

  • Palo Alto Networks Next-Generation Firewall and GlobalProtect App with:
    • PAN-OS 8.1 or above. To use Address Group, PAN-OS 9.0 or above
    • Recommended GlobalProtect App 5.0.x or above releases

 

Platform Supported:

  • Windows, Windows UWP, Mac, iOS, and Linux
    • Both IPv4 and IPv6
  • GlobalProtect and Operating System Compatibility matrix can be found here: Where Can I Install the GlobalProtect App?
  • NOTE: The split tunnel exclude access route feature is not supported by the GlobalProtect app on the following platforms due to operating system framework limitations:
    • Android

 

Split Tunnel Exclude Access Route:

  • GlobalProtect supports the split tunnel exclude access route feature. It can be configured to send traffic for specified subnets outside the VPN tunnel rather than tunneling all traffic over the VPN.
  • Excluding the subnets of certain high-volume, latency-sensitive applications from the GlobalProtect VPN tunnel via the split tunnel exclude access route feature can improve the user experience during periods of heavy work-from-home (WFH) usage, particularly during the COVID-19 pandemic.
  • Split tunnel exclude currently supports up to 200 exclude access routes, IPv4 and IPv6 routes combined. Currently, the Office 365 Optimize category (the one recommended for split tunnel configuration) contains 20 IPv4 ranges and 30 IPv6 ranges.

 

Configuration:

    1. Start by identifying which of the following applications are used in your enterprise and which of them you would like to exclude from your GlobalProtect VPN tunnel:
      1. Skype for Business Online and Microsoft Teams
      2. SharePoint Online and OneDrive for Business
      3. Exchange Online

    2. Next, find the respective subnets/IP addresses for the specific application. Microsoft applications have three categories of endpoints:
      1. Optimize
      2. Allow
      3. Default
      Details on the category taxonomy and Microsoft's general guidance on the treatment of Office 365 traffic are provided at http://aka.ms/pnc#new-office-365-endpoint-categories. Per the specific guidance Microsoft provides on optimizing Office 365 traffic via VPN split tunnel exclude routes (direct egress), the “Optimize” endpoints are the highest volume and most latency sensitive; hence, the focus should be on excluding the “Optimize” endpoints from the VPN tunnel.
    3. The list of “Optimize” endpoints and their subnets/IP addresses for a specific Office 365 application can be found via the following two methods:
      1. These subnets are listed at http://aka.ms/o365ip [look for the corresponding rows marked as Optimize category]
      2. Another way to find the subnets/IP addresses is via a query to a REST interface. This is a three-step process:
        1. Send an HTTPS request to the RESTful web service:
          PS C:\> $ep = Invoke-RestMethod("https://endpoints.office.com/endpoints/worldwide?clientrequestid=" + ([GUID]::NewGuid()).Guid )
        2. Filter the “Optimize” category IP addresses:
          PS C:\> $ep|?{$_.category -eq "Optimize"}|select-object category, serviceAreaDisplayName, ips, urls |ForEach-Object {$ips += $_.ips; $urls += $_.urls}

        3. Finally, grab the unique IP prefixes and URLs from the result of step 2:
        PS C:\> $ips |Sort-Object -Unique
        104.146.128.0/17	   2603:1096:a00::/39		   40.108.128.0/17	
        13.107.128.0/22		   2603:1096:c00::/40		   40.96.0.0/13
        13.107.136.0/22		   2603:10a6:200::/40		   52.104.0.0/14
        13.107.18.10/31		   2603:10a6:400::/40		   52.112.0.0/14
        13.107.6.152/31		   2603:10a6:600::/40		   52.120.0.0/14
        13.107.64.0/18		   2603:10a6:800::/40		   52.96.0.0/14
        131.253.33.215/32	   2603:10d6:200::/40
        132.245.0.0/16		   2620:1ec:4::152/128
        150.171.32.0/22		   2620:1ec:4::153/128
        150.171.40.0/22		   2620:1ec:8f0::/46
        191.234.140.0/22	   2620:1ec:8f8::/46
        204.79.197.215/32	   2620:1ec:900::/46
        23.103.160.0/20		   2620:1ec:908::/46
        2603:1006::/40		   2620:1ec:a92::152/128
        2603:1016::/36		   2620:1ec:a92::153/128
        2603:1026::/36		   2620:1ec:c::10/128
        2603:1036::/36		   2620:1ec:c::11/128
        2603:1046::/36		   2620:1ec:d::10/128
        2603:1056::/36		   2620:1ec:d::11/128
        2603:1096::/38		   2a01:111:f400::/48
        2603:1096:400::/40	   2a01:111:f402::/48
        2603:1096:600::/40	   40.104.0.0/15
        
        PS C:\> $urls
        Outlook.office.com
        Outlook.office365.com
        *.sharepoint.com

        NOTE:
        To configure the split tunnel for Office 365 using exclude routes, you will only need the IP addresses from the above output. URLs/FQDNs are not used in the recommended split tunnel configuration, but may be useful for clients who need to configure proxy exclusions or .pac file customizations in addition to the VPN split tunnel setup.
        [Screenshot: PowerShell showing the REST API commands]

    4. Per the information provided by the Microsoft team, the current intent is to hold these subnets/IP addresses static for the next few months in order to allow for quick customer deployments related to the COVID-19 situation. In the long term, customers will need to either build automation to keep this configuration up to date, or follow the suggestions and subscribe to update notifications at: https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service#update-notifications

    5. Considering that excluding any one application requires excluding multiple subnets, it is better to use Addresses and Address Groups to define and manage the subnets.

    6. To configure an Address on Panorama, navigate to: Object > Address > Add
      [Screenshot: Panorama Address Configuration Screen]

    7. We can add all the subnets, IPv4 and IPv6, associated with our specific applications.
      [Screenshot: Panorama Objects Tab - Mobile_User_Device_Group]

    8. Next, define the Address Group and add all the Addresses (or Address Groups) defined in the previous step to it, for example an 'Exchange Online' Address Group. To configure Address Groups on Panorama, navigate to: Object > Address Groups > Add
      [Screenshot: Panorama Address Group Screen]

    9. Review the Address Groups configuration.
      [Screenshot: Panorama Object Tab Address Groups]

    10. The final step is to apply the Address Group under Split Tunnel Exclude Access Route. To configure the Split Tunnel Exclude Access Route on Panorama, navigate to: Network > GlobalProtect > Gateway > Agent > Client Settings > Client-Config > Split Tunnel > Access Route > Add. Here, specify the Address Group defined earlier (Office 365 - Skype for Business and Teams).
      [Screenshot: Config > Split Tunnel > Access Route]

    11. Once configured, click ‘OK’ and ‘Commit and Push’ the configuration from Panorama. The configuration above is pushed to the GlobalProtect app once it connects to the gateway.

    12. The steps described so far can also be used to exclude subnets/IP addresses for more than one application. The following configuration summary screenshots show a split tunnel exclude access route configuration for several applications.
      1. Configure Address Groups
        [Screenshot: Panorama Address Group Configuration]

      2. Split Tunnel Exclude Access Route Configuration
        [Screenshot: Configs Split Tunnel Access Route]
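The PowerShell query above is run by hand; the automation step 4 mentions needs the same work done programmatically. The following Python script is an added example (not part of the article or Palo Alto Networks' tooling): it reads the endpoint JSON in the shape returned by endpoints.office.com (a constructed sample is embedded so it runs offline), keeps only the "Optimize" category, de-duplicates and splits the prefixes by IP version, enforces the 200-route limit from the article, and emits PAN-OS CLI set commands for the address objects and address group used in steps 6 to 10. The object and group names are constructed; adjust the `shared` location to your device group or template as needed.

```python
import ipaddress
import json

# Constructed sample shaped like the endpoints.office.com JSON the article queries
# (only the fields read here; the real feed carries many more entries and fields).
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize",
     "ips": ["13.107.6.152/31", "2620:1ec:4::152/128", "13.107.6.152/31"]},
    {"id": 11, "serviceArea": "Skype", "category": "Optimize",
     "ips": ["52.112.0.0/14", "52.120.0.0/14", "2603:1096::/38"]},
    {"id": 31, "serviceArea": "SharePoint", "category": "Optimize",
     "ips": ["13.107.136.0/22", "2620:1ec:8f8::/46"]},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow", "ips": ["40.92.0.0/15"]},
])
MAX_EXCLUDE_ROUTES = 200  # GlobalProtect exclude-route limit, IPv4 + IPv6 combined


def optimize_prefixes(endpoints_json, service_areas=None):
    """Return sorted, de-duplicated Optimize-category prefixes as (ipv4, ipv6) lists.
    service_areas optionally restricts to e.g. {"Skype"} or {"Exchange", "SharePoint"}."""
    v4, v6 = set(), set()
    for ep in json.loads(endpoints_json):
        if ep.get("category") != "Optimize":
            continue
        if service_areas and ep.get("serviceArea") not in service_areas:
            continue
        for prefix in ep.get("ips", []):
            net = ipaddress.ip_network(prefix, strict=False)
            (v4 if net.version == 4 else v6).add(net)
    return sorted(v4), sorted(v6)


def panos_set_commands(group_name, v4, v6):
    """Emit PAN-OS CLI set commands: one shared address object per prefix and one
    static address group collecting them, ready for the split tunnel exclude list.
    Object names are constructed here; PAN-OS object names cannot contain ':' or '/'."""
    nets = list(v4) + list(v6)
    if len(nets) > MAX_EXCLUDE_ROUTES:
        raise ValueError(f"{len(nets)} prefixes exceed the {MAX_EXCLUDE_ROUTES}-route limit")
    cmds, members = [], []
    for net in nets:
        obj = f"{group_name}-{str(net).replace(':', '-').replace('/', '_')}"
        cmds.append(f"set shared address {obj} ip-netmask {net}")
        members.append(obj)
    cmds.append(f"set shared address-group {group_name} static [ {' '.join(members)} ]")
    return cmds


if __name__ == "__main__":
    ipv4, ipv6 = optimize_prefixes(SAMPLE_ENDPOINTS, service_areas={"Skype"})
    print("\n".join(panos_set_commands("O365-Teams-Optimize", ipv4, ipv6)))
```

Against the live feed, replace SAMPLE_ENDPOINTS with the body of the HTTPS request shown in step 3 and re-run after each Microsoft update notification.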

 

Output & Verification:

  • You can verify the split tunnel exclude access route configuration received from the gateway in PanGPS.log file in GlobalProtect logs. More information on collecting GlobalProtect logs can be found in our Knowledge Base: How to Collect Logs from GlobalProtect Clients.


<exclude-access-routes>
       <member>52.112.0.0/14</member>
       <member>13.107.64.0/18</member>
       <member>52.120.0.0/14</member>
</exclude-access-routes>


  • We can use the ‘route print’ command on Windows to print the routing table and make sure that the routes for the excluded subnets go out via the physical interface. Similar commands can be used on other operating systems for verification.
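Reading PanGPS.log by eye works for three routes but not for the fifty prefixes of the full Optimize list. The Python script below is an added example (not part of the article or of GlobalProtect): it pulls the `<exclude-access-routes>` block out of the log text, compares it with the prefixes you intended to push, and reports missing and unexpected routes, the IPv4/IPv6 counts, and whether the combined total fits the 200-route limit. The log excerpt is constructed; only the `<exclude-access-routes>` block follows the form shown above, the surrounding debug lines are made up.

```python
import ipaddress
import re

# Constructed PanGPS.log excerpt: the <exclude-access-routes> block is in the form
# the article shows; the surrounding debug lines are made up for context.
SAMPLE_PANGPS_LOG = """\
(T1234) 04/01/20 10:15:02:123 Debug(  42): gateway client config received
<exclude-access-routes>
       <member>52.112.0.0/14</member>
       <member>13.107.64.0/18</member>
       <member>52.120.0.0/14</member>
</exclude-access-routes>
(T1234) 04/01/20 10:15:02:456 Debug(  43): applying routes
"""
MAX_EXCLUDE_ROUTES = 200  # IPv4 + IPv6 combined, per the article


def pushed_exclude_routes(log_text):
    """Return the exclude routes the gateway pushed, parsed as ip_network objects."""
    block = re.search(r"<exclude-access-routes>(.*?)</exclude-access-routes>", log_text, re.S)
    if block is None:
        return set()
    members = re.findall(r"<member>\s*([^<\s]+)\s*</member>", block.group(1))
    return {ipaddress.ip_network(m, strict=False) for m in members}


def compare_routes(expected_prefixes, log_text):
    """Diff the pushed routes against the intended Optimize prefixes and report
    counts per IP version plus whether the combined total fits the route limit."""
    expected = {ipaddress.ip_network(p, strict=False) for p in expected_prefixes}
    pushed = pushed_exclude_routes(log_text)
    return {
        "missing": sorted(str(n) for n in expected - pushed),
        "unexpected": sorted(str(n) for n in pushed - expected),
        "ipv4": sum(1 for n in pushed if n.version == 4),
        "ipv6": sum(1 for n in pushed if n.version == 6),
        "within_limit": len(pushed) <= MAX_EXCLUDE_ROUTES,
    }


if __name__ == "__main__":
    intended = ["52.112.0.0/14", "52.120.0.0/14", "13.107.64.0/18", "2603:1096::/38"]
    print(compare_routes(intended, SAMPLE_PANGPS_LOG))
```

Any entry under "missing" means the gateway did not push that route (for Panorama-managed devices, see the address-group push caveat discussed in the comments below); an entry under "unexpected" is a route you did not intend to exclude from inspection.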

 

Comments
Community Team Member

@markmill 
As per the Prerequisites section, in order to use Address Group you need to be on PAN-OS 9.0 or above.

L0 Member

Just to confirm, I take it that the "No direct access to local network" is not an option in this scenario. I have a requirement to prevent the local network from being accessed or accessing the PC/Mac in question.

L0 Member

@steveomitchell I know you posted your comment a couple of months ago but just ran across it. You should be able to still do the "No direct access to local network" and do exclusions. The No direct access just adds a route in the client route table for the local subnet and points it to the tunnel with a lower metric. The exclusions also add a route in the table but points it to the local interface. We are using both so you should be fine.

L0 Member

Hi all Panorama Users,

 

Important to know is that address groups are not valid in the exclude section without a trick for devices managed by Panorama.

 

The issue is related to the usage of the address group in the exclude list. The exclude list is not one of the areas where Panorama considers the address group to be used. Therefore, it is expected for the push to fail if this group is not referenced elsewhere.
When the option "Share Unused Address and Service Objects with Devices" under panorama settings is unselected, then the shared objects/group will not be sent to the device. As a result, the commit on the device will fail.

 

To resolve this issue, you have two options:
1- Configure the Subnets directly on the exclude list. -> not preferred, because maintaining could be worse if you have multiple settings with those IPs
2- Configure the individual address objects on the exclude list.
- If push fails, enable/check the "Share Unused Address and Service Objects with Devices”, then commit and push.
Panorama > Setup > Management > Panorama Settings -> Depends on the box limit of Object count, if you can use this solution

3- preferred in my eyes:

- Configure a dummy security rule in Panorama at the bottom of the policy, where it will never be used, and add the address group to this rule. -> This forces Panorama to push the address group to the firewall
- Commit and push. Only to the device group which is desired to use this address group in splittunneling. (Edit selection and choose the target device group, then push).
- Check firewall and make sure the dummy rule is added successfully to the security policies.
- Add the address group on GP gateway, in the Exclude area.
- Commit to the panorama, then Commit and push, to the target template Stack.

 

happy firewalling

Last update: 07-16-2020 09:31 AM
Updated by: Retired Member