Netskope Can Interfere with Domain and Application-Based Split Tunneling
Created On 04/29/21 20:21 PM - Last Modified 09/09/21 03:16 AM
Symptom
When the GlobalProtect App is configured for domain-based and/or application-based split tunneling and the Netskope client is also installed, the domain and application-based split tunneling may not work as expected or may not work at all.
Environment
- Windows 10 or macOS computer
- GlobalProtect 5.1 or newer
- Netskope client (or other third party endpoint protection software)
- GlobalProtect Gateway configured with domain-based and/or application-based Split Tunnel
Cause
The Netskope client uses the same method to inspect and filter traffic that the GlobalProtect App uses to implement domain and application-based split tunneling. The Netskope client can prevent traffic from being sent out the correct interface (VPN virtual interface or physical interface).
Resolution
To resolve this, perform one of the following steps:
- In the Netskope configuration settings, white-list or exclude from inspection the traffic that needs to be tunneled based on GlobalProtect's domain and application-based configuration.
- Additional workarounds:
  - Disable the traffic inspection feature of Netskope.
  - Remove the GlobalProtect domain-based and application-based split tunneling configuration and replace it with route-based split tunneling only.