Users may not be able to access certain applications configured for Application/Domain Split Tunneling when macOS endpoint is upgraded from Catalina to Big Sur followed by GlobalProtect App upgrade from 5.2.6 to 5.2.8 or 5.2.9.
Symptom
Users may not be able to access certain applications configured for Application/Domain Split Tunneling when macOS endpoint is upgraded from Catalina to Big Sur followed by GlobalProtect App upgrade from 5.2.6 to 5.2.8 or 5.2.9. If the GlobalProtect App is disabled, users can open the same application without any issue.
Environment
Upgrade of macOS endpoint from Catalina to Big Sur followed by GlobalProtect App upgrade from 5.2.6 to 5.2.8 or 5.2.9.
Exclude Split Tunnel Application/Domain is configured for the affected application.
macOS 10.15.4 and later
GlobalProtect App 5.1.4 and above.
Cause
When a macOS endpoint is upgraded from Catalina to Big Sur followed by a GlobalProtect App upgrade from 5.2.6 to 5.2.8 or 5.2.9, the GlobalProtect system extensions are sometimes not re-enabled automatically. You can verify whether the system extensions are enabled by running "systemextensionsctl list" from Terminal, or by opening System Preferences -> Network. The GlobalProtect extensions are shown as:
GlobalProtectDo: Domain split tunnel
GlobalProtectAp: App split tunnel
GlobalProtectEn: Enforcer
GlobalProtectDn: Split DNS
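The check described above can be scripted so that a help desk does not have to read the "systemextensionsctl list" output by eye. The following is an added example, not a script from the article or from Palo Alto Networks: it parses the tab-separated rows that systemextensionsctl prints (asterisks in the enabled/active columns, the state in square brackets at the end of each row) and names every GlobalProtect extension whose state is not "[activated enabled]". The team ID, bundle IDs and version in the constructed sample are placeholders, not real GlobalProtect identifiers.

```sh
#!/bin/sh
# Added example (not from the original article): flag GlobalProtect system
# extensions that "systemextensionsctl list" does not report as enabled.

# gp_row NAME STATE: print one row in the layout systemextensionsctl uses.
# The team ID, bundle ID and version are constructed placeholders.
gp_row() {
    case "$2" in
        '[activated enabled]') printf '*\t*\t' ;;   # enabled + active columns
        *)                     printf '\t\t'   ;;   # both columns empty
    esac
    printf 'TEAMID0000\tcom.example.gp.%s (5.2.8/1)\t%s\t%s\n' "$1" "$1" "$2"
}

# Constructed sample output: the domain split-tunnel extension is enabled,
# the app split-tunnel extension is still waiting for approval.
gp_sample_output() {
    printf '%s\n' '2 extension(s)' '--- com.apple.system_extension.network_extension'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    gp_row GlobalProtectDo '[activated enabled]'
    gp_row GlobalProtectAp '[activated waiting for user]'
}

# gp_check_extensions LISTING: print the name of every GlobalProtect extension
# not in "[activated enabled]" (or a note if none is listed at all).
# Returns 0 when all GlobalProtect extensions are enabled, 1 otherwise.
gp_check_extensions() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0; seen = 0 }
        /GlobalProtect/ {
            seen = 1
            if ($0 !~ /\[activated enabled\]/) {
                line = $0
                sub(/[ \t]*\[.*\][ \t]*$/, "", line)   # drop the trailing [state]
                n = split(line, f, /[ \t]+/)
                print f[n]                             # last column left: the name
                bad = 1
            }
        }
        END {
            if (!seen) { print "no GlobalProtect extension listed"; bad = 1 }
            exit bad
        }'
}

# Demo on the constructed sample. On a real endpoint use:
#   gp_check_extensions "$(systemextensionsctl list)"
if gp_check_extensions "$(gp_sample_output)"; then
    echo "all GlobalProtect extensions are enabled"
else
    echo "the extension(s) above are not enabled: reboot the endpoint (see Resolution)"
fi
```

Run it on the affected endpoint with the real listing; an exit status of 1 together with a printed extension name tells you which split-tunnel extension the reboot in the Resolution section is meant to bring back.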
When system extensions are not enabled, users may not be able to access applications configured for Application/Domain Split Tunneling. For example, if Zoom application traffic is configured for split tunneling on the GlobalProtect gateway, you may not see Zoom traffic getting excluded from the GlobalProtect tunnel. As a result, users may not be able to access the Zoom application. You can verify whether the traffic is getting successfully excluded from the tunnel or not by doing a packet capture on the macOS Endpoint’s physical adapter. If you do not see either DNS or TCP/UDP packets for the affected application in the packet capture, it indicates that split tunneling is not working as expected.
Resolution
To resolve this issue, you can use the following workaround:
- Reboot the macOS Endpoint to re-enable the System/Network extensions.
(Since the GlobalProtect App has no control over the System/Network Extension SDK framework used on macOS endpoints, Palo Alto Networks cannot fix this issue with a code change in the GlobalProtect App. We have submitted a Feedback case with Apple (FB974069) to track this limitation of the Apple System/Network Extension SDK framework.)
If the above workaround does not resolve the issue, collect the following logs and open a support case:
- Collect GlobalProtect logs with DUMP level logging enabled.
- Collect a packet capture with the command "sudo tcpdump -i all -k INP -w gptest.pcapng".
- Collect the output of "systemextensionsctl list" from Terminal.