GlobalProtect Split tunnel base on APP or domain is not working correctly

Created On 06/03/22 12:46 PM - Last Modified 09/19/25 21:55 PM


Symptom


  • The split tunnel configuration based on APP or Domain is correct; however, some traffic is still sent through the tunnel instead of directly over the local network.
  • Use the following steps to verify split tunneling:
  • Review the PanGPS logs and confirm that the split tunnel configuration is delivered to the agent correctly:
        <exclude-split-tunneling-application>
            <member>%AppData%\Local\slack\slack.exe</member>
            <member>%USERPROFILE%\AppData\Roaming\Zoom\bin\CptHost.exe</member>
            <member>%USERPROFILE%\AppData\Roaming\Zoom\bin\Zoom.exe</member>
            <member>/Applications/Dropbox.app/Contents/MacOS/Dropbox</member>
            <member>/Applications/Slack.app/Contents/MacOS/Slack</member>
            <member>/Applications/zoom.us.app/Contents/Frameworks/ZoomPhone.app</member>
            <member>/Applications/zoom.us.app/Contents/MacOS/zoom.us</member>
            <member>C:\Program Files (x86)\Dropbox\Client\Dropbox.exe</member>
            <member>C:\Program Files (x86)\zoom\bin\CptHost.exe</member>
            <member>C:\Program Files (x86)\Zoom\bin\Zoom.exe</member>
            <member>C:\Program Files\Zoom\bin\Zoom.exe</member>
        </exclude-split-tunneling-application>
        <exclude-split-tunneling-domain>
            <member>zoom.com</member>
            <member>youtube.com</member>
            <member>dropbox.com</member>
            <member>XXXX.zoom.us</member>
            <member>zoom.us</member>
        </exclude-split-tunneling-domain>
  • Check the PanGPS logs at dump level to see if split tunneling is correctly evaluated:
(P6072-T3668)Dump (  91): 05/31/22 16:14:39:881 Received DNS request for XXXX.zoom.us with type 1
(P6072-T3668)Dump (1467): 05/31/22 16:14:39:881 Domain name XXXX.zoom.us matches exclude single domain
(P6072-T3668)Dump ( 531): 05/31/22 16:14:39:881 EnforceSplitDns, ret1=0, ret2=-1, type1=4, type2=0 (3/4-in/exclude), bReplyNoSuchName=0
(P6072-T3668)Dump ( 532): 05/31/22 16:14:39:881 EnforceSplitDns, qname=XXXX.zoom.us, from tunnel=1, reply no such name = 0
  • Carry out a test and capture traffic on both the GP virtual adapter and the physical adapter.
  • The capture on the GP virtual adapter shows the traffic going through GP instead of over the local network.
  • This can also be verified by checking the traffic logs on the gateway.


Environment


  • GlobalProtect (GP) Portal and Gateway
  • Application or Domain Split Tunneling
  • Windows OS


Cause


  • The GP split tunnel feature depends on the Windows "network service".
  • Third-party software that interferes with this service therefore also interferes with GP split tunneling.
  • This occurs when the client has software (for example, a bandwidth-management tool) that kills this process, which in turn prevents the GP client from splitting the tunnel and from resetting the network service to its original state.


Resolution


  1. Check the "Processinfo.txt" log within the GP logs and look for any services such as:
    • Name=Killer Smart AP Selection Service
    • Name=KillerNetworkService.exe
    • Name=Killer Analytics Service
  2. If any of the above services are running, disable them. This fixes the issue.
  3. Disabling "KillerNetworkService.exe" alone should also be sufficient to fix the issue.
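
The following PowerShell script is an added example, not part of this article or of the GlobalProtect client. It automates the two checks described above: it scans Processinfo.txt for the three Killer entries listed in the Resolution section, pulls the dump-level PanGPS lines ("matches exclude" and "EnforceSplitDns, qname=") for the excluded domains so the split-DNS evaluation can be reviewed, and, only when run with -Disable, stops and disables the matching Windows services. It assumes the log bundle was extracted to the folder given by $LogDir (placeholder path), that Processinfo.txt lists processes as "Name=<process>" lines as in the excerpt above, and that the Windows service name is either the process name without ".exe" or the service display name; none of those details are stated by the article.

```powershell
<#
  Added example (not from the Palo Alto Networks KB article).
  Assumptions, not stated by the article:
    - $LogDir is the folder the GP "Collect Logs" bundle was extracted to and
      contains Processinfo.txt and PanGPS.log (placeholder path below).
    - Processinfo.txt lists running processes on "Name=<process>" lines.
    - The Windows service name is the process name without ".exe"
      (e.g. KillerNetworkService) or equals the service display name.
#>
param(
    [string]$LogDir = 'C:\Temp\GlobalProtectLogs',
    [string[]]$ExcludedDomains = @('zoom.us', 'zoom.com', 'dropbox.com', 'youtube.com'),
    [switch]$Disable
)

# Process names quoted in the article's Resolution section
$KillerNames = @(
    'Killer Smart AP Selection Service',
    'KillerNetworkService.exe',
    'Killer Analytics Service'
)

function Find-KillerEntries {
    # Returns the Killer process names present in Processinfo.txt
    param([string]$Path)
    if (-not (Test-Path $Path)) { Write-Warning "Not found: $Path"; return @() }
    $hits = @()
    foreach ($line in Get-Content $Path) {
        if ($line -match '^\s*Name=(.+?)\s*$' -and $KillerNames -contains $Matches[1]) {
            $hits += $Matches[1]
        }
    }
    return @($hits | Sort-Object -Unique)
}

function Get-SplitDnsDecisions {
    # Returns the dump-level PanGPS lines the article uses to confirm that an
    # excluded domain matched and how EnforceSplitDns decided, for the given domains.
    param([string]$Path, [string[]]$Domains)
    if (-not (Test-Path $Path)) { Write-Warning "Not found: $Path"; return @() }
    $pattern = ($Domains | ForEach-Object { [regex]::Escape($_) }) -join '|'
    Get-Content $Path | Where-Object {
        ($_ -match 'matches exclude|EnforceSplitDns, qname=') -and
        ($_ -match "(^|\.|=| )($pattern)(,| |$)")
    } | ForEach-Object { $_.Trim() }
}

function Disable-KillerServices {
    # Stops and disables the services the article identifies as interfering
    # with split tunneling. Requires an elevated PowerShell session.
    param([string[]]$Names)
    foreach ($n in $Names) {
        $base = $n -replace '\.exe$', ''
        $svc = Get-Service -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -eq $base -or $_.DisplayName -eq $n }
        if (-not $svc) { Write-Host "No service matching '$n' on this host"; continue }
        foreach ($s in $svc) {
            Write-Host "Stopping and disabling $($s.Name) ($($s.DisplayName))"
            Stop-Service -Name $s.Name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $s.Name -StartupType Disabled
        }
    }
}

$found = Find-KillerEntries (Join-Path $LogDir 'Processinfo.txt')
if ($found.Count -gt 0) {
    Write-Host 'Killer entries found in Processinfo.txt:'
    $found | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'No Killer entries in Processinfo.txt; check for other software that restarts the network service.'
}

Write-Host "`nPanGPS split-DNS decisions for the excluded domains:"
Get-SplitDnsDecisions (Join-Path $LogDir 'PanGPS.log') $ExcludedDomains |
    ForEach-Object { Write-Host "  $_" }

if ($Disable -and $found.Count -gt 0) { Disable-KillerServices $found }
```

Run it first without -Disable to see the report; the "from tunnel" and "reply no such name" fields printed from the EnforceSplitDns lines are the same values the article shows, so compare them against the excerpt above. Re-run from an elevated session with -Disable only after confirming that the listed entries are the Killer services and not something else the endpoint relies on.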


Additional Information


The DNS query is captured on the GP virtual adapter:

[Image: packet capture on the GP virtual adapter showing the DNS query for the excluded domain]

However, traffic towards the resolved IP is captured on the GP virtual adapter as well; this traffic should go over the local network:

[Image: packet capture on the GP virtual adapter showing traffic to the resolved IP]
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CprBCAS&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail