GlobalProtect Domain Split Tunnel with Sophos Endpoint Agent Behavior

288

Created On 06/30/22 00:08 AM - Last Modified 11/17/25 20:40 PM

GlobalProtect

Symptom

Behavior Seen
=====================================

GlobalProtect Domain Based Split Tunnel failing to exclude traffic out of the physical interface when Sophos Endpoint is enabled/installed
Developer tools show no address for the excluded FQDN when attempting to connect
nslookup still able to resolve FQDN however
No traffic logs generated for traffic coming from tunnel interface
Split tunneling configuration is applied correctly in PanGPS logs
Pcaps on Physical interface show no TCP or UDP connection going through the interface for excluded traffic
Pcaps Virtual Adapter shows no sequent TCP or UDP traffic excluded traffic going through the interface
Debugview capture shows the addresses of the excluded traffic are being binded (no errors)
Disabling/uninstalling Sophos and rebooting machine allows exclude traffic to work properly

GlobalProtect Domain Based Split Tunneling for excluded routes and Sophos Endpoint with Web Control or Web Protection are not compatible as they both create similar WFP rules causing the binding for the physical interface to not map the Split Tunnel configuration from GlobalProtect Agent as Sophos Endpoint WFP rules will bind while GlobalProtect is disconnected from the tunnel and take priority

Migrate to Application Based Split tunneling
Migrate to IP Based Split Tunneling
Disabling Sophos Web Control https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ConfigureMalwareProtection.html
Disabling Sophos Web Protection https://docs.sophos.com/central/Customer/help/en-us/central/Customer/concepts/ConfigureWebControl.html
Uninstalling Sophos Endpoint Agent

Sophos Endpoint Security shows to have similar behavior with GlobalProtect Enforcer as this feature also leverages similar WFP rules