GlobalProtect: Split-tunnel Domain Not Working with Chrome Browser on macOS

Created On 08/12/22 02:25 AM - Last Modified 04/22/24 07:36 AM


Symptom


 

  • GlobalProtect Gateway configured with include or exclude domain for split tunneling. 
  • Chrome browser version 104.0.5112.79 used on macOS 11 or macOS 12 
  • Users launching any website configured in include or exclude domain fail with the error "This site can't be reached"
     


 


Environment


 
  • GlobalProtect 5.2.11/6.0.0 & above 
  • Chrome browser 104.0.5112.79
  • macOS 12.x (Monterey) and macOS 11.x (Big Sur)
  • macOS Network adapter’s IPv6 is set to "Link-Local Only"
  • GlobalProtect Gateway configured with split-tunnel include or exclude domains
  • GlobalProtect Gateway configured with either 
    • IPv6 sinkhole enabled or 
    • IPv6 virtual pool configured on on-prem firewalls


Cause



GlobalProtect cannot parse the correct IPv6 address of the macOS endpoint physical interface.


Resolution


The issue is being actively investigated. Currently, any one of the following workarounds can be used:

Workarounds: 
  1. Downgrade to Chrome browser version 103.0.5060.134 or below.
  2. Use Safari or Firefox; no issues have been reported on these.
  3. You can turn off IPv6 from the command line:
        sudo networksetup -setv6off Wi-Fi
  4. Change the network adapter IPv6 configuration from "Link-Local Only" to "Automatically" and ensure that the adapter gets an IPv6 address.
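A check for the adapter state that workarounds 3 and 4 change, as an added example that is not part of the original article: it classifies `ifconfig` output as having no IPv6 address, only a link-local one (the affected configuration listed under Environment), or an assigned address. The interface name `en0`, the state names and the sample output are constructed assumptions.

```shell
#!/bin/sh
# Classify an interface IPv6 state from `ifconfig <if>` output on stdin.
# Prints one of: none | link-local-only | assigned
ipv6_state() {
    awk '
        $1 == "inet6" {
            addr = tolower($2)
            sub(/%.*/, "", addr)                      # drop the %en0 zone suffix
            if (addr ~ /^fe[89ab][0-9a-f]:/) ll = 1   # fe80::/10 is link-local
            else if (addr != "::1") assigned = 1      # anything else but loopback
        }
        END {
            if (assigned) print "assigned"
            else if (ll) print "link-local-only"
            else print "none"
        }'
}

# Constructed sample output (documentation addresses), one per adapter setting.
sample_ifconfig() {
    printf 'en0: flags=8863<UP,BROADCAST,RUNNING> mtu 1500\n'
    printf '\tinet 192.0.2.10 netmask 0xffffff00 broadcast 192.0.2.255\n'
    case "$1" in
        linklocal|assigned)
            printf '\tinet6 fe80::1c2a:3b4c:5d6e:7f80%%en0 prefixlen 64 secured scopeid 0x6\n' ;;
    esac
    if [ "$1" = "assigned" ]; then
        printf '\tinet6 2001:db8::10 prefixlen 64 autoconf secured\n'
    fi
}

# Demo on the constructed samples.
for setting in off linklocal assigned; do
    echo "sample ($setting): $(sample_ifconfig "$setting" | ipv6_state)"
done

# On a Mac, check the live interface (en0 is an assumption; adjust as needed).
# "link-local-only" matches the affected environment; after workaround 3
# expect "none", after workaround 4 expect "assigned".
if [ "$(uname -s)" = "Darwin" ]; then
    echo "en0: $(ifconfig en0 | ipv6_state)"
fi
```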

