How to GlobalProtect Split-Tunnel Exclude Webex Application Process

Created On 08/27/20 23:16 PM - Last Modified 05/30/25 20:25 PM


Objective


This article describes how to configure application-based split tunneling, using Webex as the client application.



Environment




Procedure


  1. Download the CurrPorts application (internet download), then install and run it on the laptop with the GlobalProtect agent.
  2. Start a Webex meeting on the laptop with the GlobalProtect agent running on it, and note the applications listed in the first column (3rd from last column in the graphic below).
  3. Also take note of the Process Path listed (3rd from last column in the graphic below).
  4. Ignore the rows with the IP address or 127.0.0.1, and look only at the rows that have the laptop's physical adapter IP address or the IP address assigned to the GlobalProtect adapter.
  5. In the example below, the GP adapter is 10.0.0.100 and the laptop's physical IP address is 172.16.0.100.

 

[Image: CurrPorts application output]

In the graphic above, 2 applications are listed in the rows mentioned above.

The applications listed in the rows we care about are the following:

1) ptoneclk.exe
2) atmgr.exe

Next we want to find the application paths associated with the above 2 listed applications.

The 2 application paths found are:

1) c:\users\user1.bear\appdata\local\webex\webex\meetings\atmgr.exe
2) c:\Program Files (x86)\WebEx\WebEx\Applications\ptoneclk.exe

These 2 application paths are what we will enter in the split-tunnel application exclusion list on the firewall's GP Gateway. First, however, we want to convert them to a format that works universally for all users (not just 'user1' as seen above), so that the new format can be used in the GP gateway split-tunnel exclude application list.

Here we substitute the following %VARIABLES% instead of the hard coded paths:


1) c:\users\user1.bear\appdata\local\webex\webex\meetings\atmgr.exe

Becomes:

1) %localAPPDATA%\webex\webex\meetings\atmgr.exe

And

2) c:\Program Files (x86)\WebEx\WebEx\Applications\ptoneclk.exe

Becomes:

2) %PROGRAMFILES(x86)%\webex\webex\applications\ptoneclk.exe

  6. Add the 2 converted application paths above to the GP Gateway Split-tunnel Exclude Application list.
  7. Perform a Commit. On the GP agent connected laptop used for testing, exit the WebEx application and restart the PanGPS service in Windows Services. This ensures the GP agent pulls down the new Split-tunnel Exclude Application list configured on the GP Gateway in the previous step.
  8. Once the GP agent is connected, run the WebEx application, then look again at the CurrPorts application output and confirm that the 2 applications discovered in the previous steps are now seen only in the rows for the laptop's physical adapter. This confirms that the WebEx application and its associated traffic are now being excluded from the GP tunnel.

[Image: CurrPorts application output]

Above we can now verify the 2 applications 'atmgr.exe' and 'ptoneclk.exe' are both associated with the laptop's physical adapter only (172.16.0.100)
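
The same before/after check can be scripted with built-in PowerShell cmdlets instead of reading the CurrPorts window. This is an added example, not part of the original article: the function name and column names are hypothetical, the two adapter addresses are the sample values used above, and it assumes the script runs as the logged-in user so that %LOCALAPPDATA% resolves to that user's profile.

```powershell
# Added example (not from the original article). Adapter IPs are the article's sample values.
$TunnelIP   = '10.0.0.100'    # IP assigned to the GlobalProtect adapter
$PhysicalIP = '172.16.0.100'  # IP of the laptop's physical adapter

# Hypothetical helper: rewrite a hard-coded path into the %VARIABLE% form used in this article.
function Convert-ToVariablePath {
    param([string]$Path)
    $map = [ordered]@{
        '%LOCALAPPDATA%'      = $env:LOCALAPPDATA
        '%PROGRAMFILES(x86)%' = ${env:ProgramFiles(x86)}
    }
    foreach ($name in $map.Keys) {
        $prefix = $map[$name]
        # Windows paths are case-insensitive, so compare the prefix ignoring case.
        if ($prefix -and $Path.StartsWith($prefix + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $name + $Path.Substring($prefix.Length)
        }
    }
    return $Path   # no known prefix: leave the path unchanged
}

# Collect TCP connections and UDP endpoints with their owning process IDs.
$tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, OwningProcess, @{n='Proto';e={'TCP'}}
$udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, OwningProcess, @{n='Proto';e={'UDP'}}

# Keep only sockets bound to the tunnel or physical adapter address.
@($tcp) + @($udp) |
    Where-Object { $_.LocalAddress -in $TunnelIP, $PhysicalIP } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Process   = $proc.ProcessName
            Adapter   = if ($_.LocalAddress -eq $TunnelIP) { 'GP tunnel' } else { 'physical' }
            Proto     = $_.Proto
            ExcludeAs = if ($proc.Path) { Convert-ToVariablePath $proc.Path } else { $null }
        }
    } |
    Sort-Object Process, Adapter, Proto -Unique |
    Format-Table -AutoSize
```

Run it during a Webex meeting before and after the change: once the exclusion is active, atmgr and ptoneclk should appear only with Adapter = physical.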


