Exclude domain and Exclude application split tunneling causing issues with multiple applications on macOS Catalina
When GlobalProtect is configured with exclude domain and/or exclude application to send traffic via the physical adapter, multiple applications are freezing or erroring out on macOS Catalina 10.15.x.
As an example, In Google Chrome, one will see errors like "ERR_NETWORK_CHANGED" or "ERR_TIMED_OUT" in the browser.
Similarly, for the Microsoft Teams app, the application intermittently loses connection and we will see a similar error in the Teams log (see error below)
-- info -- OnErrorOccurred - Description: CNS:Get Method: GET Error: net::ERR_TIMED_OUT
- GlobalProtect client 5.1 and 5.2.
- macOS Catalina 10.15.x.
- Browsers affected: Chrome
- Applications affected: Microsoft Teams.
- The issue seems to be only affecting macOS Catalina 10.15.x when the GlobalProtect gateway is configured to use "exclude domain" and/or "exclude application".
- The cause seems to be with the macOS system API call related to System Extension specific to macOS Catalina.
- Palo Alto Networks has opened an inquiry with Apple and more details can be viewed on this link on Apple developer forums.
- For more details, Refer Apple Bug ID FB7868606 and see the disclaimer from Palo Alto Networks below.
- Upgrade to the latest macOS BigSur 11.2.x or higher
- If you can't upgrade to macOS BigSur, then just use the full tunnel on the GlobalProtect gateway configuration by disabling the split tunnel.
- If you can't disable split tunneling on the GlobalProtect gateway config, You can also use Safari or Firefox browser as a workaround.
Disclaimer: Please note the below statements about Apple’s System Extensions and Chrome Browser are made with limited information made available through their respective websites, documentation, and support tickets. Palo Alto Networks is not responsible nor can it be held accountable for any information provided on third party products, for the functionality of third party products, or future product changes in third party products.
As per Apple’s recommendations, starting macOS Catalina, GlobalProtect 5.2.4 uses macOS System Extensions to facilitate split-tunneling of traffic to destinations based on gateway configuration. We observed that end-users did not face issues accessing split-tunnel destinations on Safari, but Chrome browser constantly displayed "A network change was detected, ERR_NETWORK_CHANGED.” or at times it would take a long time to load.
GlobalProtect uses API [setTunnelNetworkSettings] to set the new IPs once the IP for particular domain/subdomain changes, otherwise the system won't redirect the TCP/UDP connection to GlobalProtect. The need to frequently call this API is attributed to constantly changing Cloud IPs for SaaS applications. Apple doesn’t restrict an application from calling this API multiple times or frequently. Google’s Chrome Browser attempts to monitor changes to network interfaces, in order to ensure a good user experience. When GlobalProtect calls the [NEAppProxyProvider setTunnelNetworkSettings] to support the Split-tunneling by Domains use-cases, Chrome perceives this as a network interface change, disrupting the connection to the website domain. This issue is not seen in other mainstream browsers such as Safari and Firefox.
We have also recently noticed that when the above use-case was tested with macOS Big Sur along with GlobalProtect 5.2.4 version: include domains, exclude domains, and all domains opened up without any err_network_changed errors on chrome browser. We expect this could be due to changes made in Big Sur by Apple that impacts the system extensions behavior. Apple or Google have not provided official confirmation on this issue.
Apple Developer Forum
Note: Other applications may also be affected by this issue.