How to add or delete entries on GlobalProtect split tunneling config from the CLI
Objective
Add or delete split tunneling entries quickly from the CLI. Useful for including in scripts to automate these tasks if the user chooses.
Environment
- GlobalProtect™ App 4.1+
- PAN-OS® 8.1 and later releases
Procedure
1. On Palo Alto Networks firewall CLI, these commands are issued in the configure mode.
> configure
2. To add an entry from the firewall's CLI, select one of these options from the following hierarchy.
# set vsys <vsys name> global-protect global-protect-gateway <Gateway Name> remote-user-tunnel-configs <Config Name> split-tunneling ?
> access-route subnets need to be accessed by GlobalProtect clients
> exclude-access-route subnets need to be excluded by GlobalProtect clients
> exclude-applications applications need to go out of tunnel
> exclude-domains Domains need to go out of tunnel
> include-applications applications need to go through tunnel
> include-domains Domains need to go through tunnel
<Enter> Finish input
3. To delete an entry from the firewall's CLI, replace the "set" keyword with the "delete" keyword.
NOTE: From here on, the options printed after the question mark (?) are left out for brevity.
# delete vsys <vsys name> global-protect global-protect-gateway <gateway name> remote-user-tunnel-configs <config name> split-tunneling ?
4. To add an entry from Panorama, configure it in the specific template where GlobalProtect config is located.
# set template <template name> config vsys <vsys name> global-protect global-protect-gateway <gateway name> remote-user-tunnel-configs <config name> split-tunneling ?
5. To delete an entry from the Panorama CLI, replace the "set" keyword with the "delete" keyword.
# delete template <template name> config vsys <vsys name> global-protect global-protect-gateway <gateway name> remote-user-tunnel-configs <config name> split-tunneling ?
6. Examples:
- From firewall CLI,
> configure
# set vsys vsys1 global-protect global-protect-gateway <gateway name> remote-user-tunnel-configs <config name> split-tunneling exclude-access-route 4.4.2.2/32
# set vsys vsys1 global-protect global-protect-gateway <gateway name> remote-user-tunnel-configs <config name> split-tunneling exclude-domains list google.com ports 443
# set vsys vsys1 global-protect global-protect-gateway <gateway name> remote-user-tunnel-configs <config name> split-tunneling exclude-applications /Applications/MicrosoftLync.app/Contents/MacOS/MicrosoftLync
- After refreshing, the corresponding changes in the Web UI can be found at Network > GlobalProtect > Gateways > Select gateway > Agent > Client Settings > Select config > Split Tunnel
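Since the objective mentions using these commands in scripts, the following is an added example (not Palo Alto Networks code) that builds the firewall and Panorama forms of the set/delete lines above from a list of entries, validating each value first so a script never pushes a malformed route or domain. Gateway, config and template names such as "GP-GW", "Default-Config" and "GP-Template" are constructed placeholders; applying "ports" to include-domains the same way the article shows it for exclude-domains is an assumption of this example. The generated lines are meant to be fed to the configure-mode CLI over your usual SSH tooling; no commit step is included.

```python
"""Build PAN-OS / Panorama CLI lines for GlobalProtect split-tunnel entries.

Added example for scripting the commands in this article; not Palo Alto
Networks code. Gateway, config and template names are constructed placeholders.
"""
import ipaddress
import re

# The six split-tunneling options printed by "split-tunneling ?" in the article.
ROUTE_OPTIONS = {"access-route", "exclude-access-route"}
DOMAIN_OPTIONS = {"include-domains", "exclude-domains"}
APP_OPTIONS = {"include-applications", "exclude-applications"}

_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)


def _token(value):
    """Quote a CLI token only if it contains whitespace (e.g. a gateway named "GP Gateway")."""
    return f'"{value}"' if any(ch.isspace() for ch in value) else value


def _prefix(vsys, gateway, config, template=None):
    """Return the path down to 'split-tunneling'; a template name selects the Panorama form."""
    parts = []
    if template is not None:
        parts += ["template", _token(template), "config"]
    parts += ["vsys", _token(vsys), "global-protect", "global-protect-gateway", _token(gateway),
              "remote-user-tunnel-configs", _token(config), "split-tunneling"]
    return parts


def build_command(action, option, value, vsys, gateway, config, template=None, port=None):
    """Return one 'set ...' or 'delete ...' line for a single split-tunnel entry.

    Input is validated before it becomes a command, so a script cannot push a
    malformed route (for example host bits set in a CIDR) or a bogus domain name.
    """
    if action not in ("set", "delete"):
        raise ValueError(f"action must be 'set' or 'delete', got {action!r}")
    parts = [action] + _prefix(vsys, gateway, config, template) + [option]

    if option in ROUTE_OPTIONS:
        # strict=True rejects "10.0.0.1/24"; str() normalises the prefix to canonical form.
        parts.append(str(ipaddress.ip_network(value, strict=True)))
    elif option in DOMAIN_OPTIONS:
        if not _HOSTNAME_RE.match(value):
            raise ValueError(f"not a valid domain name: {value!r}")
        parts += ["list", value.lower()]
        if port is not None:
            # 'ports <n>' follows the article's exclude-domains example; using it for
            # include-domains as well is an assumption of this example.
            if not 1 <= int(port) <= 65535:
                raise ValueError(f"port out of range: {port}")
            parts += ["ports", str(int(port))]
    elif option in APP_OPTIONS:
        if not value.strip():
            raise ValueError("application path must not be empty")
        parts.append(_token(value))
    else:
        raise ValueError(f"unknown split-tunneling option: {option!r}")
    return " ".join(parts)


def build_script(entries, vsys, gateway, config, template=None):
    """Turn (action, option, value[, port]) tuples into a configure-mode block of lines."""
    lines = ["configure"]
    for entry in entries:
        action, option, value = entry[:3]
        port = entry[3] if len(entry) > 3 else None
        lines.append(build_command(action, option, value, vsys, gateway, config, template, port))
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample batch; "GP-GW" and "Default-Config" are placeholder names.
    sample = [
        ("set", "exclude-access-route", "4.4.2.2/32"),
        ("set", "exclude-domains", "google.com", 443),
        ("set", "exclude-applications",
         "/Applications/MicrosoftLync.app/Contents/MacOS/MicrosoftLync"),
        ("delete", "exclude-access-route", "4.4.2.2/32"),
    ]
    print(build_script(sample, "vsys1", "GP-GW", "Default-Config"))
    print()
    # Same first entry in the Panorama template form; "GP-Template" is a placeholder.
    print(build_script(sample[:1], "vsys1", "GP-GW", "Default-Config", template="GP-Template"))
```

Rejecting a CIDR with host bits set or a malformed domain before the line is generated is the useful part: the CLI will refuse some of these too, but failing locally keeps an automated run from half-applying a batch.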
Additional Information
1. Additional reference for configuring GP split tunneling:
https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-access-route.html
https://docs.paloaltonetworks.com/globalprotect/10-0/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application.html