How to configure domain based split tunneling using wildcard

Created On 04/27/21 04:14 AM - Last Modified 12/21/21 04:45 AM


Objective


To match every destination FQDN under a parent domain with a single entry. In many use cases, especially with web applications, it is not practical to identify every destination domain the application uses by packet capture, so a wildcard entry that covers the parent domain and all of its subdomains is needed.

Environment


  • Palo Alto Networks firewall.
  • PAN-OS 8.1 and above.
  • GlobalProtect 4.1 and above.


Procedure


NOTE: For the purpose of this document, the parent domain paloaltonetworks.com is used as the example.
  1. Configure the include or exclude domain as *paloaltonetworks.com. This matches all subdomains as well as the parent domain paloaltonetworks.com itself, because the wildcard (*) matches any string, including the empty string. Keep that rule in mind when writing patterns: the same entry also matches any other name that merely ends in paloaltonetworks.com, so check that it is not broader than intended, particularly in an exclude list.
  2. Domain-based split tunneling is configured under Network > GlobalProtect > Gateways > {Gateway Name} > Agent > Client Settings > {Name} > Split Tunnel. Refer to the documentation link: Split-tunnel-wildcard


Additional Information


  • It is common practice to configure the wildcard domain as *.paloaltonetworks.com, which matches support.paloaltonetworks.com and the other subdomains but does not match the parent domain paloaltonetworks.com, since the (*) must be followed by a literal dot.
  • For the above reason, it is also common practice to configure both entries, *.paloaltonetworks.com and paloaltonetworks.com, in the include or exclude domain section. This two-entry form is the more precise choice: because (*) matches any string, the single entry *paloaltonetworks.com additionally matches names that merely end in paloaltonetworks.com, such as notpaloaltonetworks.com.
  • When a large number of domains must be configured, using wildcards efficiently helps keep the configuration succinct and avoids reaching the 200-entry limit.
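The following is an added example, not code from the article or from Palo Alto Networks. It implements the wildcard rule the procedure describes (a (*) matches any string, including the empty string; everything else is literal) and runs it over a constructed list of FQDNs to show the difference between *paloaltonetworks.com, *.paloaltonetworks.com, and the two-entry form from the Additional Information section. The sample FQDNs, the function names, and the assumption that matching is anchored and case-insensitive are all the example's own, not the article's; the check for "overly broad" patterns is a suggested pre-deployment sanity check, not a GlobalProtect feature.

```python
import re

# Constructed sample of destination FQDNs, as might be seen in a packet
# capture. Not from the article; includes a lookalike and a suffix-abuse name
# to show what each pattern does and does not match.
SAMPLE_FQDNS = [
    "paloaltonetworks.com",
    "support.paloaltonetworks.com",
    "docs.paloaltonetworks.com",
    "updates.paloaltonetworks.com",
    "notpaloaltonetworks.com",            # lookalike: ends in the suffix
    "paloaltonetworks.com.evil.example",  # suffix in the middle, not at end
    "example.org",
]


def pattern_to_regex(pattern):
    """Compile a split-tunnel domain pattern into an anchored regex.

    '*' matches any string including the empty string, exactly as the
    article states; every other character is literal. Assumption (not stated
    by the article): matching is case-insensitive, as DNS names are.
    """
    literal_parts = [re.escape(p) for p in pattern.lower().split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def matches(pattern, fqdn):
    """True if a single pattern matches the whole FQDN."""
    return pattern_to_regex(pattern).match(fqdn.lower()) is not None


def match_domains(patterns, fqdns):
    """Return the FQDNs matched by any pattern, in their original order.

    This is what an include or exclude list does to a set of destinations.
    """
    compiled = [pattern_to_regex(p) for p in patterns]
    return [f for f in fqdns if any(r.match(f.lower()) for r in compiled)]


def overly_broad(patterns):
    """Flag patterns whose leading '*' is not followed by a '.'.

    Such a pattern (e.g. '*paloaltonetworks.com') also matches unrelated
    names that merely end in the suffix, like 'notpaloaltonetworks.com'.
    In an exclude list that means traffic to a lookalike domain bypasses
    the tunnel. Hypothetical check, not part of the product.
    """
    return [p for p in patterns if p.startswith("*") and not p.startswith("*.")]


if __name__ == "__main__":
    for entry in (["*paloaltonetworks.com"],
                  ["*.paloaltonetworks.com"],
                  ["*.paloaltonetworks.com", "paloaltonetworks.com"]):
        print(entry, "->", match_domains(entry, SAMPLE_FQDNS))
    print("overly broad:", overly_broad(["*paloaltonetworks.com",
                                          "*.paloaltonetworks.com",
                                          "paloaltonetworks.com"]))
```

Running the block shows that *paloaltonetworks.com catches the parent, all three subdomains, and the lookalike notpaloaltonetworks.com; *.paloaltonetworks.com catches only the subdomains; and the pair *.paloaltonetworks.com plus paloaltonetworks.com catches the parent and subdomains while leaving the lookalike alone. None of the patterns match paloaltonetworks.com.evil.example, because matching is anchored at both ends. Before pushing a wildcard list to a gateway, running the entries through overly_broad (or an equivalent review) is a cheap way to catch a suffix-only wildcard that was meant to be a subdomain wildcard.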


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM2JCAU&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail