Split tunneling behavior on the GlobalProtect client

Split tunneling behavior on the GlobalProtect client

74184
Created On 04/30/21 00:18 AM - Last Modified 05/10/21 18:20 PM


Environment


  • Windows or MacOS client connected to GlobalProtect gateway configured with split tunneling
  • For the purposes of this document, we use the following scheme:
    • GlobalProtect client: Windows PC with IP address 192.168.10.10, default gateway 192.168.10.1
    • GlobalProtect Portal/Gateway: Palo Alto Networks firewall with portal and gateway hosted on 192.168.10.1
    • Virtual interface after connecting to GlobalProtect: 172.16.10.1
    • Screenshots provided are for Windows but the behavior is the same for MacOS as well
    • Split-Tunnel Option under portal app settings is set to Network Traffic Only (Default)
    • Resolve All FQDNs Using DNS Servers Assigned by the Tunnel (Windows Only) under portal app settings to Yes (Default)
    • No direct access to local network under gateway split tunnel settings disabled (Default)
 
 

Resolution



The following are different access route-based and domain-based split tunneling options. Please be aware that the traffic behavior with the route-based option is purely based on the local routing table. However, domain-based split tunneling utilizes a filter driver in Windows and network extensions in MacOS. 

  1. No split-tunneling configured

Routing Table:

no-split-tunneling

Traffic Behavior: 

  • A default route with lower metric is created pointing to the virtual interface which routes all traffic inside the tunnel

  1. Include access routes only

    For this case, let's configure one private IP subnet as include access route.
only-include-route
 
Routing Table: 
include-only-rt
 
Traffic Behavior: 
  • Include access route is installed pointing to the virtual interface
  • Traffic matching include access route goes through the tunnel
  • No default route pointing to the virtual interface which routes rest of the traffic outside the tunnel 

  1. Exclude access routes only

    For this case, lets exclude IP ranges needed for Microsoft Teams.
exclude-route-only
 
Routing Table: 
exclude-route-only-rt
 
Traffic Behavior: 
  • Exclude access routes are installed pointing to the external interface
  • Traffic matching exclude routes goes outside the tunnel
  • Default route with lower metric is installed pointing to the tunnel which routes rest of the traffic inside the tunnel
  • In this case, it is common practice to configure an include access route of 0.0.0.0/0. This is redundant and not required because the gateway pushes an implicit include default route anyway.
<access-routes>
            <member>0.0.0.0/0</member>
     </access-routes> 
     <exclude-access-routes>
           <member>13.107.64.0/18</member>
  <member>52.112.0.0/14</member>
 <member>52.120.0.0/14</member>
     </exclude-access-routes>

  1. Both include and exclude routes

    For this case, we will configure both include and exclude IP ranges.
both-access-routes
 
Routing Table: 
both-access-routes-rt
 
Traffic Behavior: 
  • Both exclude and include access routes are installed pointing to the respective interface
  • Traffic matching include routes goes through the tunnel
  • Traffic matching exclude routes goes outside the tunnel
  • Default route pointing to the tunnel is not installed which routes rest of the traffic outside the tunnel 
  • Since default route points to the external interface, configuring exclude routes here is redundant unless we have a special use case causing a conflict on the local routing table and more specific routes are needed explicitly. 

  1. Include domains or applications only

    For this case, let's configure *paloaltonetworks.com as include domain and no access routes. 
include-domain-only
 
Routing Table: 
include-domain-only-rt
 
Traffic Behavior:  
  • All traffic matching the include domains or applications goes through the tunnel
  • Default route with lower metric is installed pointing to the tunnel which routes rest of the traffic inside the tunnel.
  • Typically in this case, we would like the default route to point to the external interface because it doesn't make sense to include some domains and/or applications if all the traffic is going inside the tunnel anyway.
  • To resolve this, it is common practice to configure an exclude access route of 0.0.0.0/0. This will not produce the desired result because the implicit include default route pointing to the tunnel will still retain lower metric. 
<access-routes>
           <member>0.0.0.0/0</member>
     </access-routes> 
     <exclude-access-routes>
           <member>0.0.0.0/0</member>
     </exclude-access-routes> 
<include-split-tunneling-domain>
           <member>*paloaltonetworks.com</member>
     </include-split-tunneling-domain> 
  • A valid solution to this problem is to configure a dummy include access route (in this case 172.17.0.0/16) which will make the default route pointing to external interface preferred. Below is the resulting routing table. 
include-domain-workaround
 

  1. Exclude domains or applications only

    For this case, let's configure *paloaltoetworks.com as exclude domain and no access routes.
exclude-domain-only
 
Routing Table: 
include-domain-only-rt

Traffic Behavior: 
  • All traffic matching the exclude domains or applications goes outside the tunnel
  • Default route with lower metric is installed pointing to the tunnel which routes rest of the traffic inside the tunnel

  1. Both include and exclude domains or applications

    For this case, let's configure to include domain *paloaltonetworks.com and exclude domain *zoom.us
include-exclude-domain

Routing Table: 
include-domain-only-rt
Traffic Behavior: 
  • All traffic matching the exclude domains or applications goes outside the tunnel
  • All traffic matching the include domains or applications goes inside the tunnel
  • Default route with lower metric is installed pointing to the tunnel which routes rest of the traffic inside the tunnel
  • Configuring include domain or application is redundant here unless in a special use case with local routing table conflicts or conflicts arising from access routes. 

NOTE: More combinations are possible with all the 6 split tunneling options available which we will not cover specifically. To determine how the traffic is matched, always follow the precedence criteria described in the document below. Any traffic that doesn't match the application or domain based split tunneling rules will follow the routing table based on the rules described in sections 1 through 4
  • https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/globalprotect-features/split-tunnel-for-public-applications.html
 

Additional Information


  1.  NO DIRECT ACCESS TO LOCAL NETWORK" CONFIGURED WITH SPLIT TUNNEL
  1.  HOW TO CONFIGURE SPLIT DNS
  2.  GlobalProtect: Implement Split Tunnel Domain and Applications 
  3.  Troubleshoot Split Tunnel Domain & Applications and Exclude Video Traffic
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oM3WCAU&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language