Log Collection for macOS Split Tunneling Issues

• PAN-OS 8.1 and above
• GlobalProtect App 5.1.8 and above
• macOS clients

For include/exclude applications, please be aware that you must have all those applications installed before GP login. Otherwise, you would need to reconnect to GP after you install those applications. So, please double check that all application paths configured in include/exclude application list exist on the client device before GP login.

Please follow below steps to collect the information from client side only:

1. In the macOS Terminal, run below command to capture packets 

   sudo tcpdump -i all -k INP -w gptest.pcapng

2. Change GP logging level to Dump (Settings -> Troubleshooting -> Logging Level)
3. If the issue may involve the GP login process, please disconnect or disable first and reconnect to GP
4. Start to reproduce the issue
5. Once the issue is reproduced, stop the packet capture and collect the GP logs (Settings -> Troubleshooting -> Collect Logs)
6. Change GP logging level back to Debug
7. Collect gptest.pcapng (which would be saved under /Users/<username> path) and GP logs
8. Please run below commands to check if any third party applications use system extensions or kernel extensions:
   1. Following command checks if any third party application uses system extensions 

      systemextensionsctl list

   2. Check System Preferences -> Network to see if the application's network extension is loaded or not. Please take a screenshot for reference
   3. Following command shows all third party kernel extensions 

      kextstat -l | grep -v apple

Kindly note the time of the issue, domain name and the process involved accessing the domain. For example, 14:05:00 PST, using Chrome to access www.yahoo.com, it shows unreachable.