How To capture logs for GlobalProtect Split tunnel issues on macOS

This article aims to collect essential data for troubleshooting macOS split tunneling issues.

• Next-Gen Firewalls
• Supported PAN-OS versions
• Supported GlobalProtect (GP) App versions
• macOS clients

• When using include/exclude for any applications, those applications must be installed prior connecting to GlobalProtect.
• If the applications are installed later, GP App must be reconnected.

Follow the steps listed below to collect the logs information from client side.

1. In the macOS Terminal, run below command to capture packets. 

   $ sudo tcpdump -i all -k INP -w gptest.pcapng

2. Change GP logging level to Dump (Settings -> Troubleshooting -> Logs).

3. If the issue involves the GP login, disconnect and reconnect the GP App.

4. Reproduce the issue.
5. Once the issue is reproduced, stop the packet capture and collect the GP logs (Settings -> Troubleshooting -> Collect Logs).
6. Change GP logging level back to Debug.

7. Collect gptest.pcapng (which would be saved under /Users/<username> path) and GP logs.
8. Run the commands below to check if any third party applications use system extensions:

$ netstat -arn
$ systemextensionsctl list
$ sudo launchctl list | grep -i palo
$ ps aux | grep -i com.paloaltonetworks.GlobalProtect.client.extension
$ ps aux | grep nesessionmanager
$ ps aux | grep sysextd

9. Check System Preferences -> Network to see if the application's network extension is loaded. Take a screenshot for reference.
10. Note down the time of the issue, domain name and the process involved accessing the domain. (Example, 14:05:00 PST, using Chrome to access www.yahoo.com, shows unreachable).

Log Collection for Split Tunneling Issues on Windows Clients