Log Collection for Split Tunneling Issues on Windows Clients

Created On 07/27/21 23:49 PM - Last Modified 07/28/21 19:21 PM


Objective


This article provides the steps to collect the necessary data to troubleshoot split tunneling issues on Windows GlobalProtect clients.

Environment


  • PAN-OS 8.1 and above
  • GlobalProtect App 5.1.8 and above
  • Windows clients


Procedure


  1. Download and install DebugView on your Windows client. Run DebugView as Administrator, open the Capture menu, and enable Capture Kernel, Enable Verbose Kernel Output, Pass-Through and Capture Events. Output can be logged to a file by selecting File > Log to File, or saved to a text file later.
     https://docs.microsoft.com/en-us/sysinternals/downloads/debugview
  2. Set the GlobalProtect App logging level to Dump. (Settings -> Troubleshooting -> Logging Level)
  3. Set up packet capture on both the Internet / External interface and the PanGP virtual interface simultaneously. In Wireshark, use Capture > Options and select both interfaces.
     NOTE: Use the ipconfig /all command output to select the correct interfaces in Wireshark. For example, the PanGP virtual interface can be Ethernet2 and the external interface can be WiFi or Ethernet. It varies from PC to PC, depending on the type of interface used.
  4. From a command prompt, issue the command ipconfig /flushdns to flush the DNS cache. This helps capture the DNS queries in the pcap for domain-based split tunneling.
  5. Generate the intended traffic. If testing domain-based split tunneling, use private browsing or incognito mode in case the browser caches any DNS queries.
  6. Once the test is completed, save the DebugView output, GlobalProtect dump level logs and packet capture.
  7. Collect a screenshot of the Details tab of the following system file (Right-click > Properties > Details):
     C:\WINDOWS\system32\DRIVERS\gpfltdrv.sys
  8. Upload the following to the TAC support case:
  • DebugView log
  • GlobalProtect dump level log
  • Wireshark capture
  • Screenshot of the gpfltdrv.sys file
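
The PowerShell script below is an added example, not part of the original article and not Palo Alto Networks tooling. It records the adapter list used to pick the two capture interfaces, writes the gpfltdrv.sys version and signature details to a text file to keep alongside the screenshot, and flushes the DNS cache once the capture is running. The output folder name and the `*PANGP*` adapter-description match are assumptions.

```powershell
# Added helper, not vendor code. Run from an elevated PowerShell prompt.
# Assumptions: the output folder name and the '*PANGP*' description match.
$outDir = Join-Path $env:USERPROFILE 'gp-split-tunnel-evidence'   # hypothetical folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Adapter inventory: used to choose the external and PanGP interfaces in Wireshark.
$adapters = Get-NetAdapter | Sort-Object ifIndex |
    Select-Object Name, InterfaceDescription, ifIndex, Status, MacAddress
$adapters | Format-Table -AutoSize | Out-String -Width 200 |
    Set-Content (Join-Path $outDir 'adapters.txt')
ipconfig /all | Set-Content (Join-Path $outDir 'ipconfig-all.txt')

$tunnel = $adapters | Where-Object { $_.InterfaceDescription -like '*PANGP*' }
if ($tunnel) {
    Write-Host "Candidate PanGP virtual interface: $($tunnel.Name -join ', ')"
} else {
    Write-Warning 'No adapter matched *PANGP*; identify it from ipconfig-all.txt.'
}

# Driver file details: a text record of what the Details tab shows,
# plus hash and signature state so the exact binary can be identified later.
$driver = Join-Path $env:SystemRoot 'System32\drivers\gpfltdrv.sys'
if (Test-Path $driver) {
    $file = Get-Item $driver
    $sig  = Get-AuthenticodeSignature $driver
    [pscustomobject]@{
        Path            = $file.FullName
        FileVersion     = $file.VersionInfo.FileVersion
        ProductVersion  = $file.VersionInfo.ProductVersion
        LastWriteTime   = $file.LastWriteTime
        SHA256          = (Get-FileHash $driver -Algorithm SHA256).Hash
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
    } | Format-List | Out-String |
        Set-Content (Join-Path $outDir 'gpfltdrv-details.txt')
} else {
    Write-Warning "Driver not found at $driver"
}

# Flush DNS only after the capture is running, so the first lookups land in the pcap.
Read-Host 'Start the Wireshark capture on both interfaces, then press Enter' | Out-Null
Clear-DnsClientCache
Write-Host "DNS cache flushed. Evidence files written to $outDir"
```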


Additional Information


Log Collection for macOS Split Tunneling Issues


