How To gather initial information for Global Protect Split tunnel issues on MAC O/S
569
Created On 01/20/23 17:12 PM - Last Modified 10/27/25 06:25 AM
Objective
To help with initial data gathering of MAC O/S based Global Protect clients having issues with split tunneling or other related issues on the MAC O/S clients.
Environment
MAC O/S based Global Protect clients with the PaloAlto Networks Firewall configured with split tunneling.
Procedure
Follow these steps to gather initial data to assist with troubleshooting MAC O/S based GP clients using split tunneling:
STEP a) Disconnect and reconnect to Global Protect:
| Disconnect: | Connect: |
STEP b) Change the debug level to “Dump”, to make sure that PanGPS.log will contain the details related to split-tunnel functionality
Settings -> Troubleshooting -> Logs:
STEP c) Enable tcpdump using the MAC O/S Terminal. The following will capture packets on all of the MAC O/S interfaces. Take packet captures from the terminal, Wireshark should NOT be used. Use this command to gather pcaps from all MAC interfaces:
$ sudo tcpdump -i all -k INP -w gptest.pcapng
STEP d) Next, perform a "refresh connection" by clicking on the three lines at the top right corner on GP agent:
STEP e) Initiate ping to if the destination IP address is known.
STEP f) Initiate traffic that demonstrates the issue.
STEP g) Change GP log level back to Debug level:
Settings -> Troubleshooting -> Logs:
STEP h) Collect the below output from MAC O/S CLI terminal:
$ netstat -arn $ systemextensionsctl list $ sudo launchctl list | grep -i palo $ ps aux | grep -i com.paloaltonetworks.GlobalProtect.client.extension $ ps aux | grep nesessionmanager $ ps aux | grep sysextd
STEP i) Make sure to mark the time of the test using the local MAC's clock for the GP logs.
STEP j) Collect the GP logs, packet captures, MAC O/S Terminal outputs, attach them to the case and also provide the time stamp of the test time:
How to Collect Logs from GlobalProtect Clients