Split tunnel does not work on Mac OS X even though GlobalProtect correctly receives the split tunnel configuration

Created On 02/06/23 10:14 AM - Last Modified 03/21/25 20:17 PM


Symptom


Split tunneling does not work correctly even though GlobalProtect receives the split-tunnel configuration. The split-tunnel configuration that was received can be confirmed in PanGPS.log. Here is a sample from PanGPS.log:
gateway sample-gateway's config is 
        <response status="success">
                <need-tunnel>yes</need-tunnel>
                <ssl-tunnel-url>/ssl-tunnel-connect.sslvpn</ssl-tunnel-url>
                <portal>GP-Portal</portal>
                <user>GPUser01</user>
                <lifetime>2592000</lifetime>
                <timeout>10800</timeout>
                <disconnect-on-idle>10800</disconnect-on-idle>
                <bw-c2s>1000</bw-c2s>
                <bw-s2c>1000</bw-s2c>
                <gw-address>X.X.X.X</gw-address>
                <ipv6-connection>no</ipv6-connection>
                <ip-address>X.X.X.X</ip-address>
                <netmask>255.255.255.255</netmask>
                <ip-address-preferred>yes</ip-address-preferred>
                <dns>
                        <member>8.8.8.8</member>
                </dns> 
                <wins>
                </wins> 
                <dns-suffix>
                </dns-suffix> 
                <default-gateway>X.X.X.X</default-gateway>
                <mtu>0</mtu>
                <no-direct-access-to-local-network>yes</no-direct-access-to-local-network>
                <access-routes>
                        <member>0.0.0.0/0</member>
                        <member>8.8.8.8/32</member>
                </access-routes> 
                <exclude-access-routes>
                </exclude-access-routes> 
                <exclude-split-tunneling-application>
                        <member>/Applications/zoom.us.app/Contents/MacOS/zoom.us</member>
                </exclude-split-tunneling-application> 
...
In this case, only Zoom was a split-tunnel target.


Environment


  • GlobalProtect running on Mac OS.


Cause


If you see the following log entry in PanGPA.log, the required plugin has never been enabled on Mac OS.
Info ( 552): system ext is not ready. enable it first
Another way to confirm this is to check the systemextensionsctl.txt file, which will show the following:
GlobalProtectExtension	[activated waiting for user]
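
The three indicators above can be correlated in one pass. The following is an added example, not Palo Alto Networks code: it reads the application split-tunnel list from the gateway config in PanGPS.log and flags the case where the extension is still pending. The function names and the sample strings are constructed for illustration; feed it the text of your own PanGPS.log, PanGPA.log and systemextensionsctl.txt.

```python
import re

# Constructed samples, modelled on the log excerpts shown in this article.
SAMPLE_PANGPS = """gateway sample-gateway's config is
<response status="success">
    <access-routes>
        <member>0.0.0.0/0</member>
        <member>8.8.8.8/32</member>
    </access-routes>
    <exclude-access-routes>
    </exclude-access-routes>
    <exclude-split-tunneling-application>
        <member>/Applications/zoom.us.app/Contents/MacOS/zoom.us</member>
    </exclude-split-tunneling-application>
"""
SAMPLE_PANGPA = "Info ( 552): system ext is not ready. enable it first\n"
SAMPLE_SYSEXT = "GlobalProtectExtension\t[activated waiting for user]\n"


def members(log_text, tag):
    """Return the <member> values of the last <tag> block found in the log text."""
    t = re.escape(tag)
    # The logged config may be truncated, so match blocks instead of parsing XML.
    blocks = re.findall(rf"<{t}>(.*?)</{t}>", log_text, re.S)
    return re.findall(r"<member>(.*?)</member>", blocks[-1]) if blocks else []


def extension_state(sysext_text):
    """Return the bracketed state on the GlobalProtectExtension line, or None."""
    m = re.search(r"GlobalProtectExtension\s*\[([^\]]+)\]", sysext_text)
    return m.group(1) if m else None


def diagnose(pangps, pangpa, sysext):
    """Flag an app-based split tunnel that was received while the extension is pending."""
    apps = members(pangps, "exclude-split-tunneling-application")
    not_ready = "system ext is not ready" in pangpa
    state = extension_state(sysext)
    pending = state is not None and "waiting for user" in state
    return {"apps": apps, "not_ready_logged": not_ready, "state": state,
            "blocked": bool(apps) and (not_ready or pending)}


if __name__ == "__main__":
    print(diagnose(SAMPLE_PANGPS, SAMPLE_PANGPA, SAMPLE_SYSEXT))
```
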


Resolution


You need to enable the plugin on Mac OS, as described in the following document.

macOS System Extensions Support
https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-new-features/new-features-releases-in-gp-app/macos-system-extensions-support


Additional Information


Enable system and network extensions using Jamf Pro
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAW8CAO

