Split tunnel does not work on Mac OS X even though GlobalProtect correctly receives the split-tunnel configuration
Created On 02/06/23 10:14 AM - Last Modified 03/21/25 20:17 PM
Symptom
Split tunnel does not work correctly even though GlobalProtect receives the split-tunnel configuration. The split-tunnel configuration can be confirmed in PanGPS.log. Here is a sample from PanGPS.log.
gateway sample-gateway's config is
<response status="success">
<need-tunnel>yes</need-tunnel>
<ssl-tunnel-url>/ssl-tunnel-connect.sslvpn</ssl-tunnel-url>
<portal>GP-Portal</portal>
<user>GPUser01</user>
<lifetime>2592000</lifetime>
<timeout>10800</timeout>
<disconnect-on-idle>10800</disconnect-on-idle>
<bw-c2s>1000</bw-c2s>
<bw-s2c>1000</bw-s2c>
<gw-address>X.X.X.X</gw-address>
<ipv6-connection>no</ipv6-connection>
<ip-address>X.X.X.X</ip-address>
<netmask>255.255.255.255</netmask>
<ip-address-preferred>yes</ip-address-preferred>
<dns>
<member>8.8.8.8</member>
</dns>
<wins>
</wins>
<dns-suffix>
</dns-suffix>
<default-gateway>X.X.X.X</default-gateway>
<mtu>0</mtu>
<no-direct-access-to-local-network>yes</no-direct-access-to-local-network>
<access-routes>
<member>0.0.0.0/0</member>
<member>8.8.8.8/32</member>
</access-routes>
<exclude-access-routes>
</exclude-access-routes>
<exclude-split-tunneling-application>
<member>/Applications/zoom.us.app/Contents/MacOS/zoom.us</member>
</exclude-split-tunneling-application>
...
In this case, only Zoom was a split-tunnel target.
Environment
- GlobalProtect running on Mac OS.
Cause
If you see the following log in PanGPA.log, the required plugin has never been enabled on Mac OS.
Info ( 552): system ext is not ready. enable it first
Another way to confirm is to check the systemextensionsctl.txt file, which will show the following.
GlobalProtectExtension [activated waiting for user]
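The checks above can be run together against the collected log files. The following is an added example, not Palo Alto Networks code: the function names are hypothetical and the sample inputs are constructed from the excerpts quoted in this article. It reads the split-tunnel members from the truncated XML in PanGPS.log and correlates them with the extension status from PanGPA.log and systemextensionsctl.txt.

```python
import re

# Constructed inputs modelled on the excerpts quoted in this article.
SAMPLE_PANGPS = """gateway sample-gateway's config is
<response status="success">
<access-routes>
<member>0.0.0.0/0</member>
<member>8.8.8.8/32</member>
</access-routes>
<exclude-access-routes>
</exclude-access-routes>
<exclude-split-tunneling-application>
<member>/Applications/zoom.us.app/Contents/MacOS/zoom.us</member>
</exclude-split-tunneling-application>
...
"""
SAMPLE_PANGPA = "Info ( 552): system ext is not ready. enable it first\n"
SAMPLE_SYSEXT = "GlobalProtectExtension [activated waiting for user]\n"


def members(log_text, tag):
    """<member> values from the last <tag> block; regex because the logged XML is truncated."""
    blocks = re.findall(rf"<{re.escape(tag)}>(.*?)</{re.escape(tag)}>", log_text, re.S)
    if not blocks:
        return []
    return [m.strip() for m in re.findall(r"<member>(.*?)</member>", blocks[-1], re.S)]


def extension_state(sysext_text):
    """State shown in brackets on the GlobalProtectExtension line, or None if absent."""
    m = re.search(r"GlobalProtectExtension[^\n]*\[([^\]\n]+)\]", sysext_text)
    return m.group(1) if m else None


def diagnose(pangps, pangpa, sysext):
    """Hypothetical helper: correlate received split-tunnel config with extension status."""
    apps = members(pangps, "exclude-split-tunneling-application")
    excluded_routes = members(pangps, "exclude-access-routes")
    state = extension_state(sysext)
    not_ready = ("system ext is not ready" in pangpa
                 or (state is not None and "waiting for user" in state))
    return {
        "excluded_apps": apps,
        "excluded_routes": excluded_routes,
        "extension_state": state,
        # Config arrived, but the extension this article says is required is not approved.
        "split_tunnel_blocked": bool(apps or excluded_routes) and not_ready,
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_PANGPS, SAMPLE_PANGPA, SAMPLE_SYSEXT))
```
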
Resolution
You must enable the plugin on Mac OS by following the instructions in the document below.
macOS system extensions support
https://docs.paloaltonetworks.com/globalprotect/5-1/globalprotect-app-new-features/new-features-released-in-gp-app/macos-system-extensions-support
Additional Information
Enable system and network extensions using Jamf Pro
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAW8CAO