All Adapters Are Detected as Domain Networks When Using Domain Based Split Tunneling on GlobalProtect

Created On 08/26/22 13:32 PM - Last Modified 04/25/25 20:18 PM


Symptom


  • Active Directory domain is configured under the Include Domain list of the Split Tunnel configuration on the GlobalProtect Gateway.
  • All interfaces are detected as being part of the Domain Network after connecting to GlobalProtect.
  • This happens even when the Physical interfaces do not have access to the Domain Network.


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS versions
  • GlobalProtect Gateway
  • Active Directory Domain configured under the Include Domain list of the Split Tunnel configuration
  • Windows Clients


Cause


When domain-based Split Tunneling is in effect, the following behavior is observed:

  • GlobalProtect will monitor all connections at the kernel level and make the decision on whether to bind the connection to the Physical Adapter or GlobalProtect Virtual Adapter.
  • GlobalProtect will rebind all connections of that domain to the GlobalProtect Virtual Adapter IP regardless of which interface initiated them.
  • When GlobalProtect connects, Windows NLA will re-check every adapter's location due to the network change.
  • This leads to testing Domain Controller Reachability via the network on each adapter.
  • Hence, all of those reachability checks initiated on separate adapters are instead bound to the GlobalProtect interface where the Domain Controller is actually reachable.
  • This results in all adapters passing the domain location check.
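
To confirm on a Windows client that this is what is happening, the following PowerShell check lists the NLA category of every connected adapter and flags any adapter other than the GlobalProtect virtual adapter that is classified as a domain network. It is an added example, not part of the original article or Palo Alto Networks tooling, and it assumes the GlobalProtect virtual adapter can be recognised by "PANGP" in its interface description.

```powershell
# Added example: report the NLA network category of every connected adapter and
# flag adapters other than the GlobalProtect virtual adapter that Windows has
# classified as DomainAuthenticated.
# Assumption: the GlobalProtect virtual adapter is recognised by "PANGP" in its
# interface description; change $GpPattern if the adapter is named differently.
$GpPattern = 'PANGP'

# Only adapters that are up have a connection profile worth reporting.
$adapters = Get-NetAdapter | Where-Object Status -eq 'Up'
$profiles = Get-NetConnectionProfile

$report = foreach ($p in $profiles) {
    $a = $adapters | Where-Object ifIndex -eq $p.InterfaceIndex
    if (-not $a) { continue }
    $isGp = $a.InterfaceDescription -match $GpPattern
    [pscustomobject]@{
        Adapter         = $p.InterfaceAlias
        Description     = $a.InterfaceDescription
        IsGlobalProtect = $isGp
        NetworkName     = $p.Name
        Category        = $p.NetworkCategory
        # True when a non-GlobalProtect adapter passed the domain location check
        DomainOffTunnel = (-not $isGp) -and ($p.NetworkCategory -eq 'DomainAuthenticated')
    }
}

$report | Format-Table -AutoSize

$flagged = @($report | Where-Object DomainOffTunnel)
if ($flagged.Count -gt 0) {
    Write-Warning ("{0} adapter(s) other than GlobalProtect are classified as DomainAuthenticated: {1}" -f `
        $flagged.Count, ($flagged.Adapter -join ', '))
} else {
    Write-Output 'No adapter other than GlobalProtect is classified as DomainAuthenticated.'
}
```

Run it once with GlobalProtect disconnected and once after connecting, then compare the Category column for the physical adapters between the two runs.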




Resolution


If the Active Directory Domain must be included in the Domain Split Tunneling settings, this is the expected behavior from Microsoft NLA and there is no known workaround.


