How to configure Split Tunnel settings to forward all DNS traffic through physical adapter only?

• By default, GlobalProtect app would send all DNS request packets through the tunnel.
• This article provides the GlobalProtect configuration for sending the DNS request packet through the physical adapter.

• Palo Alto Firewalls
• Supported PAN-OS
• GlobalProtect (GP) App
• GlobalProtect Portal with Split DNS enabled
• GlobalProtect Gateway with Split tunneling enabled

Follow the steps below to create a separate configuration on the firewall for the users that require their DNS resolutions to occur through physical interface only:

1. Portal Agent configuration:
   1. Set the value of Split-Tunnel Option to Both Network Traffic and DNS

GUI: Network > GlobalProtect > Portals > [portal-name] > Agent > [agent-config] > App

2. Gateway agent configuration:
   1. Add all of the internal LAN IP addresses (ie. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to the Include Access Route list.

GUI: Network > GlobalProtect > Gateways > [gateway-name] > Agent > Client Settings > [agent-name] > Split Tunnel > Access Route

1. 2. Add an unresolvable FQDN like "dummy.local" to Include Domain list.

GUI: Network > GlobalProtect > Gateways > [gateway-name] > Agent > Client Settings > [agent-name] > Split Tunnel > Domain and Application

1. 3. Add an IP address that is NOT a DNS server such as 172.19.0.1 in Network Services.

GUI: Network > GlobalProtect > Gateways > [gateway-name] > Agent > Client Settings > [agent-name] > Split Tunnel > Domain and Application

3. Commit the configuration changes.
4. Have the users perform "Refresh Connection" from GP app to get the new gateway settings.