Limitation of GlobalProtect Include/Exclude Client Application Process Name

Created On 05/15/20 23:21 PM - Last Modified 05/20/22 20:12 PM


Symptom


  • Starting with GlobalProtect App version 4.1, with a firewall running PAN-OS 8.1 as the GlobalProtect Gateway, users can configure GlobalProtect Split Tunnel based on traffic originating from the client process.
  • In some cases, an application on the endpoint dynamically creates separate sub-directories containing child application files, and the network connection originates from the application within those sub-directories.
  • One example of such an application is GoToMeeting. Tracing the application that opens the network connection reveals folder paths like:
C:\Users\user\AppData\Local\GoToMeeting\17359\g2mcomm.exe
C:\Users\user\AppData\Local\GoToMeeting\18223\g2mcomm.exe
Because the sub-directories and corresponding application files are created and removed dynamically, a customer would want to use a wildcard in the application process names when configuring Split Tunnel, for example:
%LOCALDATA%\GoToMeeting\*\g2mcomm.exe

A folder path in this format will not work when configured.
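
To see on a given endpoint which executable path currently owns the network connection, as traced in the symptom above, the following PowerShell lists each process named g2mcomm that holds an established TCP connection, with its full path and parent directory. This is an added example, not part of the original article; it assumes the process name g2mcomm taken from the paths above and uses the standard Get-NetTCPConnection and Get-Process cmdlets.

```powershell
# Added example: map established TCP connections to the full path of the
# owning executable, to show the dynamically created sub-directory in use.
# Assumption: the process name 'g2mcomm' comes from the paths in the article.
$processName = 'g2mcomm'

Get-NetTCPConnection -State Established |
    Group-Object -Property OwningProcess |
    ForEach-Object {
        # Group name is the owning process ID; the process may have exited already.
        $proc = Get-Process -Id ([int]$_.Name) -ErrorAction SilentlyContinue
        if ($proc -and $proc.ProcessName -eq $processName) {
            # Path can be empty when the session lacks rights to query the process.
            $path = $proc.Path
            $dir  = if ($path) { Split-Path -Path $path -Parent } else { '<path not readable>' }
            $peers = $_.Group |
                ForEach-Object { '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort } |
                Sort-Object -Unique

            [pscustomobject]@{
                ProcessId   = $proc.Id
                Path        = $path
                ParentDir   = $dir
                RemotePeers = $peers -join ', '
            }
        }
    } |
    Format-List
```

The ParentDir value is the dynamically created folder; it changes when the application creates a new sub-directory, which is why a fixed path entry stops matching.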


Environment


  • GlobalProtect Gateway hosted on the firewall.
  • Supported PAN-OS versions.
  • GlobalProtect App 4.1, 5.0, 5.1, 5.2 and 6.0.
  • Split Tunnel Settings


Cause


Wildcards are currently not supported in the process and folder path.

Resolution


  • Do not use a wildcard in the application process name setting because it is currently not supported.
  • At this time, no other solution or workaround is available.
  • If this is a required feature that needs to be supported in GlobalProtect, submit a feature request with the designated Systems Engineer or Account team.

