GlobalProtect Administrator's Guide
  • GlobalProtect Administrator's Guide
  • GlobalProtect Documentation
  • All Documentation
>
Wildcard Support for Split Tunnel Settings Based on the Application
Focus
Download PDF
Focus
  1. Home
  2. GlobalProtect
  3. GlobalProtect Gateways
  4. Split Tunnel Traffic on GlobalProtect Gateways
  5. Configure a Split Tunnel Based on the Domain and Application
  6. Wildcard Support for Split Tunnel Settings Based on the Application
Download PDF
GlobalProtect

Wildcard Support for Split Tunnel Settings Based on the Application

Table of Contents

Wildcard Support for Split Tunnel Settings Based on the Application

Wildcard Support for Split Tunnel Settings Based on the Application
Where Can I Use This?What Do I Need?
  • GlobalProtect Subscription License
  • Prisma Access
  • GlobalProtect app version 6.3.1 and later versions
  • GlobalProtect app running on windows, and macOS endpoints
Starting from GlobalProtect app 6.3.1 version, you can configure the path for the endpoint application using wildcard character (*) while configuring split-tunnel based on application, both for exclude as well as include traffic. You can add up to 200 entries to the list to exclude or include the traffic through the VPN tunnel.
When you use the wildcard character in the application path and add it in the exclude or include list for split-tunnel, GlobalProtect bypasses the application check for that particular application path even when the application path changes after a software or patch update.
For example, when you apply wildcard character to the path for third-party applications such as Symantec Web Security Service (WSS) or MicrosoftTeams, you don't need to manually update the exclude list for the application in the split-tunnel configuration each time the third-party application path changes after a software update.
To configure the path for the endpoint application using wildcard character (*) while configuring split-tunnel based on applicationon, you must:
  1. Ensure that the GlobalProtect portal is configured.
  2. Ensure that the GlobalProtect Gateway is configured.
  3. Ensure that split-tunnel based on application is configured for the GlobalProtect gateway.
  4. Configure split tunnel settings based on the application.
    1. In the GlobalProtect Gateway Configuration dialog, select AgentClient Settings<client-setting-config> to select an existing client settings configuration or add a new one.
    2. Add the SaaS or public cloud applications that you want to exclude from the VPN tunnel using the application process name (Split TunnelDomain and ApplicationExclude Client Application Process Name). You can add up to 200 entries to the list. For example, add /Applications/Microsoft Lync.app/*/MacOS/Microsoft Lync application traffic from the VPN tunnel.
      Previously the paths were added without wildcards:
      C:\Program Files\WindowsApps\MSTeams_23335.219.2592.8659_x64__8wekyb3d8bbwe\ms-teams.exe.
      After you enable the wildcard support feature, you can add the path with (*):
      C:\Program Files\WindowsApps\*\ms-teams.exe
    3. Click OK to save the split tunnel settings.
    Windows
    macOS
    • You can use wildcard for any application path in the split-tunnel configuration.
    • Only one wildcard character is supported in an application path. For example, Applications/Microsoft Lync.app/*/MacOS/Microsoft Lync. Application path with more than one wildcard character is not supported. For example, C:\Users\user1\AppData\Roaming\*\*\Zoom_launcher.exe
    • The name of the application path should end with the application name and not the folder name. For example: C:\Program Files\WindowsApps\*\ms-teams.exe. It cannot be C:\Program Files\WindowsApps\*

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.