Host a Split Tunnel Configuration File on a Web Server

1. Create and sign the split tunnel configuration file.

   1. Create your split tunnel configuration file in XML format, as in the following example.

   2. Sign the configuration file.

      For example, if the signature file name is config_signature.sha256:

      openssl dgst -sha256 -sign private_key.pem -out config_signature.sha256 config.txt

      You can optionally verify the signature:

      openssl dgst -sha256 -verify public_key.pem -signature config_signature.sha256 config.txt

      Base64 encoding signature file (no wrapping):

      openssl base64 -A -in config_signature.sha256 -out encoded_signature.txt
   3. Add the encoded digest to the configuration file.

      1. Add the encoded digest as the first line in the configuration file. It must be on a single line.
      2. Add the split tunnel configuration as the second line.
      3. If you want the traffic to be routed through GlobalProtect by default, add an <access-routes> section with the default route 0.0.0.0/0.

      The content in the file must not be terminated with a NULL character (ASCII '\0', or ^@)" ).

   4. Host the split tunnel configuration file you just created on a web server that your GlobalProtect endpoints can access.
   5. Enable mutual authentication.

      You will need the public key certificate that you use for mutual authentication for the GlobalProtect configuration.

      For example, to host the split tunnel configuration file in AWS behind the network load balancers protected by the AWS network firewall, you would do the following:

      1. Provision EC2 instances to host servers.
      2. • Create network load balancers (NLB) and configure listeners on TCP port 443.
         • Create Target Groups with port 443 and associate EC2 instances to the Target Groups.
         • Configure the network firewall and two stateless rule groups and associate them with the configured firewalls that you have provisioned. Configure rule 1 to drop packets to all ports and protocols from a specific IP address or subnet. Configure rule 2 to allow packets to TCP port 443.
         • Configure the VPC routing tables to forward traffic from the internet to the NLB via the network firewall.
2. Add the public key certificate you used on your web server to the portal configuration.

   In the App Configurations area, paste the public key certificate in the Enhanced Split Tunnel Client Certificate Public Key field.

3. Enable split tunneling and add the URL for your split tunnel configuration file.

   1. To enable split tunnel, do one of the following:

      • On Panorama, in the GlobalProtect Gateway Configuration dialog, select AgentTunnel Settings to enable Tunnel Mode.
      • On Strata Cloud Manager (Prisma Access), select ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessMobile Users ContainerGlobalProtectSetupGlobalProtect App. In the Tunnel Settings, select Default and specify spilt tunnel settings.
      • On Strata Cloud Manager (NGFW), select ConfigurationNGFW and Prisma AccessDeviceGlobalProtectPortals and GatewaysAgent SettingsAgent Tunnel Settings and then select Add Agent Tunnel SettingsSplit Tunneling.
   2. Configure the tunnel parameters for the GlobalProtect app.
   3. In the GlobalProtect Gateway Configuration dialog, select AgentClient Settings and select an existing client settings configuration or add a new one.
   4. Select Split Tunnel and in the Include Domain section, add the URL of your split tunnel configuration file as the first entry in the Include Domain section.

      Only HTTPS URLs are supported.

   5. Click OK and Commit the changes.

      On Strata Cloud Manager (NGFW), to host a profile:

      1. Select ConfigurationNGFW and Prisma AccessDeviceGlobalProtectProfilesGateway Agent Profiles.
      2. Click Add Profile.
      3. In the Add Gateway Agent Profile page, under Agent Tunnel Settings section, add access routes.