>
    Strata Copilot
    Configure a Split Tunnel Based on the Domain and Application
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect Gateways
    5. Split Tunnel Traffic on GlobalProtect Gateways
    6. Configure a Split Tunnel Based on the Domain and Application
    Download PDF
    GlobalProtect

    Configure a Split Tunnel Based on the Domain and Application

    Table of Contents

    Configure a Split Tunnel Based on the Domain and Application

    Configure a split tunnel based on the destination domain and application.
    Where Can I Use This?What Do I Need?
    • NGFW (managed by Panorama or Strata Cloud Manager)
    • Prisma Access (managed by Panorama or Strata Cloud Manager)
    • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
    When you configure a split tunnel to include all traffic—IPv4 and IPv6—based the destination domain and port (optional) or application, all traffic going to that specific domain or application is sent through the VPN tunnel for inspection and policy enforcement. For example, you can allow all Salesforce traffic to go through the VPN tunnel using the *Salesforce.com destination domain. By including all Salesforce traffic in the VPN tunnel, you can provide secure access to the entire Salesforce domain and subdomains. You can configure a split tunnel without specifying a destination IP address subnet, which extends the split tunnel capability to domains and applications with dynamic public IP addresses, such as SaaS and public cloud applications.
    When you configure a split tunnel to exclude traffic—IPv4 and IPv6—based on the destination domain and port (optional) or application, all traffic for that specific application or domain is sent directly to the physical adapter on the endpoint without inspection. For example, you can exclude all Skype traffic from the VPN tunnel using the C:\Program Files (x86)\Skype\Phone\Skype application process name.
    Follow these recommendations when configuring a split tunnel based on the destination domain and application:
    • With a GlobalProtect license, you can enforce or apply split tunnel rules based on the destination domain and application to Windows and macOS endpoints.
    • On Linux endpoints running GlobalProtect app 6.1 or later you can apply split tunnel rules based on domain or access route only; split tunneling based on application is not supported on Linux endpoints.
    • On Windows devices, domain-based tunneling supports TCP traffic only; UDP traffic is not supported in domain-based split tunneling on Windows.
    • ICMP requests such as for latency, jitter, trace route tests are not supported for split tunneling based on the destination domain.
    • Supported on endpoints with Windows 7 Service Pack 2 and later releases and macOS 10.10 and later releases.
    Use the following steps to configure a split tunnel to include or exclude traffic based on the destination domain or application process name.
    1. Before you begin:
      1. Configure a GlobalProtect gateway.
      2. To modify an existing gateway or add a new one:
        • On Panorama, select NetworkGlobalProtectGateways<gateway-config>.
        • On Strata Cloud Manager (Prisma Access), select ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessGlobalProtectSetupGlobalProtect AppTunnel Settings.
        • On Strata Cloud Manager (NGFW), select ConfigurationNGFW and Prisma AccessDeviceGlobalProtectPortals and GatewaysGatewaysAdd Gateway.
    2. Enable a split tunnel.
      1. To enable split tunnel, do one of the following:
        • On Panorama, in the GlobalProtect Gateway Configuration dialog, select AgentTunnel Settings to enable Tunnel Mode.
        • On Strata Cloud Manager (Prisma Access), select ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessMobile Users ContainerGlobalProtectSetupGlobalProtect App. In the Tunnel Settings, select Default and specify spilt tunnel settings.
        • On Strata Cloud Manager (NGFW), select ConfigurationNGFW and Prisma AccessDeviceGlobalProtectPortals and GatewaysAgent SettingsAgent Tunnel Settings and then select Add Agent Tunnel SettingsSplit Tunneling and specify the tunnel settings.
      2. Configure the tunnel parameters for the GlobalProtect app.
    3. (Tunnel Mode only) Configure split tunnel settings based on the destination domain. These settings are assigned to the virtual network adapter on the endpoint when the GlobalProtect app establishes a tunnel with the gateway.
      You can apply DNS traffic in addition to network traffic if you have already specified Both Network Traffic and DNS as the Split-Tunnel Option in the App Configurations area of your GlobalProtect portal.
      1. In the GlobalProtect Gateway Configuration dialog, select AgentClient Settings<client-setting-config> to select an existing client settings configuration or add a new one.
        If you are using Strata Cloud Manager, do one of the following:
        • On Strata Cloud Manager (Prisma Access), select ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessMobile Users ContainerGlobalProtectSetupGlobalProtect App. In the Tunnel Settings, select Default and specify spilt tunnel settings. Under Split Tunneling, add Exclude Traffic or Include Traffic options.
        • On Strata Cloud Manager (NGFW), select ConfigurationNGFW and Prisma AccessDeviceGlobalProtectPortals and GatewaysAgent SettingsAgent Tunnel Settings and then select Add Agent Tunnel SettingsSplit Tunneling. Add Exclude Traffic or Include Traffic options.
      2. (Optional) Add the SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the destination domain and port (Split TunnelDomain and ApplicationInclude Domain). You can add up to 200 entries to the list. For example, add *.gmail.com to allow all Gmail traffic to go through the VPN tunnel.
      3. (Optional) Add the SaaS or public cloud applications that you want to exclude from the VPN tunnel using the destination domain and port (Split TunnelDomain and ApplicationExclude Domain). You can add up to 200 entries to the list. For example, add *.target.com to exclude all Target traffic from the VPN tunnel.
      4. Click OK to save the split tunnel settings.
    4. (Tunnel Mode only) Configure split tunnel settings based on the application.
      Safari traffic cannot be added to the application-based split tunnel rule on macOS endpoints.
      You can use environment variables to configure a split tunnel based on the application on Windows and macOS endpoints.
      1. In the GlobalProtect Gateway Configuration dialog, select AgentClient Settings<client-setting-config> to select an existing client settings configuration or add a new one.
        If you are using Strata Cloud Manager, do one of the following:
        • On Strata Cloud Manager (Prisma Access), select ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessMobile Users ContainerGlobalProtectSetupGlobalProtect App. In the Tunnel Settings, select Default and specify spilt tunnel settings. Under Split Tunneling, add Exclude Traffic or Include Traffic options.
        • On Strata Cloud Manager (NGFW), select ConfigurationNGFW and Prisma AccessDeviceGlobalProtectPortals and GatewaysAgent SettingsAgent Tunnel Settings and then select Add Agent Tunnel SettingsSplit Tunneling. Add Exclude Traffic or Include Traffic options.
      2. (Optional) Add the SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the application process name (Split TunnelDomain and ApplicationInclude Client Application Process Name. You can add up to 200 entries to the list. For example, add /Applications/RingCentral for Mac.app/Contents/MacOS/Softphone to allow all RingCentral-based traffic to go through the VPN tunnel on macOS endpoints.
      3. (Optional) Add the SaaS or public cloud applications that you want to exclude from the VPN tunnel using the application process name (Split TunnelDomain and ApplicationExclude Client Application Process Name). You can add up to 200 entries to the list. For example, add /Applications/Microsoft Lync.app/Contents/MacOS/Microsoft Lync to exclude all Microsoft Lync application traffic from the VPN tunnel.
      4. Click OK to save the split tunnel settings.
    5. Save the gateway configuration.
      1. Click OK to save the gateway configuration.
      2. Commit your changes.

    © 2026 Palo Alto Networks, Inc. All rights reserved.