Prisma Access
Panorama
Table of Contents
Panorama
Panorama
Define tunnel settings for GlobalProtect app.
You can configure split tunnel settings based on Access Route or Domain and
Application.
- Configure split tunnel settings based on Access Route.
- ClickPanorama > Network > GlobalProtect > Gatewaysand select the gateway you want to customize.
- ClickAgent > Client Settingsand select the config.
- ClickSplit Tunnel > Access Route. The split tunnel settings are assigned to the virtual network adapter on the endpoint when the GlobalProtect app establishes a tunnel withPrisma Access. You can include or exclude specific destination IP subnet traffic from being sent over the VPN tunnel.
- EnableNo direct access to local networkoption to stop users from sending traffic directly to proxies or local resources while connected to GlobalProtect.Enable theNo direct access to local networksetting to reduce risks in untrusted networks such as rogue Wi-Fi access points.
- SelectIncludeandAddthe destination subnets or address object (of type IP Netmask) to route only certain traffic destined for your LAN to GlobalProtect. You can include IPv6 or IPv4 subnets. To include all destination subnets or address objects,Include0.0.0.0/0 and ::/0 as access routes.
- SelectExcludeAddthe destination subnets or address object (of type IP Netmask) that you want the app to exclude. Excluded routes should be more specific than the included routes; otherwise, you may exclude more traffic than intended. You can exclude IPv6 or IPv4 subnets.You cannot exclude access routes for endpoints running Android on Chromebooks. Only IPv4 routes are supported on Chromebooks.
- Save the tunnel settings.
- Configure split tunnel settings based on Domain and Application.
- ClickPanorama > Network > GlobalProtect > Gatewaysand select the gateway you want to customize.
- ClickAgent > Client Settingsand select the config.
- ClickSplit Tunnel > Domain and Applicationtab to configure split tunnel settings based on the destination domain.You might experience some incompatibility issues when using a third-party endpoint security product such as Sophos on macOS endpoints.
- (Optional)SelectInclude DomainandAddthe SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the destination domain and port. You can add up to 200 entries to the list. For example, add *.gmail.com to allow all Gmail traffic to go through the VPN tunnel.
- (Optional)SelectExclude DomainandAddthe SaaS or public cloud applications that you want to exclude from the VPN tunnel using the destination domain and port. You can add up to 200 entries to the list. For example, add *.target.com to exclude all Target traffic from the VPN tunnel.
- Configure split tunnel settings based on the application.Safari traffic cannot be added to the application-based split tunnel rule on macOS endpoints.You can use environment variables to configure a split tunnel based on the application on Windows and macOS endpoints.
- (Optional)SelectInclude Client Application Process NameandAddthe SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the application process name. You can add up to 200 entries to the list.
- (Optional)SelectExclude Client Application Process NameandAddthe SaaS or public cloud applications that you want to exclude from the VPN tunnel using the application process name. You can add up to 200 entries to the list.
- Save the tunnel settings.