Configure Split Tunneling for Secure Agentless Access Traffic

For users trying to access Secure Agentless Access from managed devices, configure split tunneling for the SAA domain to help improve performance.
Where Can I Use This?
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • Prisma Access 5.2.1
  • Minimum Prisma Access dataplane version: 11.2.4
  • Prisma Access license with a Mobile User subscription
  • Secure Agentless Access add-on license
Secure Agentless Access (SAA) users typically access the SAA portal from unmanaged devices where the GlobalProtect agent isn't installed. If your users access SAA from managed devices, configure split tunneling for the SAA domain to help improve performance.
You can configure split tunnel settings according to the Prisma Access management interface you're using.

Configure Split Tunneling for Secure Agentless Access Traffic (Strata Cloud Manager)

For managed devices, you can configure split tunneling for Secure Agentless Access traffic on Strata Cloud Manager to help improve SAA performance.
In use cases where SAA is being accessed from managed devices that have GlobalProtect installed, configure split tunneling for the SAA domain to help improve performance.
  1. From Strata Cloud Manager, go to Configuration > NGFW and Prisma Access > Configuration Scope > Prisma Access > Mobile Users Container > GlobalProtect > Setup > GlobalProtect App.
  2. In the Tunnel Settings section, select Default.
  3. Configure split tunnel settings to exclude traffic based on the destination domain.
    1. In the Exclude Traffic section, click Add Domain.
    2. Enter the Domain you're using for SAA. This can be the default SAA domain (*.panwpra.com or *.panwsaa.com) or your custom SAA domain.
    3. Save your domain.
  4. Save your tunnel settings and Push Config.

Configure Split Tunneling for Secure Agentless Access Traffic (Panorama)

For managed devices, you can configure split tunneling for Secure Agentless Access traffic on Panorama to help improve SAA performance.
In use cases where your users access SAA from managed devices that have GlobalProtect installed, configure split tunneling for the SAA domain to help improve performance.
  1. In the Cloud Services plugin, select Network > GlobalProtect > Gateways > <GlobalProtect_External_Gateway>.
  2. Configure split tunnel settings for SAA based on the destination domain. These settings are assigned to the virtual network adapter on the endpoint when the tunnel is established with the gateway.
    1. In the GlobalProtect Gateway Configuration dialog, select Agent > Client Settings > Default.
    2. In the Configs dialog, select Split Tunnel > Domain and Application > Exclude Domain.
    3. Add the SAA domain that you want to exclude from the tunnel using the destination domain. This can be the default SAA domain (*.panwsaa.com) or your custom SAA domain.
    4. Click OK to save the split tunnel settings and Commit your changes.
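
Because excluded domains leave the GlobalProtect tunnel, the exclude list from either procedure above is worth reviewing before you push or commit. The following is an added example, not Palo Alto Networks code: it audits a list of exclude-domain entries copied by hand from the GUI against the default SAA domains named on this page. The custom domain `saa.corp.example` and the sample entries are constructed for illustration.

```python
# Added example: audit a split-tunnel exclude-domain list before pushing it.
# DEFAULT_SAA comes from this page; everything else is an illustrative assumption.
DEFAULT_SAA = {"*.panwpra.com", "*.panwsaa.com"}

def normalize(entry):
    """Lowercase the entry and strip whitespace and any trailing dot."""
    return entry.strip().lower().rstrip(".")

def is_too_broad(entry):
    """True when fewer than two fixed labels remain, e.g. '*' or '*.com'.

    Limitation: no public-suffix list is used, so '*.co.uk' is not caught.
    """
    fixed = [label for label in entry.split(".") if label and "*" not in label]
    return len(fixed) < 2

def audit_excludes(entries, custom_domains=()):
    """Classify exclude entries as SAA-related, unexpected, or too broad."""
    allowed = DEFAULT_SAA | {normalize(d) for d in custom_domains}
    seen = {normalize(e) for e in entries if e.strip()}
    too_broad = sorted(e for e in seen if is_too_broad(e))
    unexpected = sorted(e for e in seen
                        if e not in allowed and e not in too_broad)
    return {
        "saa_excluded": sorted(seen & allowed),  # entries this page calls for
        "unexpected": unexpected,                # review: why is this excluded?
        "too_broad": too_broad,                  # would bypass the tunnel widely
    }

if __name__ == "__main__":
    # Constructed sample: entries as typed into the Exclude Domain list.
    sample = ["*.panwsaa.com", " *.PANWPRA.com. ", "*.com", "*",
              "*.example.net", "saa.corp.example"]
    report = audit_excludes(sample, custom_domains=["saa.corp.example"])
    for category, items in report.items():
        print(f"{category}: {items}")
```
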