Prisma Access
GlobalProtect — Customize Tunnel Settings
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
GlobalProtect — Customize Tunnel Settings
Customize the settings for the VPN tunnel the GlobalProtect app establishes to
connect to
Prisma Access
.Where Can I Use
This? | What Do I Need? |
---|---|
|
|
Customize the settings for the VPN tunnel the GlobalProtect app establishes to
connect to
Prisma Access
. Tunnel settings include split tunneling options that you
can use to define what traffic the app sends to Prisma Access
and what can be routed
locally instead (like bandwidth intensive applications that aren’t required for
business use).The
Match Criteria
you define for tunnel settings tells Prisma
Access the users, devices, or systems that should receive the settings. For example,
you could specify that a tunnel settings rule applies to all instances of the
GlobalProtect app in a certain region. In Prisma Access (Managed by Panorama)
, you can
configure split tunnel settings based on Access Route and Domain and
Application.Cloud Management
Cloud Management
Define tunnel settings for GlobalProtect app.
- Click.Manage > Service Setup > Mobile Users > GlobalProtect Setup > GlobalProtect App > Add Tunnel SettingsIf you are using Strata Cloud Manager, click.Workflow >Prisma AccessSetup > Mobile User > GlobalProtect Setup > GlobalProtect App > Add Tunnel Settings
- Enter a name and theMatch Criteriato specify the users, devices, or systems that should receive the settings. For example, you could specify that a tunnel settings rule applies to all instances of the GlobalProtect app in a certain region.
- EnableAuthentication OverrideforPrisma Accessto generate and accept secure, encrypted cookies for user authentication. This setting allows the user to provide login credentials only once during the specified period of time.
- Generate cookie for authentication override—Enables the Prisma Access to generate encrypted, endpoint-specific cookies and issue authentication cookies to the endpoint.
- Accept cookie for authentication override—EnablesPrisma Accessto authenticate users with a valid, encrypted cookie. When the app presents a valid cookie,Prisma Accessverifies that the cookie was encrypted byPrisma Accessoriginally, decrypts the cookie, and then authenticates the user.The GlobalProtect app must know the username of the connecting user to match and retrieve the associated authentication cookies from the user’s endpoint. After the app retrieves the cookies, it sends them toPrisma Accessfor user authentication.
- EnableSplit Tunnelingto define what traffic the GlobalProtect app allows or restricts through the VPN tunnel toPrisma Access. Split Tunneling conserves bandwidth by excluding trafficPrisma Accessthat is not business critical or does not enable productivity.
- Local Network Access—Give Windows and Mac users access to local resources, without requiring them to first connect to Prisma Access.Exclude Traffic—Specify traffic to exclude fromPrisma Accesspolicy inspection and enforcement based on application, domain, and route (like an IP address).Customize Include Traffic—By default, the GlobalProtect app routes all traffic toPrisma Accessexcept what's in the exclude list. Specify traffic that the GlobalProtect app should always route toPrisma Access, even when it meets exclude list criteria.
- Exclude Video Stream Trafficto not send video streaming traffic from the listed applications toPrisma Access. By excluding lower risk video streaming traffic (such as YouTube and Netflix) from the VPN tunnel, you can decrease bandwidth consumption. The video streaming exclusions are applied to all traffic the GlobalProtect app sends toPrisma Access, not just the match criteria you've defined for this rule.
- Save the settings. Repeat the above steps to add more tunnel settings.
- (Optional)Moveto set the order of priority in which the VPN tunnel setting is used while connecting toPrisma Access.
Panorama
Panorama
Define tunnel settings for GlobalProtect app.
You can configure split tunnel settings based on Access Route or Domain and
Application.
- Configure split tunnel settings based on Access Route.
- ClickPanorama > Network > GlobalProtect > Gatewaysand select the gateway you want to customize.
- ClickAgent > Client Settingsand select the config.
- ClickSplit Tunnel > Access Route. The split tunnel settings are assigned to the virtual network adapter on the endpoint when the GlobalProtect app establishes a tunnel withPrisma Access. You can include or exclude specific destination IP subnet traffic from being sent over the VPN tunnel.
- EnableNo direct access to local networkoption to stop users from sending traffic directly to proxies or local resources while connected to GlobalProtect.Enable theNo direct access to local networksetting to reduce risks in untrusted networks such as rogue Wi-Fi access points.
- SelectIncludeandAddthe destination subnets or address object (of type IP Netmask) to route only certain traffic destined for your LAN to GlobalProtect. You can include IPv6 or IPv4 subnets. To include all destination subnets or address objects,Include0.0.0.0/0 and ::/0 as access routes.
- SelectExcludeAddthe destination subnets or address object (of type IP Netmask) that you want the app to exclude. Excluded routes should be more specific than the included routes; otherwise, you may exclude more traffic than intended. You can exclude IPv6 or IPv4 subnets.You cannot exclude access routes for endpoints running Android on Chromebooks. Only IPv4 routes are supported on Chromebooks.
- Save the tunnel settings.
- Configure split tunnel settings based on Domain and Application.
- ClickPanorama > Network > GlobalProtect > Gatewaysand select the gateway you want to customize.
- ClickAgent > Client Settingsand select the config.
- ClickSplit Tunnel > Domain and Applicationtab to configure split tunnel settings based on the destination domain.You might experience some incompatibility issues when using a third-party endpoint security product such as Sophos on macOS endpoints.
- (Optional)SelectInclude DomainandAddthe SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the destination domain and port. You can add up to 200 entries to the list. For example, add *.gmail.com to allow all Gmail traffic to go through the VPN tunnel.
- (Optional)SelectExclude DomainandAddthe SaaS or public cloud applications that you want to exclude from the VPN tunnel using the destination domain and port. You can add up to 200 entries to the list. For example, add *.target.com to exclude all Target traffic from the VPN tunnel.
- Configure split tunnel settings based on the application.Safari traffic cannot be added to the application-based split tunnel rule on macOS endpoints.You can use environment variables to configure a split tunnel based on the application on Windows and macOS endpoints.
- (Optional)SelectInclude Client Application Process NameandAddthe SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the application process name. You can add up to 200 entries to the list.
- (Optional)SelectExclude Client Application Process NameandAddthe SaaS or public cloud applications that you want to exclude from the VPN tunnel using the application process name. You can add up to 200 entries to the list.
- Save the tunnel settings.