With Enhanced Split Tunnel you can manage the list domains, access routes, and applications that you want to include or exclude from the GlobalProtect tunnel using a split-tunnel configuration file that you host locally in your environment. This allows you to modify your split-tunnel settings without having to modify the configuration on the GlobalProtect gateway. In addition, this feature increases the number of included and excluded split-tunnel access routes and domains that you can define from 200 to 1,000. To use this capability, create the XML file and host it on a web server that your GlobalProtect endpoints can reach. To secure the XML file, you must sign it and then enable mutual TLS on the server hosting the split-tunnel configuration file. You can push the public key certificate from the portal configuration to the endpoint. The endpoint needs the certificate to authenticate to the web server.