Host a Split Tunnel Configuration File on a Web Server


Host a Split Tunnel Configuration File on a Web Server

Table of Contents

Host a Split Tunnel Configuration File on a Web Server

Host a split tunnel configuration file on a local web server for expanded support for domains, access routes and applications that you can update dynamically.
Where Can I Use This?
What Do I Need?
  • Prisma Access
  • GlobalProtect Subscription
  • Prisma Access Mobile Users license (for use with Prisma Access)
  • GlobalProtect app version 6.2 or later for Windows and macOS
  • Content release version 8699-7991 or later
You can either define your split tunnel configuration on the GlobalProtect gateway, or you can host it in a Split Tunnel configuration file that you host on a web server in your environment. In order to push the split tunnel configuration to the endpoint:
  • Your split tunnel configuration file must parse as valid XML
  • The web server must be reachable by all endpoints configured to fetch the split tunnel configuration file
  • The server and the client must be able to mutually authenticate
If the GlobalProtect app cannot fetch the split tunnel configuration file, it falls back to the split tunnel configuration that you have configured on the gateway.
The following table shows the split tunnel configuration limits when the configuration is hosted on GlobalProtect vs. when it is hosted in a Split Tunnel Configuration file in your environment:
Split Tunnel By...
Configured on GlobalProtect Gateway
Hosted on a Web Server
Access Route
  1. Create and sign the split tunnel configuration file.
    1. Create your split tunnel configuration file in XML format, as in the following example.
    2. Sign the configuration file.
      For example, if the signature file name is config_signature.sha256:
      openssl dgst -sha256 -sign private_key.pem -out config_signature.sha256 config.txt
      You can optionally verify the signature:
      openssl dgst -sha256 -verify public_key.pem -signature config_signature.sha256 config.txt
      Base64 encoding signature file (no wrapping):
      openssl base64 -A -in config_signature.sha256 -out encoded_signature.txt
    3. Add the encoded digest to the configuration file.
      1. Add the encoded digest as the first line in the configuration file. It must be on a single line.
      2. Add the split tunnel configuration as the second line.
      3. If you want the traffic to be routed through GlobalProtect by default, add an <access-routes> section with the default route
      The content in the file must not be terminated with a NULL character (ASCII '\0', or ^@)" ).
    4. Host the split tunnel configuration file you just created on a web server that your GlobalProtect endpoints can access.
    5. Enable mutual authentication.
      You will need the public key certificate that you use for mutual authentication for the GlobalProtect configuration.
      For example, to host the split tunnel configuration file in AWS behind the network load balancers protected by the AWS network firewall, you would do the following:
      1. Provision EC2 instances to host servers.
        • Create network load balancers (NLB) and configure listeners on TCP port 443.
        • Create Target Groups with port 443 and associate EC2 instances to the Target Groups.
        • Configure the network firewall and two stateless rule groups and associate them with the configured firewalls that you have provisioned. Configure rule 1 to drop packets to all ports and protocols from a specific IP address or subnet. Configure rule 2 to allow packets to TCP port 443.
        • Configure the VPC routing tables to forward traffic from the internet to the NLB via the network firewall.
  2. Add the public key certificate you used on your web server to the portal configuration.
    In the App Configurations area, paste the public key certificate in the
    Enhanced Split Tunnel Client Certificate Public Key
  3. Enable split tunneling and add the URL for your split tunnel configuration file.
    1. In the GlobalProtect Gateway Configuration dialog, select
      Tunnel Settings
      and enable
      Tunnel Mode
    2. Configure the tunnel parameters for the GlobalProtect app.
    3. In the GlobalProtect Gateway Configuration dialog, select
      Client Settings
      and select an existing client settings configuration or add a new one.
    4. Select
      Split Tunnel
      and in the Include Domain section, add the URL of your split tunnel configuration file as the first entry in the Include Domain section.
      Only HTTPS URLs are supported.
    5. Click
      the changes.

Recommended For You