Optimized Split Tunneling for GlobalProtect
GlobalProtect™ now supports split tunneling based on
destination domain, application process name, and video streaming
application.
Software Support
: Starting with GlobalProtect™
App 4.1 and with PAN-OS® 8.1 and later releasesOS Support
:
Windows 7 Service Pack 2 and later releases and macOS 10.10 and
later releasesIn addition to route-based split tunneling, the GlobalProtect
app for Windows and macOS endpoints now supports split tunneling
based on destination domain, client process, and HTTP/HTTPS video
streaming application.
This enhancement requires a GlobalProtect
subscription.
This enhancement enables you to:
- Tunnel enterprise SaaS and public cloud applications for comprehensive SaaS application visibility and control to avoid risks associated with Shadow IT in environments where it is not feasible to tunnel all traffic.
- Send latency-sensitive traffic, such as VoIP, outside the VPN tunnel, while all other traffic goes through the VPN for inspection and policy enforcement by the GlobalProtect gateway.
- Exclude HTTP/HTTPS video streaming traffic from the VPN tunnel. Video streaming applications, such as YouTube and Netflix, consume large amounts of bandwidth. By excluding lower risk video streaming traffic from the VPN tunnel, you can decrease bandwidth consumption on the gateway.
The firewall App-ID functionality
identifies the video stream before allowing traffic to be split
tunneled.
The following list describes the order in
which the split tunnel rules are applied:
When you
configure a split tunnel to include traffic based on the application
process name or destination domain and port (optional), all traffic
for that specific application or domain is sent through the VPN
tunnel for inspection and policy enforcement. For example, you can
allow all Salesforce traffic to go through the VPN tunnel using
the
*Salesforce.com
destination domain. By including all
Salesforce traffic in the VPN tunnel, you can provide secure access
to the entire Salesforce domain and subdomains.When you configure
a split tunnel to exclude traffic based on the application process
name or destination domain and port (optional), all traffic for
that specific application or domain is sent directly to the physical
adapter on the endpoint without inspection. For example, you can
exclude all Slack traffic from the VPN tunnel using the
C:\Program
Files\Slack Deployment\slackDeploymentTool
application process
name.Use the following steps to configure a split tunnel
for public applications or video streams:
- Configure a split tunnel to include or exclude public applications based on the destination domain:
- Select to modify an existing gateway orAdda new one.
- Enable split tunneling.
- On the tab, enableTunnel Modeto enable split tunneling.
- Configure the tunnel parameters for the GlobalProtect app.
- Configure a split tunnel to include or exclude SaaS or public cloud applications based on the destination domain and port (optional).This feature supports both IPv4 and IPv6 traffic.
- On the tab, select an existing client setting orAdda new one.
- Disable theNo direct access to local networkoption (). If enabled, this setting disables split tunneling on Windows, Linux, and macOS networks.
- (Optional)Addthe SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the destination domain and port (). You can add up to 200 entries to the list. For example, add*.office365.comto allow all Office 365 traffic to go through the VPN tunnel.
- (Optional)Addthe SaaS or public cloud applications that you want to exclude from the VPN tunnel using the destination domain and port (). You can add up to 200 entries to the list. For example, add*.engadget.comto exclude all Engadget traffic from the VPN tunnel.
- ClickOKto save your client settings.
- Save the gateway configuration.
- ClickOKto save the gateway configuration.
- Commityour changes.
- Configure a split tunnel to include or exclude public applications based on the application process name:
- Select to modify an existing gateway or add a new one.
- Enable split tunneling.
- On the tab, enableTunnel Modeto enable split tunneling.
- Configure the tunnel parameters for the GlobalProtect app.
- Configure a split tunnel to include or exclude SaaS or public cloud applications based on the application process name.This feature supports both IPv4 and IPv6 traffic.
- On the tab, select an existing client setting orAdda new one.
- Disable theNo direct access to local networkoption (). This setting disables split tunneling on Windows, Linux, and macOS networks.
- (Optional)Addthe SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the application process name (. You can add up to 200 entries to the list. For example, add/Application/Safari.app/Contents/MacOS/Safarito allow all Safari-based traffic to go through the VPN tunnel on macOS endpoints.
- (Optional)Addthe SaaS or public cloud applications that you want to exclude from the VPN tunnel using the application process name (). You can add up to 200 entries to the list. For example, add/Applications/Microsoft Lync.app/Contents/MacOS/MicrosoftLyncto exclude all Microsoft Lync application traffic from the VPN tunnel.
- ClickOKto save your client settings.
- Save the gateway configuration.
- ClickOKto save the gateway configuration.
- Commityour changes.
- Configure a split tunnel to exclude video streaming traffic:
- Select to modify an existing gateway or add a new one.
- Enable split tunneling.
- On the tab, enableTunnel Modeto enable split tunneling.
- Configure the tunnel parameters for the GlobalProtect app.
- Configure a split tunnel to exclude video streaming traffic from the VPN tunnel.All video traffic types are redirected for the following video streaming applications:
- YouTube
- Dailymotion
- Netflix
If you exclude any other video streaming applications from the VPN tunnel, only the following video traffic types are redirected for those applications:- MP4
- WebM
- MPEG
The App-ID functionality on the firewall identifies the video stream before traffic can be split tunneled.If the physical adapter on a Windows or macOS endpoint supports only IPv4 addresses, the endpoint user cannot access the video streaming applications that you exclude from the VPN tunnel when you configure the GlobalProtect gateway to assign IPv6 addresses to the virtual network adapters on the endpoints that connect to the gateway. In this case, ensure that the IP pools used to assign IP addresses to the virtual network adapters on these endpoints do not include any IPv6 addresses ( or ).If you exclude video streaming traffic from the VPN tunnel (), do not include web browser applications, such as Firefox or Chrome, in the VPN tunnel (). This ensures that there is no conflicting logic in the split tunnel configuration and that your users can stream videos from web browsers.To exclude Sling TV app traffic from the VPN tunnel, use application-based split tunneling ().- On the tab, enable the option toExclude video applications from the tunnel.If you enable this option but do not select specific video streaming applications to exclude from the VPN tunnel, all video streaming traffic is excluded.
- (Optional)BrowsetheApplicationslist to view all of the video streaming applications that you can exclude from the VPN tunnel. Click the add icon () for the application(s) that you want to exclude. For example, click the add icon for
directvto exclude DIRECTV video streaming traffic from the VPN tunnel.
- (Optional)Addthe video streaming applications that you want to exclude from the VPN tunnel using theApplicationsdrop-down—a shortened version of theApplicationslist that contains some of the most popular video streaming applications. For example, selectyoutube-streamingfrom theApplicationsdrop-down to exclude all YouTube-based video streaming traffic from the VPN tunnel.
- Save the gateway configuration.
- ClickOKto save the gateway configuration.
- Commityour changes.
