Split Tunnel to Exclude by Access Route
You can now exclude specific destination IP subnet traffic from being sent over the VPN tunnel. With this feature, you can send latency sensitive or high bandwidth consuming traffic outside of the VPN tunnel while all other traffic is routed through the VPN for inspection and policy enforcement by the GlobalProtect gateway.
Now, the routes you send through the VPN tunnel can be defined either as the routes you include in the tunnel, or as routes that you exclude from the tunnel, or a combination of both. For example, you can set up split tunneling to allow remote users to access the internet without going through the VPN tunnel. More specific routes take precedence over less-specific routes. If you don’t include or exclude routes, every request is routed through the tunnel (no split tunneling).
- Configure the GlobalProtect gateway.
- Select the gateway you want to modify, or add a new gateway.
- Enable tunneling and configure the tunnel parameters for an agent configuration.
- On the GlobalProtect Gateway Configuration dialog, select AgentClient Settings to add or modify client settings for the agent.
- Select Client SettingsSplit Tunnel to define a split
tunnel configuration for the client.With a split tunnel, you can define the traffic that flows through the VPN by including routes, excluding routes, or both. In some cases, it can be easier to specify the routes you want the client to exclude, rather than specifying all the routes you want to include. For example, if you want to tunnel everything except one or two class C networks, you can exclude these few networks rather than compiling a long list of the networks you want to include.If you only exclude routes, all other routes are included by default. If you only include routes, all other routes are excluded by default. In the case of a conflict between included and excluded routes, the more specific route configuration will be honored.
- Make sure No direct access to local network is disabled. This setting disables split tunneling for networks on Windows and Mac OS.
- (Optional) In the Includes area, Add the
destination subnets or address object (of type IP Netmask) to route
only some traffic—likely traffic destined for your LAN—to GlobalProtect.These are the routes the gateway pushes to the remote users’ endpoint and thereby determines what traffic the users’ endpoint can send through the VPN connection.
- (Optional) In the Excludes area, Add the
destination subnets or address object (of type IP Netmask)
that you want the client to exclude.These routes will be sent through the endpoint’s physical adapter rather than through the virtual adapter (the tunnel). Excluded routes should be more specific than the included routes; otherwise, you may exclude more traffic than you intended.Excluding routes is not supported on Android. Only IPv4 routes are supported on Chrome.
- Save the gateway configuration.
- Click OK twice
- Commit your changes.
Client Settings Tab
Client Settings Tab Select Network GlobalProtect Gateways Agent Client Settings to configure settings for the virtual network adapter on the client system when an agent ...
Configure a GlobalProtect Gateway
Configure a GlobalProtect gateway to enforce security policies and provide VPN access for your users. ...
Configure GlobalProtect Gateways for LSVPN
Configure GlobalProtect Gateways for LSVPN Because the GlobalProtect configuration that the portal delivers to the satellites includes the list of gateways the satellite can connect ...
GlobalProtect Features New GlobalProtect Features Description Clientless VPN You can now use Clientless VPN for securing remote access to common enterprise web applications that use ...
Windows OS Batch Script Examples
Windows OS Batch Script Examples You can configure the GlobalProtect agent to initiate and run a script for any or all of the following events: ...
GlobalProtect Gateway Satellite Configuration Tab
GlobalProtect Gateway Satellite Configuration Tab A satellite is a Palo Alto Networks firewall—typically at a branch office—that acts as a GlobalProtect agent to enable it ...
Prepare the Satellite to Join the LSVPN
Prepare the Satellite to Join the LSVPN To participate in the LSVPN, the satellites require a minimal amount of configuration. Because the required configuration is ...
GlobalProtect Features Clientless VPN IPv6 for GlobalProtect Split Tunnel to Exclude by Access Route External Gateway Priority by Source Region Internal Gateway Selection by Source ...
Gateway Configuration Disable split tunneling. To do this, ensure there are no Access Routes specified in Agent Client Settings Split Tunnel settings. See Configure a ...