You can now exclude specific destination IP
subnet traffic from being sent over the VPN tunnel. With this feature,
you can send latency sensitive or high bandwidth consuming traffic
outside of the VPN tunnel while all other traffic is routed through
the VPN for inspection and policy enforcement by the GlobalProtect
Now, the routes you send through the VPN tunnel can
be defined either as the routes you include in the tunnel, or as
routes that you exclude from the tunnel, or a combination of both.
For example, you can set up split tunneling to allow remote users
to access the internet without going through the VPN tunnel. More
specific routes take precedence over less-specific routes. If you
don’t include or exclude routes, every request is routed through
the tunnel (no split tunneling).
Select the gateway you want to modify, or add a
Enable tunneling and configure the tunnel parameters for
an agent configuration.
On the GlobalProtect Gateway Configuration dialog, select
add or modify client settings for the agent.
to define a split
tunnel configuration for the client.
With a split tunnel, you can define the traffic that flows
through the VPN by including routes, excluding routes, or both.
In some cases, it can be easier to specify the routes you want the
client to exclude, rather than specifying all the routes you want
to include. For example, if you want to tunnel everything except
one or two class C networks, you can exclude these few networks
rather than compiling a long list of the networks you want to include.
you only exclude routes, all other routes are included by default.
If you only include routes, all other routes are excluded by default.
In the case of a conflict between included and excluded routes,
the more specific route configuration will be honored.
No direct access to local network
disabled. This setting disables split tunneling for networks on
Windows and Mac OS.
) In the
destination subnets or address object (of type IP Netmask) to route
only some traffic—likely traffic destined for your LAN—to GlobalProtect.
These are the routes the gateway pushes to the remote users’
endpoint and thereby determines what traffic the users’ endpoint
can send through the VPN connection.
) In the
destination subnets or address object (of type
that you want the client to exclude.
These routes will be sent through the endpoint’s physical
adapter rather than through the virtual adapter (the tunnel). Excluded
routes should be more specific than the included routes; otherwise,
you may exclude more traffic than you intended.
routes is not supported on Android. Only IPv4 routes are supported