Optimized Split Tunneling for GlobalProtect

GlobalProtect™ now supports split tunneling based on destination domain, application process name, and video streaming application.
Software Support: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.1 and later releases
OS Support: Windows 7 Service Pack 2 and later releases and macOS 10.10 and later releases
In addition to route-based split tunneling, the GlobalProtect app for Windows and macOS endpoints now supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application.
This enhancement requires a GlobalProtect subscription.
This enhancement enables you to:
  • Tunnel enterprise SaaS and public cloud applications for comprehensive SaaS application visibility and control to avoid risks associated with Shadow IT in environments where it is not feasible to tunnel all traffic.
  • Send latency-sensitive traffic, such as VoIP, outside the VPN tunnel, while all other traffic goes through the VPN for inspection and policy enforcement by the GlobalProtect gateway.
  • Exclude HTTP/HTTPS video streaming traffic from the VPN tunnel. Video streaming applications, such as YouTube and Netflix, consume large amounts of bandwidth. By excluding lower risk video streaming traffic from the VPN tunnel, you can decrease bandwidth consumption on the gateway.
The firewall App-ID functionality identifies the video stream before allowing traffic to be split tunneled.
The following figure shows the order in which the split tunnel rules are applied:
[Figure: split-tunnel.png (order in which the split tunnel rules are applied)]
When you configure a split tunnel to include traffic based on the application process name or destination domain and port (optional), all traffic for that specific application or domain is sent through the VPN tunnel for inspection and policy enforcement. For example, you can allow all Salesforce traffic to go through the VPN tunnel using the *Salesforce.com destination domain. By including all Salesforce traffic in the VPN tunnel, you can provide secure access to the entire Salesforce domain and subdomains.
When you configure a split tunnel to exclude traffic based on the application process name or destination domain and port (optional), all traffic for that specific application or domain is sent directly to the physical adapter on the endpoint without inspection. For example, you can exclude all Skype traffic from the VPN tunnel using the C:\Program Files (x86)\Skype\Phone\Skype application process name.
Use the following steps to configure a split tunnel for public applications or video streams:
  • Configure a split tunnel to include or exclude public applications based on the destination domain:
    1. Select Network > GlobalProtect > Gateways to modify an existing gateway or Add a new one.
    2. Enable split tunneling.
      1. On the Agent > Tunnel Settings tab, enable Tunnel Mode to enable split tunneling.
      2. Configure the tunnel parameters for the GlobalProtect app.
    3. Configure a split tunnel to include or exclude SaaS or public cloud applications based on the destination domain and port (optional).
      This feature supports both IPv4 and IPv6 traffic.
      1. On the Agent > Client Settings tab, select an existing client setting or Add a new one.
      2. Disable the No direct access to local network option (Split Tunnel > Access Route). If enabled, this setting disables split tunneling on Windows, Linux, and macOS networks.
      3. (Optional) Add the SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the destination domain and port (Split Tunnel > Domain and Application > Include Domain). You can add up to 200 entries to the list. For example, add *.office365.com to allow all Office 365 traffic to go through the VPN tunnel.
      4. (Optional) Add the SaaS or public cloud applications that you want to exclude from the VPN tunnel using the destination domain and port (Split Tunnel > Domain and Application > Exclude Domain). You can add up to 200 entries to the list. For example, add *.engadget.com to exclude all Engadget traffic from the VPN tunnel.
      5. Click OK to save your client settings.
    4. Save the gateway configuration.
      1. Click OK to save the gateway configuration.
      2. Commit your changes.
  • Configure a split tunnel to include or exclude public applications based on the application process name:
    1. Select Network > GlobalProtect > Gateways to modify an existing gateway or add a new one.
    2. Enable split tunneling.
      1. On the Agent > Tunnel Settings tab, enable Tunnel Mode to enable split tunneling.
      2. Configure the tunnel parameters for the GlobalProtect app.
    3. Configure a split tunnel to include or exclude SaaS or public cloud applications based on the application process name.
      This feature supports both IPv4 and IPv6 traffic.
      1. On the Agent > Client Settings tab, select an existing client setting or Add a new one.
      2. Disable the No direct access to local network option (Split Tunnel > Access Route). This setting disables split tunneling on Windows, Linux, and macOS networks.
      3. (Optional) Add the SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the application process name (Split Tunnel > Domain and Application > Include Client Application Process Name). You can add up to 200 entries to the list. For example, add /Applications/Safari.app/Contents/MacOS/Safari to allow all Safari-based traffic to go through the VPN tunnel on macOS endpoints.
      4. (Optional) Add the SaaS or public cloud applications that you want to exclude from the VPN tunnel using the application process name (Split Tunnel > Domain and Application > Exclude Client Application Process Name). You can add up to 200 entries to the list. For example, add /Applications/Microsoft Lync.app/Contents/MacOS/MicrosoftLync to exclude all Microsoft Lync application traffic from the VPN tunnel.
      5. Click OK to save your client settings.
    4. Save the gateway configuration.
      1. Click OK to save the gateway configuration.
      2. Commit your changes.
  • Configure a split tunnel to exclude video streaming traffic:
    1. Select Network > GlobalProtect > Gateways to modify an existing gateway or add a new one.
    2. Enable split tunneling.
      1. On the Agent > Tunnel Settings tab, enable Tunnel Mode to enable split tunneling.
      2. Configure the tunnel parameters for the GlobalProtect app.
    3. Configure a split tunnel to exclude video streaming traffic from the VPN tunnel.
      All video traffic types are redirected for the following video streaming applications:
      • YouTube
      • Dailymotion
      • Netflix
      If you exclude any other video streaming applications from the VPN tunnel, only the following video traffic types are redirected for those applications:
      • MP4
      • WebM
      • MPEG
      The App-ID functionality on the firewall identifies the video stream before traffic can be split tunneled.
      If the physical adapter on a Windows or macOS endpoint supports only IPv4 addresses, the endpoint user cannot access the video streaming applications that you exclude from the VPN tunnel when you configure the GlobalProtect gateway to assign IPv6 addresses to the virtual network adapters on the endpoints that connect to the gateway. In this case, ensure that the IP pools used to assign IP addresses to the virtual network adapters on these endpoints do not include any IPv6 addresses (Network > GlobalProtect > Gateways > Agent > Client IP Pool, or Client Settings > IP Pools).
      If you exclude video streaming traffic from the VPN tunnel (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Video Traffic), do not include web browser applications, such as Firefox or Chrome, in the VPN tunnel (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-setting> > Split Tunnel > Domain and Application). This ensures that there is no conflicting logic in the split tunnel configuration and that your users can stream videos from web browsers.
      To exclude Sling TV app traffic from the VPN tunnel, use application-based split tunneling (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-setting-config> > Split Tunnel > Domain and Application > Exclude Client Application Process Name).
      1. On the Agent > Video Traffic tab, enable the option to Exclude video applications from the tunnel.
        If you enable this option but do not select specific video streaming applications to exclude from the VPN tunnel, all video streaming traffic is excluded.
      2. (Optional) Browse the Applications list to view all of the video streaming applications that you can exclude from the VPN tunnel. Click the add icon for the application(s) that you want to exclude. For example, click the add icon for directv to exclude DIRECTV video streaming traffic from the VPN tunnel.
        [Screenshot: Applications list on the Agent > Video Traffic tab]
      3. (Optional) Add the video streaming applications that you want to exclude from the VPN tunnel using the Applications drop-down, a shortened version of the Applications list that contains some of the most popular video streaming applications. For example, select youtube-streaming from the Applications drop-down to exclude all YouTube-based video streaming traffic from the VPN tunnel.
        [Screenshot: Applications drop-down on the Agent > Video Traffic tab]
    4. Save the gateway configuration.
      1. Click OK to save the gateway configuration.
      2. Commit your changes.
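As an added example (not code from the GlobalProtect documentation or from Palo Alto Networks), the following Python lint checks a constructed split-tunnel configuration against the constraints the procedure above states: the 200-entry limit per list, the local-network option that disables split tunneling, a browser process included in the tunnel while video traffic is excluded, and IPv6 client IP pools combined with video exclusion. The config dict layout, the browser basenames, the Firefox path and IP pools in the sample, and glob-style domain matching are all assumptions of this example, not documented product behaviour.

```python
# Added example, not from the GlobalProtect documentation: lints a constructed
# split-tunnel config against the constraints this page states.
from fnmatch import fnmatch
import ipaddress

MAX_ENTRIES = 200                           # per-list limit stated on the page
BROWSERS = {"firefox", "chrome", "safari"}  # assumed browser process basenames

def process_basename(path):
    """Last path component of a process entry, lower-cased, minus any .exe."""
    base = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base

def domain_matches(pattern, host):
    """Glob-style match of a domain entry against a hostname (assumed semantics)."""
    return fnmatch(host.lower(), pattern.lower())

def lint_split_tunnel(cfg):
    """Return a list of findings for the constructed gateway config dict `cfg`."""
    findings = []
    if cfg.get("no_direct_access_to_local_network"):
        findings.append("'No direct access to local network' disables split tunneling")
    for name in ("include_domain", "exclude_domain", "include_process", "exclude_process"):
        if len(cfg.get(name, [])) > MAX_ENTRIES:
            findings.append(f"{name}: more than {MAX_ENTRIES} entries")
    for pat in set(cfg.get("include_domain", [])) & set(cfg.get("exclude_domain", [])):
        findings.append(f"{pat}: listed in both include_domain and exclude_domain")
    for pat in cfg.get("include_domain", []) + cfg.get("exclude_domain", []):
        if pat.startswith("*") and not pat.startswith("*."):
            findings.append(f"{pat}: under glob matching a leading '*' without '.' also "
                            "matches hosts that merely end in this string; confirm intent")
    if cfg.get("exclude_video_traffic"):
        for proc in cfg.get("include_process", []):
            if process_basename(proc) in BROWSERS:
                findings.append(f"{proc}: browser in include list while video is excluded")
        for pool in cfg.get("ip_pools", []):
            if ipaddress.ip_network(pool, strict=False).version == 6:
                findings.append(f"{pool}: IPv6 pool blocks excluded video on IPv4-only adapters")
    return findings

# Constructed sample config (page examples plus an assumed Firefox path and IP pools).
SAMPLE = {
    "no_direct_access_to_local_network": False,
    "include_domain": ["*.office365.com", "*Salesforce.com"],
    "exclude_domain": ["*.engadget.com"],
    "include_process": [r"C:\Program Files\Mozilla Firefox\firefox.exe"],
    "exclude_process": [r"C:\Program Files (x86)\Skype\Phone\Skype"],
    "exclude_video_traffic": True,
    "ip_pools": ["10.10.0.0/16", "2001:db8::/64"],
}
```

Running `lint_split_tunnel(SAMPLE)` reports three findings: the bare `*Salesforce.com` pattern, the included Firefox process, and the IPv6 pool.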
