Optimized Split Tunneling for GlobalProtect

GlobalProtect™ now supports split tunneling based on destination domain, application process name, and video streaming application.
Software Support: Starting with GlobalProtect™ App 4.1 and with PAN-OS® 8.1 and later releases
OS Support: Windows 7 Service Pack 2 and later releases and macOS 10.10 and later releases
In addition to route-based split tunneling, the GlobalProtect app for Windows and macOS endpoints now supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application.
This enhancement requires a GlobalProtect subscription.
This enhancement enables you to:
  • Tunnel enterprise SaaS and public cloud applications through the gateway, which gives you visibility and control over SaaS use (and so reduces Shadow IT risk) in environments where it is not feasible to tunnel all traffic.
  • Send latency-sensitive traffic, such as VoIP, outside the VPN tunnel, while all other traffic goes through the VPN for inspection and policy enforcement by the GlobalProtect gateway.
  • Exclude HTTP/HTTPS video streaming traffic from the VPN tunnel. Video streaming applications, such as YouTube and Netflix, consume large amounts of bandwidth. By excluding lower-risk video streaming traffic from the VPN tunnel, you decrease bandwidth consumption on the gateway.
The firewall App-ID functionality identifies the video stream before allowing traffic to be split tunneled.
The order in which the split tunnel rules are applied is shown in the following figure:
[Figure: split-tunnel.png, order in which the split tunnel rules are applied]
When you configure a split tunnel to include traffic based on the application process name or destination domain and port (optional), all traffic for that application or domain is sent through the VPN tunnel for inspection and policy enforcement. For example, you can send all Salesforce traffic through the VPN tunnel using the *.salesforce.com destination domain. By including all Salesforce traffic in the VPN tunnel, you provide secure access to the entire Salesforce domain and its subdomains.
When you configure a split tunnel to exclude traffic based on the application process name or destination domain and port (optional), all traffic for that application or domain is sent directly to the physical adapter on the endpoint, so it receives no inspection or policy enforcement from the gateway. For example, you can exclude all Skype traffic from the VPN tunnel using the C:\Program Files (x86)\Skype\Phone\Skype.exe application process name.
Use the following steps to configure a split tunnel for public applications or video streams:
  • Configure a split tunnel to include or exclude public applications based on the destination domain:
    1. Configure a GlobalProtect gateway.
      Select Network > GlobalProtect > Gateways to modify an existing gateway or Add a new one.
    2. Enable split tunneling.
      1. On the Agent > Tunnel Settings tab, enable Tunnel Mode to enable split tunneling.
      2. Configure the tunnel parameters for the GlobalProtect app.
    3. Configure a split tunnel to include or exclude SaaS or public cloud applications based on the destination domain and port (optional).
      This feature supports both IPv4 and IPv6 traffic.
      1. On the Agent > Client Settings tab, select an existing client setting or Add a new one.
      2. Disable the No direct access to local network option (Split Tunnel > Access Route). If this option is enabled, split tunneling is disabled on Windows, Linux, and macOS endpoints.
      3. (Optional) Add the SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the destination domain and port (Split Tunnel > Domain and Application > Include Domain). You can add up to 200 entries to the list. For example, add *.office365.com to send all Office 365 traffic through the VPN tunnel.
      4. (Optional) Add the SaaS or public cloud applications that you want to exclude from the VPN tunnel using the destination domain and port (Split Tunnel > Domain and Application > Exclude Domain). You can add up to 200 entries to the list. For example, add *.engadget.com to exclude all Engadget traffic from the VPN tunnel.
      5. Click OK to save your client settings.
    4. Save the gateway configuration.
      1. Click OK to save the gateway configuration.
      2. Commit your changes.
  • Configure a split tunnel to include or exclude public applications based on the application process name:
    1. Configure a GlobalProtect gateway.
      Select Network > GlobalProtect > Gateways to modify an existing gateway or Add a new one.
    2. Enable split tunneling.
      1. On the Agent > Tunnel Settings tab, enable Tunnel Mode to enable split tunneling.
      2. Configure the tunnel parameters for the GlobalProtect app.
    3. Configure a split tunnel to include or exclude SaaS or public cloud applications based on the application process name.
      This feature supports both IPv4 and IPv6 traffic.
      1. On the Agent > Client Settings tab, select an existing client setting or Add a new one.
      2. Disable the No direct access to local network option (Split Tunnel > Access Route). If this option is enabled, split tunneling is disabled on Windows, Linux, and macOS endpoints.
      3. (Optional) Add the SaaS or public cloud applications that you want to route to GlobalProtect through the VPN connection using the application process name (Split Tunnel > Domain and Application > Include Client Application Process Name). You can add up to 200 entries to the list. For example, add /Applications/Safari.app/Contents/MacOS/Safari to send all Safari traffic through the VPN tunnel on macOS endpoints.
      4. (Optional) Add the SaaS or public cloud applications that you want to exclude from the VPN tunnel using the application process name (Split Tunnel > Domain and Application > Exclude Client Application Process Name). You can add up to 200 entries to the list. For example, add /Applications/Microsoft Lync.app/Contents/MacOS/MicrosoftLync to exclude all Microsoft Lync traffic from the VPN tunnel.
      5. Click OK to save your client settings.
    4. Save the gateway configuration.
      1. Click OK to save the gateway configuration.
      2. Commit your changes.
  • Configure a split tunnel to exclude video streaming traffic:
    1. Configure a GlobalProtect gateway.
      Select Network > GlobalProtect > Gateways to modify an existing gateway or Add a new one.
    2. Enable split tunneling.
      1. On the Agent > Tunnel Settings tab, enable Tunnel Mode to enable split tunneling.
      2. Configure the tunnel parameters for the GlobalProtect app.
    3. Configure a split tunnel to exclude video streaming traffic from the VPN tunnel.
      For the following video streaming applications, all video traffic types are excluded from the tunnel:
      • YouTube
      • Dailymotion
      • Netflix
      If you exclude any other video streaming application from the VPN tunnel, only the following video traffic types are excluded for that application:
      • MP4
      • WebM
      • MPEG
      The App-ID functionality on the firewall identifies the video stream before the traffic can be split tunneled.
      Excluded video traffic leaves through the physical adapter on the endpoint. If that adapter supports only IPv4 addresses but you configure the GlobalProtect gateway to assign IPv6 addresses to the virtual network adapters of connecting endpoints, users on those Windows or macOS endpoints cannot reach the video streaming applications you excluded from the VPN tunnel. For such endpoints, ensure that the IP pools used to assign addresses to the virtual network adapters contain no IPv6 addresses (Network > GlobalProtect > Gateways > Agent > Client IP Pool, or Client Settings > IP Pools).
      If you exclude video streaming traffic from the VPN tunnel (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Video Traffic), do not include web browser applications, such as Firefox or Chrome, in the VPN tunnel (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-setting> > Split Tunnel > Domain and Application). The two rules would conflict, and keeping browsers out of the include list ensures that your users can still stream video from a browser.
      To exclude Sling TV app traffic from the VPN tunnel, use application-based split tunneling (Network > GlobalProtect > Gateways > <gateway-config> > Agent > Client Settings > <client-setting-config> > Split Tunnel > Domain and Application > Exclude Client Application Process Name).
      1. On the Agent > Video Traffic tab, enable the option to Exclude video applications from the tunnel.
        If you enable this option but do not select specific video streaming applications to exclude from the VPN tunnel, all video streaming traffic is excluded.
      2. (Optional) Browse the Applications list to view all of the video streaming applications that you can exclude from the VPN tunnel, and click the add icon (add_icon.png) next to each application that you want to exclude. For example, click the add icon for directv to exclude DIRECTV video streaming traffic from the VPN tunnel.
        [Figure: agent-video-traffic-tab-applications-list.png, the Applications list on the Video Traffic tab]
      3. (Optional) Add the video streaming applications that you want to exclude from the VPN tunnel using the Applications drop-down—a shortened version of the Applications list that contains some of the most popular video streaming applications. For example, select youtube-streaming from the Applications drop-down to exclude all YouTube-based video streaming traffic from the VPN tunnel.
        [Figure: agent-video-traffic-tab-applications-dropdown.png, the Applications drop-down on the Video Traffic tab]
    4. Save the gateway configuration.
      1. Click OK to save the gateway configuration.
      2. Commit your changes.
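The three procedures above are GUI steps, so there is nothing to run on the gateway itself; what a practitioner can script is a pre-commit check of the values before they go into a client setting. The following is an added example, not Palo Alto Networks code and not part of the original page. It models the fields the procedures name as plain Python data and enforces the limits and caveats this page states: the 200-entry limit per list, the domain entry syntax (optional leading *. wildcard, optional :port), no domain or process that is both included and excluded, the No direct access to local network option left disabled, and, when video traffic is excluded, no browser process in the include list and no IPv6 in the client IP pools. The ClientSetting and GatewayConfig field names, the list of browser executable names, and the sample configuration are assumptions constructed for the example.

```python
"""Pre-commit lint for a GlobalProtect split-tunnel configuration (added example)."""
from dataclasses import dataclass, field
import ipaddress
import re

MAX_ENTRIES = 200  # per-list limit stated on the page

# Assumption: executable names that identify a web browser (conflicts with video exclusion).
BROWSER_PROCESS_HINTS = ("chrome", "firefox", "safari", "msedge", "iexplore")

# Domain entry syntax: optional leading "*." wildcard, dotted labels, optional ":port".
DOMAIN_RE = re.compile(
    r"^(?:\*\.)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}(?::\d{1,5})?$"
)


@dataclass
class ClientSetting:
    """One entry under Agent > Client Settings (field names are assumed)."""
    name: str
    no_direct_access_to_local_network: bool = False
    include_domains: list = field(default_factory=list)
    exclude_domains: list = field(default_factory=list)
    include_processes: list = field(default_factory=list)
    exclude_processes: list = field(default_factory=list)
    ip_pools: list = field(default_factory=list)  # "a.b.c.d/nn", "x::/nn" or "start-end"


@dataclass
class GatewayConfig:
    """Gateway-level switches this page refers to (field names are assumed)."""
    tunnel_mode: bool = True
    exclude_video: bool = False
    client_settings: list = field(default_factory=list)


def _norm_domain(entry):
    return entry.strip().lower().rstrip(".")


def _norm_path(entry):
    # Windows and default macOS file systems are case-insensitive, so compare lowercased.
    return entry.strip().lower()


def _pool_has_ipv6(pool):
    # Only the first address of a pool or range decides the address family.
    first = pool.split("-")[0].strip()
    return ipaddress.ip_network(first, strict=False).version == 6


def lint_client_setting(cs, exclude_video):
    """Return a list of human-readable problems for one client setting."""
    problems = []
    if cs.no_direct_access_to_local_network:
        problems.append(f"{cs.name}: 'No direct access to local network' is enabled, "
                        "which disables split tunneling")
    lists = {
        "Include Domain": cs.include_domains,
        "Exclude Domain": cs.exclude_domains,
        "Include Client Application Process Name": cs.include_processes,
        "Exclude Client Application Process Name": cs.exclude_processes,
    }
    for label, entries in lists.items():
        if len(entries) > MAX_ENTRIES:
            problems.append(f"{cs.name}: {label} has {len(entries)} entries; limit is {MAX_ENTRIES}")
    for d in cs.include_domains + cs.exclude_domains:
        if not DOMAIN_RE.match(_norm_domain(d)):
            problems.append(f"{cs.name}: malformed domain entry {d!r} "
                            "(expected e.g. *.office365.com or host.example.com:443)")
    both = {_norm_domain(d) for d in cs.include_domains} & {_norm_domain(d) for d in cs.exclude_domains}
    for d in sorted(both):
        problems.append(f"{cs.name}: domain {d!r} is both included and excluded")
    both = {_norm_path(p) for p in cs.include_processes} & {_norm_path(p) for p in cs.exclude_processes}
    for p in sorted(both):
        problems.append(f"{cs.name}: process {p!r} is both included and excluded")
    if exclude_video:
        for p in cs.include_processes:
            if any(h in _norm_path(p) for h in BROWSER_PROCESS_HINTS):
                problems.append(f"{cs.name}: browser {p!r} is in the include list while video "
                                "traffic is excluded; users cannot stream video from it")
        for pool in cs.ip_pools:
            if _pool_has_ipv6(pool):
                problems.append(f"{cs.name}: IP pool {pool!r} assigns IPv6; excluded video apps "
                                "are unreachable from IPv4-only physical adapters")
    return problems


def lint_gateway(gw):
    """Lint the gateway switch plus every client setting attached to it."""
    problems = []
    if not gw.tunnel_mode:
        problems.append("gateway: Tunnel Mode is off, so no split-tunnel rule takes effect")
    for cs in gw.client_settings:
        problems.extend(lint_client_setting(cs, gw.exclude_video))
    return problems


def demo():
    """Constructed sample: page examples plus three deliberate mistakes."""
    gw = GatewayConfig(tunnel_mode=True, exclude_video=True, client_settings=[ClientSetting(
        name="corp-laptops",
        include_domains=["*.office365.com", "https://login.salesforce.com"],  # URL, not a domain
        exclude_domains=["*.engadget.com"],
        include_processes=[r"C:\Program Files\Google\Chrome\Application\chrome.exe"],  # browser
        exclude_processes=[r"C:\Program Files (x86)\Skype\Phone\Skype.exe"],
        ip_pools=["10.10.0.0/16", "2001:db8:1::/64"],  # IPv6 pool
    )])
    return lint_gateway(gw)


if __name__ == "__main__":
    for problem in demo():
        print(problem)
```

Run it as a script to see the findings for the constructed sample; on a real deployment, populate GatewayConfig from your exported gateway settings and call lint_gateway before you commit. The lint cannot tell you how the gateway orders the rules at run time (that is the figure earlier on the page); it only catches the configuration states this page says will silently break split tunneling.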