• Host Split Tunnel Config File on Web Server
  • Configure a Split Tunnel Based on the Access Route

    Define specific destination IP subnets to either include in (send through) or exclude from (send direct) the VPN tunnel.

    Default Behavior: If no include/exclude routes are defined, *all* traffic goes through the tunnel (no split tunnel).

    Rule Precedence: More specific routes take precedence over less specific routes (e.g., 192.168.1.0/24 exclude overrides 0.0.0.0/0 include for that specific subnet).

    Gotcha: Avoid specifying the same route as both include and exclude.

    No Direct Access to Local Network

    By default (split tunnel enabled), users can still reach local resources (printers, local proxies) directly via the physical adapter. To prevent potential policy bypass on untrusted networks, enable the No direct access to local network setting.

    Supported on: Windows, macOS, Linux (GP App 6.0.0+).

    When enabled, traffic to the local subnet is forced through the tunnel (IPv4 outgoing, IPv6 outgoing except link-local). Existing connections might be terminated (Windows) or allowed (macOS/Linux). Split tunnel rules for domain/app/route still function as expected.

    IPv4 Traffic Behavior Comparison (traffic to the local subnet, after the tunnel is up):

      • New Incoming:
        • No Direct Access Enabled: Windows 10 (no domain/app split): tunnel enforced. Windows 10 (with domain/app split): allowed via physical. macOS/Linux: allowed via physical.
        • No Direct Access Disabled: Allowed via physical.
      • New Outgoing:
        • No Direct Access Enabled: Sent via tunnel.
        • No Direct Access Disabled: Allowed via physical.
      • Existing:
        • No Direct Access Enabled: Windows: terminated. macOS/Linux: allowed via physical.
        • No Direct Access Disabled: Allowed via physical.

    IPv6 Traffic Behavior Comparison (traffic to the local subnet, after the tunnel is up):

      • New Incoming:
        • No Direct Access Enabled: Allowed via physical.
        • No Direct Access Disabled: Allowed via physical.
      • New Outgoing:
        • No Direct Access Enabled: Sent via tunnel (except fe80::/10 link-local).
        • No Direct Access Disabled: Allowed via physical.
      • Existing:
        • No Direct Access Enabled: Allowed via physical.
        • No Direct Access Disabled: Allowed via physical.
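    An added example (not from the original page or from Palo Alto Networks) that models the route rules above in Python: longest-prefix precedence between include and exclude routes, the all-tunnel default when no routes exist, rejection of the same-route gotcha, and the 'No direct access to local network' handling for new outgoing IPv4/IPv6 traffic. One assumption beyond the page: when only exclude routes are defined, the tunnel is treated as carrying the default route.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
LINK_LOCAL_V6 = ipaddress.ip_network("fe80::/10")


def build_route_table(include: Iterable[str], exclude: Iterable[str]) -> List[Tuple[Net, str]]:
    """Parse include/exclude prefixes into (network, action) pairs.

    Rejects the documented gotcha (same prefix in both lists). Assumption not
    stated on the page: with no include routes at all, the tunnel carries the
    IPv4/IPv6 default routes, so excludes carve exceptions out of all-tunnel.
    """
    inc = [ipaddress.ip_network(p, strict=False) for p in include]
    exc = [ipaddress.ip_network(p, strict=False) for p in exclude]
    both = set(inc) & set(exc)
    if both:
        raise ValueError("listed as both include and exclude: " + ", ".join(map(str, both)))
    if not inc:
        inc = [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    return [(n, "tunnel") for n in inc] + [(n, "direct") for n in exc]


def decide(dest: str, table: List[Tuple[Net, str]],
           local_subnets: Iterable[str] = (), no_direct_local: bool = False) -> str:
    """Return 'tunnel' or 'direct' for new outgoing traffic to dest.

    Local-subnet traffic leaves via the physical adapter unless 'No direct
    access to local network' is on; then IPv4 is forced into the tunnel and so
    is IPv6 except fe80::/10 link-local. Everything else goes to the most
    specific (longest-prefix) matching route; no match means direct.
    """
    ip = ipaddress.ip_address(dest)
    for local in local_subnets:
        net = ipaddress.ip_network(local, strict=False)
        if ip.version == net.version and ip in net:
            if not no_direct_local or (ip.version == 6 and ip in LINK_LOCAL_V6):
                return "direct"
            return "tunnel"
    best = None
    for net, action in table:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, action)
    return best[1] if best else "direct"
```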

    Configuration Steps (Access Route):

    1. Ensure Gateway and Tunnel Mode are configured (Agent > Tunnel Settings).
    2. Navigate to Network > GlobalProtect > Gateways > > Agent > Client Settings > .
    3. Select the Split Tunnel tab, then the Access Route sub-tab.
    4. (Optional) To disable local access: Check the No direct access to local network box.
    5. Define Routes:
      • Include: Click Add in the Include area. Enter IPv4/IPv6 subnets (e.g., 10.0.0.0/8) or select an Address Object (type IP Netmask) for traffic that MUST go through the tunnel. (Limit: 1000 routes).
      • Exclude: Click Add in the Exclude area. Enter IPv4/IPv6 subnets or select an Address Object for traffic that should bypass the tunnel. (Limit: 200 routes). Exclude routes should be more specific than includes. Not supported for Android on Chromebooks.
    6. Click OK on the Client Settings.
    7. Click OK on the Gateway config.
    8. Commit changes.
    PCNSE/PCNSA: Understand how to configure include/exclude routes and the purpose/effect of "No direct access to local network".

    Configure a Split Tunnel Based on the Domain and Application

    Allows including or excluding traffic based on the destination domain name (e.g., *.salesforce.com) or the application process path, rather than just IP address. Useful for dynamic IP services like SaaS.

    PCNSE: Know that domain/app split tunneling is useful for SaaS/cloud apps with changing IPs.

    Recommendations & Limitations:

    Configuration Steps (Domain/Application):

    1. Ensure Gateway and Tunnel Mode are configured.
    2. Navigate to Network > GlobalProtect > Gateways > > Agent > Client Settings > .
    3. Select the Split Tunnel tab, then the Domain and Application sub-tab.
    4. Domain-Based Split Tunnel:
      • (Optional) Include Domain: Click Add. Enter domain names (wildcard '*' allowed at the start, e.g., *.paloaltonetworks.com) and optionally a port number. Traffic to these domains goes through the tunnel. (Limit: 200; see hosting config file for more.)
      • (Optional) Exclude Domain: Click Add. Enter domain names (wildcard '*' allowed at the start, e.g., *.youtube.com) and optionally a port number. Traffic to these domains bypasses the tunnel. (Limit: 200; see hosting config file for more.)

      DNS Handling: If the Portal Agent App setting Split-Tunnel Option is set to Both Network Traffic and DNS, these domain rules apply to DNS lookups as well as the subsequent traffic.

    5. Application-Based Split Tunnel:
      • (Optional) Include Client Application Process Name: Click Add. Enter the full path to the application executable (e.g., C:\Program Files\ExampleApp\app.exe or /Applications/Example.app/Contents/MacOS/Example). Traffic generated by this process goes through the tunnel. (Limit: 200.)
      • (Optional) Exclude Client Application Process Name: Click Add. Enter the full path to the application executable. Traffic generated by this process bypasses the tunnel. (Limit: 200.)
      • See Wildcard Support section for using '*' in paths.
    6. Click OK on the Client Settings.
    7. Click OK on the Gateway config.
    8. Commit changes.
    PCNSE: Know how to configure split tunnel by domain and application path, including wildcard usage.

    Wildcard Support for Split Tunnel Settings Based on the Application

    Prerequisites

    Starting with GP App 6.3.1, a single wildcard character (*) can be used within the application path for application-based split tunneling (include or exclude).

    This is useful for applications whose paths change frequently due to updates (e.g., version numbers in the path), like Microsoft Teams or Symantec WSS.

    PCNSE: Understand the use case for wildcards in application paths (handling version changes).

    Example: [Image: Wildcard Example Config]

    Configuration:

    1. Follow steps for Application-Based split tunnel.
    2. When adding an Include or Exclude application path ( Network > GlobalProtect > Gateways > ... > Agent > Client Settings > Split Tunnel > Domain and Application ), insert a single '*' where the path segment varies.
    3. Windows Example: [Image: Windows Wildcard Config]
       macOS Example: [Image: macOS Wildcard Config]

    Limitations:

    Configure Split DNS for GlobalProtect App on iOS Endpoints

    Prerequisites

    Split DNS allows specifying which domains are resolved by the gateway's DNS servers and which by the endpoint's local DNS servers. For iOS, GlobalProtect app 6.1.6+ supports Split DNS - Include functionality.

    Split DNS - Exclude functionality is NOT supported on iOS.

    This applies when using On-demand or Always-On connect methods. (Per-App VPN config bypasses this).

    PCNSE: Know that iOS Split DNS supports 'Include' only and has specific configuration requirements compared to Win/macOS.

    iOS Specific Behavior & Configuration Requirements:

    Configuration Steps (Split DNS Include for iOS):

    Assume Portal and Gateway are already configured.

    1. Configure Portal Setting:
      • Navigate to Network > GlobalProtect > Portals > > Agent > > App .
      • Set Resolve All FQDNS Using the Tunnel DNS Server (iOS only) to No.
      • Click OK.
    2. Configure Gateway Client Settings:
      • Navigate to Network > GlobalProtect > Gateways > > Agent > Client Settings > .
      • Access Route Tab:
        • In the Include area, click Add and define at least one specific subnet that should go through the tunnel (e.g., your internal corporate network 10.0.0.0/8). Do NOT include 0.0.0.0/0 here if you want split DNS.
          [Image: iOS Access Route Include]

      • Domain and Application Tab:
        • In the Include Domain area, click Add and enter the specific domains (e.g., *.mycorp.local, internalapp.mycorp.local) whose DNS queries should be resolved by the tunnel DNS servers.
          [Image: iOS Domain Include]

        • Leave the Exclude Domain area empty for iOS Split DNS Include.
      • Network Services Tab:
        • Ensure Tunnel DNS Server(s) are configured here (or at the global Agent > Network Services level).
          [Image: iOS Tunnel DNS Server]

      • Click OK on Client Settings.
    3. Click OK on Gateway config.
    4. Commit changes.

    Verification Example Log Snippet (PanGPS.log on iOS):

    DNSSettings = {
     protocol = cleartext
     server = ( x.x.x.x ) // Tunnel DNS
     searchDomains = ()
     matchDomains = (       // Domains to use Tunnel DNS
         paloaltonetworks.com,
         *.paloaltonetworks.com,
     )
     matchDomainsNoSearch = YES
    }
    IPv4Settings = {
     configMethod = manual
     addresses = ( xxx.xx.xx.xx )
     subnetMasks = ( xxx.xxx.xxx.xxx )
     includedRoutes = (      // Traffic to tunnel
         { destinationAddress = 10.0.0.0 destinationSubnetMask = 255.0.0.0 },
         // ... other includes ...
     )
     excludedRoutes = ()    // Excludes if any were configured (not typical for iOS split DNS)
     overridePrimary = NO
    }
    // ... IPv6Settings similar ...

    Note the `matchDomains` reflecting the Include Domain rules and `includedRoutes` reflecting the Include Access Route rules.

    Exclude Video Traffic from the GlobalProtect VPN Tunnel

    Allows excluding HTTP/HTTPS video streams (identified by App-ID) from the tunnel to conserve gateway bandwidth.

    PCNSE: Know this feature uses App-ID to identify video and requires a GP license.

    Supported Applications & Traffic Types:

    Prerequisites & Limitations:

    Configuration Steps (Video Exclude):

    1. Ensure Gateway and Tunnel Mode are configured.
    2. Navigate to Network > GlobalProtect > Gateways > > Agent > Client Settings > .
    3. Select the Split Tunnel tab, then the Video Traffic sub-tab.
    4. Check the box Exclude video applications from the tunnel. (If checked but no specific apps are added below, *all* identifiable video traffic is excluded.)
    5. (Optional) To exclude only specific video apps:
      • Click Add under the Applications list.
      • Select the desired video streaming App-IDs (e.g., youtube-streaming, netflix-streaming). Add up to 200.

    6. Click OK on the Client Settings.
    7. Click OK on the Gateway config.
    8. Commit changes.

    Host a Split Tunnel Configuration File on a Web Server

    Prerequisites

    Instead of configuring split tunnel rules directly on the gateway, you can host a larger configuration in an XML file on your own web server. This allows for significantly more entries than the gateway GUI permits.

    PCNSE: Understand this method allows scaling split tunnel rules beyond GUI limits and requires hosting/signing/authentication setup.

    Configuration Limits Comparison:

      Split Tunnel By  | Type    | Configured on Gateway | Hosted on Web Server
      Access Route     | Include | 1000                  | 1000
      Access Route     | Exclude | 200                   | 1000
      Domain           | Include | 200                   | 1000
      Domain           | Exclude | 200                   | 1000
      Application      | Include | 200                   | 200
      Application      | Exclude | 200                   | 200

    Fallback: If the GlobalProtect app cannot fetch or validate the configuration file from the web server, it falls back to using the split tunnel configuration defined directly on the gateway (if any).

    Configuration Steps (Hosting Config File):

    1. Create and Sign the Split Tunnel Configuration File:
      1. Create the XML file (`config.xml` or similar) containing your split tunnel rules. Structure includes ` `, ` `, ` `, ` ` with ` ` and ` ` sub-tags containing ` ` entries. Example:

        [Image: Split Tunnel XML Example]

        Tip: Include ` 0.0.0.0/0 ` in the ` ` section if you want non-excluded traffic to go through the tunnel by default.

      2. Generate a private/public key pair (e.g., RSA `private_key.pem`, `public_key.pem`) if you don't have one for signing.
      3. Sign the XML file using the private key to create a signature digest (e.g., SHA256). Example using OpenSSL:

        openssl dgst -sha256 -sign private_key.pem -out config_signature.sha256 config.xml

      4. Base64 encode the signature digest file (use the `-A` flag so openssl writes a single unwrapped line). Example using OpenSSL:

        openssl base64 -A -in config_signature.sha256 -out encoded_signature.txt

      5. Create the final file to host (e.g., `gp_split_tunnel.cfg`). Prepend the Base64 encoded signature (from `encoded_signature.txt`) as the *first line*. The XML content (`config.xml`) starts on the *second line*. Ensure no trailing NULL characters.

        [Image: Signed XML File Structure]

    2. Host the Signed File on a Web Server:
      • Place the final file (e.g., `gp_split_tunnel.cfg`) on a web server accessible via HTTPS.
      • Configure the web server for mutual TLS authentication (mTLS). The server must be configured to *require* a client certificate and validate it against a trusted CA. The GlobalProtect app must present a valid client certificate issued by that CA. The app must also trust the web server's certificate.
      • You will need the public certificate of the CA that issues the *client certificates* for the Portal config later.
    3. Configure Portal with Client Cert CA Public Key:
      • Navigate to Network > GlobalProtect > Portals > > Agent > > App .
      • In the Enhanced Split Tunnel Client Certificate Public Key field, paste the public key certificate (PEM format) of the CA that issues the client certificates used for mTLS with your web server. This allows the app to identify which client certificate to present during the mTLS handshake with the web server.
        [Image: Portal Public Key Config]

        Note: How the app verifies the *signature* inside the downloaded file is not explicitly detailed here; it likely relies on a separate mechanism or pre-shared trust, possibly related to the client cert CA or another certificate/key configured on the firewall/portal, and how the *signing* public key is distributed to and used by the app is not described. Focus on configuring the client cert CA public key as shown.

      • Click OK.
    4. Configure Gateway to Use the Hosted File:
      • Navigate to Network > GlobalProtect > Gateways > > Agent > Client Settings > .
      • Select the Split Tunnel tab, then the Domain and Application sub-tab.
      • In the Include Domain list, click Add and enter the HTTPS URL of your hosted split tunnel configuration file (e.g., `https://yourserver.com/path/gp_split_tunnel.cfg`) as the *very first entry*. Order matters here.
        [Image: Gateway URL Config]

      • Click OK on Client Settings.
    5. Click OK on Gateway config.
    6. Commit changes.
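    As an added example (not from the original page or from Palo Alto Networks), this Python script reproduces step 1 above with the openssl CLI and adds a pre-publication check that verifies a finished file against the layout the steps describe: unwrapped base64 signature on line 1, XML from line 2 onward, no NUL bytes. The XML body is a constructed placeholder, the key file names follow the steps, and openssl must be on PATH; this mirrors the construction, it is not the app's own verifier.

```python
import base64
import subprocess
import tempfile
from pathlib import Path

# Constructed placeholder body; the real file carries the split tunnel XML rules.
SAMPLE_XML = b"<config><!-- split tunnel rules go here --></config>\n"

def openssl(*args: str, data: bytes = None) -> subprocess.CompletedProcess:
    return subprocess.run(["openssl", *args], input=data, capture_output=True)

def make_keypair(workdir: Path):
    priv, pub = workdir / "private_key.pem", workdir / "public_key.pem"
    openssl("genpkey", "-algorithm", "RSA", "-pkeyopt", "rsa_keygen_bits:2048", "-out", str(priv))
    openssl("pkey", "-in", str(priv), "-pubout", "-out", str(pub))
    return priv, pub

def build_signed_cfg(xml: bytes, priv: Path, out: Path) -> Path:
    # Line 1: unwrapped base64 of the SHA-256 RSA signature over the XML bytes
    # (what `openssl dgst -sign` + `openssl base64 -A` produce); line 2 onward:
    # the XML itself, with no trailing NUL.
    sig = openssl("dgst", "-sha256", "-sign", str(priv), data=xml).stdout
    out.write_bytes(base64.b64encode(sig) + b"\n" + xml.rstrip(b"\x00"))
    return out

def verify_signed_cfg(cfg: Path, pub: Path) -> bool:
    # Pre-publication check: split off line 1, decode it, verify it over the rest.
    data = cfg.read_bytes()
    if b"\x00" in data:            # stray NULs would break the app's parsing
        return False
    first, _, body = data.partition(b"\n")
    try:
        sig = base64.b64decode(first, validate=True)
    except ValueError:
        return False
    with tempfile.NamedTemporaryFile() as sig_f:
        sig_f.write(sig)
        sig_f.flush()
        r = openssl("dgst", "-sha256", "-verify", str(pub), "-signature", sig_f.name, data=body)
    return r.returncode == 0

def demo() -> dict:
    # Sign the sample, verify it, then verify a copy with a rule appended.
    with tempfile.TemporaryDirectory() as tmp:
        priv, pub = make_keypair(Path(tmp))
        cfg = build_signed_cfg(SAMPLE_XML, priv, Path(tmp, "gp_split_tunnel.cfg"))
        bad = Path(tmp, "tampered.cfg")
        bad.write_bytes(cfg.read_bytes() + b"<!-- injected rule -->\n")
        return {"valid": verify_signed_cfg(cfg, pub), "tampered_valid": verify_signed_cfg(bad, pub)}
```

    Run verify_signed_cfg against the file you are about to publish; a False result means the first line, the body, or the key pair does not match and the app would fall back to the gateway-defined rules.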

    GlobalProtect Gateways Quiz

    Test your knowledge! Answer all questions.

    1. What is the primary function of a GlobalProtect Gateway?

    2. Which type of GlobalProtect gateway resides on the internal network and is often used with User-ID and HIP checks?

    3. In a multiple gateway configuration using GlobalProtect App 4.0.3 or later, how is the best *available* gateway primarily selected from those with Highest, High, or Medium priority?

    4. What factor is considered *first* when selecting the best available auto-discovery external gateway if Source Region is configured?

    5. When configuring the 'Best Gateway Selection Criteria' on the portal agent's app settings, what does setting it to 'Response Time' measure?

    6. Which interface type must be configured on the firewall for a GlobalProtect gateway operating in Tunnel Mode?

    7. If you configure Client Authentication on a gateway to allow 'User Credentials OR Client Certificate Required', what does the gateway check first?

    8. Which VPN protocol does GlobalProtect attempt to use by default for tunnel mode before potentially falling back to SSL?

    9. What is the purpose of configuring Authentication Override (Cookie Authentication) on a GlobalProtect gateway?

    10. Where do you configure IP Pools for assigning addresses to GlobalProtect clients' virtual adapters?

    11. What is the primary benefit of using DHCP-based IP address assignment for GlobalProtect clients?

    12. When configuring DHCP-based IP assignment on the GlobalProtect gateway, what information from the gateway configuration is often needed for filtering on the DHCP server side (like Windows Policy or Infoblox Filter)?

    13. What happens if the GlobalProtect gateway fails to communicate with the configured DHCP server for IP assignment?

    14. Which feature allows specific traffic (e.g., to internal subnets) to go through the VPN tunnel while other traffic (e.g., general internet browsing) bypasses the tunnel?

    15. What is the purpose of the 'No direct access to local network' setting within split tunnel configurations?

    16. Which method of split tunneling is most suitable for applications like Salesforce or Office 365 that might use dynamically changing IP addresses?

    17. What is a limitation of using wildcard support (*) in application paths for split tunneling?

    18. What is a key requirement to enable Split DNS Include functionality on iOS endpoints?

    19. When excluding video traffic from the tunnel, what is a critical prerequisite regarding IP addressing?

    20. What is the primary advantage of hosting the split tunnel configuration file on a web server instead of configuring it directly on the gateway?