GlobalProtect Split Tunneling Deep Dive

What is Split Tunneling?

Split Tunneling in Palo Alto Networks GlobalProtect is a configuration method that precisely controls which network traffic originating from a remote user's endpoint is sent through the secure VPN tunnel to the corporate network, and which traffic is allowed to go directly to its destination (like the internet) using the user's local network interface and internet connection.

This contrasts fundamentally with the alternative mode, **Full Tunnel**, where *all* network traffic generated by the endpoint – whether destined for internal corporate resources or public internet sites – is forcibly routed through the VPN tunnel. This ensures all traffic is inspected by the corporate firewall.

Conceptual difference between Split Tunnel and Full Tunnel traffic flow.

The decision to implement Split Tunneling involves a trade-off, primarily balancing the desire for comprehensive security inspection against user experience, performance, and corporate bandwidth utilization.

Use Cases & Comparison: Split vs. Full Tunnel

Why Choose One Over the Other?

The choice between Split Tunnel and Full Tunnel depends on your organization's priorities:

Consideration	Split Tunnel	Full Tunnel
Security Visibility & Control	Less visibility ; only corporate-bound (tunneled) traffic inspected by firewall. Direct internet traffic bypasses corporate security stack (Threat Prevention, URL Filtering, etc.). Potential risk if endpoint is compromised via direct connection.	More visibility ; all traffic inspected by corporate firewall. Consistent policy and threat prevention applied.
Bandwidth Consumption (Corporate)	Lower ; general internet and SaaS traffic uses user's local bandwidth. Only specified corporate traffic consumes VPN/firewall bandwidth.	Higher ; all traffic (including internet browsing, video streaming, SaaS) traverses corporate links and firewall.
Performance (Internet/SaaS Apps)	Potentially Better ; direct connection to internet/SaaS avoids latency introduced by routing through the corporate network (hairpinning). Crucial for real-time apps (Zoom, Teams).	Potentially Slower ; internet performance limited by corporate bandwidth and latency to/from the corporate network.
Performance (Internal Resources)	Generally similar to Full Tunnel for included resources.	Generally similar to Split Tunnel for internal resources.
Local Network Resource Access	Easy access to local resources (home printers, other devices on local LAN) as local traffic is not tunneled.	Often Blocked by default or requires specific exclusions/configurations to allow local LAN access.
Configuration Complexity	More Complex ; requires careful definition and maintenance of included/excluded networks, domains, or applications. Potential for misconfiguration.	Simpler initial network setup (conceptually "send everything"). Complexity shifts to firewall policy.
Compliance & Auditing	May not meet requirements if regulations mandate logging/inspection of all user traffic originating from corporate assets/connections.	Easier to meet strict compliance mandates requiring full traffic inspection and logging.
Common Use Cases	Optimizing SaaS (O365, Salesforce, Zoom) performance, reducing corporate bandwidth load, enabling local resource access. Common for general user populations.	High-security environments, meeting compliance, ensuring consistent policy for all traffic, simplifying initial setup for required internal access only. Common for admins, developers, restricted users.

Typical Use Cases for Split Tunneling:

Optimizing SaaS Performance: Allowing direct access to trusted, high-bandwidth SaaS applications like Microsoft 365, Google Workspace, Salesforce, Zoom, Microsoft Teams to improve user experience and reduce load on the corporate internet circuit.
Reducing Bandwidth Load: Preventing general web browsing, video/music streaming, or large software updates from consuming expensive corporate bandwidth.
Supporting Local Resources: Allowing users to easily access their home printers or other devices on their local network without disconnecting the VPN.
Guest or Contractor Access: Providing limited VPN access strictly to necessary internal resources while allowing guests/contractors to use their own internet for everything else.

     Understanding the trade-offs between Split and Full Tunnel (security vs. performance/bandwidth) and the common use cases for each is essential for the exam.
    

Licensing Requirements

Understanding the licensing implications is important when planning your split tunneling strategy:

Basic Split Tunneling (Access Routes - IP Based): Configuring split tunneling using only the Access Routes (Include List) based on destination IP addresses or subnets is a core GlobalProtect feature. It does not require any additional licenses beyond the standard GlobalProtect Gateway license (which itself is often included with the platform or requires a basic GlobalProtect subscription).
Domain/Application Based Split Tunneling:
- Configuring split tunneling using Include/Exclude Domains (FQDNs) or, more significantly, using Include/Exclude Applications/App Filters relies on the firewall's Application Identification (App-ID) engine.
- Therefore, this method requires an active App-ID subscription (which is typically part of the Threat Prevention subscription bundle or available standalone in some cases).
- Without a valid App-ID subscription and up-to-date content versions, the firewall may not accurately identify the applications, rendering Application-based split tunneling ineffective or unreliable.
Exclude Video Streaming Applications:
- This specific checkbox also leverages App-ID to identify common video streaming applications.
- Therefore, it also requires an active App-ID subscription and relevant content updates to function correctly.

     Know that basic IP-based split tunneling (Access Routes) does not require extra licenses. However, Domain/Application based split tunneling (including the "Exclude Video" checkbox) depends on App-ID and thus requires an active App-ID (usually via Threat Prevention) subscription.
    

Licensing Check

Requirement: Allow direct internet access for `office.com` traffic while tunneling all other traffic.

Method: Use "Exclude Domain/App" setting in the Split Tunnel configuration.

License Needed? Yes, an active App-ID subscription is required for domain-based split tunneling to work reliably.

Requirement: Only send traffic destined for `10.0.0.0/8` through the VPN.

Method: Use "Access Routes (Include List)" specifying `10.0.0.0/8`.

License Needed? No, only the base GlobalProtect Gateway license/subscription is needed.

Configuration Methods

Configuration Location

Split tunnel settings are an integral part of the client configuration pushed down from a GlobalProtect Gateway. You configure these settings within a specific **Agent Configuration** block defined on the Gateway.

GUI Path:

Navigate to Network > GlobalProtect > Gateways .
Select the desired Gateway object and click to edit it.
Go to the Agent tab.
Inside the Agent tab, select the Client Settings sub-tab.
Click Add to create a new agent configuration block, or select an existing one to modify it. (Remember, you can have multiple agent configuration blocks matched by OS/User/HIP).
Within the agent configuration window, navigate to the Split Tunnel tab.

This is where you define which traffic goes through the tunnel using the methods described in the following sections.

     Remember the path: It's within the Gateway's Agent > Client Settings configuration, specifically on the Split Tunnel tab.
    

Method 1: Access Routes (Include List - Network Layer)

This is the most fundamental and common method for defining split tunnels. It operates at the network layer (IP addresses).

Purpose: To explicitly define which destination IP networks (subnets) should have their traffic routed **through** the GlobalProtect VPN tunnel.
How it Works: You create a list of IPv4 and/or IPv6 addresses or network ranges (using CIDR notation). When the GlobalProtect agent connects and receives this configuration, it adds specific routes for these networks to the endpoint's routing table, pointing them towards the virtual network adapter created by GlobalProtect.
Traffic Flow: Any traffic destined for an IP address that falls within one of the subnets listed in the "Access Routes" (Include List) will be sent through the VPN tunnel. Traffic destined for any IP address *not* covered by this list will use the endpoint's regular network interface and default gateway (typically going directly to the local network or internet).
Configuration: In the "Split Tunnel" tab, under the "Access Route" section, click "Add" and enter the required IP addresses or CIDR ranges (e.g., 10.0.0.0/8 , 192.168.1.0/24 , 172.16.32.10/32 , 2001:db8:1::/48 ).

Example: Internal Network Access Only

You want users to only access internal corporate networks 10.50.0.0/16 and 10.60.10.0/24 via VPN. All other traffic (internet) should go direct.

Configuration:

Split Tunnel Tab > Access Route (Include List):
10.50.0.0/16
10.60.10.0/24

Result: Traffic to 10.50.1.100 goes via VPN. Traffic to 8.8.8.8 (Google DNS) goes direct via local internet.

     
      Empty Access Route List = Full Tunnel:
     
     If you configure split tunneling but leave the "Access Route" (Include List) completely empty, the GlobalProtect agent interprets this as **Full Tunnel mode**. It will typically modify the endpoint's default route (0.0.0.0/0 and/or ::/0) to point to the VPN tunnel interface, forcing all traffic through the VPN.

     Crucial concept: The Access Route list defines what **IS** included in the tunnel. An empty include list means **everything** is included (Full Tunnel).
    

Method 2: Domain/Application Excludes & Includes (Layer 7)

These methods provide more granular control, operating based on destination domain names (FQDNs) or identified applications (App-ID), allowing overrides to the basic Access Route logic.

     Using these features requires an active **App-ID subscription** (usually part of Threat Prevention) and up-to-date App-ID content on the firewall.
    

Exclude Domains/Applications from Tunnel

Purpose: To specify domains or applications whose traffic should **bypass** the VPN tunnel and go directly via the user's local network, *even if the destination IP address would normally match an included Access Route*.
How it Works: The GlobalProtect agent monitors DNS requests and network traffic. If traffic matches an excluded domain pattern (e.g., *.microsoft.com ) or is identified as belonging to an excluded application (via deep packet inspection referencing App-ID signatures learned from the firewall), the agent routes it directly, ignoring Access Route rules for that specific flow.
Configuration:
- Exclude Domain: Add FQDNs. Wildcards (*) are supported at the beginning (e.g., *.salesforce.com ).
- Exclude Application/Filter: Select predefined Applications (e.g., `zoom-meetings`) or Application Filters (e.g., `saas-collaboration`) from the firewall's App-ID database.
Common Use Case: Improving performance for trusted, high-bandwidth SaaS applications. By excluding Office 365, Zoom, Teams, etc., users get direct, lower-latency access, reducing load on the corporate VPN and internet links.

Example: Exclude Microsoft 365

Access Routes include 10.0.0.0/8 . You want M365 traffic to go direct even if some M365 IPs fall in the 10.x range (less common, but possible with ExpressRoute) or just to optimize performance regardless of Access Routes.

Configuration:

Split Tunnel Tab > Domain and Application > Exclude Domain/Application:
Add Application Filter: microsoft-office-365 (or more specific apps like microsoft-teams , sharepoint-online )
Alternatively, add Domains: *.office.com , *.office365.com , *.onmicrosoft.com , etc. (using App Filters is often easier to maintain).

Result: Traffic identified as M365 (or to those domains) goes direct. Other traffic to 10.x.x.x still uses the VPN.

Include Domains/Applications in Tunnel

Purpose: To specify domains or applications whose traffic **must** go through the VPN tunnel, *even if the destination IP address does NOT match an included Access Route*.
How it Works: If traffic matches an included domain or application, the agent forces it into the tunnel, overriding the normal behavior where non-Access-Route traffic would go direct.
Configuration: Similar to excludes, add FQDNs or select Applications/Filters in the "Include" section.
Less Common Use Case: Primarily used when the default mode is split tunnel (only specific Access Routes defined), but you need to ensure certain critical cloud services (perhaps a specific corporate SaaS app with public IPs) are always accessed via the corporate network for inspection or source IP requirements, regardless of their destination IP not being in the Access Route list.

     Understand the difference: Excludes punch holes *out* of the tunnel (direct access), while Includes pull specific traffic *into* the tunnel when it otherwise wouldn't be. Excludes are far more common.
    

Method 3: Exclude Video Streaming Applications

This is a simplified convenience feature leveraging App-ID.

     Using this feature requires an active **App-ID subscription** and up-to-date App-ID content on the firewall.
    

Purpose: To easily prevent high-bandwidth consumer video streaming traffic from congesting the VPN tunnel and corporate internet links.
How it Works: When checked, the firewall provides the GlobalProtect agent with a list of applications categorized by Palo Alto Networks as common video streaming services (e.g., YouTube, Netflix, Hulu, Vimeo). The agent then routes traffic identified as belonging to these applications directly via the local network, similar to a specific Application Exclude rule.
Configuration: Simply check the box labeled **"Exclude Video Streaming Applications"** in the Split Tunnel tab.
Benefit: Avoids the need to manually list dozens of video streaming domains or App-IDs in the "Exclude Domain/Application" list. The underlying application list is maintained by Palo Alto Networks through App-ID content updates.

Example: Saving VPN Bandwidth

Your primary mode is Full Tunnel (empty Access Routes), but you don't want users' recreational video streaming to consume corporate resources.

Configuration:

Split Tunnel Tab > Access Route (Include List): Leave **empty**.
Split Tunnel Tab > Check the box: **Exclude Video Streaming Applications**.

Result: All traffic goes via VPN *except* for traffic identified as common video streaming apps (YouTube, Netflix, etc.), which goes direct.

Rule Precedence: How Decisions Are Made

When multiple split tunneling methods are configured, the GlobalProtect agent follows a specific order of operations to decide where to route traffic. Understanding this precedence is key for complex configurations:

Simplified Split Tunnel Decision Logic Flowchart.

The general order of precedence is roughly:

Domain/Application Exclusions & Video Exclusions: If traffic matches a specific domain/application exclusion rule OR the "Exclude Video Streaming" rule (if enabled), it is sent directly via the local network interface, **regardless** of any Access Route or Include rules. Exclusions take highest priority to bypass the tunnel.
Domain/Application Inclusions: If traffic matches a specific domain/application inclusion rule, it is sent through the VPN tunnel, **regardless** of whether its destination IP matches an Access Route or not.
Access Route (Include List) Match: If traffic hasn't matched an explicit include/exclude rule above, the agent checks if the destination IP address matches any network listed in the Access Routes. If it matches, the traffic is sent through the VPN tunnel.
Default Action (No Match Above): If traffic hasn't matched any exclude, include, or Access Route rule:
- If the Access Route list **is defined (not empty)**, the default action is to send the traffic via the **local network interface** (standard split tunnel behavior).
- If the Access Route list **is empty**, the default action is to send the traffic via the **VPN tunnel** (Full Tunnel behavior).

     The key takeaway is that specific Domain/Application Exclusions are the most powerful way to force traffic *out* of the tunnel, while specific Domain/Application Inclusions are the most powerful way to force traffic *into* the tunnel when it wouldn't normally go. Access Routes handle the bulk IP-based routing in between.
    

     Understanding this precedence, especially that Exclusions override Access Routes, is important for predicting traffic flow in mixed configurations.
    

Client-Side Behavior & DNS

How Split Tunneling Works on the Client

When the GlobalProtect agent connects and receives its configuration (including split tunnel settings) from the Gateway, it performs several actions on the endpoint OS:

Virtual Network Adapter: A virtual network adapter (e.g., `PanGpa`, `gpvpn`) is created and activated. This adapter gets an IP address assigned from the IP Pool defined in the matched Agent Configuration.
Routing Table Modification: This is the core of split tunneling.
- Access Routes Defined (Split Tunnel Mode):
  - The agent adds **specific routes** to the endpoint's OS routing table for each network listed in the "Access Route" (Include List).
  - These specific routes have the GlobalProtect virtual adapter's gateway as their next hop.
  - The endpoint's **default route** (0.0.0.0/0 or ::/0) typically remains unchanged, pointing to the user's physical network adapter's gateway (e.g., their home router).
- Access Routes Empty (Full Tunnel Mode):
  - The agent typically **changes the endpoint's default route** (0.0.0.0/0 and/or ::/0) to point to the GlobalProtect virtual adapter's gateway.
  - This forces all traffic not matching a more specific local route to go through the VPN tunnel. More specific routes for the local subnet might still exist to allow local network communication if configured.
DNS Configuration: The agent configures the endpoint's DNS settings (specifically for the virtual adapter or system-wide depending on OS and configuration) to use the DNS servers specified in the matched Agent Configuration.
Traffic Interception/Steering: The GlobalProtect agent service actively monitors network traffic initiation (e.g., socket calls, DNS lookups). Based on the destination IP, domain name, or application identification, and comparing against the configured split tunnel rules (Access Routes, Includes, Excludes, Video), it directs the traffic to the appropriate network interface (Virtual VPN adapter or Physical local adapter).

Sequence diagram illustrating GP Agent's role in traffic steering based on rules.

This modification of the routing table and active traffic steering by the agent service are how split tunneling is implemented at the endpoint level.

DNS Considerations (Split DNS)

DNS resolution is a critical, and often tricky, aspect of split tunneling. Clients need to be able to resolve both internal corporate hostnames (for resources accessed via the tunnel) and external public hostnames (for resources accessed directly).

The Challenge (Split DNS):

Internal resources often rely on internal DNS servers (e.g., Active Directory DNS) which are only reachable via the VPN tunnel.
External resources rely on public DNS servers or the user's local ISP DNS servers.
The endpoint needs a way to direct DNS queries appropriately based on the hostname being queried.

Common Approaches & Configuration:

Use Internal DNS Servers Exclusively (Simplest if they forward):
- Configure the GlobalProtect Gateway Agent settings to push **only** your internal corporate DNS servers to the client.
- **Requirement:** Your internal DNS servers must be configured to forward queries for external domains they don't recognize to public DNS resolvers (e.g., Google DNS, Cloudflare DNS, or ISP DNS).
- **Pros:** Simple client configuration. All DNS queries go through the tunnel initially (which might be desired for logging/security).
- **Cons:** Relies entirely on internal DNS availability and correct forwarding. Can add latency to external DNS resolution as it traverses the tunnel. Might fail if internal DNS servers go down.
Use Internal DNS Servers + DNS Suffix Search List:
- Push internal DNS servers via GlobalProtect.
- Configure a **DNS Suffix Search List** in the Gateway Agent settings (e.g., corp.example.com ).
- The client OS will try appending these suffixes to single-label hostnames (e.g., query for `fileserver` becomes `fileserver.corp.example.com`) before querying the assigned DNS servers.
- Still relies on internal DNS forwarding for external names.
"Split DNS" Configuration (More Complex, OS Dependent):
- This involves configuring the client OS to use specific DNS servers for specific domains, often through features like Windows NRPT (Name Resolution Policy Table) or similar mechanisms pushed via endpoint management, or sometimes approximated by careful DNS suffix configuration.
- GlobalProtect itself doesn't directly configure complex OS-level split DNS policies. It primarily pushes the main DNS servers for the VPN interface.
- You might push internal DNS via GP, and users rely on their physical adapter's DNS settings for direct traffic, but the OS needs to be smart enough to choose the right interface/server for the query (which isn't always guaranteed or easily configured just via GP).
Using Public DNS Servers Exclusively (Rare for Split Tunnel):
- Push public DNS servers (e.g., 8.8.8.8) via GlobalProtect.
- **Requirement:** Internal hostnames must somehow be resolvable publicly (e.g., split-horizon DNS setup externally) or users must use FQDNs that resolve publicly, or rely solely on IP addresses for internal access.
- **Pros:** External resolution is fast.
- **Cons:** Usually breaks internal hostname resolution unless specific external configurations are in place. Generally not suitable if internal name resolution is needed.

     **Common Issue:** Users in split tunnel mode can access internal resources by IP address but not by hostname. This almost always points to a DNS configuration problem. The client isn't using or cannot reach the correct internal DNS server via the tunnel, or that server isn't responding correctly.
    

     Understand that DNS is crucial for split tunneling. Know that pushing internal DNS servers (that forward external queries) is a common approach. Be aware of the potential resolution issues when split tunneling is enabled.
    

Conceptual illustration of DNS resolution paths in different scenarios.

Best Practices & Exam Focus

Gotchas and Caveats

While split tunneling offers benefits, it introduces complexities and potential risks:

Security Risk of Direct Access: This is the most significant caveat. Traffic bypassing the tunnel (sent direct) also bypasses all corporate security inspection layers (Firewall Policy, Threat Prevention, WildFire, URL Filtering, DLP, etc.). If an endpoint gets compromised via a malicious site accessed directly, it could potentially pivot to attack resources accessible via the tunnel. Evaluate this risk carefully.
DNS Resolution Complexity: As discussed previously, ensuring reliable DNS resolution for both internal and external resources ("Split DNS") can be challenging and is a common source of issues.
Complexity of Exclusions/Inclusions: Maintaining accurate lists of domains and especially applications for include/exclude rules can be difficult. SaaS applications frequently change their underlying IP addresses and domains, and App-ID signatures need to be kept up-to-date. Over-reliance on highly granular excludes/includes can increase management overhead.
Access Route Specificity: Using overly broad Access Routes (like including `0.0.0.0/0` and then trying to exclude many specific public ranges) is generally discouraged. It becomes functionally similar to configuring exclusions from a full tunnel but is harder to reason about. Best practice is usually to include only the necessary internal ranges.
Order of Operations/Precedence: Complex configurations combining Access Routes with multiple includes and excludes require a clear understanding of the precedence rules (Excludes > Includes > Access Routes > Default) to predict traffic flow accurately.
IPv6 Considerations: If your internal network or target resources use IPv6, ensure you configure both IPv4 and IPv6 Access Routes and DNS settings appropriately. Failure to include IPv6 routes when needed can break access for dual-stacked clients.
Application Identification Latency/Accuracy: Application-based split tunneling relies on App-ID. There might be a slight delay before an application flow is identified, and inaccurate identification (due to encryption, obfuscation, or outdated signatures) can lead to incorrect routing decisions. IP-based Access Routes are generally more deterministic.
Local Network Conflicts: If the user's local network subnet (e.g., home network using 192.168.1.0/24) overlaps with a subnet defined in the Access Route list, unpredictable routing or connectivity issues can occur. GlobalProtect has settings (like "No Direct Access to Local Network" - though this affects all local access) that can sometimes mitigate this, but it's best to avoid common home network ranges in corporate Access Route lists if possible.
Troubleshooting Difficulty: Diagnosing split tunnel issues can be harder than full tunnel problems, as you need to consider both the VPN path/policies AND the local network path/potential blocks.

     The security implication of bypassing corporate inspection for direct traffic is the primary trade-off against performance/bandwidth benefits. DNS issues are the most frequent technical problem encountered.
    

Best Practices for Split Tunneling

To implement split tunneling effectively and minimize risks:

Default to Full Tunnel (Security First): If security visibility and control are paramount, and bandwidth/latency are acceptable, **start with Full Tunnel mode**. Only implement split tunneling if there is a clear, justifiable need based on performance, bandwidth constraints, or specific application requirements.
Be Specific with Access Routes (Include List): When using IP-based split tunneling, precisely define only the **internal corporate subnets** that users genuinely need to access via the VPN in the Access Route list. Avoid overly broad ranges or including `0.0.0.0/0`.
Use Domain/App Exclusions Strategically: Leverage Domain/Application exclusions primarily for **trusted, well-known, high-bandwidth SaaS applications** (e.g., Microsoft 365, Teams, Zoom, Salesforce) where direct access significantly improves user experience and the associated risk is understood and accepted.
Prefer App Filters over Individual Apps/Domains (Where Possible): Using curated Application Filters (like `microsoft-office-365`, `saas-collaboration`) can be easier to manage than listing dozens of individual applications or domains, as Palo Alto Networks maintains the filter definitions.
Minimize Use of Includes: Domain/Application *Inclusions* should be used sparingly, only when necessary to force specific public-facing services through the tunnel that wouldn't be covered by Access Routes.
Simplify when Possible: Avoid creating excessively complex rules with numerous overlapping includes and excludes if a simpler Access Route definition or a slightly broader exclusion can achieve the desired outcome with less management overhead.
Manage DNS Carefully: This is critical. Ensure the DNS servers assigned to VPN clients can resolve internal names AND reliably forward external queries. Test DNS resolution thoroughly for both internal and external domains after implementing split tunnel.
Combine with Endpoint Security: Since split tunneling allows direct internet access, robust endpoint security (EDR, host firewall, up-to-date patching, user awareness training) becomes even more critical to protect the endpoint from threats encountered via the direct path.
Document Thoroughly: Clearly document the split tunnel strategy, the rationale behind it, the specific networks included via Access Routes, and any Domain/Application/Video exclusions or inclusions.
Test, Test, Test: Rigorously test all scenarios:
- Access to resources included in the tunnel (by IP and hostname).
- Access to resources excluded from the tunnel (verify they go direct).
- Access to general internet resources (verify they go direct).
- DNS resolution for internal and external names.
- Access to local network resources (if intended).
Monitor and Review: Periodically review split tunnel configurations, especially domain/app lists, to ensure they are still accurate and necessary. Monitor bandwidth usage and user feedback.

PCNSE Exam Focus for Split Tunneling

Based on the PCNSE exam objectives and common question patterns, here's what you should focus on regarding GlobalProtect Split Tunneling:

Core Concepts:
- Definition: Clearly understand what split tunneling is and how it differs fundamentally from full tunnel mode.
- Purpose/Trade-offs: Know the main reasons for using split tunnel (performance, bandwidth) versus full tunnel (security, control) and the inherent risks/benefits of each.
Configuration Location:
- Be able to navigate to the correct location in the PAN-OS GUI: Network > GlobalProtect > Gateways > [Gateway Name] > Agent tab > Client Settings > [Configuration Name] > Split Tunnel tab .
Configuration Methods:
- Access Routes: Understand this is the primary IP-based method. Know it's an *include* list (defines what goes *in* the tunnel). Crucially, know that an **empty Access Route list means Full Tunnel**.
- Domain/Application Excludes: Understand their purpose (bypass tunnel for performance, SaaS optimization) and that they override Access Routes. Know that they rely on App-ID.
- Domain/Application Includes: Understand their purpose (force into tunnel when not matching Access Routes) and that they rely on App-ID. Know this is less common than excludes.
- Exclude Video Streaming: Know what this checkbox does and that it relies on App-ID.
Licensing:
- Know that basic Access Route split tunneling doesn't require extra licenses, but Domain/Application/Video split tunneling **requires an active App-ID subscription**.
Client Behavior:
- Have a conceptual understanding of how the agent modifies the endpoint's routing table (adding specific routes for Access Routes, changing default route for full tunnel).
DNS:
- Recognize the importance of DNS in split tunnel scenarios ("Split DNS").
- Understand the common configuration approach (pushing internal DNS servers that can forward external queries).
- Be able to identify DNS issues as a likely cause if users can access internal IPs but not hostnames.
Security Implications:
- Be acutely aware that traffic excluded from the tunnel **bypasses corporate security inspection**.
Troubleshooting:
- Know where to look for relevant logs (System logs for GP connection/config, Traffic logs for tunneled traffic, potentially endpoint logs).
- Common issues: Incorrect Access Routes, DNS misconfiguration, App-ID issues (for domain/app tunneling), rule precedence misunderstandings.
Scenario Application:
- Be prepared for questions that describe a scenario (e.g., "Optimize O365 traffic", "Allow access only to 10.x networks") and ask for the correct split tunnel configuration method.

     
      Study Tip:
     
     Focus on the "why" and "how" of each configuration method. Draw diagrams of traffic flow for different scenarios (e.g., Access Routes only, Access Routes + O365 Exclude). Make sure you understand what an empty Access Route list signifies.

GlobalProtect Split Tunneling - Interactive Quiz

Test your knowledge on GlobalProtect Split Tunnel configuration and concepts.

1. What is the primary function of Split Tunneling in GlobalProtect?

To encrypt all user traffic using multiple algorithms. To define which traffic goes through the VPN tunnel and which goes direct to the local network/internet. To allow multiple users to share a single VPN tunnel connection. To authenticate users based on their source IP address before tunneling.

Correct Answer: B
Split tunneling's core purpose is to selectively route traffic either through the secure corporate tunnel or directly out via the user's local connection.

2. Compared to Full Tunnel mode, what is the main security trade-off when using Split Tunneling?

Increased latency for internal resources. Higher bandwidth consumption on the corporate firewall. Difficulty accessing local network printers. Loss of security visibility and control over traffic sent directly to the internet.

Correct Answer: D
Traffic that bypasses the tunnel in split mode also bypasses corporate security inspection (Threat Prevention, URL Filtering, etc.), which is the primary security risk.

3. Where in the PAN-OS GUI are Split Tunnel settings primarily configured for GlobalProtect agents?

Network > GlobalProtect > Gateways > [Gateway] > Agent > Client Settings > Split Tunnel Tab Network > GlobalProtect > Portals > [Portal] > Agent > Split Tunnel Tab Policies > Security > [Rule] > Actions Tab Objects > Applications > [Application] > Split Tunnel Override

Correct Answer: A
Split Tunnel configurations are part of the Agent Configuration (Client Settings) applied by a specific GlobalProtect Gateway.

4. What does the "Access Routes" list in the Split Tunnel configuration define?

IP subnets that should bypass the VPN tunnel. Specific applications that should use the VPN tunnel. IP subnets that should be sent through the VPN tunnel. Domains that should be resolved by internal DNS servers.

Correct Answer: C
The Access Routes section acts as an "Include List" – traffic destined for networks listed here will be routed through the GlobalProtect tunnel.

5. If the "Access Routes" (Include List) in a Split Tunnel configuration is left completely empty, what mode does GlobalProtect typically operate in?

Split Tunnel mode with only local LAN access allowed. Full Tunnel mode (all traffic goes through the tunnel). No Tunnel mode (VPN connection fails). Split Tunnel mode allowing only DNS traffic through the tunnel.

Correct Answer: B
An empty Access Route list is the standard way to configure Full Tunnel mode, where the agent routes all traffic via the VPN interface's default gateway.

6. What is the primary purpose of configuring "Exclude Domain/Application" rules in split tunneling?

To allow traffic to specific domains/apps to bypass the tunnel for performance or bandwidth reasons. To force traffic to specific domains/apps through the tunnel for extra inspection. To block access entirely to specific domains/apps. To assign specific IP addresses to clients accessing those domains/apps.

Correct Answer: A
Exclusions are used to "punch holes" out of the tunnel, typically for trusted, high-bandwidth SaaS applications like M365 or video conferencing, allowing them direct internet access.

7. Which underlying Palo Alto Networks technology is required for reliable "Exclude/Include Application" and "Exclude Video Streaming" split tunneling?

User-ID WildFire SSL Decryption App-ID (Application Identification)

Correct Answer: D
These features rely on the firewall's ability to identify applications using App-ID signatures. This requires an App-ID subscription and content updates.

8. What is a common use case for the "Include Domain/Application" split tunnel setting?

Allowing direct access to public websites. Excluding video streaming traffic from the tunnel. Forcing traffic to a specific public cloud service through the tunnel for inspection when Access Routes only cover internal IPs. Blocking access to social media applications.

Correct Answer: C
Includes are less common but used to pull specific traffic *into* the tunnel that wouldn't normally be included based on Access Routes, often for inspection or source IP reasons.

9. Which type of split tunnel configuration requires an active App-ID (Threat Prevention) subscription?

Defining Access Routes based on IP subnets only. Excluding specific applications like 'slack-base' or 'zoom-meetings'. Leaving the Access Route list empty for Full Tunnel mode. Assigning specific DNS servers to clients.

Correct Answer: B
Any split tunneling method that relies on identifying the application (Exclude/Include Application, Exclude Video) requires the App-ID engine and its associated subscription. IP-based Access Routes do not.

10. How does the GlobalProtect agent typically modify the endpoint's routing table in Split Tunnel mode (when Access Routes are defined)?

Adds specific routes for the included Access Route networks, pointing to the GP virtual adapter. Changes the endpoint's default gateway (0.0.0.0/0) to point to the GP virtual adapter. Removes all existing routes and only adds routes for the VPN. Creates static routes for excluded domains.

Correct Answer: A
In split tunnel mode, the agent adds more specific routes for the tunneled destinations, while leaving the default route pointing to the local gateway for non-tunneled traffic.

11. What is "Split DNS" in the context of GlobalProtect split tunneling?

Using two different VPN tunnels for DNS traffic. Assigning half the users to one DNS server and half to another. Encrypting DNS queries sent over the local network. The challenge of ensuring clients can resolve both internal hostnames (via VPN DNS) and external hostnames (via local/public DNS).

Correct Answer: D
Split DNS refers to the need for the client endpoint to correctly resolve names for both tunneled (internal) and non-tunneled (external) resources, which often requires careful configuration of the DNS servers pushed by GlobalProtect.

12. A common and often recommended way to handle DNS in a split tunnel scenario is to:

Push only public DNS servers (like 8.8.8.8) to the client via GlobalProtect. Do not push any DNS servers and let the client use only their local settings. Push internal corporate DNS servers via GlobalProtect, ensuring those servers can forward external queries. Configure static host file entries on each client for internal resources.

Correct Answer: C
Pushing internal DNS servers that are configured to forward requests for external domains they don't host is a common and relatively simple approach to handle split DNS requirements.

13. If a user in split tunnel mode can ping an internal server by its IP address (e.g., 10.1.1.5) but cannot access it using its hostname (e.g., fileserver.corp.local), what is the most likely cause?

The Access Route for the 10.1.1.0/24 network is missing. A DNS resolution issue; the client cannot resolve the internal hostname using the configured DNS servers. An Application Exclude rule is incorrectly routing the traffic directly. The user's GlobalProtect client needs to be updated.

Correct Answer: B
Successful IP connectivity but failed hostname connectivity almost always points to a DNS problem. The client either isn't using the right DNS server or the server isn't providing the correct internal record.

14. Consider a split tunnel configured with Access Route `192.168.0.0/16` and an Exclude rule for `*.zoom.us`. Where will traffic destined for a Zoom meeting server with IP `192.168.10.20` be routed?

Directly via the local network (Bypassing the tunnel). Through the VPN tunnel. The connection will be blocked by the agent. It depends on the application identified by App-ID.

Correct Answer: A
Domain/Application Exclusions take precedence over Access Routes. Even though the IP matches the Access Route, the domain exclusion for `*.zoom.us` forces the traffic to bypass the tunnel.

15. When troubleshooting split tunneling, besides firewall logs, what is essential to check?

The GlobalProtect Portal configuration only. The user's internet browsing history. The routing table and DNS settings on the client endpoint. The SSL certificate used by the Gateway.

Correct Answer: C
Split tunneling behavior is implemented on the client. Checking the client's actual routing table (`route print` or `ip route`) and DNS configuration (`ipconfig /all` or `cat /etc/resolv.conf`) is crucial for troubleshooting.

16. Which split tunneling method is generally preferred for optimizing access to dynamic SaaS applications like Microsoft 365?

Including specific IP ranges for Microsoft 365 in Access Routes. Including the 'microsoft-office-365' application filter in the "Include" list. Excluding the client's local subnet in Access Routes. Excluding relevant domains (e.g., *.office.com) or Application Filters (e.g., 'microsoft-office-365') in the "Exclude" list.

Correct Answer: D
Excluding SaaS applications by domain or App-ID filter allows direct access, which is usually desired for performance. Including specific IPs is difficult as they change frequently.

17. What does checking the "Exclude Video Streaming Applications" box achieve?

It blocks all UDP traffic over the VPN tunnel. It excludes traffic identified by App-ID as common video apps (e.g., YouTube, Netflix) from the tunnel. It prioritizes video traffic within the VPN tunnel using QoS. It requires users to authenticate separately for video websites.

Correct Answer: B
This checkbox is a convenience feature that uses App-ID to identify and exclude a predefined list of popular video streaming applications, sending their traffic direct.

18. If you configure an "Include Domain/Application" rule for `internal-tool.corp.cloud`, where will traffic to this destination go, assuming no matching Exclude rules exist?

Through the VPN tunnel, regardless of Access Route settings. Directly via the local network, regardless of Access Route settings. Only through the VPN tunnel if its IP matches an Access Route. Only directly if its IP does NOT match an Access Route.

Correct Answer: A
Include rules force the specified domain/application traffic into the tunnel, overriding the default behavior dictated by the presence or absence of matching Access Routes.

19. Which statement about routing table changes made by GlobalProtect is most accurate for Full Tunnel mode?

Only routes for internal networks are added. No changes are made to the routing table. Specific routes are added for common internet destinations. The default route (0.0.0.0/0 and/or ::/0) is typically modified to point to the GP virtual adapter.

Correct Answer: D
In Full Tunnel mode (achieved with an empty Access Route list), the agent usually changes the system's default route to force all non-local traffic through the VPN tunnel.

20. A potential conflict can arise in split tunneling if:

The user has multiple web browsers installed. The VPN uses a strong encryption algorithm. The user's local home network IP range overlaps with an IP range listed in the Access Routes. The user connects from a different operating system than usual.

Correct Answer: C
If the internal network range defined in the Access Routes (e.g., 192.168.1.0/24) is the same as the user's home network, the endpoint's OS may have difficulty routing traffic correctly.

21. True or False: Configuring Split Tunneling using only IP-based Access Routes requires an additional Palo Alto Networks license beyond the basic GlobalProtect subscription.

True False

Correct Answer: B
False. Basic split tunneling defined solely by the Access Route (IP Include) list is a core feature and does not typically require licenses beyond the standard GlobalProtect gateway functionality.

22. To ensure traffic to `critical-partner.com` always goes through the VPN tunnel for inspection, even if your main configuration is split tunnel for internal IPs only, which method would you use?

Add `critical-partner.com` to the "Include Domain/Application" list. Add `critical-partner.com` to the "Exclude Domain/Application" list. Add the IP address of `critical-partner.com` to the Access Routes list. Enable the "Exclude Video Streaming Applications" checkbox.

Correct Answer: A
The "Include" list is used to force specific domains/apps into the tunnel when they wouldn't normally be included by Access Routes. Adding the IP might work but is less reliable if the IP changes.

23. Which component is primarily responsible for enforcing the split tunnel rules on the user's machine?

The GlobalProtect Portal The GlobalProtect Gateway Firewall The GlobalProtect Agent software running on the endpoint The User-ID agent

Correct Answer: C
The GlobalProtect Agent receives the configuration from the Gateway and then modifies the endpoint's routing table and intercepts/steers traffic locally based on the defined rules.

24. What is a primary benefit of using Application Filters (e.g., `microsoft-office-365`) instead of individual domains in Exclude rules?

It requires less bandwidth on the client. It does not require an App-ID license. It provides stronger encryption for excluded traffic. Easier maintenance, as Palo Alto Networks updates the filter definitions to cover relevant apps/domains.

Correct Answer: D
Application Filters group multiple related applications and domains. Palo Alto Networks maintains these definitions through content updates, simplifying administration compared to manually tracking all domains for a large service like M365.

25. If you configure split tunnel Access Routes to include `10.0.0.0/8` and also check "Exclude Video Streaming Applications", where does traffic to YouTube (identified by App-ID) go?

Directly via the local network (Bypassing the tunnel). Through the VPN tunnel because its IP might be anything. It depends on the DNS server used. The connection is blocked.

Correct Answer: A
Exclusions (including the video exclusion checkbox) take precedence. Even if YouTube used an IP in the 10.x range (unlikely), the video exclusion rule would force it to bypass the tunnel.

26. A user reports that since split tunneling was enabled (excluding Office 365), they can no longer access an internal web server `intranet.corp.local`. Accessing `office.com` works fine. What should be checked first?

If the Office 365 exclusion rule is working correctly. If the internal network containing `intranet.corp.local` is correctly included in the Access Routes list AND if DNS resolution for `intranet.corp.local` is working via the VPN DNS. If the user's GlobalProtect license is still valid. If the user's local internet connection is down.

Correct Answer: B
The issue relates to accessing an *internal* resource. The primary checks are whether its network is included in the tunnel (Access Routes) and whether its name can be resolved correctly by the DNS server assigned for the VPN connection.

27. Which configuration inherently provides the most comprehensive security inspection coverage for remote user traffic?

Split Tunnel with Access Routes for internal networks only. Split Tunnel with exclusions for SaaS applications. Full Tunnel mode. Split Tunnel with includes for specific cloud applications.

Correct Answer: C
Full Tunnel mode forces *all* traffic through the corporate firewall, allowing for consistent application of all security policies (Threat Prevention, URL Filtering, WildFire, etc.) to all user traffic.

28. You want to implement split tunneling but ensure traffic to your company's public website (`www.mycompany.com`), which resolves to a public IP, always goes direct via the user's local internet. How would you typically configure this?

Define Access Routes for internal networks only; traffic to public IPs like `www.mycompany.com` will go direct by default. Add `www.mycompany.com` to the "Include Domain/Application" list. Add `www.mycompany.com` to the "Exclude Domain/Application" list. Add the public IP of `www.mycompany.com` to the Access Routes list.

Correct Answer: A
In standard split tunnel mode defined by Access Routes (include list), any traffic *not* matching the included internal routes (like traffic to a public website) will automatically go direct. No specific exclude rule is usually needed unless you started with full tunnel.

29. True or False: Changes made to the Split Tunnel configuration in the Gateway Agent Settings take effect immediately for all currently connected users without requiring them to reconnect.

True False

Correct Answer: B
False. The agent typically retrieves its configuration, including split tunnel rules, upon connection. Changes made on the Gateway usually require the client to disconnect and reconnect to receive and apply the new settings.

30. Which factor is LEAST likely to be a primary reason for choosing Split Tunnel over Full Tunnel?

Improving performance for SaaS applications like Microsoft Teams. Ensuring all user traffic is subjected to corporate DLP policies. Reducing load on the corporate internet bandwidth. Allowing users easier access to their home network printers.

Correct Answer: B
Ensuring all traffic is subject to corporate policies (like DLP, Threat Prevention, etc.) is a primary reason for using *Full Tunnel*, not Split Tunnel, as split tunneling allows some traffic to bypass these controls.