PAN-OS: Configuring GlobalProtect Split Tunneling

What is Split Tunneling?

Split Tunneling in GlobalProtect determines which network traffic originating from the remote user's endpoint is sent through the secure VPN tunnel to the corporate network, and which traffic is sent directly to the internet via the user's local network connection.

This contrasts with Full Tunnel mode, where *all* traffic (corporate and internet-bound) from the endpoint is forced through the VPN tunnel.

The choice between split and full tunnel depends on balancing security requirements (inspecting all traffic) against performance and bandwidth considerations (allowing direct internet access).

Reasons for Using Split Tunnel vs. Full Tunnel

  • Security Visibility & Control
    • Split Tunnel: Less visibility; only corporate-bound traffic is inspected by the firewall. Direct internet traffic bypasses corporate security.
    • Full Tunnel: More visibility; all traffic is inspected. Consistent policy and threat prevention applied.
  • Bandwidth Consumption
    • Split Tunnel: Lower corporate bandwidth use; internet traffic uses the user's local connection.
    • Full Tunnel: Higher corporate bandwidth use; all traffic traverses corporate links.
  • Performance (Internet/SaaS)
    • Split Tunnel: Potentially better performance for internet/SaaS apps via the direct connection.
    • Full Tunnel: Performance may be impacted by latency through the corporate network (hairpinning).
  • Local Network Access
    • Split Tunnel: Easy access to local resources (printers, etc.).
    • Full Tunnel: Local resource access may be blocked or require specific configuration.
  • Complexity
    • Split Tunnel: Requires careful definition of included/excluded routes/apps. Can be complex to manage precisely.
    • Full Tunnel: Simpler initial setup (all traffic goes through).
  • Compliance
    • Split Tunnel: May not meet requirements if all traffic must be logged/inspected.
    • Full Tunnel: Easier to meet strict compliance mandates requiring full traffic inspection.

Configuring Split Tunneling

Location

Split tunnel settings are configured within the Agent Client Settings of a GlobalProtect Gateway:

Key Configuration Methods:

  1. Access Routes (Include List - Network Layer):

    • Purpose: This is the primary method for defining split tunnels based on destination IP networks.
    • How it Works: You specify the IPv4 and/or IPv6 subnets that SHOULD be sent through the VPN tunnel. Any traffic destined for networks *not* listed here will be sent via the client's local gateway (direct internet).
    • Configuration: Add specific IP addresses or CIDR network ranges (e.g., 10.0.0.0/8, 172.16.32.0/24).
    • Empty Access Route List = Full Tunnel: If you leave the 'Access Route' list empty, the GlobalProtect agent typically interprets this as Full Tunnel mode, installing a default route pointing to the VPN tunnel interface.
    # Example: Access Route for Internal Networks
    10.10.0.0/16
    192.168.50.0/24
    # Traffic to these destinations goes via VPN.
    # Traffic to Google DNS (8.8.8.8) goes direct to internet.
                
  2. Domain and Application Exclusions/Inclusions (Layer 7):

    These provide more granular control, overriding the Access Route logic for specific domains or applications.

    • Exclude Domains/Apps:
      • Specify FQDNs (e.g., *.office365.com, zoom.us) or select Applications/App Filters (e.g., microsoft-base, slack-base).
      • Traffic destined for these domains/applications will bypass the tunnel and go directly via the local network, *even if* their destination IP address matches an Access Route.
      • Common Use Case: Allowing direct access to trusted, high-bandwidth SaaS applications (like Office 365, Zoom, Salesforce) for better performance, while still tunneling other corporate traffic.
      # Example: Exclude O365 Domains (even if 10.x.x.x is an Access Route)
      Exclude Domain/App: *.office.com, *.sharepoint.com, office365-base
                          
    • Include Domains/Apps:
      • Specify FQDNs or select Applications/App Filters.
      • Traffic destined for these domains/applications MUST go through the tunnel, *even if* their destination IP address does NOT match an Access Route.
      • Less Common Use Case: Forcing specific cloud applications through the corporate network for inspection, regardless of their public IP, when default mode is split tunnel.
    • Both domain/app inclusions and exclusions depend on accurate DNS resolution and App-ID identification on the client and firewall; a flow that cannot be matched to a domain or App-ID falls back to the IP-based Access Route logic.

  3. Exclude Video Streaming Applications:

    • Purpose: A simple checkbox to exclude a predefined list of common video streaming applications (maintained by Palo Alto Networks) from the tunnel.
    • Benefit: Easily prevents high-bandwidth consumer video traffic from using VPN resources without needing to list every domain or App-ID manually.

How Split Tunneling Works on the Client

When the GlobalProtect agent receives the split tunnel configuration from the Gateway:

  1. It modifies the endpoint's routing table.
  2. Specific routes are added for each network defined in the Access Route (Include List), pointing to the virtual network adapter associated with the GlobalProtect tunnel.
  3. If Access Routes are defined (Split Tunnel mode), the endpoint's default gateway typically remains pointing to the user's local physical network adapter gateway.
  4. If Access Routes are empty (Full Tunnel mode), the agent typically sets the default gateway to point to the GlobalProtect tunnel interface, forcing all traffic through the VPN.
  5. The agent intercepts network traffic and uses the Access Routes, Domain/App Excludes/Includes, and Video Exclude settings to decide whether to send traffic via the tunnel adapter or the physical adapter.
```mermaid
graph TD
    A[User Traffic] --> B{GP Agent Intercepts};
    B --> C{Matches Domain/App/Video Exclude?};
    C -- Yes --> G[Route via Physical Adapter Interface];
    C -- No --> E{Matches Domain/App Include?};
    E -- Yes --> D[Route via VPN Tunnel Interface];
    E -- No --> F{Dest Matches Access Route (10.0.0.0/8)?};
    F -- Yes --> D;
    F -- No --> G;
    %% Excludes override Access Routes, Includes override a non-matching Access Route;
    %% in split mode, traffic matching no rule defaults to the physical adapter.
    D --> H((Corporate Firewall));
    G --> I((Internet / Local Network));

    style D fill:#d5f5e3,stroke:#58d68d,stroke-width:1px
    style G fill:#fdebd0,stroke:#f5b041,stroke-width:1px
```

Simplified Client-Side Routing Decision Logic.
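As an added example (not code from the page or from Palo Alto Networks), the following Python model covers both the configuration methods 1 to 3 above and the client-side routing steps: it derives the routes the agent would install from the Access Route list and applies the stated precedence (excludes beat Access Routes, includes beat a non-matching Access Route, an empty Access Route list means full tunnel) to individual flows. The adapter names, the VIDEO_APPS set and all sample flows are constructed stand-ins.

```python
import ipaddress
from dataclasses import dataclass, field
from fnmatch import fnmatch

TUNNEL, DIRECT = "gp-tunnel-adapter", "physical-adapter"  # constructed adapter labels

# Constructed stand-in for the vendor-maintained video streaming App-ID list.
VIDEO_APPS = {"youtube-base", "netflix-streaming"}


@dataclass
class SplitTunnelConfig:
    access_routes: list = field(default_factory=list)    # include list, CIDR strings
    exclude_domains: list = field(default_factory=list)  # FQDN patterns, e.g. "*.office.com"
    include_domains: list = field(default_factory=list)
    exclude_apps: set = field(default_factory=set)       # App-ID names, e.g. "office365-base"
    exclude_video: bool = False


def route_table(cfg):
    """Routes the agent installs: one per Access Route plus the default route.
    An empty Access Route list is full tunnel, so the default route moves to the tunnel."""
    if not cfg.access_routes:
        return {"0.0.0.0/0": TUNNEL}
    table = {str(ipaddress.ip_network(r)): TUNNEL for r in cfg.access_routes}
    table["0.0.0.0/0"] = DIRECT  # default gateway stays on the physical adapter
    return table


def _matches_domain(fqdn, patterns):
    return fqdn is not None and any(fnmatch(fqdn.lower(), p.lower()) for p in patterns)


def decide(cfg, dst_ip, fqdn=None, app=None):
    """Pick the egress adapter for one flow. fqdn/app are what DNS and App-ID
    resolved for the flow (None when unknown), in which case only IP routing applies."""
    if _matches_domain(fqdn, cfg.exclude_domains) or app in cfg.exclude_apps:
        return DIRECT  # exclusions win even when the IP is inside an Access Route
    if cfg.exclude_video and app in VIDEO_APPS:
        return DIRECT
    if _matches_domain(fqdn, cfg.include_domains):
        return TUNNEL  # inclusions win even when the IP is outside every Access Route
    if not cfg.access_routes:
        return TUNNEL  # full tunnel mode
    ip = ipaddress.ip_address(dst_ip)
    if any(ip in ipaddress.ip_network(r) for r in cfg.access_routes):
        return TUNNEL
    return DIRECT  # split mode default: unmatched traffic goes out the local gateway
```

Quiz question 10 is one of the cases this reproduces: with 192.168.1.0/24 as the only Access Route and `*.google.com` excluded, a flow to 172.217.160.142 resolved as a google.com host is sent direct.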

Gotchas and Caveats

Best Practices

PCNSE Exam Focus

For the PCNSE exam, regarding Split Tunneling:

GlobalProtect Split Tunnel Quiz

1. What does "Split Tunnel" mode in GlobalProtect allow a client to do?

Split tunneling selectively routes traffic: specified destinations go via the VPN, while everything else uses the client's normal internet path.

2. Where are Split Tunnel settings primarily configured in PAN-OS?

Split Tunnel behavior, including Access Routes and Excludes/Includes, is defined within the Client Settings pushed down by the specific Gateway the client connects to.

3. What does the "Access Routes" list within the Split Tunnel configuration define?

Access Routes function as an "include list" – only traffic destined for the networks specified here will be routed via the VPN tunnel when split tunneling is active.

4. If the "Access Routes" list in the Split Tunnel configuration is left empty, what mode does GlobalProtect typically operate in?

An empty Access Route list is the standard way to configure Full Tunnel mode. The client agent interprets this as needing to send all traffic, including internet traffic, via the tunnel (usually by setting the default route).

5. An administrator wants internal traffic (10.0.0.0/8) to go through the VPN, but wants Microsoft Office 365 traffic to go directly to the internet for better performance. How should this be configured?

You define the internal network (10.0.0.0/8) as traffic to *include* in the tunnel via Access Routes. Then, you specifically *exclude* Office 365 traffic using domain or application exclusions to allow it direct internet access.

6. What is a significant security consideration when implementing split tunneling?

When traffic goes direct to the internet via the user's local connection, it is not inspected by the corporate Palo Alto Networks firewall, potentially exposing the endpoint (and subsequently the corporate network upon reconnection) to threats encountered online.

7. How does the GlobalProtect agent modify the endpoint's networking when split tunneling via Access Routes is configured?

The agent manipulates the host OS routing table, adding routes for the specific subnets defined in the Access Routes list, directing traffic for those destinations to the virtual network adapter created by GlobalProtect.

8. The "Exclude Video Streaming Applications" checkbox in the Split Tunnel configuration primarily helps achieve which goal?

This option provides a simple way to prevent high-bandwidth, often non-business-critical video streams from consuming potentially limited corporate WAN bandwidth by excluding them from the VPN tunnel.

9. What potential issue needs careful consideration when implementing split tunneling, especially regarding name resolution?

Clients in split tunnel mode need to resolve names for resources reached via the tunnel *and* resources reached directly. This often requires careful configuration of the DNS servers pushed by the gateway (Split DNS) to handle both internal and external lookups correctly.

10. An administrator defines 192.168.1.0/24 in the Access Routes (Include List) and adds `*.google.com` to the Domain Exclude List. What happens to traffic destined for a Google server with IP 172.217.160.142?

Domain/Application Exclusions take precedence over the basic IP-based Access Routes. Even though the destination IP (172.217.160.142) doesn't match the Access Route (192.168.1.0/24), the traffic is identified as belonging to the excluded `*.google.com` domain and is therefore sent direct, bypassing the tunnel.

GlobalProtect Split Tunneling Resources