Split Tunnel to Exclude by Access Route

You can now exclude specific destination IP subnets from being sent over the VPN tunnel. With this feature, you can send latency-sensitive or high-bandwidth traffic outside of the VPN tunnel while all other traffic is routed through the VPN for inspection and policy enforcement by the GlobalProtect gateway.
The routes you send through the VPN tunnel can be defined as routes you include in the tunnel, as routes you exclude from the tunnel, or as a combination of both. For example, you can set up split tunneling to allow remote users to reach the internet without going through the VPN tunnel. When a destination matches both an included and an excluded route, the more specific (longer-prefix) route takes precedence. If you neither include nor exclude routes, every request is routed through the tunnel (no split tunneling).
  1. Configure the GlobalProtect gateway.
    • Select the gateway you want to modify, or add a new gateway.
    • Enable tunneling and configure the tunnel parameters for an agent configuration.
  2. On the GlobalProtect Gateway Configuration dialog, select Agent > Client Settings to add or modify client settings for the agent.
  3. Select Client Settings > Split Tunnel to define a split tunnel configuration for the client.
    With a split tunnel, you can define the traffic that flows through the VPN by including routes, excluding routes, or both. In some cases, it can be easier to specify the routes you want the client to exclude, rather than specifying all the routes you want to include. For example, if you want to tunnel everything except one or two class C networks, you can exclude these few networks rather than compiling a long list of the networks you want to include.
    If you only exclude routes, all other routes are included by default. If you only include routes, all other routes are excluded by default. In the case of a conflict between included and excluded routes, the more specific route configuration will be honored.
  4. Make sure No direct access to local network is disabled. When enabled, this setting disables split tunneling on Windows and Mac OS endpoints, so the routes you define in the next steps would not take effect there.
  5. (Optional) In the Includes area, Add the destination subnets or address object (of type IP Netmask) to route only some traffic—likely traffic destined for your LAN—to GlobalProtect.
    These are the routes the gateway pushes to the remote users’ endpoint and thereby determines what traffic the users’ endpoint can send through the VPN connection.
  6. (Optional) In the Excludes area, Add the destination subnets or address object (of type IP Netmask) that you want the client to exclude.
    Traffic to these routes is sent through the endpoint's physical adapter rather than through the virtual adapter (the tunnel). Excluded routes should be more specific than the included routes: because the more specific route wins, an exclude that is broader than an include does not remove that include from the tunnel, but it does pull every other destination in the broader range out of the tunnel, so you may exclude more traffic than you intended.
    Excluding routes is not supported on Android. Only IPv4 routes are supported on Chrome.
  7. Save the gateway configuration.
    • Click OK twice.
    • Commit your changes.
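Before committing, it is worth checking how a planned Includes/Excludes list will actually classify traffic, because the rules above (only-excludes means everything else is tunneled, only-includes means everything else is direct, the longer prefix wins on overlap) interact in ways that are easy to get wrong. The following Python script is an added example written for this page, not Palo Alto Networks code and not the GlobalProtect client's implementation: it models the route-selection rules as this page states them, applies the longest-prefix-wins rule over both lists, and flags excludes that are broader than an include or that overlap nothing included. The sample subnets are constructed for illustration.

```python
"""Model of GlobalProtect split-tunnel route selection as described on this page.

Added example, not Palo Alto Networks code. It implements the page's rules
(include/exclude lists, defaults when only one list is set, more-specific
route wins) so a planned configuration can be sanity-checked offline. It does
not talk to a gateway; the subnets below are constructed sample values.
"""
import ipaddress
from typing import List, Sequence, Tuple

Net = ipaddress.IPv4Network


def build_routes(includes: Sequence[str], excludes: Sequence[str]) -> Tuple[List[Net], List[Net]]:
    """Parse the Includes/Excludes lists into networks and apply the page's defaults.

    Only excludes given -> everything else is included (tunnel gets 0.0.0.0/0).
    Only includes given -> everything else is excluded (nothing extra needed).
    Neither given       -> full tunnel (0.0.0.0/0 included).
    """
    inc = [ipaddress.IPv4Network(s, strict=False) for s in includes]
    exc = [ipaddress.IPv4Network(s, strict=False) for s in excludes]
    if not inc:
        inc = [ipaddress.IPv4Network("0.0.0.0/0")]
    # The same prefix in both lists has no "more specific" side; the page does
    # not define that case, so this model rejects it as a configuration error.
    clash = set(inc) & set(exc)
    if clash:
        raise ValueError(f"prefix listed in both Includes and Excludes: {sorted(map(str, clash))}")
    return inc, exc


def route_for(dst: str, inc: Sequence[Net], exc: Sequence[Net]) -> str:
    """Return 'tunnel' or 'direct' for one destination address.

    Among all included and excluded routes containing dst, the longest prefix
    wins (the page's "more specific route configuration will be honored").
    A destination matching no route at all leaves via the physical adapter.
    """
    ip = ipaddress.IPv4Address(dst)
    best_len, decision = -1, "direct"
    candidates = [(n, "tunnel") for n in inc] + [(n, "direct") for n in exc]
    for net, where in candidates:
        if ip in net and net.prefixlen > best_len:
            best_len, decision = net.prefixlen, where
    return decision


def lint(includes: Sequence[str], excludes: Sequence[str]) -> List[str]:
    """Flag excludes likely to pull more traffic out of the tunnel than intended.

    Checks the explicit Includes only (not the implicit 0.0.0.0/0 default), so
    an excludes-only configuration produces no findings.
    """
    inc = [ipaddress.IPv4Network(s, strict=False) for s in includes]
    exc = [ipaddress.IPv4Network(s, strict=False) for s in excludes]
    findings: List[str] = []
    for e in exc:
        narrower_includes = [i for i in inc if i != e and i.subnet_of(e)]
        if narrower_includes:
            findings.append(
                f"exclude {e} is less specific than include(s) "
                f"{[str(i) for i in narrower_includes]}; everything in {e} outside "
                f"those includes will bypass the tunnel")
        elif inc and not any(i.overlaps(e) for i in inc):
            findings.append(f"exclude {e} overlaps no include; it is already direct by default")
    return findings


if __name__ == "__main__":
    # Constructed sample plan: tunnel the corporate /8 and one branch /24,
    # but keep the 10.5.0.0/16 video-conferencing range off the tunnel.
    includes = ["10.0.0.0/8", "192.168.100.0/24"]
    excludes = ["10.5.0.0/16"]
    inc, exc = build_routes(includes, excludes)
    for dst in ["10.1.2.3", "10.5.7.7", "8.8.8.8", "192.168.100.9"]:
        print(f"{dst:>16} -> {route_for(dst, inc, exc)}")
    for finding in lint(["10.5.0.0/16"], ["10.0.0.0/8"]):
        print("warning:", finding)
```

Run it as a script to see the classification of the sample plan; the `lint` call at the end shows the warning for the mistake the page cautions against (excluding 10.0.0.0/8 while only 10.5.0.0/16 is included). The model deliberately treats the same prefix in both lists as an error rather than guessing which side the client would honor, since the page does not define that case.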