>
    Host a Split Tunnel Configuration File on a Web Server
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. GlobalProtect Gateways
    4. Host a Split Tunnel Configuration File on a Web Server
    Download PDF
    GlobalProtect

    Host a Split Tunnel Configuration File on a Web Server

    Table of Contents

    Host a Split Tunnel Configuration File on a Web Server

    Host a split tunnel configuration file on a local web server for expanded support for domains, access routes and applications that you can update dynamically.
    Where Can I Use This?What Do I Need?
    • Prisma Access
    • GlobalProtect Subscription
    • Prisma Access Mobile Users license (for use with Prisma Access)
    • GlobalProtect app version 6.2 or later for Windows and macOS
    • Content release version 8699-7991 or later
    You can either define your split tunnel configuration on the GlobalProtect gateway, or you can host it in a Split Tunnel configuration file that you host on a web server in your environment. In order to push the split tunnel configuration to the endpoint:
    • Your split tunnel configuration file must parse as valid XML
    • The web server must be reachable by all endpoints configured to fetch the split tunnel configuration file
    • The server and the client must be able to mutually authenticate
    If the GlobalProtect app cannot fetch the split tunnel configuration file, it falls back to the split tunnel configuration that you have configured on the gateway.
    The following table shows the split tunnel configuration limits when the configuration is hosted on GlobalProtect vs. when it is hosted in a Split Tunnel Configuration file in your environment:
    Split Tunnel By...Configured on GlobalProtect GatewayHosted on a Web Server
    Access Route
    Include
    		10001000
    Exclude
    		2001000
    Domain
    Include
    		2001000
    Exclude
    		2001000
    Application
    Include
    		200200
    Exclude
    		200200
    1. Create and sign the split tunnel configuration file.
      1. Create your split tunnel configuration file in XML format, as in the following example.
      2. Sign the configuration file.
        For example, if the signature file name is config_signature.sha256:
        openssl dgst -sha256 -sign private_key.pem -out config_signature.sha256 config.txt
        You can optionally verify the signature:
        openssl dgst -sha256 -verify public_key.pem -signature config_signature.sha256 config.txt
        Base64 encoding signature file (no wrapping):
        openssl base64 -A -in config_signature.sha256 -out encoded_signature.txt
      3. Add the encoded digest to the configuration file.
        1. Add the encoded digest as the first line in the configuration file. It must be on a single line.
        2. Add the split tunnel configuration as the second line.
        3. If you want the traffic to be routed through GlobalProtect by default, add an <access-routes> section with the default route 0.0.0.0/0.
        The content in the file must not be terminated with a NULL character (ASCII '\0', or ^@)" ).
      4. Host the split tunnel configuration file you just created on a web server that your GlobalProtect endpoints can access.
      5. Enable mutual authentication.
        You will need the public key certificate that you use for mutual authentication for the GlobalProtect configuration.
        For example, to host the split tunnel configuration file in AWS behind the network load balancers protected by the AWS network firewall, you would do the following:
        1. Provision EC2 instances to host servers.
          • Create network load balancers (NLB) and configure listeners on TCP port 443.
          • Create Target Groups with port 443 and associate EC2 instances to the Target Groups.
          • Configure the network firewall and two stateless rule groups and associate them with the configured firewalls that you have provisioned. Configure rule 1 to drop packets to all ports and protocols from a specific IP address or subnet. Configure rule 2 to allow packets to TCP port 443.
          • Configure the VPC routing tables to forward traffic from the internet to the NLB via the network firewall.
    2. Add the public key certificate you used on your web server to the portal configuration.
      In the App Configurations area, paste the public key certificate in the Enhanced Split Tunnel Client Certificate Public Key field.
    3. Enable split tunneling and add the URL for your split tunnel configuration file.
      1. In the GlobalProtect Gateway Configuration dialog, select AgentTunnel Settings and enable Tunnel Mode
      2. Configure the tunnel parameters for the GlobalProtect app.
      3. In the GlobalProtect Gateway Configuration dialog, select AgentClient Settings and select an existing client settings configuration or add a new one.
      4. Select Split Tunnel and in the Include Domain section, add the URL of your split tunnel configuration file as the first entry in the Include Domain section.
        Only HTTPS URLs are supported.
      5. Click OK and Commit the changes.

    © 2024 Palo Alto Networks, Inc. All rights reserved.