Wednesday, June 24, 2020

Domain-based split tunnel on Palo Alto

How has everyone's experience been with domain-based split tunneling on Palo Altos? I have been going nuts trying to understand why some workstations are able to do it, and some are not, on the same gateway configuration. On workstations where it doesn't work, I see the TCP SYN trying to leave my local NIC, and PAN support verified the DNS query for said website is being intercepted by the gateway and sent back to the GP client as an IP exclusion, but the 3-way handshake never gets to the SYN-ACK stage. As far as I can tell, there is something on non-working workstations preventing the SYN from ever really leaving the local NIC, as I captured upstream and never found it. PAN TAC noted that WFP (Windows Filtering Platform) may be interfering, but that is a rabbit hole I do not intend to go down. I'm ready to write it off due to inconsistent results. Thoughts?
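One way to test the WFP theory TAC raised without going far down the rabbit hole, as an added example that is not from the original poster or from Palo Alto Networks: turn on WFP packet-drop auditing, send one SYN to the excluded address, then map any 5152/5157 drop event back to the named filter and provider that blocked it. It assumes a Windows 10/11 host running GlobalProtect, an elevated PowerShell session, and that `$Target` is the IP the gateway handed back as the split-tunnel exclusion (203.0.113.10 is a placeholder to replace).

```powershell
# Added diagnostic example, not part of the original post or any vendor tooling.
# Assumes Windows 10/11, an elevated PowerShell session, and that $Target is the
# address returned to the GP client as an IP exclusion (placeholder below).
param(
    [string]$Target = "203.0.113.10",
    [int]   $Port   = 443,
    [string]$Dump   = "$env:TEMP\wfp-filters.xml"
)

# 1. Audit WFP drops. Event 5152 = packet blocked, 5157 = connection blocked;
#    both carry FilterRTID, the runtime ID of the filter that made the decision.
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Filtering Platform Connection"  /success:enable /failure:enable | Out-Null

# 2. Confirm which interface the stack picks for the excluded address. A working
#    exclusion should select the physical NIC, not the GlobalProtect adapter.
Find-NetRoute -RemoteIPAddress $Target |
    Select-Object InterfaceAlias, IPAddress, DestinationPrefix, NextHop |
    Format-Table -AutoSize

# 3. Send one SYN and remember when, so only events after it are examined.
$start = Get-Date
Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort, TcpTestSucceeded

# 4. Pull every WFP drop logged since then that names the target address.
$drops = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157; StartTime = $start } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Id         = $_.Id
            # Raw XML stores direction as a resource ID: %%14592 inbound, %%14593 outbound
            Direction  = $d.Direction
            Layer      = $d.LayerName
            FilterRTID = $d.FilterRTID
            Dest       = "$($d.DestAddress):$($d.DestPort)"
            App        = $d.Application
        }
    } |
    Where-Object { $_.Dest -like "$Target*" }

if (-not $drops) {
    "No WFP drop events for $Target since $start; WFP did not block the SYN on this host."
    return
}
$drops | Format-Table -AutoSize

# 5. Map each FilterRTID to a named filter and its provider in the live WFP state
#    (GlobalProtect's own provider, a third-party endpoint agent, or Windows).
netsh wfp show filters file="$Dump" | Out-Null
foreach ($rtid in ($drops.FilterRTID | Sort-Object -Unique)) {
    "--- filterId $rtid ---"
    # Print the lines around the matching <filterId> so the display name and
    # providerKey are visible without assuming the exact element nesting.
    Select-String -Path $Dump -Pattern "<filterId>$rtid</filterId>" -Context 30, 5 |
        ForEach-Object { $_.Context.PreContext + $_.Line + $_.Context.PostContext } |
        Where-Object { $_ -match '<name>|<description>|<providerKey>|<layerKey>|<filterId>' }
}
```

Run it once on a working and once on a non-working workstation and diff the FilterRTID/provider output: if the non-working host logs an outbound 5152/5157 for the excluded IP, the provider shown for that filter is where to look next. Packet-drop auditing is noisy, so disable it afterwards with `auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable` and the same for "Filtering Platform Connection".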


