Palo Alto GlobalProtect and macOS Extension Issue with Split Tunnel Domain Exclusions/Inclusions

With a split tunnel VPN, it is common to want specific domains tunneled across the VPN and out through the corporate network. This is often due to public IP restrictions for certain applications, or when dealing with resources that are only reachable across a site-to-site VPN tunnel. Where a full tunnel VPN is used, you may instead want to exclude specific domains so that their traffic is sent out locally to reduce latency.

Here is the article explaining this with Palo Alto: https://live.paloaltonetworks.com/t5/globalprotect-articles/globalprotect-implement-split-tunnel-domain-and-applications/ta-p/316929

This works well as long as GlobalProtect can see your DNS traffic. If you have encrypted DNS tools on your Mac, behavior can be unpredictable, and I have had to disable those tools to use DNS resolution over the GlobalProtect VPN. Also keep in mind that many browsers now have built-in encrypted DNS features, so if this isn't working, check those settings to ensure GlobalProtect is seeing the client's DNS requests; the inclusions or exclusions can only be applied to requests it sees.

In this scenario, I have come across another issue specific to macOS. When domains are excluded, I have seen a Windows machine connected to the same VPN have no issues with the inclusions or exclusions being applied, but on a Mac connected to the same VPN, these domain inclusions or exclusions do not work.

The issue is that a specific extension must be enabled on macOS for GlobalProtect before this functionality works.

Here is the path:

Settings -> General -> Login Items and Extensions -> Extensions by App -> click on GlobalProtect and enable the extension there.
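A quick way to confirm the fix took effect from a terminal, as an added example that is not part of the original post or of Palo Alto's tooling: it reads `systemextensionsctl list` and reports the state of the GlobalProtect network extension, and it assumes the extension's bundle ID contains "paloalto" and that each listed extension ends in a bracketed state such as "[activated enabled]" (the sample outputs and bundle IDs below are constructed placeholders).

```shell
#!/bin/sh
# Added example, not from the original post: verify on macOS that the
# GlobalProtect network extension is actually activated AND enabled, since
# split-tunnel domain include/exclude rules do not work without it.
# Assumptions: the extension's bundle ID contains "paloalto" (matched
# case-insensitively) and `systemextensionsctl list` prints one extension
# per line ending in a bracketed state such as "[activated enabled]".

# Print the state of the first Palo Alto extension found in
# `systemextensionsctl list` output read from stdin ("missing" if none).
gp_extension_state() {
    awk 'tolower($0) ~ /paloalto/ && match($0, /\[[^]]*\]$/) {
             print substr($0, RSTART + 1, RLENGTH - 2); found = 1; exit
         }
         END { if (!found) print "missing" }'
}

# Succeed only when the extension is fully usable by GlobalProtect.
gp_extension_ok() {
    [ "$(gp_extension_state)" = "activated enabled" ]
}

# Constructed sample outputs (bundle IDs and team IDs are placeholders).
SAMPLE_ENABLED='1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
*       *      TEAMID0000 com.paloaltonetworks.PLACEHOLDER.extension (6.0.0/1) GlobalProtect [activated enabled]'
SAMPLE_PENDING='1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
               TEAMID0000 com.paloaltonetworks.PLACEHOLDER.extension (6.0.0/1) GlobalProtect [activated waiting for user]'
SAMPLE_NONE='0 extension(s)'

if command -v systemextensionsctl >/dev/null 2>&1; then
    state=$(systemextensionsctl list | gp_extension_state)
    printf 'GlobalProtect extension state: %s\n' "$state"
    if [ "$state" != "activated enabled" ]; then
        printf 'Enable it under Settings > General > Login Items and Extensions > Extensions by App.\n'
    fi
else
    # Not macOS: demonstrate the parser on the constructed sample instead.
    printf 'Not macOS; parsed constructed sample: %s\n' \
        "$(printf '%s\n' "$SAMPLE_PENDING" | gp_extension_state)"
fi
```

A state of "activated waiting for user" means the extension is installed but still needs the approval described in the path above.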