Name: #paloaltofirewalltraining | Day 48 | What is split tunnel and what is full Tunnel ? how it works.
Uploaded: 2026-02-13 20:40:50
Duration: 16 min 26 s

Question 1

What is full tunnel in Palo Alto GlobalProtect VPN?

Accepted Answer

In full tunnel, I send all traffic from the client to the GlobalProtect gateway through the encrypted tunnel—even internet traffic. Then the gateway/firewall checks the security policy and decides what the user can access. You get strong control, but you need good bandwidth and sizing if many users connect.

Question 2

What is split tunnel in GlobalProtect and how does it work?

Accepted Answer

In split tunnel, I configure specific subnets (or destinations) that should go through the VPN tunnel. Only that matched traffic is encrypted and sent to the gateway; everything else goes out directly to the internet from the user’s NIC. This saves bandwidth, but you lose control over the non-tunneled traffic.

Question 3

How do I check if my GlobalProtect connection is split tunnel or full tunnel?

Accepted Answer

I check it from the GlobalProtect client settings under Troubleshooting > Advanced > Network Configuration, and then the Routing Table. If I see a default route (0.0.0.0/0) pointing to the tunnel IP, it behaves like full tunnel. If only specific routes point to the tunnel and there is no default route via tunnel, it’s split tunnel.

Question 4

Where do you configure split tunnel in Palo Alto GlobalProtect gateway?

Accepted Answer

I configure it inside the Gateway configuration under Client Settings, in the GP Client Split Tunnel section. If I don’t include anything there, it behaves as full tunnel. If I add an include network like 192.168.20.0/24 and commit, the gateway pushes that route to the client.

Question 5

What are the advantages and disadvantages of full tunnel vs split tunnel?

Accepted Answer

Full tunnel gives me complete control because every traffic is filtered by the gateway policies, but it consumes more bandwidth and gateway resources. Split tunnel reduces bandwidth usage because only defined subnets go through the gateway, so I can accommodate more users. The trade-off is less visibility and control for traffic that goes directly to the internet.

Question 6

Why would I exclude video or voice applications from a full tunnel VPN?

Accepted Answer

I exclude video/voice traffic to reduce latency and avoid call drops, especially when users work from home. If video traffic goes to the gateway first and then to the internet, it can add delay. That’s why the application exclude option is very useful in real-world scenarios.

Question 7

What happens on the client when you enable split tunnel on the gateway?

Accepted Answer

Once I commit the gateway change and reconnect the client, the gateway pushes specific routes to the endpoint. In the routing table, I can see only the included subnet pointing to the tunnel IP. The rest of the traffic uses the normal local route and goes directly to the internet.

#paloaltofirewalltraining | Day 48 | What is split tunnel and what is full Tunnel ? how it works.

🛍️ Products Mentioned (2)

Paloaltonetworks Product

For Palo Alto Documentation

About This Video

Frequently Asked Questions

🎬 More from Bikash's Tech