SASE - 10 min read

Prisma Access Split Tunneling: Strategic Implementation Guide

2024-03-08

Understanding Split Tunneling in Zero Trust Contexts

Split tunneling has historically been viewed with skepticism by security teams—and for good reason. In traditional VPN architectures, split tunneling created blind spots where traffic bypassed security controls entirely.

Prisma Access fundamentally changes this equation. With proper configuration, split tunneling becomes a strategic tool that improves both security and performance.

The Case for Intelligent Split Tunneling

Performance Optimization

Routing all traffic through a central inspection point creates unnecessary latency for trusted SaaS applications. When Microsoft 365 traffic travels from a user in Singapore through a security stack in New York before reaching Azure in Singapore, the user experience suffers.

Bandwidth Efficiency

Central inspection points become bottlenecks during high-bandwidth activities. Video conferencing traffic consumes significant resources that provide limited security value when the destination is a known-trusted service.

Security Focus

By excluding verified trusted traffic, security resources concentrate on traffic that actually requires inspection. This improves detection capabilities for genuine threats.

Implementation Architecture

Domain-Based Exclusions

Prisma Access supports domain-based routing decisions. Traffic destined for specified domains routes directly to the internet while remaining traffic flows through the Prisma Access infrastructure.

Recommended exclusion categories:

  • Microsoft 365 optimization endpoints
  • Video conferencing platforms (with appropriate controls)
  • CDN endpoints for trusted applications
  • Corporate SaaS applications with native security controls

Application-Based Routing

Beyond domain matching, Prisma Access can identify applications through deep packet inspection and route accordingly. This provides more precise control than domain-based approaches.

Continuous Monitoring

Even excluded traffic generates logs and metrics. Security teams maintain visibility into connection patterns, volumes, and anomalies without inspecting payload content.

Security Considerations

Split tunneling introduces risk that must be managed deliberately.

Endpoint Security Requirements

Devices routing traffic directly to the internet must maintain robust endpoint protection:

  • Next-generation antivirus with behavioral detection
  • Endpoint detection and response capabilities
  • Host-based firewall with restrictive policies
  • Regular patch management

DNS Security

DNS queries for excluded domains still route through Prisma Access DNS security. This maintains protection against DNS-based attacks and provides visibility into resolution patterns.

Policy Governance

Exclusion lists require governance processes:

  1. Business justification for each exclusion
  2. Security review before implementation
  3. Regular audit of active exclusions
  4. Automatic expiration for temporary exclusions

Configuration Best Practices

Start Conservative

Begin with a minimal exclusion list. Add domains based on measured performance impact rather than anticipated need.

Test Thoroughly

Pilot configurations with a subset of users before broad deployment. Monitor for both performance improvements and any security impact.

Document Decisions

Maintain clear documentation of why each exclusion exists, who approved it, and when it should be reviewed.

Monitor Continuously

Establish baselines for excluded traffic patterns. Alert on significant deviations that might indicate compromise or policy violation.

Measuring Effectiveness

Track these metrics to validate split tunneling decisions:

  • User experience scores for applications before and after exclusion
  • Bandwidth utilization at Prisma Access service connections
  • Security event correlation between excluded traffic and incidents
  • Helpdesk ticket volume related to connectivity issues

Implementation Checklist for Prisma Access Teams

A production Prisma Access split-tunnel design should be handled as a controlled architecture change, not as a helpdesk workaround for performance complaints. Before changing the gateway configuration, document the business owner, the application category, the risk rating, the expected traffic volume, and the rollback condition for every exclusion. This gives the security team a defensible record when auditors or incident responders ask why a traffic class bypassed cloud inspection.

Baseline Before Exclusion

Capture at least one normal business cycle of telemetry before exclusions are enabled. Useful baseline evidence includes GlobalProtect gateway utilization, Prisma Access bandwidth consumption, user experience reports, packet loss, SaaS application latency, and the top application categories crossing the service. Without this baseline, it is difficult to prove whether split tunneling improved the user experience or simply moved visibility away from the security platform.

Prefer Application and Domain Controls

Where possible, avoid broad subnet exclusions. SaaS providers change IP ranges frequently, and large address blocks can accidentally bypass traffic that should remain inspected. A better design is to combine App-ID, verified domains, SaaS provider guidance, and explicit business justification. For Microsoft 365 and real-time collaboration tools, document whether the exclusion covers the Optimize endpoint category only or also the broader Allow and Default categories.

Validate the User Path

After deployment, validate from the endpoint, not only from the Prisma Access console. Confirm the GlobalProtect client route table, DNS resolution path, application behavior, and traffic logs. For excluded traffic, the expected result is direct access with no Prisma Access traffic log entry. For non-excluded traffic, the expected result is continued inspection, logging, and policy enforcement through the nearest service edge.
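The endpoint-side validation described above can be scripted. The following is an added example, not Prisma Access or GlobalProtect code: it assumes a constructed CSV export of endpoint connections (for instance from an EDR network view) and a constructed Prisma Access traffic log with user and destination FQDN columns, then flags excluded destinations that still show up in the service log (exclusion not effective on that client) and non-excluded destinations that never reached the service edge (traffic bypassed inspection).

```python
"""Cross-check split-tunnel exclusions against what the endpoint and the
Prisma Access traffic log actually recorded. Added example: the column
names and both log samples are constructed, not the product's format."""
import csv
from io import StringIO

# Approved exclusion list: traffic to these domains (and their subdomains)
# should go direct and never appear in Prisma Access traffic logs.
EXCLUDED_DOMAINS = {"office365.com", "teams.microsoft.com"}

# Constructed endpoint connection records for one user and one window.
ENDPOINT_CONNECTIONS = """\
user,dest_fqdn,bytes
alice,outlook.office365.com,120400
alice,teams.microsoft.com,98000
alice,intranet.corp.example,5400
alice,updates.vendor.example,76000
"""

# Constructed Prisma Access traffic log for the same user and window.
PRISMA_TRAFFIC_LOG = """\
user,dest_fqdn,action
alice,intranet.corp.example,allow
alice,teams.microsoft.com,allow
"""

def is_excluded(fqdn, excluded=EXCLUDED_DOMAINS):
    """True if fqdn equals an excluded domain or is a subdomain of one."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in excluded)

def load(text):
    """Parse a CSV export into a list of row dictionaries."""
    return list(csv.DictReader(StringIO(text)))

def validate_user_path(endpoint_rows, prisma_rows):
    """Return findings grouped by the failure mode they indicate."""
    seen_by_prisma = {(r["user"], r["dest_fqdn"].lower()) for r in prisma_rows}
    findings = {"excluded_but_inspected": [], "uninspected_not_excluded": []}
    for r in endpoint_rows:
        key = (r["user"], r["dest_fqdn"].lower())
        if is_excluded(key[1]):
            if key in seen_by_prisma:    # exclusion not applied on this client
                findings["excluded_but_inspected"].append(key[1])
        elif key not in seen_by_prisma:  # traffic never reached the service edge
            findings["uninspected_not_excluded"].append(key[1])
    return findings

if __name__ == "__main__":
    print(validate_user_path(load(ENDPOINT_CONNECTIONS), load(PRISMA_TRAFFIC_LOG)))
```

An empty result for both findings is the expected outcome of a correctly applied exclusion list; either non-empty list points at a specific client route table or policy to inspect.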

Risk Controls for Excluded Traffic

Every exclusion should have compensating controls. Common examples include endpoint protection, browser security, CASB controls, SaaS tenant restrictions, device posture checks, and identity conditional access. The goal is not to avoid inspection entirely; the goal is to inspect in the most effective control plane for that traffic type while preserving performance for latency-sensitive applications.

Change Review Cadence

Review split-tunnel exclusions quarterly and after major SaaS provider changes. Remove exclusions that no longer have a clear owner or measurable performance benefit. Add monitoring for sudden increases in direct traffic volume, unusual destinations, and endpoint posture failures. This keeps split tunneling aligned with Zero Trust principles instead of becoming an undocumented bypass list.
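The baseline-then-alert approach from the Monitor Continuously and Baseline Before Exclusion sections, and the monitoring for sudden volume increases and unusual destinations called for here, can be expressed as a small check. This is an added example and not part of the original guide or of Prisma Access; it assumes a constructed per-day series of direct-to-internet megabytes per excluded destination, as an endpoint agent or SaaS tenant export might supply, and uses a simple standard-score threshold against the pre-exclusion baseline.

```python
"""Baseline-and-deviation check for direct (split-tunnelled) traffic.
Added example, not Prisma Access code: the volumes below are constructed
and the per-destination daily series is an assumed telemetry shape."""
from statistics import mean, pstdev

# Constructed baseline: ten business days of direct traffic volume (MB)
# per approved excluded destination, captured before go-live.
BASELINE_MB = {
    "outlook.office365.com": [420, 455, 398, 470, 433, 441, 409, 462, 428, 447],
    "teams.microsoft.com":   [910, 980, 870, 1020, 950, 905, 990, 930, 960, 915],
}

# Constructed observation for a later day.
OBSERVED_MB = {
    "outlook.office365.com": 440,    # within the normal range
    "teams.microsoft.com":   2900,   # sudden increase in direct volume
    "files.example-cdn.net": 350,    # destination with no baseline at all
}

def zscore(value, samples):
    """Standard score of value against the baseline samples (0 if flat)."""
    sd = pstdev(samples)
    return 0.0 if sd == 0 else (value - mean(samples)) / sd

def check_excluded_traffic(observed, baseline, threshold=3.0):
    """Return (destination, reason) alerts.

    Alerts when direct volume exceeds the baseline mean by more than
    `threshold` standard deviations, and when a destination has no baseline
    at all (an undocumented exclusion or an over-broad domain match)."""
    alerts = []
    for dest, mb in observed.items():
        if dest not in baseline:
            alerts.append((dest, "no baseline: destination not in approved exclusion telemetry"))
            continue
        z = zscore(mb, baseline[dest])
        if z > threshold:
            alerts.append((dest, f"direct volume {mb} MB is {z:.1f} sd above baseline mean"))
    return alerts

if __name__ == "__main__":
    for dest, reason in check_excluded_traffic(OBSERVED_MB, BASELINE_MB):
        print(f"ALERT {dest}: {reason}")
```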

The goal is demonstrable improvement in user experience with no degradation in security posture.

Attique Bhatti

Enterprise Cloud Security Consultant and certified instructor across Palo Alto Networks, Check Point, and F5.

For architecture reviews or implementation support, email info@thecyberadviser.com.