Split Tunneling
  • 30 Jan 2024


      Article Summary

      Understanding Split Tunneling

      • Split Tunneling lets specific data go through the VPN, while other data accesses the internet directly.
      • Useful for accessing local resources without bypassing the VPN.

      How to Set Up Split Tunneling

      This article describes how to incorporate split tunneling into your network. 
      If you want only specific subnets to be routed from the client through the Harmony SASE network, instead of using full tunnel mode (where all the traffic is encrypted and proxied through the Harmony SASE network), you will need to manually specify which subnets you'd like to include in or exclude from the tunnel.

      To change your Split Tunneling configuration, go to Networks, select your network, click the "..." button, and then click "Split tunneling".

      FQDN Split Tunneling
      Split Tunneling by FQDN is available with agent versions 10.1.x and above. Lower-version agents will ignore Split Tunneling settings by FQDN and revert to full tunneling if any are defined.

      Split Tunneling: Automatic

      This is the default setting, which pushes all traffic through the agent when connected. This is also called a "Full tunnel" configuration.



      Split Tunneling: Manual configuration


      Important
      The load time for Split Tunnels is determined by the availability of system resources. For example, it takes 2-3 seconds per 500 subnets in "Exclusion Mode".

      Include

      Including Subnets/Addresses in your Split Tunneling configurations will ensure that only traffic headed toward those Subnets/Addresses will go through the Harmony SASE network.
      This is commonly used when an admin doesn't want all of the local traffic to go through the tunnel and instead only sends specific traffic through Perimeter81.

      In the following example, we only want traffic headed to "my.app.local" to be sent through the Perimeter81 agent, while any other local traffic is sent to the local ISP connection:

      Exclude

      Excluding Subnets/Addresses in your Split Tunneling configurations will ensure that traffic headed toward those Subnets/Addresses will not go through the Harmony SASE network and instead go directly to the local ISP connection.
      This is commonly used to improve the latency of communication apps (such as Zoom and Webex) by excluding their IPs (and domains) from being sent via the Harmony SASE network.

      In the following example, we want all local traffic except traffic headed to IPs that belong to Zoom to be sent through the Perimeter81 agent. This means that traffic headed to the Zoom web conferencing application will be sent to the local ISP connection directly without going through the VPN:

      Recommendations

      • Identify the IPs and IP ranges you want to bypass before using Split Tunneling.
      • Periodically check your configuration settings for accuracy.
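
One way to run the checks recommended above before entering a subnet list, shown as an added example that is not Harmony SASE code or part of the original article. The function names, the sample entries (documentation address ranges) and the /16 breadth threshold are assumptions; it covers Subnet/Address entries only, not FQDN entries.

```python
import ipaddress

# Constructed sample entries (documentation address ranges), not real vendor IPs.
SAMPLE_ENTRIES = [
    "198.51.100.0/25", "198.51.100.128/25",  # adjacent halves of one /24
    "203.0.113.7/24",                        # host bits set
    "192.0.2.10",                            # single address
    "0.0.0.0/1",                             # far too broad
    "not-a-subnet",                          # typo
]

def audit_entries(entries, min_prefixlen=16):
    """Parse subnet/address entries; return (collapsed networks, findings)."""
    nets, findings = [], []
    for raw in entries:
        raw = raw.strip()
        try:
            net = ipaddress.ip_network(raw, strict=False)
            host = ipaddress.ip_interface(raw).ip
        except ValueError:
            findings.append(f"invalid entry: {raw!r}")
            continue
        if host != net.network_address:
            findings.append(f"host bits set: {raw} is read as {net}")
        if net.version == 4 and net.prefixlen < min_prefixlen:
            findings.append(f"very broad range: {net}")
        nets.append(net)
    collapsed = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        same = [n for n in nets if n.version == version]
        collapsed.extend(ipaddress.collapse_addresses(same))
    if len(collapsed) < len(nets):
        findings.append(f"{len(nets)} entries merge into {len(collapsed)}")
    return collapsed, findings

def goes_through_tunnel(dest, mode, networks):
    """Include: only listed destinations are tunneled. Exclude: all others are."""
    addr = ipaddress.ip_address(dest)
    listed = any(addr in net for net in networks)
    if mode == "include":
        return listed
    if mode == "exclude":
        return not listed
    raise ValueError(f"unknown mode: {mode!r}")

if __name__ == "__main__":
    networks, findings = audit_entries(SAMPLE_ENTRIES)
    print(*findings, sep="\n")
    for dest in ("198.51.100.200", "10.20.30.40", "203.0.114.1"):
        print(dest, "tunneled in exclude mode:", goes_through_tunnel(dest, "exclude", networks))
```

With the sample list in Exclude mode, the overly broad `0.0.0.0/1` entry sends `10.20.30.40` directly to the local ISP connection, which is the kind of mistake a periodic review should catch.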

      Troubleshooting

      If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

      Support Contacts

      If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at Perimeter81.com, or you can email us at support@perimeter81.com. We're here to assist you and ensure your VPN tunnel setup is a success.

