SplitTunnel with GlobalProtect
How per-app routing works alongside GlobalProtect on macOS
Key Takeaways
SplitTunnel works alongside GlobalProtect in VPN-only mode without modifying its configuration
Not compatible when GlobalProtect deploys a SASE system extension via MDM
Apps routed through VPN get the same GlobalProtect tunnel protection as before
GlobalProtect can operate in two modes: VPN-only (compatible with SplitTunnel) and SASE mode with a system extension deployed via MDM (not compatible). If your organization uses GlobalProtect with a managed system extension, SplitTunnel will display a red error banner indicating the conflict. See the compatibility section below to check which mode you're using.
How SplitTunnel Works with GlobalProtect
Palo Alto GlobalProtect creates a VPN tunnel between your Mac and your organization's firewall. SplitTunnel operates at a different layer of the macOS networking stack, managing which applications send traffic through that tunnel and which connect directly over your physical interface.
The two work independently. GlobalProtect manages the tunnel — encryption, authentication, and the secure connection to your corporate network. SplitTunnel manages per-app routing decisions at the OS level.
What Per-App Routing Means
Traditional VPN routing works at the network level — all traffic to certain IP ranges goes through the tunnel. Per-app routing works at the application level — you choose which apps use VPN and which connect directly.
- Apps routed through VPN get full GlobalProtect tunnel protection
- Apps routed direct connect over your physical network interface
- GlobalProtect stays connected and unmodified throughout
- Routing rules persist across VPN reconnections
How It Works
SplitTunnel runs as an approved macOS system extension, giving it the ability to manage per-app routing without modifying your VPN connection.
- Runs as a macOS system extension (not a kernel extension)
- Requires explicit user permission to install
- Manages routing decisions per application
- Does not inspect, log, or modify packet contents
SplitTunnel never modifies your GlobalProtect configuration, certificates, or connection settings. It operates separately from your VPN client.
Setting Up SplitTunnel with GlobalProtect
Install SplitTunnel and grant the system permission when prompted
Connect to GlobalProtect as you normally would
Open SplitTunnel from the menu bar and set routing rules for your apps
Apps route according to your rules — VPN or direct
Example Configuration
Route Through VPN
- Work browser (Chrome profile or separate browser)
- Microsoft Teams, Slack
- Internal corporate apps
- Email client
Route Direct
- Spotify, Apple Music
- Netflix, YouTube
- Personal browser
- FaceTime, personal video calls
Verifying the Setup
Confirm GlobalProtect shows Connected in its status
Open SplitTunnel and check app routing status
Test a work app — should reach internal resources normally
Test a direct app — should reflect your physical connection speed
Confirm GlobalProtect remains connected throughout
VPN-Only vs SASE Mode
GlobalProtect can operate in two distinct modes. SplitTunnel is only compatible with VPN-only mode.
VPN-Only Mode (Compatible)
In VPN-only mode, GlobalProtect creates a standard VPN tunnel interface. SplitTunnel works alongside it the same way it works with any VPN client.
SASE Mode with System Extension (Not Compatible)
In newer enterprise deployments, GlobalProtect installs a macOS system extension via MDM to inspect and control all network traffic. Because this extension is deployed by your IT department through a managed profile, it takes priority over SplitTunnel — making the two incompatible.
How to Check Which Mode You're Using
Open System Settings → General → Login Items & Extensions
Look for "Network Extensions" or "System Extensions"
If you see a GlobalProtect system extension listed and enabled, your organization is using SASE mode — SplitTunnel will not be able to route traffic
If no GlobalProtect system extension is listed, you're using VPN-only mode and SplitTunnel will work normally
If SplitTunnel detects an active GlobalProtect system extension, it will display a red error banner in the app indicating the conflict. This is a hard limitation of macOS — MDM-deployed extensions always take priority over user-installed ones.
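The same check can be done from Terminal by reading the output of the macOS `systemextensionsctl list` command. The script below is an added example, not part of SplitTunnel or GlobalProtect; matching rows on the substring "globalprotect" is an assumption, and the sample rows (team IDs, bundle IDs, versions) are constructed placeholders.

```shell
#!/bin/sh
# Reads `systemextensionsctl list` output on stdin and prints:
#   sase      a GlobalProtect system extension is activated and enabled
#   vpn-only  none is listed, or it is listed but not active
gp_mode() {
  awk '
    {
      line = tolower($0)
      # Assumption: the extension row contains "globalprotect" somewhere.
      if (index(line, "globalprotect") && index(line, "[activated enabled]")) { found = 1 }
    }
    END { print (found ? "sase" : "vpn-only") }
  '
}

# Constructed sample: GlobalProtect extension present and enabled.
SAMPLE_SASE='2 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
* * EXAMPLETEAM com.example.GlobalProtect.extension (0.0.0/0) GlobalProtectExtension [activated enabled]
* * OTHERTEAM00 com.example.splittunnel.extension (0.0.0/0) SplitTunnelExtension [activated enabled]'

# Constructed sample: GlobalProtect extension left over but no longer active,
# while another vendor's extension is enabled.
SAMPLE_STALE='2 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
    EXAMPLETEAM com.example.GlobalProtect.extension (0.0.0/0) GlobalProtectExtension [terminated waiting to uninstall on reboot]
* * OTHERTEAM00 com.example.splittunnel.extension (0.0.0/0) SplitTunnelExtension [activated enabled]'

# On a Mac, classify the live state; elsewhere, fall back to the sample.
if command -v systemextensionsctl >/dev/null 2>&1; then
  systemextensionsctl list | gp_mode
else
  printf '%s\n' "$SAMPLE_SASE" | gp_mode
fi
```

A result of `sase` corresponds to the case where SplitTunnel shows the red error banner; `vpn-only` corresponds to the compatible mode.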
Always-On VPN Compatibility
Some GlobalProtect deployments use always-on VPN in VPN-only mode. SplitTunnel is fully compatible with this configuration:
- Works whether GlobalProtect auto-connects or not
- Routing rules apply regardless of connection timing
- Rules persist across GlobalProtect reconnections
Compatibility Notes
- Tested with GlobalProtect 5.x and 6.x on macOS in VPN-only mode
- Works with both user-initiated and always-on configurations
- Compatible with GlobalProtect's DNS and proxy settings
- No interaction with Palo Alto firewall policies — SplitTunnel operates locally on your Mac
- Not compatible with GlobalProtect when a SASE system extension is deployed via MDM
Troubleshooting
Internal resources unreachable
Verify the app is set to route through VPN in SplitTunnel. Check that GlobalProtect still shows a connected status.
Direct apps still slow
Confirm the app is set to direct in SplitTunnel. Some apps use helper processes — you may need to add those as well.
GlobalProtect reconnects frequently
This is normal for some GlobalProtect configurations. SplitTunnel handles reconnections automatically — your routing rules persist.