cdooer
Participant

Split Tunnel Domain group

Hey folks. Wondering if anyone has gotten this working yet, and are using it in a production environment? I've tried following the instructions laid out in this document; https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_RemoteAccessVPN_AdminGuide/Content... , but when I attempt to add the domain group to the VPN group, I get:

[screenshot: error.JPG]

I've got a call open with TAC, thought I'd post it here as well just in case anyone had any ideas while TAC gets around to looking at it. Running R81.20. 

the_rock
Legend

Can you send a screenshot of what it looks like at the moment?

Andy

the_rock
Legend

I can easily test it in R81.20 and R82 to see if any difference.

Andy

CaseyB
Advisor

What does your group look like? It did not give me any fuss in R81.20 JHF 89.

[screenshot: GroupExample.png]

the_rock
Legend

Yep, I tested the same, worked fine.

Andy

cdooer
Participant

Strange indeed, here is mine

[screenshot: error2.JPG]

the_rock
Legend

Just accept it and see if policy works.

Andy

cdooer
Participant

Fails immediately. 

[screenshot: eror3.JPG]

CaseyB
Advisor

The names of groups don't line up between your screenshot and the validation error, so I feel like I'm missing something.

Are you nesting the earlier "VPN" group under the "Encryption.Domain" referenced in the validation error? 

cdooer
Participant

See screenshots below.

the_rock
Legend

Make sure the group you are adding has the name exclusions_

Andy

PhoneBoy
Admin

What EXACTLY are you configuring as your RemoteAccess encryption domain?
This should be a group object that includes the exclusions_ group you've created.

cdooer
Participant

The Remote Access encryption domain is a group with exclusions:

[screenshot: ED.JPG]

This group looks as follows:

[screenshot: group.JPG]

And the main group (non excluded) looks like this:

[screenshot: group2.JPG]

the_rock
Legend

Just do it how @CaseyB did it. I did it the same way and it worked.

Andy

cdooer
Participant

The problem is that's how we do traditional IP based split tunneling, which I don't want to break. 

CaseyB
Advisor

You can leave the gateway encryption domain as is.

  • Make a new group that has all the IP addresses in it for RemoteAccess that you want
  • Add the exclusions_ group to that
  • Use the granular encryption domain for the RemoteAccess community

This will only affect stuff using that RemoteAccess community.

You could just clone the group you are using already and just remove the objects you are doing the exclude on.

[screenshot: VPN1.png]

[screenshot: VPN2.png]

cdooer
Participant

So what's the difference between these two settings? I always thought they did the same thing:

[screenshot: error3.JPG]

[screenshot: error5.JPG]

CaseyB
Advisor

I am using my screenshot below for reference.

  • Section 1 - This is the default VPN domain for the gateway. RemoteAccess VPNs and IPsec VPNs will use this by default. It is a shared pool.
  • Section 2 - This is where you can create a more specific VPN domain for that IPsec VPN or RemoteAccess VPN. I highlighted objects that say, "According to the gateway", that means those VPNs use the encryption domain from section 1. Everything else is using their own specific group with a much more defined encryption domain.

[screenshot: VPN_Domains.png]

Based on your new screenshots, you should just be able to add your "exclusions_" group to the group "VPN_Exclusion_Domain".

the_rock
Legend

That's exactly how I tested it as well.

Andy

cdooer
Participant

Just getting back to testing this again, and I was wondering if the object (domain or updatable) should be reflected in the routing table on the client once connected. For instance, if I added a domain entry for a simple website like www.recorder.ca (small town newspaper), and added it to the exclusions_ group, should that then be evident in the client route table (not there, in other words)? Same with all objects associated with an Updatable object?

the_rock
Legend

If it's NOT full tunnel, it works 100%. I confirmed this with a guy from the Israel office and also tested with 2 customers, no issues. Yes, you would see it in route print.

Andy

cdooer
Participant

When you say "If its NOT full tunnel", what does that mean?

the_rock
Legend

Here is a good example:

FULL TUNNEL -> user connects from home and ALL their connections go through CP gateway, including Internet

SPLIT TUNNEL -> ONLY local connections go through the gateway, Internet goes through local users ISP provider

Makes sense? 🙂

Andy
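A way to check on the client side what Andy describes above (whether a destination leaves via the tunnel, and whether the client is in full or split tunnel) is to parse the output of `route print -4` and do the same longest-prefix lookup Windows does. The script below is an added example for this thread, not code from Check Point or from anyone in the discussion. The two routing tables are constructed; the Office Mode address 172.16.50.10, the NIC address 192.168.1.20 and the destination IPs are assumptions, not the original poster's values, and 203.0.113.10 / 198.51.100.7 are documentation addresses standing in for an excluded web host and an arbitrary Internet host.

```python
"""Decide, from a Windows client's `route print -4` output, which destinations
leave through the VPN tunnel and whether the tunnel is full (a default route via
the VPN adapter) or split.

Added example for this thread; not Check Point code. Routing tables, addresses
and destinations below are constructed/assumed.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    gateway: str      # next hop, or "On-link" for interface routes
    interface: str    # IPv4 address of the egress interface
    metric: int


# Assumed addresses: 192.168.1.20 is the physical NIC, 172.16.50.10 is the
# Office Mode (VPN virtual adapter) address handed out by the gateway.
VPN_IFACE = "172.16.50.10"

# Constructed `route print -4` excerpt: split tunnel. Only the encryption domain
# (10.10/16, 10.20/16) points at the VPN adapter; everything else follows the
# NIC's default route.
SPLIT_TUNNEL_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
        10.10.0.0      255.255.0.0          On-link     172.16.50.10      1
        10.20.0.0      255.255.0.0          On-link     172.16.50.10      1
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    331
      192.168.1.0    255.255.255.0          On-link     192.168.1.20    281
===========================================================================
"""

# Constructed `route print -4` excerpt: full tunnel. A default route with a lower
# metric points at the VPN adapter, and one excluded host (203.0.113.10) gets a
# /32 back out via the NIC, which is what an effective exclusion looks like.
FULL_TUNNEL_SAMPLE = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.20     25
          0.0.0.0          0.0.0.0          On-link     172.16.50.10      1
        10.10.0.0      255.255.0.0          On-link     172.16.50.10      1
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.20      1
      192.168.1.0    255.255.255.0          On-link     192.168.1.20    281
"""


def parse_route_print(text: str) -> List[Route]:
    """Keep only the five-column IPv4 route rows; headers and rules fail to parse."""
    routes: List[Route] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            ipaddress.IPv4Address(iface)          # rejects non-route rows
            routes.append(Route(network, gateway, iface, int(metric)))
        except ValueError:
            continue
    return routes


def best_route(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest prefix wins; the lowest metric breaks ties (simplified Windows order)."""
    addr = ipaddress.IPv4Address(ip)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def tunnel_mode(routes: List[Route], vpn_iface: str = VPN_IFACE) -> str:
    """'full' if the winning default route leaves via the VPN adapter, else 'split'."""
    defaults = [r for r in routes if r.network.prefixlen == 0]
    if not defaults:
        return "none"
    winner = min(defaults, key=lambda r: r.metric)
    return "full" if winner.interface == vpn_iface else "split"


def classify(routes: List[Route], destinations: Dict[str, str],
             vpn_iface: str = VPN_IFACE) -> Dict[str, str]:
    """Map each named destination IP to 'tunnel', 'direct' or 'unroutable'."""
    result: Dict[str, str] = {}
    for name, ip in destinations.items():
        route = best_route(routes, ip)
        if route is None:
            result[name] = "unroutable"
        else:
            result[name] = "tunnel" if route.interface == vpn_iface else "direct"
    return result


if __name__ == "__main__":
    # Assumed destinations: an intranet host inside the encryption domain, the
    # excluded host, and an arbitrary Internet address.
    targets = {"intranet": "10.10.5.5", "excluded": "203.0.113.10", "internet": "198.51.100.7"}
    for label, sample in (("split", SPLIT_TUNNEL_SAMPLE), ("full", FULL_TUNNEL_SAMPLE)):
        table = parse_route_print(sample)
        print(label, tunnel_mode(table), classify(table, targets))
```

To use it against a real client, paste the output of `route print -4` in place of one of the constructed tables and set `VPN_IFACE` to the Office Mode address shown by the VPN client. The metric tie-break is simplified: Windows also adds the interface metric, so on a real table compare the effective metrics if two default routes are close.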

cdooer
Participant

We're not using hub mode, which I guess would count as full tunnel. Our encryption domain basically says all-internet though, which basically does the same thing. I don't see the entries showing up in the client routing table, so I guess it's not working as expected. I've got an open call with TAC, hopefully they can figure it out. 

the_rock
Legend

That's right, hub mode is considered full tunnel. Btw, for what it's worth, MAKE SURE if users ever have an issue that what I attached is selected, so they can access things locally fine.

Andy

the_rock
Legend

For what it's worth, most people don't use full tunnel. I remember once when I attended a Palo Alto conference, people were having a discussion about it... the way I personally look at it is that hey, if users want to access questionable websites, let them do it at their own risk through their own ISP.

Some companies do have requirement to use full tunnel, but if not, I would stick with the split one.

Andy

PhoneBoy
Admin

Full Tunnel I assume refers to Hub Mode.
It's "allowed" in the gateway object here:

[screenshot: image.png]

You can require your clients to use it here:

[screenshot: image.png]

As far as I know Updatable, Dynamic, or Domain can ONLY be used in this exclusions_ group and ONLY when Hub Mode is used (as configured above).
The only item in your RemoteAccess Encryption Domain is this exclusions_ group and not other objects (i.e. the stuff you want the client to access directly without being routed through the VPN tunnel).

When you are not using Hub Mode, then you must manually specify what hosts are in your encryption domain using standard Network and Host objects (not Updatable, Dynamic, or Domain objects as you're trying to do).

cdooer
Participant

Second screenshot looks scary, since it's something that might affect all gateways, not just the one I'm testing with. lol

the_rock
Legend

It's a global setting lol

Andy

cdooer
Participant

We're not using hub mode, so I guess that might be the issue?
