Enabling split tunneling with the “Both Network Traffic and DNS” option in a GlobalProtect configuration allows for precise control over DNS resolution. This feature, often referred to as DNS-based split tunneling, directs the GlobalProtect agent to intercept all DNS queries on the endpoint. If a query matches a domain specified in the split-tunnel include list, the agent forwards it to the corporate DNS servers assigned by the VPN gateway. All other DNS queries for domains not on the list are forwarded to the endpoint's locally configured DNS servers. This ensures that internal corporate resources are resolved correctly by internal servers, while general internet traffic is resolved locally, optimizing performance and reducing load on the corporate network.

A. This is incorrect. The feature is not about primary versus secondary DNS server logic for redundancy, but about routing DNS queries to either the VPN's DNS or the local DNS based on the domain name.

B. This describes a use case known as split-brain DNS, which this feature can facilitate. However, the direct function of the setting is to control the DNS resolution path, not to manage FQDN-to-IP mappings based on location.

C. This misrepresents the feature's purpose. While it could potentially be misused to bypass local DNS filtering, its intended function is to correctly route corporate versus public traffic, not to circumvent security policies.

1. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2

"GlobalProtect > Configure Split Tunneling for the GlobalProtect Apps".

In the section "Split Tunneling Based on the Domain and Application

" the documentation states: "When you configure split tunneling based on domain

the GlobalProtect app on the endpoint intercepts all DNS requests. The app then compares the domain in the request to the domains in the split tunnel include list. If the domain in the request matches a domain in the include list

the app forwards the request to the private DNS server for resolution. If the domain in the request does not match a domain in the include list

the app forwards the request to the public DNS server for resolution." This directly supports the mechanism described in answer D.

2. Palo Alto Networks PAN-OS® Administrator’s Guide 11.0

"GlobalProtect > Configure Split Tunneling for the GlobalProtect Apps".

The section "DNS-Based Split Tunneling" explains: "To ensure that the app can resolve the IP addresses of the applications that you want to access through the tunnel

you must also configure the app to direct DNS queries for the specified domains to the private DNS server." This confirms that the configuration is about specifying which domains are resolved by which set of DNS servers (VPN-assigned vs. local).