(Optional) Configure Dynamic Split Tunneling

Dynamic split tunneling allows you to fine-tune split tunneling based on DNS domain names. You can configure domains that must be included in or excluded from the remote access VPN tunnel. Excluded domains are not blocked. Instead, traffic to those domains is kept outside the VPN tunnel. For example, you could send traffic to Cisco WebEx over the public Internet, thus freeing bandwidth in your VPN tunnel for traffic that is targeted to servers within your protected network. For more information about configuring this feature, see Configure AnyConnect Dynamic Split Tunnel on FTD Managed by FMC.

Before you begin

You can configure this feature using the management center and threat defense running version 7.0 or later. If you have an older version of the management center, you can configure it using FlexConfig as instructed in Advanced AnyConnect VPN Deployments for Firepower Threat Defense with FMC.

Procedure


Step 1

Configure the group policy to use Dynamic Split Tunnel.

  1. Choose Devices > Remote Access.

  2. Click Edit on the remote access VPN policy for which you want to configure dynamic split tunneling.

  3. Click Edit on the required connection profile.

  4. Click Edit Group Policy.

Step 2

Configure the Secure Client custom attribute in the Add/Edit Group Policy dialog box.

  1. Click the Secure Client tab.

  2. Click Custom Attributes and click +.

  3. Choose Dynamic Split Tunneling from the Secure Client Attribute drop-down list.

  4. Click + to create a new custom attribute object.

  5. Enter the name for the custom attribute object.

  6. Include domains—Specify domain names that will be included in the remote access VPN tunnel.

    You can include in the tunnel domains that would otherwise be excluded based on IP addresses.

  7. Exclude domains—Specify domain names that will be excluded from the remote access VPN.

    Excluded domains are not blocked; traffic to these domains is kept outside the VPN tunnel.

  8. Click Save.

  9. Click Add.

Step 3

Verify the configured custom attribute and click Save to save the group policy.

Step 4

Click Save to save the connection profile.

Step 5

Click Save to save the remote access VPN policy.
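Because traffic to excluded domains leaves the tunnel, the include and exclude lists entered in Step 2 are worth reviewing before deployment. The following Python check is an added example, not part of the product or its documentation; the function names, severity labels, sample domains and the protected suffix list are hypothetical. It assumes a listed domain also matches its subdomains.

```python
import re

# Plain hostname syntax: dot-separated labels, no scheme, wildcard, port or path.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")

def normalize(domain):
    """Lower-case and strip whitespace and a trailing root dot."""
    return domain.strip().lower().rstrip(".")

def covers(parent, child):
    """True if child equals parent or is a subdomain of it (assumed matching rule)."""
    return child == parent or child.endswith("." + parent)

def audit_split_lists(include, exclude, protected_suffixes):
    """Return sorted (severity, domain, reason) findings for the planned lists."""
    inc = {normalize(d) for d in include}
    exc = {normalize(d) for d in exclude}
    prot = {normalize(d) for d in protected_suffixes}
    findings = set()
    for d in inc | exc:
        if not _DOMAIN_RE.match(d):
            findings.add(("error", d, "not a plain domain name"))
    for d in inc & exc:
        findings.add(("error", d, "listed as both include and exclude"))
    for d in exc:
        for p in prot:
            if covers(p, d):
                # Excluding an internal name sends that traffic outside the VPN.
                findings.add(("high", d, f"internal name under {p} would leave the tunnel"))
            elif covers(d, p):
                # Excluding a parent domain may also cover the protected suffix.
                findings.add(("high", d, f"parent of protected suffix {p}"))
    return sorted(findings)

# Constructed sample lists for illustration only.
INCLUDE = ["portal.example.com", "Files.Example.com."]
EXCLUDE = ["webex.com", "example.com", "files.example.com", "*.video.example.net"]
PROTECTED = ["corp.example.com"]  # hypothetical internal DNS suffix

if __name__ == "__main__":
    for severity, domain, reason in audit_split_lists(INCLUDE, EXCLUDE, PROTECTED):
        print(f"{severity:5} {domain:22} {reason}")
```
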


What to do next

  1. Deploy the configuration to threat defense.

  2. Verify the configured dynamic split tunnel configuration on the threat defense and the Secure Client. For more information, see Verify Dynamic Split Tunneling Configuration.