FQDN resource and IPv4/IPv6 resource-based Split Tunneling Conflict

When an FQDN resource conflicts with an IPv4 resource, the preference given to the FQDN resource is based on the applied FQDN rule.

An administrator can give FQDN resources precedence over IPv4 resources in case of a conflict by using the following configuration.

To configure FQDN resource precedence over IPv4 resources, perform the following steps:

1. Go to System > Configurations > VPN Tunneling.

The following screen appears:

[Figure: Prefer FQDN resources over IP resources in case of a split tunneling conflict]

2. Select the Prefer FQDN resources over IP resources in case of a split tunneling conflict check box.

If the check box is not selected, the IPv4/IPv6 resource is given preference over the FQDN resource.

This check box gives the FQDN resource precedence over the IPv4/IPv6 resource only when the FQDN resource and the IPv4/IPv6 resource conflict.

By default, the FQDN resource takes preference in case of a conflict between the FQDN resource and the IPv4/IPv6 resource.

The following tables describe the conflict scenarios for FQDN-based split tunneling with respect to IPv4 resources on all platforms and IPv6 resources on Windows only.

For all platforms and IPv4 resources, FQDN resource www.google.com resolves to the IPv4 address 1.1.1.1.

Case 1 – “Prefer FQDN resources over IP resources in case of a split tunneling conflict” check box is checked; hence FQDN resource is given preference over IP resource.

| Scenario | Include Policy / Exclude Policy | IPv4/IPv6 | FQDN | Client New Behavior |
|---|---|---|---|---|
| Scenario - 1 | Include Policy | | www.google.com | www.google.com will go through the tunnel. |
| | Exclude Policy | 1.1.1.1 | | |
| Scenario - 2 | Include Policy | 1.1.1.1 | | www.google.com will not go through the tunnel. |
| | Exclude Policy | | www.google.com | |

Case 2 – “Prefer FQDN resources over IP resources in case of a split tunneling conflict” check box is un-checked; hence IP resource is given preference over FQDN resource.

| Scenario | Include Policy / Exclude Policy | IPv4/IPv6 | FQDN | Client New Behavior |
|---|---|---|---|---|
| Scenario - 1 | Include Policy | 1.1.1.1 | | www.google.com will go through the tunnel. |
| | Exclude Policy | | www.google.com | |
| Scenario - 2 | Include Policy | | www.google.com | www.google.com will not go through the tunnel. |
| | Exclude Policy | 1.1.1.1 | | |

For the Windows platform, when using IPv6 resources, the FQDN resource www.google.com resolves to the IPv6 address 2600::1.

Case 1 – “Prefer FQDN resources over IP resources in case of a split tunneling conflict” check box is checked; hence FQDN resource is given preference over IP resource.

| Scenario | Include Policy / Exclude Policy | IPv6/IPv4 | FQDN | Client New Behavior |
|---|---|---|---|---|
| Scenario - 1 | Include Policy | | Google | Google will go through the tunnel. |
| | Exclude Policy | 2600::1 | | |
| Scenario - 2 | Include Policy | 2600::1 | | Google will not go through the tunnel. |
| | Exclude Policy | | Google | |
| Scenario - 3 (If Google resolves to the 1.1.1.1 and 2600::1) | Include Policy | 1.1.1.1 | Google | Google will go through the tunnel. |
| | Exclude Policy | 2600::1 | | |
| Scenario - 4 (If Google resolves to the 1.1.1.1 and 2600::1) | Include Policy | 2600::1 | | Google will not go through the tunnel. |
| | Exclude Policy | 1.1.1.1 | Google | |

Case 2 – “Prefer FQDN resources over IP resources in case of a split tunneling conflict” check box is un-checked; hence IP resource is given preference over FQDN resource.

| Scenario | Include Policy / Exclude Policy | IPv6/IPv4 | FQDN | Client New Behavior |
|---|---|---|---|---|
| Scenario - 1 | Include Policy | 2600::1 | | Google will go through the tunnel. |
| | Exclude Policy | | Google | |
| Scenario - 2 | Include Policy | | Google | Google will not go through the tunnel. |
| | Exclude Policy | 2600::1 | | |
| Scenario - 3 (If Google resolves to the 1.1.1.1 and 2600::1) | Include Policy | 2600::1 | | Google will go through the tunnel. |
| | Exclude Policy | 1.1.1.1 | Google | |
| Scenario - 4 (If Google resolves to the 1.1.1.1 and 2600::1) | Include Policy | 1.1.1.1 | Google | Google will not go through the tunnel. |
| | Exclude Policy | 2600::1 | | |

In scenarios 3 and 4 of Case 2, IPv6 is always preferred. If the FQDN resolves to both IPv4 and IPv6 addresses, the user needs to configure both the IPv4 and IPv6 addresses in the split tunnel rules.
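
The scenarios above can be checked against a policy set before deployment, to find names whose routing changes with the check box. The Python below is an added example, not the product's code or algorithm: it models only the conflict cases listed in the tables. The function names, the "tunnel"/"bypass" labels, the acceptance of CIDR ranges as IP entries and the handling of non-conflicting rules are assumptions of this example.

```python
import ipaddress

def _parse(entries):
    """Split policy entries into (FQDN set, list of IP networks)."""
    names, nets = set(), []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:  # not an IP literal, so treat it as a host name
            names.add(entry.lower().rstrip("."))
    return names, nets

def verdicts(fqdn, resolved, include, exclude):
    """Return (fqdn_verdict, ip_verdict), each 'tunnel', 'bypass' or None."""
    inc_names, inc_nets = _parse(include)
    exc_names, exc_nets = _parse(exclude)
    name = fqdn.lower().rstrip(".")
    fqdn_v = "tunnel" if name in inc_names else "bypass" if name in exc_names else None
    # IPv6 addresses are checked first: the page says IPv6 is always preferred
    # when IP resources win and the name resolves to both address families.
    ip_v = None
    for addr in sorted(map(ipaddress.ip_address, resolved), key=lambda a: -a.version):
        if any(addr in net for net in inc_nets):
            ip_v = "tunnel"
        elif any(addr in net for net in exc_nets):
            ip_v = "bypass"
        if ip_v:
            break
    return fqdn_v, ip_v

def decide(fqdn, resolved, include, exclude, prefer_fqdn):
    """The preferred resource type decides a conflict. Falling back to the
    other type when the preferred one has no rule is this example's assumption."""
    fqdn_v, ip_v = verdicts(fqdn, resolved, include, exclude)
    return (fqdn_v or ip_v) if prefer_fqdn else (ip_v or fqdn_v)

def is_conflict(fqdn, resolved, include, exclude):
    """True when FQDN and IP rules disagree, so the check box changes routing."""
    fqdn_v, ip_v = verdicts(fqdn, resolved, include, exclude)
    return None not in (fqdn_v, ip_v) and fqdn_v != ip_v

if __name__ == "__main__":
    # Constructed input: Case 2, Scenario 4 of the Windows IPv6 table.
    inc, exc, ips = ["1.1.1.1", "Google"], ["2600::1"], ["1.1.1.1", "2600::1"]
    print(is_conflict("Google", ips, inc, exc))                # True
    print(decide("Google", ips, inc, exc, prefer_fqdn=False))  # bypass
```

Running is_conflict over every FQDN in a policy, with the addresses it currently resolves to, lists the names whose traffic would leave the tunnel under one setting of the check box and stay inside it under the other.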