In reply to a post by jchamier:

In reply to a post by dect:

Not sure what VPN client you are using but the corporate ones I have used like the ones from Cisco have typically forced all network traffic down the VPN tunnel, that not to say yours is like that.

Its down to the IT department and security decisions.

Some organisations traditionally had very few people at home, and majority in the office, so it made sense to have all home workers access the internet via the VPN and through the same security plans as the office workers.

However with the majority at home, there may not be sufficient internet bandwidth into the office to handle both the inbound VPN and the outbound internet connections to cloud services. So many companies have reconfigured VPNs to be "split tunnel".

Cisco Anyconnect supports both, as does OpenVPN and many others.

Do you know if this is difficult to achieve a split tunnel, and if it's PCI compliant?

I would love to recommend this solution to the company I work for (as we use Anyconnect), and the VPN sometime suffers as they don't have ideal bandwidth to support the amount of users and provide a decent throughput.

Hi Gary,

I can confirm that Palo Alto Global Protect can do split tunnelling on protocol and application type, however I believe the company firewalls must also the Palo Alto branded for this to work.

In reply to a post by gary333:

Do you know if this is difficult to achieve a split tunnel, and if it's PCI compliant?

You can achieve a split tunnel anytime you want on the client with any VPN solution you pick. You just need to change the routing table on the client after the VPN tunnel is up. I guess a VPN client could keep a watch on the routing table and change it back, but I have not seen one that does that, and with a client on Linux one could put a stop to that.

As there is absolutely nothing you can do to stop split tunnels, then if it's not PCI compliant the people who wrote the standard need a good thrashing with a clue stick.