How to block wish.com email

Situation: some spam email keeps changing their email address. For example they may send email to you yesterday using 12345@mail.wish.com and abcde@mail.wish.com. To block these spam email, create a rule to block the domain instead of the email address. Here is how.

1.Right-click on the email you want to block.

2.Select Rule>Create rule.

3. Click Advanced Option.

4. Check from…..

5. Click blue text with the email address.

6. Enter the email domain or sub-domain name, for example mail.wish.com. Then click on OK.

7. Click Cancel, if you received (No Suggestions) popup

8. The from should be mail.wish.com. Click Next.

9. In What do you want to do with the message, check move it to the specified folder or delete it.

10. In Are there any exceptions? check any exception you want and then click Next.

11. That will process the rule and remove the email from the inbox. Click Finish.

All emails sent from mail.wosh.com should be removed. Please view this step by step video:

Please view this step by step video:

Add untrusted computers to SCOM 2019 – Part 2: Install Certificates and SCOM Agent on Untrusted Computer

To add untrusted computers to SCOM 2019 for monitoring, you need deploy CA and Client Certificate on a domain server. Then install Certificates and SCOM Agent on Untrusted Computers. This article will show you how to install SCOM Client Certificate on a untrusted computer.

A. Export and import Certificate of CA

In some situations, you may need to export and import certificate of CA. For example, when you install Microsoft System Center Operation Manager (SCOM) Agent on untrusted computers, you need to add the certificates to SCOM, gateway servers (communication between management servers and untrusted computers), untrusted computers so that they can trust each other.

Step 1: Deploy Microsoft Windows Server Active Directory Certificate Services (AD CS) Certificate Authority (CA) on a domain server. Please refer to this video: How to install a Trusted Root CA certificate on Windows – https://www.youtube.com/watch?v=Ddsrk68TGI0 or How to install Certification Authority in Windows Server 2019

Step 2: Export Certificates of CA

1. Login the server which acts as Issuing CA.

2. On the Server Manger, click Tools and then Certification Authority.

3. Right click on the Certification Authority name and select Properties.

4. In the Certification Authority Properties page click View Certificate button.

5. In the Certificate properties page, click on Details tab.

6. Click Copy to file… button

7. In the Welcome to the Certificate Export Wizard click Next.

8. In the Export File Format page, check Cryptographic Message Syntax Standard – PKCS #7 Certificate (.P7B) and Include all certificates in the certification path if possible.

9. In the File to Export page,  specify path and file name you want to export, and then click Next.

10. In the Completing the Certificate Export Wizard page, review your export settings. If they are correct, click Finish.

11. In Completing the Certificate Export Wizard, click Finish.

12. If exporting is successful, you will see The export was successful. Click Ok to close Certification Authority.

Step 3: Import Certificates of CA

Note: You need to import the Certificate of CA to each managed and untrusted computers. 

1.Login managed or untrusted computer.

2.Type mmc in Search bar and click mmc icon to open it .

3. In the Console1 page, click File, and then Add/Remove Snap-in.

4. Highlight Certificates, and then click Add.

5. Check Computer account, and then click Next.

6. With Local computer: (the computer this console is running on) selected, and then click Finish.

7. Click OK to close Add or Remove Snap-ins.

8. In the Console1 page, navigate to Certificates (Local Computer)>Trusted Root Certification Authorities.

9. Right-click Certificates, select All Tasks, and then click Import.

10. In the Certificate Import Wizard, click Next.

11. On the File to Import page, browse the CA certificates file you exported before, and then click Next.

12. On the Certificate Store page, check Place all certificates in the following store and make sure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.

13. On the Completing the Certificate Import Wizard page, click Finish.

14. When The Import was successful message popup, click OK.

Note: You may not see the CA under Trusted Root Certification Authority immediately. It takes a few minutes or re-open MMC to see it.

15. Re-open MMC to check the status of the CA.

16. You ca double click on it to check the certificate status.

B. Generate SCOM Client Certificate and install it on all managed server and Untrusted computer(s)

To trust an untrusted computer, we need to create the client Certificate for both managed server and untrusted computer.

Step 1: Request and Enroll New Certificate

1.On the Managed or SCOM Server, go to MMC>Certificate (local computer)>Personal.

2.Right click on Certificate and select All Tasks>Request New Certificate.

3. In Certificate Enrollment, highlight the Policy, and click on Next.

4. In Request Certificates, click blue text under the policy, CA02 in our example.

5. On the Certificate Properties window under the Subject page, select Common Name and DNS name and add your server’s name, in my case “W2019-02”

6. Select the General Page and add your server’s name there as well.

7. Click OK, then finish the wizard with defaults

8. Highlight the Active Directory Enrollment Policy and click Enroll.

9. The Status should shows Succeeded. Click on Finish

9. Under Personal Certificates you should now have a certificate named after your server’s name, in my case “W2019-02”

10. Double click on the Certificate you juts enrolled to check the status.

Step 2: Export Client Certificate for Untrusted Computer

1. Right click the certificate you just enrolled and click export

2. Select Yes, export the private key, and then click Next.

3. In Export File Format, check Personal Information Exchange – PKCS #12(.PFX) with Enable certificate privacy. Others are the options.

4. In Security, enter the password, and then click on Next.

5. Save it somewhere that is accessible from the untrusted server.

6. Click Finish.

Step 3: import SCOM Client Certificate to Untrusted Computer

1.On the untrusted computer, copy the certificate you just created to the local computer.

2.Open MMC and load the Certificates snapin for local computer.

3.On Personal right click and select All Tasks -> Import

5. Browse and select the certificate you just exported on Managed Server.

6. Select Next and enter your password on the Private key protection.

7. Check Place All Certificates in the following Store, and make sure Certificate store is Personal.

8. Click Finish on Completing the Certificate Import wizard.

9. You should have the Certificate installed. Double click on it to check the status. 

C. Install SCOM Agent to untrusted computer

Assuming you have imported CA and client certificates on the managed server and untrusted computers.

Step 1: Install SCOM Agent on the untrusted computer

1.Copy Momagent.msi from SCOM installation location or DVD into the untrusted computer.

2.Run Momagent.msi, and click Next on Welcome to the Microsoft Monitoring Agent Setup Wizard.

3. Click Agree on Important Notice.

4. Click Next on Destination Folder.

5. Check Connect the agent to System Center Operation Manager and click Next.

6. Enter your Management Group Name and your FQDN of your Management Server.

7. Check Local System and then click Next.

8. Click Install.

9. Click on Finish.

Step 2: import SCOM Certificate using MomcertimportTool.exe on the untrusted computer .

1.Copy the Momcertimporttool.exe from the Support Tools folder on the SCOM installation media to the untrusted computer.

2.Open a command prompt as administrator and change the directory to the folder where MomcertimportTool.exe is located.

3.Run this command:

momcertimportool.exe /subjectname yourservername, for example,

momcertimport.exe /subjectname W2019-02

Or

MOMCertImport /SubjectName %computername%

4. Restart SCOM services and check the status of Agent Monitoring on SCOM Server.

Please view this step by step video:

Add untrusted computers to SCOM 2019 – Part 1: Configure CA and Client Certificate on Managed Server

To add untrusted computers to SCOM 2019 for monitoring, you need deploy CA and Client Certificate on a domain server. Then install Certificates and SCOM Agent on Untrusted Computers. This article will show you how to  Configure CA and Client Certificate on Managed (SCOM in our example) Server.

A. Install Certification Authority in Windows Server 2019 

Situation: when attempting to open Certification Authority in Windows MMC, you don’t see  Certification Authority and Certificate Templates.

Step 1: Install certification Authority

1.With the Server Manager open, go to Dashboard.

2.Click Add roles and features.

3. Click Next.

4. Make sure Role-based or feature-based Installation is checked, and click Next.

5. Select the server which will be installed Certification Authority.

6. Check Active Directory Certificate Services.

7. In the popup, click Add features and the follow the wizard to complete the installation.

Step 2: Post-deployment Configuration

1. Click yellow exclaim icon

2. Click Configure Active Directory Certificate Services.

3. Specify credentials to configure role services.

4. In Select Role Services to configure, check Certification Authority.

5. Specify the setup type of the CA, Enterprise CA in our example.

6. Specify the type of the CA, Root CA in our example.

7. Specify the type of private key, Create a new private key.

8. Specify the cryptographic options, keep the default and click on Next

9. Specify the name of the CA, keep the default and click on Next

10. Specify the validity period, 10 in our example.

11. Specify the database locations, keep the default and click on Next

12. To confirm the settings, click Configure

13. You will see Configuration succeeded after the configuring.  Click Close.

You should have Certification Authority and Certificate Templates in MMC

B. Create a certificate template and import it on all the managed Server and untrusted computers

When you install Microsoft System Center Operation Manager (SCOM) Agent on untrusted computers, you do not only need to add the CA to SCOM Server, Gateway Servers (communication between management servers and untrusted computers), untrusted computers, but also create a Certificate Template for them so that you can install Client Certificate to the managed server and the untrusted computer.

Step 1: Create a Certificate Template

1.Log on to the server which acts as an Issuing Enterprise Certification Authority, in our case it is SCOM server.

2.Type mmc in Search bar and click mmc icon to open it .

3. In the Console1 page, click File, and then Add/Remove Snap-in.

4. Highlight Certificates Templates, and then click Add.

5. In the Certificate Templates, locate the template named Computer.

6. Right-click on Computer and select Duplicate Template

7. In Properties of New Template page, click in General and type template name.

8. Click on Subject Name tab and check Supply in the request.

9. In Security tab, assign Read and Enroll permissions to Certification Authority managers or Certification Authority administrators.

10. Click Ok to save changes to the template and close Certificate Templates window.

Step 2: Enable new template to Issuing Enterprise CA

1. Log on to the server which acts as Issuing Enterprise CA.

2. Go to Server Manager>Tools and select Certification Authority

3. Expand your Certification Authority name and right click on Certificate Templates>New>Certificate Template to Issue.

4. In the Enable Certificate Templates page, locate custom template you just created (CA02 in out example) and click Ok.

Step 3: Request Certificate Template

1.Log on to the server which acts as Issuing Enterprise CA.

2.Type notepad in Search bar and open it.

3. Paste the following info with the managed server name and template name into the notepad:

[NewRequest]

Subject=”CN=scomsvr.mydomain.com”

KeyLength=2048

KeySpec=1

KeyUsage=0xf0

MachineKeySet=TRUE

[RequestAttributes]

CertificateTemplate=“CA02″

4. Save the file with an .inf file name extension, for example CA02.inf.

5. Run Command Prompt as administrator by typing cmd in the Search bar.

6. In the Command Prompt window run the following command:

CertReq -New -f path\savedconfig.inf path\OpsMgr_%computername%.req

7. Close Command Prompt window.

8. You should see created OpsMgr_%computername%.req file in the folder you saved.

Step 4: Submit the request file to Enterprise Certification Authority

1.Log on to the server which acts as Issuing Enterprise CA.

2.Go to Server Manager>Tools and select Certification Authority

3. In the Certification Authority page, right on Certification Authority name, click All Tasks and then Submit new request.

4. In the Open request file, locate CA02.req file created previously and click Open.

5. Save Certificate page will appear. Save certificate to a file, for example CA02.cer.

Step 5: Install issued certificate to managed computer

1.Log on to the server which acts as Issuing Enterprise CA.

2.Run Command Prompt as administrator by typing cmd in the Search bar.

3. In the Command Prompt window run the following command:

Certreq -accept path\%computername%_cert.cer

In our example

Certreq -accept c:\temp\CA02.cer

4. Copy MOMCertImport.exe from SCMO SupportTool\i386 folder to the CA02.cer location, Temp folder in our example..

5. Then run this command:

MOMCertImport /SubjectName %computername%

6. To confirm that it imported successfully, open Regedit. Go to HKLM>Software>Microsoft>Microsoft Operations Manager>3.0>Machine Settings. The ChannelCertificateSerialNumber will be reversed pairs of the Personal>Certificate in the MMC console

C. Generate SCOM Client Certificate and install it on all managed server and Untrusted computer(s)

To trust an untrusted computer, we need to create the client Certificate for both managed server and untrusted computer.

Step 1: Request and Enroll New Certificate

1.On the Managed or SCOM Server, go to MMC>Certificate (local computer)>Personal.

2.Right click on Certificate and select All Tasks>Request New Certificate.

3. In Certificate Enrollment, highlight the Policy, and click on Next.

4. In Request Certificates, click blue text under the policy, CA02 in our example.

5. On the Certificate Properties window under the Subject page, select Common Name and DNS name and add your server’s name, in my case “W2019-02”

6. Select the General Page and add your server’s name there as well.

7. Click OK, then finish the wizard with defaults

8. Highlight the Active Directory Enrollment Policy and click Enroll.

9. The Status should shows Succeeded. Click on Finish

9. Under Personal Certificates you should now have a certificate named after your server’s name, in my case “W2019-02”

10. Double click on the Certificate you juts enrolled to check the status.

Step 2: Export Client Certificate for Untrusted Computer

1. Right click the certificate you just enrolled and click export

2. Select Yes, export the private key, and then click Next.

3. In Export File Format, check Personal Information Exchange – PKCS #12(.PFX) with Enable certificate privacy. Others are the options.

4. In Security, enter the password, and then click on Next.

5. Save it somewhere that is accessible from the untrusted server.

6. Click Finish.

Step 3: import SCOM Client Certificate to Untrusted Computer

1.On the untrusted computer, copy the certificate you just created to the local computer.

2.Open MMC and load the Certificates snapin for local computer.

3.On Personal right click and select All Tasks -> Import

5. Browse and select the certificate you just exported on Managed Server.

6. Select Next and enter your password on the Private key protection.

7. Check Place All Certificates in the following Store, and make sure Certificate store is Personal.

8. Click Finish on Completing the Certificate Import wizard.

9. You should have the Certificate installed. Double click on it to check the status. 

Please view this step by step video:

How to Install SCOM Agent to untrusted computer

Assuming you have imported CA and client certificates on the managed server and untrusted computers. This video shows you how to install SCOM Agent on untrusted computer.

Step 1: Install SCOM Agent on the untrusted computer

1.Copy Momagent.msi from SCOM installation location or DVD into the untrusted computer.

2.Run Momagent.msi, and click Next on Welcome to the Microsoft Monitoring Agent Setup Wizard.

3. Click Agree on Important Notice.

4. Click Next on Destination Folder.

5. Check Connect the agent to System Center Operation Manager and click Next.

6. Enter your Management Group Name and your FQDN of your Management Server.

7. Check Local System and then click Next.

8. Click Install.

9. Click on Finish.

Step 2: import SCOM Certificate using MomcertimportTool.exe on the untrusted computer .

1.Copy the Momcertimporttool.exe from the Support Tools folder on the SCOM installation media to the untrusted computer.

2.Open a command prompt as administrator and change the directory to the folder where MomcertimportTool.exe is located.

3.Run this command:

momcertimportool.exe /subjectname yourservername, for example,

momcertimport.exe /subjectname W2019-02

or

MOMCertImport /SubjectName %computername%

4. Restart SCOM services and check the status of Agent Monitoring on SCOM Server.

Please view this step by step video:

Generate SCOM Client Certificate and install it on all managed server and Untrusted computer(s)

To trust an untrusted computer, we need to create the client Certificate for both managed server and untrusted computer. This video shows how to do so. 

Step 1: Request and Enroll New Certificate

1.On the Managed or SCOM Server, go to MMC>Certificate (local computer)>Personal.

2.Right click on Certificate and select All Tasks>Request New Certificate.

3. In Certificate Enrollment, highlight the Policy, and click on Next.

4. In Request Certificates, click blue text under the policy, CA02 in our example.

5. On the Certificate Properties window under the Subject page, select Common Name and DNS name and add your server’s name, in my case “W2019-02”

6. Select the General Page and add your server’s name there as well.

7. Click OK, then finish the wizard with defaults

8. Highlight the Active Directory Enrollment Policy and click Enroll.

9. The Status should shows Succeeded. Click on Finish

9. Under Personal Certificates you should now have a certificate named after your server’s name, in my case “W2019-02”

10. Double click on the Certificate you juts enrolled to check the status.

Step 2: Export Client Certificate for Untrusted Computer

1. Right click the certificate you just enrolled and click export

2. Select Yes, export the private key, and then click Next.

3. In Export File Format, check Personal Information Exchange – PKCS #12(.PFX) with Enable certificate privacy. Others are the options.

4. In Security, enter the password, and then click on Next.

5. Save it somewhere that is accessible from the untrusted server.

6. Click Finish.

Step 3: import SCOM Client Certificate to Untrusted Computer

1.On the untrusted computer, copy the certificate you just created to the local computer.

2.Open MMC and load the Certificates snapin for local computer.

3.On Personal right click and select All Tasks -> Import

5. Browse and select the certificate you just exported on Managed Server.

6. Select Next and enter your password on the Private key protection.

7. Check Place All Certificates in the following Store, and make sure Certificate store is Personal.

8. Click Finish on Completing the Certificate Import wizard.

9. You should have the Certificate installed. Double click on it to check the status. 

Please view this step by step video:

Create a certificate template and import it on all the managed Server and untrusted computers

When you install Microsoft System Center Operation Manager (SCOM) Agent on untrusted computers, you do not only need to add the CA to SCOM Server, Gateway Servers (communication between management servers and untrusted computers), untrusted computers, but also create a Certificate Template for them so that you can install Client Certificate to the managed server and the untrusted computer. This video shows how do so.

Step 1: Create a Certificate Template

1.Log on to the server which acts as an Issuing Enterprise Certification Authority, in our case it is SCOM server.

2.Type mmc in Search bar and click mmc icon to open it .

3. In the Console1 page, click File, and then Add/Remove Snap-in.

4. Highlight Certificates Templates, and then click Add.

5. In the Certificate Templates, locate the template named Computer.

6. Right-click on Computer and select Duplicate Template

7. In Properties of New Template page, click in General and type template name.

8. Click on Subject Name tab and check Supply in the request.

9. In Security tab, assign Read and Enroll permissions to Certification Authority managers or Certification Authority administrators.

10. Click Ok to save changes to the template and close Certificate Templates window.

Step 2: Enable new template to Issuing Enterprise CA

1. Log on to the server which acts as Issuing Enterprise CA.

2. Go to Server Manager>Tools and select Certification Authority

3. Expand your Certification Authority name and right click on Certificate Templates>New>Certificate Template to Issue.

4. In the Enable Certificate Templates page, locate custom template you just created (CA02 in out example) and click Ok.

Step 3: Request Certificate Template

1.Log on to the server which acts as Issuing Enterprise CA.

2.Type notepad in Search bar and open it.

3. Paste the following info with the managed server name and template name into the notepad:

[NewRequest]

Subject=”CN=scomsvr.mydomain.com”

KeyLength=2048

KeySpec=1

KeyUsage=0xf0

MachineKeySet=TRUE

[RequestAttributes]

CertificateTemplate=“CA02″

4. Save the file with an .inf file name extension, for example CA02.inf.

5. Run Command Prompt as administrator by typing cmd in the Search bar.

6. In the Command Prompt window run the following command:

CertReq -New -f path\savedconfig.inf path\OpsMgr_%computername%.req

7. Close Command Prompt window.

8. You should see created OpsMgr_%computername%.req file in the folder you saved.

Step 4: Submit the request file to Enterprise Certification Authority

1.Log on to the server which acts as Issuing Enterprise CA.

2.Go to Server Manager>Tools and select Certification Authority

3. In the Certification Authority page, right on Certification Authority name, click All Tasks and then Submit new request.

4. In the Open request file, locate CA02.req file created previously and click Open.

5. Save Certificate page will appear. Save certificate to a file, for example CA02.cer.

Step 5: Install issued certificate to managed computer

1.Log on to the server which acts as Issuing Enterprise CA.

2.Run Command Prompt as administrator by typing cmd in the Search bar.

3. In the Command Prompt window run the following command:

Certreq -accept path\%computername%_cert.cer

In our example

Certreq -accept c:\temp\CA02.cer

4. Copy MOMCertImport.exe from SCMO SupportTool\i386 folder to the CA02.cer location, Temp folder in our example..

5. Then run this command:

MOMCertImport /SubjectName %computername%

6. To confirm that it imported successfully, open Regedit. Go to HKLM>Software>Microsoft>Microsoft Operations Manager>3.0>Machine Settings. The ChannelCertificateSerialNumber will be reversed pairs of the Personal>Certificate in the MMC console

Please view this step by step video:

How to export and import Certificate of CA

In some situations, you may need to export and import certificate of CA. For example, when you install Microsoft System Center Operation Manager (SCOM) Agent on untrusted computers, you need to add the certificates to SCOM, gateway servers (communication between management servers and untrusted computers), untrusted computers so that they can trust each other. This video shows how do so.

Step 1: Deploy Microsoft Windows Server Active Directory Certificate Services (AD CS) Certificate Authority (CA) on a domain server. Please refer to this video: How to install a Trusted Root CA certificate on Windows – https://www.youtube.com/watch?v=Ddsrk68TGI0 or How to install Certification Authority in Windows Server 2019

Step 2: Export Certificates of CA

1. Login the server which acts as Issuing CA.

2. On the Server Manger, click Tools and then Certification Authority.

3. Right click on the Certification Authority name and select Properties.

4. In the Certification Authority Properties page click View Certificate button.

5. In the Certificate properties page, click on Details tab.

6. Click Copy to file… button

7. In the Welcome to the Certificate Export Wizard click Next.

8. In the Export File Format page, check Cryptographic Message Syntax Standard – PKCS #7 Certificate (.P7B) and Include all certificates in the certification path if possible.

9. In the File to Export page,  specify path and file name you want to export, and then click Next.

10. In the Completing the Certificate Export Wizard page, review your export settings. If they are correct, click Finish.

11. In Completing the Certificate Export Wizard, click Finish.

12. If exporting is successful, you will see The export was successful. Click Ok to close Certification Authority.

Step 3: Import Certificates of CA

Note: You need to import the Certificate of CA to each managed and untrusted computers. 

1.Login managed or untrusted computer.

2.Type mmc in Search bar and click mmc icon to open it .

3. In the Console1 page, click File, and then Add/Remove Snap-in.

4. Highlight Certificates, and then click Add.

5. Check Computer account, and then click Next.

6. With Local computer: (the computer this console is running on) selected, and then click Finish.

7. Click OK to close Add or Remove Snap-ins.

8. In the Console1 page, navigate to Certificates (Local Computer)>Trusted Root Certification Authorities.

9. Right-click Certificates, select All Tasks, and then click Import.

10. In the Certificate Import Wizard, click Next.

11. On the File to Import page, browse the CA certificates file you exported before, and then click Next.

12. On the Certificate Store page, check Place all certificates in the following store and make sure that Trusted Root Certification Authorities appears in the Certificate store box, and then click Next.

13. On the Completing the Certificate Import Wizard page, click Finish.

14. When The Import was successful message popup, click OK.

Note: You may not see the CA under Trusted Root Certification Authority immediately. It takes a few minutes or re-open MMC to see it.

15. Re-open MMC to check the status of the CA.

16. You ca double click on it to check the certificate status.

Please view this step by step video:

How to add and monitor a untrusted computer on SCOM 2019

Situation: The client has Microsoft System Center 2019 running. They would like to monitor some untrusted computers located on workgroup and DMZ.

Part 1: Install Certification Authority in Windows Server 2019 . Please refer to this post:

How to install Certification Authority in Windows Server 2019

Part 2: Export and import Certificate of CA . Please refer to this post:

Note: You need to import the certificate to Trusted Root Certification Authorities on each untrusted computer .

Part 3: Create a certificate template and import it on all the managed Server and untrusted computers. Please refer to this post:

Part 4: Generate SCOM Client certificate and import it on all the managed Server and untrusted computers. Please refer to this post:

Part 5: How to install SCOM Agent to untrusted computer. Please refer to this post:

How to test Paloalto Firewall HA

Situation: The client configured HA on two PA-850 units. They would like to know how to test it?

Resolution 1: Go to Device>High Availability> Operation Commands. Click on Suspend local device. Here are the example.

It takes 1 to 2 seconds to switch.

Resolution 2: If you want to disconnect a cable for the test, you can add a interface in Link Group. Go to Device>High Availability>Link and Path Monitoring. Add the Interface, for example trusted interface. You can unplug the trusted interface to test it.

If the cable is disconnected, it take about 15 seconds to switch to standby unit.

Configure Paloalto Firewall to allow VPN users accessing another IPSec Tunnel

Situation: The company configures GloablProtect VPN on Paloalto Firewall for home users accessing Office network. They also have site-to site VPN to AWS. The office computers can access the AWS but Home users. This video shows how to configure Paloalto Firewall to allow GloablProtect VPN accessing AWS.

Step 1: Add IPSec Tunnel IP addresses to GlableProtect Gateway

1. Login Paloalto Firewall.

2. Go to Network>GloableProtect>Gateways.

3. Click on the GloablProtect Gateway.

4. Go to Agent>Client Settings.

5. Click on configure name, end-users in our example.

6. In Configure, click Split Tunnel tab.

7. Click Add.

8. Add the AWS Tunnel IP address subnet.

9. Click Oks to save the settings.

Step 2: Modify Security Policy

1.Go to Policies>Security.

2.Click the Security policy you want to modify, AWS Traffic-3-4 in our example.

3. In Security Policy Rule, click on Source tab.

4. Click Add to add source zoon, for example GlobaleProtect.

5. Click Destination tab.

6. Click Add to add the GloableProtect zoon.

Step 3: Commit.

Click Commit to save the configuration.

Please view this step by step video: