When the endpoint has an active VPN connection, and split tunneling is enabled for the role, the Pulse server adds or modifies routes on the endpoint so that traffic meant for specific subnets uses the VPN tunnel, and all other traffic goes through the local physical adapter. You specify the subnets that are excluded from access or accessible through the VPN tunnel by defining split tunneling resource policies. In a case where you have identically numbered subnets on both the local network and the tunnel network, (that is, the specified split-tunnel subnet conflicts with an existing endpoint route), the route precedence setting determines the traffic path. The route monitoring option, when enabled, enhances network security by terminating the VPN tunnel if another process on the endpoint makes a change to the routing table.
The traffic enforcement option enables you to decide whether the split tunneling configuration can be bypassed. When traffic enforcement is enabled, Pulse creates rules on the endpoint’s firewall (Mac and Win) that ensure that all traffic conforms to the split tunneling configuration. For example, a local program might bypass the routing tables and bind traffic to the physical interface instead of allowing it to go through the Pulse virtual interface. If you enable traffic enforcement, you ensure that all traffic is bound by the split tunneling configuration.