ok can we just say www.outlook.com to break out locally and remaining internet traffic to go to HO via tunnel in all the sites or even that's not possible?

Hi @Aamir 

I believe the understanding is

We can have a FULL Tunnel / SPLIT Tunnel. [We may send All / only the Remote Subnet Traffic via the Tunnel]

Tunneling

There are two tunneling modes available for MX-Z appliances configured as a Spoke:

• Split tunnel (no default route): Send only site-to-site traffic, meaning that if a subnet is at a remote site, the traffic destined for that subnet is sent over the VPN. However, if traffic is destined for a network that is not in the VPN mesh (for example, traffic going to a public web service such as www.google.com), the traffic is not sent over the VPN. Instead this traffic is routed using another available route, most commonly being sent directly to the Internet from the local MX device. Split tunneling allows for the configuration of multiple hubs.
• Full tunnel (default route): The configured Exit hub(s) advertise a default route over Auto VPN to the spoke MX. Traffic destined for subnets that are not reachable through other routes will be sent over VPN to the Exit hub(s). Exit hubs' default routes will be prioritized in descending order.

thanks a lot.