How to Exclude Application and Video Traffic from the GlobalProtect VPN Tunnel
Objective
GlobalProtect supports the Split Domain & Applications and Exclude Video Traffic features, which can be configured to either exclude or include specific traffic across the GlobalProtect VPN tunnel. The objective of this document is to provide enterprise administrators with information about these features and their configuration. The document specifically focuses on using these features to exclude certain bandwidth-clogging applications and domains, helping enterprises maintain business continuity and prioritize business application traffic during the high Work From Home (WFH) season.
The solution described in this document is specifically targeted at Windows and macOS. To achieve split tunneling for iOS, Android and Windows UWP, users can utilize per-app VPN configured via MDM.
Environment
- Prisma Access/GlobalProtect Subscription
- PAN-OS 8.1+
- GlobalProtect App 4.1+
- Windows 7 Service Pack 2 & later
- macOS 10.10+
Procedure
- To configure exclude domains and applications on the firewall, navigate to Network > GlobalProtect > Gateways > "Select Gateway" > Agent > Client Settings > "Select client config" > Split Tunnel > Domain and Application
- Under the Exclude Domain option, specify the domains whose traffic you want to route outside of the VPN tunnel.
Note: In the configuration snapshot below, we have excluded traffic for both the *.zoom.us and *.zoom.com domains.
- Similarly, under Exclude Client Application Process Name, specify the complete path of each application process whose traffic you want to route outside of the VPN tunnel.
Note: In the configuration snapshot below, we have excluded traffic for the Zoom application from the VPN tunnel on both Windows and macOS using the following paths:
- /Applications/zoom.us.app/Contents/MacOS/zoom.us
- %AppData%\Roaming\Zoom\bin\Zoom.exe
- Once configured, click OK and commit the configuration on the firewall. The above configuration is pushed to the GlobalProtect app once it connects to the gateway.
- To configure exclude video traffic from the tunnel (Windows and macOS only), navigate to Network > GlobalProtect > Gateways > "Select Gateway" > Agent > Video Traffic
- Here, check the "Exclude video traffic from the tunnel (Windows and macOS only)" checkbox and add the applications for which you want to exclude video traffic from your VPN tunnel.
Note: In the configuration snapshot below, the following applications are excluded:
- hulu-base
- netflix-streaming
- youtube-streaming
- Once configured click OK and commit the configuration on the firewall.
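The following added example (not Palo Alto Networks code) models the Domain and Application exclusions configured above as a client-side decision, so an administrator can reason about which flows leave the tunnel and therefore bypass gateway inspection. The wildcard semantics (a leading `*.` matches any subdomain but not the bare apex), the `%AppData%` expansion and the sample flows are assumptions made for the illustration, not documented GlobalProtect behaviour.

```python
"""Added illustration (not Palo Alto Networks code): models which client flows the
split-tunnel settings in this article steer around the VPN tunnel. Assumed semantics:
'*.' matches any subdomain (case-insensitive, apex excluded); %VAR% is expanded on Windows."""
import fnmatch
import ntpath
import re

# Exclude lists exactly as configured in the article.
EXCLUDE_DOMAINS = ["*.zoom.us", "*.zoom.com"]
EXCLUDE_PROCESSES = [
    "/Applications/zoom.us.app/Contents/MacOS/zoom.us",
    r"%AppData%\Roaming\Zoom\bin\Zoom.exe",
]
WIN_ENV = {"APPDATA": r"C:\Users\alice\AppData"}  # constructed sample Windows environment

def expand_windows_vars(path: str, env: dict) -> str:
    """Expand %VAR% references case-insensitively; unknown variables are left intact."""
    upper = {k.upper(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: upper.get(m.group(1).upper(), m.group(0)), path)

def domain_excluded(host: str) -> bool:
    """True if the destination host matches an Exclude Domain entry."""
    host = host.lower().rstrip(".")  # DNS names are case-insensitive
    return any(fnmatch.fnmatchcase(host, pat.lower()) for pat in EXCLUDE_DOMAINS)

def process_excluded(path: str, platform: str, env: dict = WIN_ENV) -> bool:
    """True if the originating process matches an Exclude Client Application entry."""
    if platform == "windows":  # NTFS paths: case-insensitive, backslash separators
        norm = lambda p: ntpath.normcase(expand_windows_vars(p, env))
        candidates = [p for p in EXCLUDE_PROCESSES if "\\" in p]
    else:  # macOS paths are compared as given (case-sensitive)
        norm, candidates = str, [p for p in EXCLUDE_PROCESSES if "/" in p]
    return any(norm(path) == norm(c) for c in candidates)

def route_for(flow: dict) -> str:
    """'bypass' means the flow leaves the tunnel uninspected; otherwise 'tunnel'."""
    excluded = domain_excluded(flow["host"]) or process_excluded(flow["process"], flow["platform"])
    return "bypass" if excluded else "tunnel"

# Constructed sample flows as a client might observe them.
SAMPLE_FLOWS = [
    {"platform": "windows", "host": "us04web.zoom.us",
     "process": r"C:\Users\alice\AppData\Roaming\Zoom\bin\Zoom.exe"},
    {"platform": "macos", "host": "zoom.us",  # apex host is not matched, but the process is
     "process": "/Applications/zoom.us.app/Contents/MacOS/zoom.us"},
    {"platform": "windows", "host": "intranet.example.com",
     "process": r"C:\Program Files\Mozilla Firefox\firefox.exe"},
]
```

Running `route_for` over the sample flows classifies the two Zoom flows as bypass and the intranet flow as tunnel; a browser flow to a `*.zoom.com` host would also bypass, which is why the SSL decryption and media-file caveats below matter.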
Additional Information
- It is essential to correctly identify the content as video before excluding it. Downloaded media files, such as mp3 or swf, must not be split-tunneled; they must go through the tunnel and be inspected, as they could be threat vehicles.
- SSL decryption must be enabled on the gateway to exclude streams that use HTTPS. See the SSL decryption documentation for more information.
- See the licensing documentation for more information regarding license and activation.
- Optimized Split Tunneling for GlobalProtect