How to Exclude Application and Video Traffic from the GlobalProtect VPN Tunnel

Created On 03/23/20 18:54 PM - Last Modified 11/05/20 16:23 PM


Objective

GlobalProtect supports the Split Domain & Applications and Exclude Video Traffic features, which can be configured to either exclude or include traffic across the GlobalProtect VPN tunnel. The objective of this document is to provide enterprise administrators with information about these features and their configuration. The document specifically focuses on using these features to exclude certain bandwidth-intensive applications and domains, to help enterprises with business continuity and with prioritizing business application traffic during the high Work From Home (WFH) season.

The solution described in this document is specifically targeted at Windows and macOS. For iOS, Android and Windows UWP users, split tunneling can be achieved with an app-level VPN configured via MDM.



Environment
  • Prisma Access/GlobalProtect Subscription
  • PAN-OS 8.1+
  • GlobalProtect App 4.1+
  • Windows 7 Service Pack 2 & later
  • macOS 10.10+


Procedure
  1. To configure excluded domains and applications on the firewall, navigate to Network > GlobalProtect > Gateways > "Select Gateway" > Agent > Client Settings > "Select client config" > Split Tunnel > Domain and Application
  2. Under the Exclude Domain option, specify the domains whose traffic you want to keep outside of your VPN tunnel.

Note: In the configuration snapshot below, we have excluded traffic for both the *.zoom.us and *.zoom.com domains.

Snapshot displaying the split tunnel domain dialog box

  3. Similarly, under Exclude Client Application Process Name, specify the complete path of the application process whose traffic you want to keep outside your VPN tunnel.

Note: In the configuration snapshot below, we have excluded traffic for the Zoom application from the VPN tunnel for both Windows and macOS using the following paths:

  • /Applications/zoom.us.app/Contents/MacOS/zoom.us
  • %AppData%\Roaming\Zoom\bin\Zoom.exe

Snapshot displaying the split tunnel domain dialog box

  4. Once configured, click OK and commit the configuration on the firewall. The configuration above is pushed to the GlobalProtect app once it connects to the gateway.
  5. To exclude video traffic from the tunnel (Windows and macOS only), navigate to Network > GlobalProtect > Gateways > "Select Gateway" > Agent > Video Traffic
  6. Here, check the "Exclude video traffic from the tunnel (Windows and macOS only)" checkbox and add the applications for which you want to exclude video traffic from your VPN tunnel.

Note: If administrators enable this option but do not exclude specific video-streaming applications from the VPN tunnel, all video-streaming traffic is excluded.

Note: In the configuration snapshot below, the following applications are excluded:
  • hulu-base
  • netflix-streaming
  • youtube-streaming

Snapshot displaying the exclude video traffic dialog box

  7. Once configured, click OK and commit the configuration on the firewall.
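The following is an added example, not Palo Alto Networks code and not the GlobalProtect app's own matching logic. It is a small offline model of the three exclusion rules configured in the procedure above (excluded domains, excluded client application process paths, and excluded video-streaming App-IDs), used to predict which sample flows would leave the tunnel. The wildcard-domain semantics, the %VAR% expansion, the Windows environment mapping, the set of App-IDs treated as video streaming and the sample flows are all assumptions constructed for illustration; in particular it reproduces the caveat from step 6 that an enabled video-traffic checkbox with an empty application list excludes all video-streaming traffic, and `policy_warnings` flags that state so an administrator can catch it before committing.

```python
"""
Added example (not Palo Alto Networks code): a simplified, offline model of the
split-tunnel exclusion rules this article configures. Matching semantics are
assumptions made for illustration, not a description of the GlobalProtect app.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed: App-IDs this model treats as video streaming. The real set is
# defined by the PAN-OS App-ID database; these are the three the article excludes.
VIDEO_STREAMING_APP_IDS = {"hulu-base", "netflix-streaming", "youtube-streaming"}

# Constructed stand-in for the Windows environment, so %AppData% expands
# deterministically without reading the real os.environ.
WINDOWS_ENV = {"APPDATA": r"C:\Users\alice\AppData"}


@dataclass
class SplitTunnelPolicy:
    exclude_domains: list[str] = field(default_factory=list)    # e.g. "*.zoom.us"
    exclude_processes: list[str] = field(default_factory=list)  # full process paths
    exclude_video: bool = False            # "Exclude video traffic from the tunnel" checkbox
    video_apps: list[str] = field(default_factory=list)         # App-IDs added under Video Traffic


@dataclass
class Flow:
    os_name: str                 # "windows" or "macos"
    process_path: str            # path of the process that opened the connection
    app_id: str                  # App-ID the gateway identified for the flow
    host: Optional[str] = None   # destination hostname, if known


def expand_windows_env(path: str, env: dict[str, str]) -> str:
    """Replace %VAR% tokens using the supplied mapping (variable names case-insensitive)."""
    out = path
    for name, value in env.items():
        out = re.sub(rf"%{re.escape(name)}%", lambda _m: value, out, flags=re.IGNORECASE)
    return out


def domain_matches(pattern: str, host: str) -> bool:
    """Assumption: '*.example.com' matches any subdomain of example.com (not the
    apex itself); any other pattern must equal the host. Case-insensitive."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # pattern[1:] is ".example.com"
    return host == pattern


def process_matches(pattern: str, flow: Flow) -> bool:
    """Windows: expand %VAR% on both sides and compare case-insensitively.
    macOS: compare the literal path (assumed case-sensitive)."""
    if flow.os_name == "windows":
        return (expand_windows_env(pattern, WINDOWS_ENV).lower()
                == expand_windows_env(flow.process_path, WINDOWS_ENV).lower())
    return pattern == flow.process_path


def route_decision(policy: SplitTunnelPolicy, flow: Flow) -> str:
    """Return 'bypass:<reason>' if the flow leaves the tunnel, otherwise 'tunnel'."""
    if flow.host and any(domain_matches(p, flow.host) for p in policy.exclude_domains):
        return "bypass:domain"
    if any(process_matches(p, flow) for p in policy.exclude_processes):
        return "bypass:process"
    if (policy.exclude_video and flow.os_name in ("windows", "macos")
            and flow.app_id in VIDEO_STREAMING_APP_IDS):
        # Article caveat: checkbox enabled with an empty application list
        # excludes *all* video-streaming traffic, not none of it.
        if not policy.video_apps or flow.app_id in policy.video_apps:
            return "bypass:video"
    return "tunnel"


def policy_warnings(policy: SplitTunnelPolicy) -> list[str]:
    """Pre-commit sanity checks an administrator would want to see."""
    warnings = []
    if policy.exclude_video and not policy.video_apps:
        warnings.append("Exclude video traffic is enabled with no applications listed: "
                        "ALL video-streaming traffic will bypass the tunnel.")
    for app in policy.video_apps:
        if app not in VIDEO_STREAMING_APP_IDS:
            warnings.append(f"{app!r} is not a known video-streaming App-ID in this model.")
    return warnings


# The policy shown in the article's snapshots.
ARTICLE_POLICY = SplitTunnelPolicy(
    exclude_domains=["*.zoom.us", "*.zoom.com"],
    exclude_processes=["/Applications/zoom.us.app/Contents/MacOS/zoom.us",
                       r"%AppData%\Roaming\Zoom\bin\Zoom.exe"],
    exclude_video=True,
    video_apps=["hulu-base", "netflix-streaming", "youtube-streaming"],
)

# Constructed sample flows, including a plain file download that must stay tunneled.
SAMPLE_FLOWS = [
    Flow("windows", r"%AppData%\Roaming\Zoom\bin\Zoom.exe", "zoom", "us04web.zoom.us"),
    Flow("macos", "/Applications/zoom.us.app/Contents/MacOS/zoom.us", "zoom", "zoom.us"),
    Flow("windows", r"C:\Program Files\Mozilla Firefox\firefox.exe", "netflix-streaming", "www.netflix.com"),
    Flow("windows", r"C:\Program Files\Mozilla Firefox\firefox.exe", "web-browsing", "files.example.com"),
    Flow("macos", "/Applications/Safari.app/Contents/MacOS/Safari", "youtube-streaming", "www.youtube.com"),
]


def evaluate(policy: SplitTunnelPolicy, flows: list[Flow]) -> list[str]:
    return [route_decision(policy, f) for f in flows]


if __name__ == "__main__":
    for w in policy_warnings(ARTICLE_POLICY):
        print("WARNING:", w)
    for flow, decision in zip(SAMPLE_FLOWS, evaluate(ARTICLE_POLICY, SAMPLE_FLOWS)):
        print(f"{flow.os_name:8} {flow.app_id:18} {flow.host:20} -> {decision}")
```

Running it shows the Zoom subdomain flow leaving by domain match, the macOS Zoom flow to the apex host leaving by process path, the two streaming App-IDs leaving by the video rule, and the file download staying in the tunnel for inspection, which is the distinction the Additional Information section below asks administrators to preserve.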

Additional Information
  • It is essential to correctly identify the content as video before excluding it. If a media file such as an mp3 or swf is downloaded, that traffic should not be split-tunneled; it must go through the tunnel and be inspected, as such files can be threat vehicles.
  • SSL decryption must be enabled on the gateway in order to exclude streams that use HTTPS. More information on the same can be found here.
  • More information regarding license and activation can be found here.
  • Optimized Split Tunneling for GlobalProtect


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPDSCA4&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail