How to exclude the YouTube video traffic from the GlobalProtect tunnel

Created On 11/19/21 21:29 PM - Last Modified 06/26/25 20:30 PM


Objective


How to exclude the YouTube traffic from the GlobalProtect (GP) tunnel?



Environment




Procedure


Here are the steps to exclude YouTube traffic from the GP tunnel:

  1. Configure SSL decryption.
  2. Create the GP portal and gateway agent configurations.
  3. Enable the "Exclude video traffic from the tunnel (Windows and macOS only)" option in the gateway agent configuration.

GUI: Network > GlobalProtect > Gateways > [gateway-name] > Agent > Video Traffic

Note: If you enable this option and do not exclude specific video streaming applications from the VPN tunnel, all video streaming traffic will be excluded.



      Additional Information


      Firewall Verification

      • The first connection to YouTube will go through the firewall to identify the App-ID as youtube-streaming and send a redirect.
      • The session created on the firewall for this video traffic shows that it is being excluded through the tracker stage firewall value: split tunnel.

      Firewall CLI ->

      > show session id 211021
      Session     211021
          c2s flow:
              source:   10.10.10.1 [L3-Trust]
              dst:     74.125.170.124
              proto:    6
              sport:    50326      dport:   443
              state:    INIT      type:    FLOW
              src user:  admin
              dst user:  unknown
          s2c flow:
              source:   74.125.170.124 [L3-Untrust]
              dst:     10.46.42.49
              proto:    6
              sport:    443       dport:   19738
              state:    INIT      type:    FLOW
              src user:  unknown
              dst user:  admin
          Slot                 : 1
          DP                  : 0
          index(local):            : 211021
          start time              : Mon Nov 8 14:29:30 2021
          timeout               : 90 sec
          total byte count(c2s)        : 2733
          total byte count(s2c)        : 50993
          layer7 packet count(c2s)       : 10
          layer7 packet count(s2c)       : 40
          vsys                 : vsys1
          application             : youtube-streaming  
          rule                 : Trust-to-Untrust
          service timeout override(index)   : False
          session to be logged at end     : True
          session in session ager       : False
          session updated by HA peer      : False
          address/port translation       : source
          nat-rule               : Trust-NAT(vsys1)
          layer7 processing          : enabled
          URL filtering enabled        : True
          URL category             : streaming-media, low-risk
          session via syn-cookies       : False
          session terminated on host      : False
          session traverses tunnel       : True
          session terminate tunnel       : False
          captive portal session        : False
          ingress interface          : tunnel.10
          egress interface           : ethernet1/3
          session QoS rule           : N/A (class 4)
          tracker stage firewall        : split tunnel
          end-reason              : aged-out

      GUI Detailed Traffic Log View ->


      GP App Verification

      • PanGPS.log will show the following logs:
      (T21876) 09/08/21 14:29:30:389 Debug(1603): SP set exclude ip 74.125.170.201, port 443 for video redirect
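
The firewall and GP app checks above can be scripted when many sessions or client logs need review. The following Python sketch is an added example, not Palo Alto Networks code: it parses text in the two formats shown above, its sample inputs are constructed (abbreviated from the output on this page, plus one made-up unrelated log line), and the function names are hypothetical.

```python
import re

# Constructed sample inputs, abbreviated from the output formats shown on this page.
SESSION_OUTPUT = """\
Session     211021
    c2s flow:
        source:   10.10.10.1 [L3-Trust]
        dst:     74.125.170.124
        sport:    50326      dport:   443
    s2c flow:
        source:   74.125.170.124 [L3-Untrust]
        dst:     10.46.42.49
    application             : youtube-streaming
    session traverses tunnel       : True
    ingress interface          : tunnel.10
    tracker stage firewall        : split tunnel
    end-reason              : aged-out
"""
PANGPS_LOG = """\
(T21876) 09/08/21 14:29:30:389 Debug(1603): SP set exclude ip 74.125.170.201, port 443 for video redirect
(T21876) 09/08/21 14:29:31:002 Debug(1210): unrelated constructed line
"""

# "name   : value" summary rows; flow rows ("source:   ...") have no " : " and are skipped.
FIELD_RE = re.compile(r"^\s*(.+?):?\s+:\s+(.*?)\s*$")
EXCLUDE_RE = re.compile(r"SP set exclude ip (\d{1,3}(?:\.\d{1,3}){3}), port (\d+) for video redirect")

def parse_session_fields(text):
    """Return the 'name : value' summary fields of a 'show session id' dump."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2)
    return fields

def video_excluded(fields, app="youtube-streaming"):
    """True when the session is the identified video app and is marked split tunnel."""
    return (fields.get("application") == app
            and fields.get("tracker stage firewall") == "split tunnel")

def client_exclusions(log_text):
    """Return (ip, port) pairs the GP app excluded for video redirect, per PanGPS.log."""
    return [(ip, int(port)) for ip, port in EXCLUDE_RE.findall(log_text)]

if __name__ == "__main__":
    fields = parse_session_fields(SESSION_OUTPUT)
    print("firewall marked session as excluded:", video_excluded(fields))
    print("client-side exclusions:", client_exclusions(PANGPS_LOG))
```
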

