Domain-based split tunneling does not work for any internal websites using HTTP/3 (UDP)

Created On 09/23/22 19:49 PM - Last Modified 06/28/24 20:53 PM


Symptom


  • Domain-based split tunneling does not work for any internal websites using HTTP/3 (UDP) on Windows devices.
  • The same works correctly on macOS systems.
  • When accessing internal websites, the Chrome developer tools (Chrome browser > Developer Tools > Network) show:
    • "GET https://domain.com/robots.txt HTTP/3.0" does not work.
    • "GET https://domain.com/robots.txt HTTP/2.0" works correctly.


Environment


  • Palo Alto firewalls
  • Supported PAN-OS
  • GlobalProtect (GP) App
  • Domain-based Split tunneling
  • Windows clients
  • HTTP/3 (UDP) 


Cause


HTTP/3 uses UDP, and UDP traffic is not supported in domain-based split tunneling on Windows.

Resolution


  1. Disable QUIC in the browser to fix this issue, OR
  2. Turn off HTTP/3 on the server side. Refer to the appropriate vendor documentation.
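
Added example, not part of the original article: browsers commonly learn that a site offers HTTP/3 from the Alt-Svc response header (RFC 7838), so parsing that header shows which internal sites still advertise HTTP/3 and would be affected on Windows clients. The hostnames and header values below are constructed samples, and the function names are illustrative.

```python
import re

# Constructed sample Alt-Svc values keyed by placeholder hostnames
# (not from the article); None means the response carried no Alt-Svc header.
SAMPLE_RESPONSES = {
    "intranet.example.internal": 'h3=":443"; ma=86400, h3-29=":443"; ma=86400',
    "wiki.example.internal": 'h2="alt.example.internal:8443"; ma=3600',
    "hr.example.internal": "clear",
    "files.example.internal": None,
}

# protocol-id = "authority", followed by optional ;parameters
_ENTRY = re.compile(r'\s*([^\s=;,"]+)\s*=\s*"([^"]*)"(.*)$')


def parse_alt_svc(value):
    """Parse an Alt-Svc value into dicts (simplified: no commas inside quotes)."""
    if value is None or value.strip().lower() == "clear":
        return []
    entries = []
    for part in value.split(","):
        match = _ENTRY.match(part)
        if not match:
            continue  # skip malformed entries instead of failing the whole header
        protocol, authority, rest = match.groups()
        params = {}
        for param in rest.split(";"):
            if "=" in param:
                key, val = param.split("=", 1)
                params[key.strip().lower()] = val.strip().strip('"')
        host, _, port = authority.rpartition(":")
        max_age = params.get("ma", "")
        entries.append({
            "protocol": protocol,
            "host": host,  # empty means "same host as the origin"
            "port": int(port) if port.isdigit() else None,
            # RFC 7838: a missing "ma" defaults to 24 hours
            "max_age": int(max_age) if max_age.isdigit() else 86400,
        })
    return entries


def advertises_http3(value):
    """True if any entry offers HTTP/3 ("h3") or a draft version ("h3-NN")."""
    return any(e["protocol"] == "h3" or e["protocol"].startswith("h3-")
               for e in parse_alt_svc(value))


def affected_hosts(responses):
    """Hosts whose responses invite the browser to switch to HTTP/3 over UDP."""
    return sorted(h for h, v in responses.items() if advertises_http3(v))
```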


Additional Information


  • The main difference between HTTP 2.0 and HTTP 3.0 is the employed transport layer protocol.
  • In HTTP 2.0, we have TCP connections with or without TLS (HTTPS and HTTP).
  • HTTP 3.0, in turn, is designed over QUIC (Quick UDP Internet Connections).

