Exclude Domains From GlobalProtect Tunnel

Exclude Domains From GlobalProtect Tunnel

16574
Created On 04/16/20 03:37 AM - Last Modified 11/03/20 23:17 PM


Symptom
This document describes how to effectively exclude domains from a GlobalProtect tunnel.
Youtube will serve as an example for this illustration.

Under Network > GlobalProtect > Gateways > Client Setting > Configs > Split Tunnel > Domain and Application > Add www.youtube.com

User-added image

However, in the traffic logs, the firewall still receives YouTube streaming traffic from connected GlobalProtect clients:

User-added image

 


Environment
  • PAN-OS 8.1 and above.
  • Palo Alto Firewall.
  • GlobalProtect configured.


Cause
  • YouTube loads content from other sources and just not youtube.com. 
  • To verify, before accessing YouTube, On the client system GlobalProtect Agent, navigate to:
           GlobalProtect > Settings > Troubleshooting > Logging Level > Dump > Start:
 
User-added image
  • The logging dump level on the GlobalProtect agent displays the content being loaded from googlevideo.com as well.


Resolution
  1. Add dynamic googlevideo content (*.googlevideo.com) to the "Exclude Domain" list:
User-added image
 
  1. Commit the changes. Now the streaming traffic should now be redirected to the correct connection other than the tunnel.


Additional Information
  • Important: Stop the "Logging Level: Dump" once debugging is done as this could fill up the logs and overwrite important logs saved on disk. 
  • Alternatively, the interesting traffic (streaming-media in this case) can be decrypted/inspected on the firewall. This will reveal any additional content that will require tunnel exclusion.
  • The article assumes knowledge of GlobalProtect configuration.


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000PPdp&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcSArticleDetail

Attachments
Choose Language