Exclude Domains From GlobalProtect Tunnel


Created On 04/16/20 03:37 AM - Last Modified 11/03/20 23:17 PM

This document describes how to effectively exclude domains from a GlobalProtect tunnel.
YouTube serves as the example for this illustration.

Under Network > GlobalProtect > Gateways > Client Settings > Configs > Split Tunnel > Domain and Application, add www.youtube.com to the Exclude Domain list.


However, in the traffic logs, the firewall still receives YouTube streaming traffic from connected GlobalProtect clients:


Environment
  • PAN-OS 8.1 and above.
  • Palo Alto Networks firewall.
  • GlobalProtect configured.

Cause
  • YouTube loads content from other sources, not just youtube.com.
  • To verify, before accessing YouTube, open the GlobalProtect agent on the client system and navigate to:
           GlobalProtect > Settings > Troubleshooting > Logging Level > Dump > Start
  • With the logging level set to Dump, the GlobalProtect agent log shows the content being loaded from googlevideo.com as well.

Resolution
  1. Add the dynamic googlevideo content (*.googlevideo.com) to the "Exclude Domain" list.
  2. Commit the changes. The streaming traffic should now bypass the tunnel and use the client's local connection instead.
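The following is an added example, not part of this article or of any Palo Alto Networks tool: a small audit script that takes hostnames observed in the agent dump log and an Exclude Domain list, and reports which hosts would still ride the tunnel. The matching semantics (exact entry matches that host; a leading "*." entry matches any subdomain) and the sample hostnames are assumptions for illustration, not PAN-OS's implementation or captured data.

```python
"""Audit which observed hostnames would still traverse a GlobalProtect tunnel
for a given split-tunnel Exclude Domain list.

Matching semantics below are an assumption for illustration (exact match, or a
leading '*.' entry matching any subdomain), not PAN-OS's actual implementation.
"""


def domain_matches(host: str, pattern: str) -> bool:
    """Return True if `host` is covered by the exclude-list entry `pattern`."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.googlevideo.com" -> ".googlevideo.com"
        # Require a real subdomain: "googlevideo.com" itself is not matched.
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def still_tunneled(observed_hosts, exclude_list):
    """Hosts that no exclude entry covers, i.e. they still go through the tunnel."""
    return [h for h in observed_hosts
            if not any(domain_matches(h, p) for p in exclude_list)]


# Constructed sample of hostnames, as one might read them from the agent's
# dump-level log while loading a YouTube page (not real captured data).
OBSERVED_HOSTS = [
    "www.youtube.com",
    "i.ytimg.com",
    "rr3---sn-abc123.googlevideo.com",
    "redirector.googlevideo.com",
    "intranet.example.com",  # hypothetical corporate host that must stay in the tunnel
]

BEFORE = ["www.youtube.com"]                      # exclude list from the first attempt
AFTER = ["www.youtube.com", "*.googlevideo.com"]  # after adding the dynamic video hosts

if __name__ == "__main__":
    for label, excl in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: still via tunnel -> {still_tunneled(OBSERVED_HOSTS, excl)}")
```

Running the audit on the "after" list shows that the streaming hosts now bypass the tunnel while the corporate host stays inside it, and it also surfaces any remaining third-party host that would need its own exclusion.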

Additional Information
  • Important: Stop the "Logging Level: Dump" once debugging is done as this could fill up the logs and overwrite important logs saved on disk. 
  • Alternatively, the interesting traffic (streaming-media in this case) can be decrypted/inspected on the firewall. This will reveal any additional content that will require tunnel exclusion.
  • The article assumes knowledge of GlobalProtect configuration.
