Exclude Domains From GlobalProtect Tunnel
40851
Created On 04/16/20 03:37 AM - Last Modified 11/03/20 23:17 PM
Symptom
This document describes how to effectively exclude domains from a GlobalProtect tunnel.
YouTube serves as the example for this illustration.
Under Network > GlobalProtect > Gateways > Client Setting > Configs > Split Tunnel > Domain and Application, add www.youtube.com.
However, in the traffic logs, the firewall still receives YouTube streaming traffic from connected GlobalProtect clients.
Environment
- PAN-OS 8.1 and above.
- Palo Alto Firewall.
- GlobalProtect configured.
Cause
- YouTube loads content from other sources, not just youtube.com.
- To verify, before accessing YouTube, on the client system open the GlobalProtect Agent and navigate to:
GlobalProtect > Settings > Troubleshooting > Logging Level > Dump > Start.
- The "Dump" logging level on the GlobalProtect agent shows that content is also being loaded from googlevideo.com.
Resolution
- Add the dynamic googlevideo content (*.googlevideo.com) to the "Exclude Domain" list.
- Commit the changes. The streaming traffic should now bypass the tunnel and use the client's local connection instead.
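The cause and resolution above hinge on one check: does the exclude list actually cover every hostname the client contacts? The following script is an added example, not Palo Alto Networks code; it takes constructed sample lines in the style of a GlobalProtect agent dump (the real dump format differs), extracts the resolved hostnames, and reports which of them a given exclude list would bypass. It assumes the usual split-tunnel wildcard semantics, namely that "*.googlevideo.com" matches any subdomain and a plain entry such as "www.youtube.com" matches only that exact host; confirm that against your PAN-OS release before relying on it.

```python
"""Check which observed hostnames a GlobalProtect split-tunnel domain
exclude list would bypass and which would still enter the tunnel.

Added example, not Palo Alto Networks code. Wildcard semantics
('*.example.com' covers subdomains, plain entries are exact matches)
are an assumption; the log lines below are constructed.
"""
import re

# Constructed sample in the spirit of a GlobalProtect "Dump" level log;
# the real dump format is different, only the hostnames matter here.
SAMPLE_LOG = """\
2020-04-16 03:37:01 resolved www.youtube.com -> 203.0.113.10
2020-04-16 03:37:02 resolved thumbs.example-cdn.net -> 203.0.113.11
2020-04-16 03:37:03 resolved rr3---sn-abc.googlevideo.com -> 203.0.113.12
2020-04-16 03:37:04 resolved www.youtube.com -> 203.0.113.10
2020-04-16 03:37:05 resolved intranet.example.com -> 10.0.0.5
"""

HOST_RE = re.compile(r"resolved\s+(\S+)\s+->")


def hosts_from_dump(text):
    """Return distinct hostnames in order of first appearance."""
    seen = []
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if m:
            host = m.group(1).lower().rstrip(".")
            if host not in seen:
                seen.append(host)
    return seen


def matches_exclude(host, entry):
    """Assumed semantics: '*.example.com' matches any subdomain of
    example.com (not the apex itself); any other entry is an exact match."""
    host = host.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]          # ".example.com"
        return host.endswith(suffix) and host != entry[2:]
    return host == entry


def classify(hosts, exclude_list):
    """Split hosts into (excluded from tunnel, still tunneled)."""
    excluded, tunneled = [], []
    for host in hosts:
        if any(matches_exclude(host, e) for e in exclude_list):
            excluded.append(host)
        else:
            tunneled.append(host)
    return excluded, tunneled


if __name__ == "__main__":
    hosts = hosts_from_dump(SAMPLE_LOG)
    scenarios = (
        ("only www.youtube.com", ["www.youtube.com"]),
        ("with *.googlevideo.com", ["www.youtube.com", "*.googlevideo.com"]),
    )
    for label, excl in scenarios:
        ex, tun = classify(hosts, excl)
        print(f"{label}: excluded={ex} still tunneled={tun}")
```

Running it shows the symptom from the article: with only www.youtube.com excluded, the googlevideo.com host still goes through the tunnel, and adding *.googlevideo.com fixes that. Anything left in the "still tunneled" list after the expected entries is a candidate for the decrypt-and-inspect step mentioned below, or for a deliberate decision to keep it inside the tunnel, since every exclusion also removes that traffic from firewall inspection.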
Additional Information
- Important: Stop the "Logging Level: Dump" once debugging is done, as it can fill up the logs and overwrite important logs saved on disk.
- Alternatively, the traffic of interest (streaming-media in this case) can be decrypted and inspected on the firewall. This reveals any additional content sources that also require tunnel exclusion.
- The article assumes knowledge of GlobalProtect configuration.