Exclude Domains From GlobalProtect Tunnel

Exclude Domains From GlobalProtect Tunnel

31402
Created On 04/16/20 03:37 AM - Last Modified 11/03/20 23:17 PM


Symptom


This document describes how to effectively exclude domains from a GlobalProtect tunnel.
Youtube will serve as an example for this illustration.

Under Network > GlobalProtect > Gateways > Client Setting > Configs > Split Tunnel > Domain and Application > Add www.youtube.com

User-added image

However, in the traffic logs, the firewall still receives YouTube streaming traffic from connected GlobalProtect clients:

User-added image

 

Environment


  • PAN-OS 8.1 and above.
  • Palo Alto Firewall.
  • GlobalProtect configured.

Cause


  • YouTube loads content from other sources and just not youtube.com. 
  • To verify, before accessing YouTube, On the client system GlobalProtect Agent, navigate to:
           GlobalProtect > Settings > Troubleshooting > Logging Level > Dump > Start:
 
User-added image
  • The logging dump level on the GlobalProtect agent displays the content being loaded from googlevideo.com as well.

Resolution


  1. Add dynamic googlevideo content (*.googlevideo.com) to the "Exclude Domain" list:
User-added image
 
  1. Commit the changes. Now the streaming traffic should now be redirected to the correct connection other than the tunnel.

Additional Information


  • Important: Stop the "Logging Level: Dump" once debugging is done as this could fill up the logs and overwrite important logs saved on disk. 
  • Alternatively, the interesting traffic (streaming-media in this case) can be decrypted/inspected on the firewall. This will reveal any additional content that will require tunnel exclusion.
  • The article assumes knowledge of GlobalProtect configuration.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000PPdp&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FkcSArticleDetail

Choose Language