<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>article Troubleshoot Split Tunnel Domain &amp; Applications and Exclude Video Traffic in GlobalProtect Articles</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/ta-p/321075</link>
    <description>&lt;H2 class="lia-align-center"&gt;&lt;STRONG&gt;GlobalProtect&amp;nbsp;&lt;/STRONG&gt;&lt;STRONG&gt;Troubleshooting Tips&lt;/STRONG&gt;&lt;STRONG&gt;: &lt;BR /&gt;&lt;/STRONG&gt;&lt;STRONG&gt;Split Tunnel Domain &amp;amp; Applications &lt;/STRONG&gt;&lt;STRONG&gt;and Exclude Video Traffic Features&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;Background&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;GlobalProtect with an on-premise firewall is used by employees to securely connect to their enterprise environment and access their corporate applications. GlobalProtect supports the &lt;STRONG&gt;Split Tunnel Domain &amp;amp; Applications and Exclude Video Traffic features&lt;/STRONG&gt;, which exclude certain bandwidth-clogging applications and domains to help enterprises with business continuity during high Work From Home (WFH) scenarios caused by the COVID-19 pandemic or any other type of calamity.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;DIV class="alert alert-warning" align="left"&gt;&lt;STRONG&gt;NOTE:&lt;/STRONG&gt; Split-tunnel traffic is not inspected by the next-generation firewall and, therefore, does not have the threat protection offered by Palo Alto Networks. Customers are therefore advised to review this carefully before enabling the feature and then decide whether the split tunnel meets the needs of their environment.&lt;/DIV&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;Objective&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;The objective of this document is to provide enterprise administrators with troubleshooting tips and tricks related to &lt;STRONG&gt;Split Tunnel Domain &amp;amp; Applications and Exclude Video Traffic features. &lt;/STRONG&gt;This will help administrators during implementation and operational maintenance of these features. For a configuration guide of this feature, refer to&amp;nbsp;&lt;A title="Optimized Split Tunneling for GlobalProtect | TechDocs | Palo Alto Networks" href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/globalprotect-features/split-tunnel-for-public-applications.html" target="_blank" rel="noopener"&gt;Optimized Split Tunneling for GlobalProtect&lt;/A&gt; and&amp;nbsp;&lt;A title="Implement Split Domain and Applications | LIVEcommunity | Palo Alto Networks" href="https://live.paloaltonetworks.com/t5/Prisma-Access-Articles/GlobalProtect-Implement-Split-Domain-and-Applications/ta-p/316929" target="_self"&gt;GlobalProtect: Implement Split Tunnel Domain and Applications&lt;/A&gt;.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H2&gt;&lt;STRONG&gt;Verification and Troubleshooting&lt;/STRONG&gt;&lt;/H2&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The following verification and troubleshooting steps are written for the configuration specified in &lt;A title="GlobalProtect Split Domain, Applications, Video Traffic | LIVEcommunity | Palo Alto Networks" href="https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-Implement-Split-Domain-and-Applications/ta-p/316929" target="_self"&gt;GlobalProtect: Implement Split Tunnel Domain, Applications, Exclude Video Traffic Configuration&lt;/A&gt;&amp;nbsp;and apply to any such configuration.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;H3&gt;&lt;STRONG&gt;Split Tunnel Domain &amp;amp; Application&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;To verify and troubleshoot the split tunnel domain and application traffic features, you can utilize the following steps:&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;The first step is to verify whether the gateway configuration for ‘Split Tunnel Domain’ or ‘Split Application’ has been pushed correctly to the GlobalProtect app. This can be verified by collecting GlobalProtect logs. For steps on collecting GlobalProtect logs, refer to:&amp;nbsp;&lt;A title="Collect Logs From GlobalProtect | Knowledge Base | Palo Alto Networks" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaLCAS" target="_blank" rel="noopener"&gt;How to Collect Logs From GlobalProtect Clients&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;Within the GlobalProtect logs bundle, review &lt;STRONG&gt;PanGPS.log&lt;/STRONG&gt; and verify that GlobalProtect receives the following, based on the configuration on the gateway:&lt;/LI&gt;
&lt;OL class="lia-list-style-type-lower-alpha"&gt;
&lt;LI&gt;‘Split Tunnel’ configuration:&lt;BR /&gt;&lt;LI-CODE lang="markup"&gt;&amp;lt;exclude-split-tunneling-domain&amp;gt;
       &amp;lt;member&amp;gt;*.ringcentral.com&amp;lt;/member&amp;gt;
&amp;lt;/exclude-split-tunneling-domain&amp;gt;&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;‘Split Application’ configuration:&lt;BR /&gt;&lt;LI-CODE lang="markup"&gt;&amp;lt;exclude-split-tunneling-application&amp;gt;
       &amp;lt;member&amp;gt;%AppData%\Local\RingCentral\SoftPhoneApp\Softphone.exe&amp;lt;/member&amp;gt;
       &amp;lt;member&amp;gt;%AppData%\Local\RingCentral\SoftPhoneApp\SoftPhoneMapiBridge.exe&amp;lt;/member&amp;gt;
       &amp;lt;member&amp;gt;/Applications/RingCentral for Mac.app/Contents/MacOS/Softphone&amp;lt;/member&amp;gt;
&amp;lt;/exclude-split-tunneling-application&amp;gt;&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;/OL&gt;
&lt;LI&gt;Within the GlobalProtect logs bundle, also review gpsplit.log (the equivalent file on macOS is PanNExt.log) to see the split tunnel domain and application rules that were applied. In the logs below, we can see that the ‘.ringcentral.com’ application is bound to the physical interface en0, so traffic for the RingCentral application will be excluded from the VPN tunnel. Here, Rules 0 to 3 correspond to the IP address of the domain and the applications we have configured on the gateway.&lt;BR /&gt;&lt;LI-CODE lang="markup"&gt;gpsplit [0x52bc2520] :860 Rule   0: 1TCP v4 50.239.202.198 0 &amp;gt; 2PHY (83115)
gpsplit [0x52bc2520] :860 Rule   1: 3APP %AppData%\Local\RingCentral\SoftPhoneApp\SoftPhoneMapiBridge.exe &amp;gt; 2PHY (0)
gpsplit [0x52bc2520] :860 Rule   2: 3APP %AppData%\Local\RingCentral\SoftPhoneApp\Softphone.exe &amp;gt; 2PHY (0)
gpsplit [0x52bc2520] :860 Rule   3: 3APP /Applications/RingCentral for Mac.app/Contents/MacOS/Softphone &amp;gt; 2PHY (0)
gpsplit [0x5fd50a40] :933 0x59bc4620 binding to interface en0, index 3&lt;/LI-CODE&gt;&lt;STRONG&gt;NOTE:&lt;/STRONG&gt; If an FQDN resolves to multiple IP addresses, all the IP addresses will be added to the exclude rules.&lt;BR /&gt;&lt;BR /&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN style="font-family: inherit;"&gt;Change the debug level to “Dump” so that PanGPS.log contains the details related to split-tunnel functionality (Settings -&amp;gt; Troubleshooting -&amp;gt; Logging Level). Make sure to note the time of the test (when the issue was reproduced), along with the domain being accessed.&lt;BR /&gt;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN style="font-family: inherit;"&gt;You can also check the connection table on the client machine and confirm that the specific application's connections go through the physical interface and not the tunnel interface. On macOS, use the&amp;nbsp;&lt;FONT face="courier new,courier"&gt;‘netstat -arn’&lt;/FONT&gt;&amp;nbsp;or &lt;FONT face="courier new,courier"&gt;'lsof -n -i | grep &amp;lt;application&amp;gt;'&lt;/FONT&gt; command; on a Windows machine, the&amp;nbsp;&lt;FONT face="courier new,courier"&gt;‘netstat -anob’&lt;/FONT&gt; command can be used.&lt;BR /&gt;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;We can also use the 'whois' lookup utility to find the public IP address associated with specific domains or ISPs.&amp;nbsp;&lt;BR /&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="whois lookup for IP address" style="width: 378px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25011i34D4EB16B28E78E6/image-size/large?v=v2&amp;amp;px=999" role="button" title="whois lookup for IP address.png" alt="whois lookup for IP address" /&gt;&lt;span class="lia-inline-image-caption" onclick="event.preventDefault();"&gt;whois lookup for IP address&lt;/span&gt;&lt;/span&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN style="font-family: inherit;"&gt;For application visibility on Windows platforms, Microsoft Network Monitor can also be utilized. More information can be found in this article:&amp;nbsp;&lt;/SPAN&gt;&lt;A style="font-family: inherit; background-color: #ffffff;" title="Network Monitor 3 | Microsoft Window Support" href="https://support.microsoft.com/en-us/help/933741/information-about-network-monitor-3" target="_blank" rel="noopener"&gt;Information about Network Monitor 3&lt;/A&gt;&lt;SPAN style="font-family: inherit;"&gt;.&lt;BR /&gt;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;To track traffic for a specific domain, enable Wireshark (or tcpdump) packet captures on the client machine on the physical and tunnel (utun) interfaces. This is considered the most reliable method to track the traffic for specific domains. Always take packet captures for both the physical and tunnel interfaces when reporting split-tunnel issues to Palo Alto Networks support. &lt;BR /&gt;On macOS, use tcpdump: &lt;FONT face="courier new,courier"&gt;sudo tcpdump -i all -k INP -w gptest.pcapng&lt;/FONT&gt;&lt;BR /&gt;Wireshark can be used to capture the same on Windows.&lt;BR /&gt;&lt;STRONG&gt;NOTE:&amp;nbsp;&lt;/STRONG&gt;Make sure to note the time of the test (when the issue was reproduced), along with the domain being accessed.&lt;BR /&gt;&lt;BR /&gt;&lt;/LI&gt;
&lt;LI&gt;To find the IP address for a specific domain, resolve the domain using nslookup as shown below. Apply the resulting IP address as a filter in Wireshark.&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;$ nslookup ringcentral.com&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;Non-authoritative answer:&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;Name: ringcentral.com&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;Address: 216.146.46.11&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;Name: ringcentral.com&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;Address: 216.146.46.10&lt;SPAN style="font-family: inherit;"&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/SPAN&gt;&lt;/FONT&gt;&lt;/LI&gt;
&lt;LI&gt;Verify that the split-tunnel configuration is working according to the order of operation below: &lt;STRONG&gt;application exclude&lt;/STRONG&gt; takes precedence over &lt;STRONG&gt;application include&lt;/STRONG&gt;, then &lt;STRONG&gt;domain exclude&lt;/STRONG&gt; takes precedence over &lt;STRONG&gt;domain include&lt;/STRONG&gt;, and then network traffic is excluded or included based on the specific access route.&lt;BR /&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="GlobalProtect split tunnel order" style="width: 586px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/26837i6DD7A5E086588EC9/image-dimensions/586x274?v=v2" width="586" height="274" role="button" title="GlobalProtect split tunnel order.png" alt="GlobalProtect split tunnel order" /&gt;&lt;span class="lia-inline-image-caption" onclick="event.preventDefault();"&gt;GlobalProtect split tunnel order&lt;/span&gt;&lt;/span&gt;&lt;/LI&gt;
&lt;LI&gt;Split-tunneling rules only apply to TCP/UDP traffic, so ICMP/ping is not subject to split-tunneling rules. Do not use ping to test whether split-tunnel rules are applied.&lt;/LI&gt;
&lt;LI&gt;For detailed Windows kernel-side logs, which allow us to see the interaction between the GlobalProtect filter driver and the kernel, use DebugView, which can be found here:&amp;nbsp;&lt;A href="https://docs.microsoft.com/en-us/sysinternals/downloads/debugview" target="_self"&gt;debugview&lt;/A&gt;&amp;nbsp; &lt;BR /&gt;Run dbgview.exe as Administrator.&lt;BR /&gt;Select "Enable Verbose Kernel Output" and start "Capture Kernel" (Ctrl + K). &lt;BR /&gt;&lt;STRONG&gt;NOTE:&lt;/STRONG&gt; This can generate a large amount of logs and may also impact endpoint performance. Please enable this only when requested by Palo Alto TAC or engineering teams.&lt;/LI&gt;
&lt;LI&gt;On macOS, also check whether the GlobalProtect system extension is active using:&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;$ systemextensionsctl list&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;--- com.apple.system_extension.network_extension&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;enabled active teamID bundleID (version) name [state]&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;* * PXPZ95SK77 com.paloaltonetworks.GlobalProtect.client.extension (5.2.5-66/1) GlobalProtectExtension [activated enabled]&lt;/FONT&gt;&lt;BR /&gt;Run the &lt;FONT face="courier new,courier"&gt;sudo launchctl list | grep palo&lt;/FONT&gt; command to confirm the presence of &lt;FONT face="courier new,courier"&gt;NetworkExtension.com.paloaltonetworks.GlobalProtect.client.extension&lt;/FONT&gt;.&lt;/LI&gt;
&lt;/OL&gt;
&lt;H3&gt;&lt;STRONG&gt;3rd Party Interoperability:&lt;/STRONG&gt;&lt;/H3&gt;
&lt;UL&gt;
&lt;LI&gt;Check whether a 3rd party product is preventing GlobalProtect from properly using filters/extensions to perform split-tunnel operations. Most of the time, conflicts are found with DLP (Data Loss Prevention), AV/AM (Anti-Virus/Anti-Malware) and other VPN types of software. In these cases we need to investigate whether the issue is on the GlobalProtect side or the 3rd party vendor side.&lt;/LI&gt;
&lt;LI&gt;Application-based exclusion will only affect the traffic generated directly by the named application. If the application uses another (system) process, such as svchost.exe, to facilitate a connection (for example through IPC), the GlobalProtect filter will not capture it. Excluding such a (system) process is not advisable, as it may be used by another, unrelated application, which can cause unintended consequences.&amp;nbsp;In these cases we can take one of two approaches:
&lt;UL&gt;
&lt;LI&gt;Check whether the traffic bypassing the rules (traffic that application-based exclusion does not capture for the reasons above) needs DNS resolution before transmission. If this is the case, we may be able to exclude the leaking traffic using domain-based exclusions.&lt;/LI&gt;
&lt;LI&gt;If we can’t use domain-based exclusion (no corresponding DNS transaction), we have to rely on route exclusion. This implies that the application is using well-known IP subnets as a destination (depending on the application, a list may be found on the Internet).&lt;/LI&gt;
&lt;LI&gt;Such behavior has been noted for some applications such as MS Teams, Skype etc. Please refer to&amp;nbsp;&lt;A href="https://live.paloaltonetworks.com/t5/General-Articles/GlobalProtect-Optimizing-Office-365-Traffic/ta-p/319669" target="_self"&gt;GlobalProtect: Optimizing Office 365 Traffic&lt;/A&gt;&amp;nbsp;for additional information&lt;/LI&gt;
&lt;/UL&gt;
&lt;/LI&gt;
&lt;LI&gt;macOS: Some applications have connection issues when split-tunnel rules are applied using the new Apple System Extensions framework. Starting with GlobalProtect 5.1.4 and macOS 10.15.4, GlobalProtect switched, as a best practice, from legacy KEXT (Kernel Extensions) to the new System Extension framework. Apple is deprecating KEXT starting with the macOS Big Sur release (ref. &lt;A href="https://support.apple.com/en-us/HT210999" target="_self"&gt;About system extensions and macOS&lt;/A&gt;&amp;nbsp; and &lt;A href="https://developer.apple.com/support/kernel-extensions/" target="_self"&gt;Deprecated Kernel Extensions and System Extension Alternatives&lt;/A&gt;&amp;nbsp;). Please confirm with the 3rd party vendors whether they support the new Apple framework.&lt;/LI&gt;
&lt;/UL&gt;
&lt;H3&gt;&lt;STRONG&gt;&lt;BR /&gt;Exclude Video Traffic&lt;/STRONG&gt;&lt;/H3&gt;
&lt;P&gt;To verify and troubleshoot the ‘Exclude video traffic from the tunnel (Windows and macOS only)’ feature, you can use the following steps:&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;OL&gt;
&lt;LI&gt;Verify whether the configuration you have on your gateway for ‘Exclude video traffic from the tunnel (Windows and macOS only)’ has been pushed correctly to the GlobalProtect app. This can be verified by collecting GlobalProtect logs. For steps on collecting GlobalProtect logs, refer to this knowledge article:&amp;nbsp;&lt;A title="Collect Logs From GlobalProtect | Knowledge Base | Palo Alto Networks" href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaLCAS" target="_blank" rel="noopener"&gt;How to Collect Logs From GlobalProtect Clients&lt;/A&gt;.&lt;/LI&gt;
&lt;LI&gt;Within the GlobalProtect logs bundle, you can review &lt;STRONG&gt;PanGPS.log&lt;/STRONG&gt; and verify that the ‘Exclude video traffic from the tunnel (Windows and macOS only)’ configuration is received from the gateway as shown below:&lt;BR /&gt;&lt;LI-CODE lang="markup"&gt;&amp;lt;exclude-video-redirect&amp;gt;yes&amp;lt;/exclude-video-redirect&amp;gt;&lt;/LI-CODE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;/LI&gt;
&lt;LI&gt;The firewall will send a redirect message to GlobalProtect once it determines that the specific video application needs to be excluded from the VPN tunnel. In our example, we are excluding YouTube traffic. The firewall identifies the application as video based on the initial http/https request from the client, and it also matches the destination domain in the request against the one configured. Reviewing the PanGPS.log file within the GlobalProtect logs bundle will confirm the video redirect message received by the GlobalProtect client from the gateway. The same can be seen in the logs below:&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;Split tunneling is enabled: 0 include app, 2 exclude app, 0 include domain, 3 exclude domain, &lt;STRONG&gt;video-redirect yes&lt;/STRONG&gt;&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;Debug(1732): SP set exclude ip 74.125.166.167, port 443 for video redirect&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;Debug(1732): SP set exclude ip 173.194.167.166, port 443 for video redirect&lt;/FONT&gt;&lt;BR /&gt;&lt;FONT face="courier new,courier"&gt;Debug(1732): SP set exclude ip 173.194.167.166, port 443 for video redirect&lt;/FONT&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/LI&gt;
&lt;LI&gt;On the firewall, you can filter the sessions for a specific application by using the command &lt;STRONG&gt;&lt;FONT face="courier new,courier"&gt;‘show session all filter application &amp;lt;application-name&amp;gt;’&lt;/FONT&gt;&lt;/STRONG&gt;. The example below filters on the &lt;FONT face="courier new,courier"&gt;‘youtube-base’&lt;/FONT&gt; application:&lt;BR /&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Admin view of PA-3260 in show session all filter application command" style="width: 512px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/24964iFDD21623758DFCA3/image-size/large?v=v2&amp;amp;px=999" role="button" title="Admin view of PA-3260 in show session all filter application command.png" alt="Admin view of PA-3260 in show session all filter application command" /&gt;&lt;span class="lia-inline-image-caption" onclick="event.preventDefault();"&gt;Admin view of PA-3260 in show session all filter application command&lt;/span&gt;&lt;/span&gt;&lt;BR /&gt;&lt;BR /&gt;&lt;/LI&gt;
&lt;LI&gt;&lt;SPAN style="font-family: inherit;"&gt;Review the specific session details based on the output from Step 4 by using the command &lt;STRONG&gt;&lt;FONT face="courier new,courier"&gt;‘show session id &amp;lt;session id&amp;gt;’&lt;/FONT&gt;&lt;/STRONG&gt;. Look for &lt;STRONG&gt;&lt;FONT face="courier new,courier"&gt;'tracker stage firewall: split tunnel'&lt;/FONT&gt;&lt;/STRONG&gt; in the session detail output, which confirms that the traffic is being excluded from the VPN tunnel.&lt;BR /&gt;&lt;/SPAN&gt;&lt;/LI&gt;
&lt;LI&gt;Browser verification can also be performed for the HTTP 302 redirect response received from the gateway for the URL or video application that we have excluded. In Chrome, Firefox, or Internet Explorer, you can use the Web Developer/Developer tools and the Network option within them for this verification. The HTTP 302 URL redirect message is seen under the status or result column when the gateway sends a redirect message. The snapshot below provides an example from the Firefox Web Developer tool, where the 302 redirect received from the gateway is seen under the status column for video playback.&amp;nbsp;&lt;BR /&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Example of the Firefox Web Developer tool showing status column 302 results" style="width: 512px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/24965iDFDAC82D6AE265F5/image-size/large?v=v2&amp;amp;px=999" role="button" title="Example of the Firefox Web Developer tool showing status column 302 results.png" alt="Example of the Firefox Web Developer tool showing status column 302 results" /&gt;&lt;span class="lia-inline-image-caption" onclick="event.preventDefault();"&gt;Example of the Firefox Web Developer tool showing status column 302 results&lt;/span&gt;&lt;/span&gt;&lt;/LI&gt;
&lt;/OL&gt;</description>
    <pubDate>Thu, 14 Jan 2021 19:24:08 GMT</pubDate>
    <dc:creator>nnaik</dc:creator>
    <dc:date>2021-01-14T19:24:08Z</dc:date>
    <item>
      <title>Troubleshoot Split Tunnel Domain &amp; Applications and Exclude Video Traffic</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/ta-p/321075</link>
      <description>&lt;P&gt;Find troubleshooting tips and tricks related to Split Tunnel Domain &amp;amp; Applications and Exclude Video Traffic features.&lt;/P&gt;</description>
      <pubDate>Thu, 14 Jan 2021 19:24:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/ta-p/321075</guid>
      <dc:creator>nnaik</dc:creator>
      <dc:date>2021-01-14T19:24:08Z</dc:date>
    </item>
    <item>
      <title>Re: Troubleshoot Split Tunnel Domain &amp; Applications and Exclude Video Traffic</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/396875#M26</link>
      <description>&lt;P&gt;Recently RingCentral has changed where their directories reside. What was under %appdata% is now under %program files%. I noticed this after a number of users started complaining that RingCentral meetings would not work. I tried adding the following lines below to exclude from the tunnel but am still facing the same issue. This article's configuration worked well for the past year until recently, after the folder relocation. If I remove the exclusions from split tunnel it works great. Any ideas? Do I need a GlobalProtect license for this to work properly?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;%programfiles%\RingCentral\RingCentral.exe&lt;BR /&gt;%programfiles(x86)%\RingCentralMeetings\bin\RingCentral_launcher.exe&lt;BR /&gt;%programfiles(x86)%\RingCentralMeetings\bin\RingCentralMeetings.exe&lt;/P&gt;</description>
      <pubDate>Fri, 09 Apr 2021 14:09:41 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/396875#M26</guid>
      <dc:creator>Retired Member</dc:creator>
      <dc:date>2021-04-09T14:09:41Z</dc:date>
    </item>
    <item>
      <title>Re: Troubleshoot Split Tunnel Domain &amp; Applications and Exclude Video Traffic</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/443300#M31</link>
      <description>&lt;P&gt;&lt;SPAN&gt;In the GlobalProtect Log bundle, we don't have gpsplit.log -- just wondering where specifically is this file&lt;/SPAN&gt;&lt;/P&gt;&lt;P&gt;&lt;SPAN&gt;"Within the GlobalProtect logs bundle, also review gpsplit.log (the equivalent file on the macOS is PanNExt.log) "&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 26 Oct 2021 00:33:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/443300#M31</guid>
      <dc:creator>rajjair</dc:creator>
      <dc:date>2021-10-26T00:33:03Z</dc:date>
    </item>
    <item>
      <title>Re: Troubleshoot Split Tunnel Domain &amp; Applications and Exclude Video Traffic</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/445706#M32</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/119812"&gt;@rajjair&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Comments on the following page may be helpful for you.&lt;/P&gt;&lt;P&gt;&lt;A href="https://live.paloaltonetworks.com/t5/general-topics/globalprotect-working-from-home-prisma-access-and-covid-19/td-p/316122/page/4" target="_blank"&gt;https://live.paloaltonetworks.com/t5/general-topics/globalprotect-working-from-home-prisma-access-and-covid-19/td-p/316122/page/4&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;######&lt;/P&gt;&lt;P&gt;Thanks for the feedback. Actually gpsplit.log file is available as part of GlobalProtect logs bundle before GlobalProtect client 5.1.4 for macOS. After GlobalProtect client 5.1.4 and later, based on your macOS version you will either see gpsplit.log or PanNext.log [macOS 10.15.4 + GP 5.1.4 onwards]. For Windows you can review PanGPS.log file. I will also update the document which you referred with this most current information.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks,&lt;/P&gt;&lt;P&gt;Nehal&lt;/P&gt;&lt;P&gt;######&lt;/P&gt;</description>
      <pubDate>Fri, 05 Nov 2021 08:01:32 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/445706#M32</guid>
      <dc:creator>taksato</dc:creator>
      <dc:date>2021-11-05T08:01:32Z</dc:date>
    </item>
    <item>
      <title>Re: Troubleshoot Split Tunnel Domain &amp; Applications and Exclude Video Traffic</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/469824#M35</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71992"&gt;@nnaik&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;&lt;P&gt;You sure Domain-based split tunneling is supposed to work for UDP traffic?&lt;/P&gt;&lt;P&gt;Same for the process based.&lt;/P&gt;&lt;P&gt;I did split-tunnel a domain, can see from the logs that an exception is added&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;""(P12804-T13544)Dump ( 797): 03/02/22 17:31:50:960 SP added an exclude ip 40.76.167.50, port 0, ttl 10 for domain GLOBAL.G.NSSVC.NET, original ttl=10, infinite ttl=no""&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;However UDP traffic still goes through the tunnel interface.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;If I generate some random TCP traffic to the same domain (telnet on random port) I can confirm this TCP traffic goes through the physical interface.&lt;/P&gt;</description>
      <pubDate>Wed, 02 Mar 2022 16:02:55 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/469824#M35</guid>
      <dc:creator>rjovanovski</dc:creator>
      <dc:date>2022-03-02T16:02:55Z</dc:date>
    </item>
    <item>
      <title>Re: Troubleshoot Split Tunnel Domain &amp; Applications and Exclude Video Traffic</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/471533#M38</link>
      <description>&lt;P&gt;These added domains, include or exclude, *.ringcentral.com, how does the client machine identify whether they should exit locally or go through the tunnel?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;One issue found is that, when a single domain is added in a split tunnel, some other domain traffic also starts coming through the tunnel.&lt;/P&gt;</description>
      <pubDate>Wed, 09 Mar 2022 05:41:03 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/471533#M38</guid>
      <dc:creator>sambhusarath</dc:creator>
      <dc:date>2022-03-09T05:41:03Z</dc:date>
    </item>
    <item>
      <title>Re: Troubleshoot Split Tunnel Domain &amp; Applications and Exclude Video Traffic</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/472576#M39</link>
      <description>&lt;P&gt;Thank you for correcting this article in regards to the log files and providing the details; very helpful.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;However, we seem to be running into an issue with this feature. I am just wondering if this has been tested with a recent version of clients and if you guys have a link to try this feature out to confirm whether this is working as expected or not. In our environment we can see in the pangps.log the video redirect being logged, and the session on the firewall also shows the tracker stage of the split-tunnel occurring. However, the video errors out in the browser and the users are not able to play the content. Based on the article there is a 302 redirect, but I don't see that occurring for us on the web trace. This video link is embedded on the site, so I am wondering if this feature works with embedded videos or not. Any information would help. I have opened a ticket with support also on this.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rajjair_0-1647144038150.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39613i2BB473F447DADD71/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="rajjair_0-1647144038150.png" alt="rajjair_0-1647144038150.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I also tried to copy the URL, and what I noticed was that on the first try it fails and on the second try it works after I refresh the browser, but there is no 302 redirect as mentioned in the article above. 
Below is a complete web trace from when I copied the original URL of the video and tried to play it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="rajjair_1-1647144173573.png" style="width: 400px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/39614i5276DCB00CD677B7/image-size/medium/is-moderation-mode/true?v=v2&amp;amp;px=400" role="button" title="rajjair_1-1647144173573.png" alt="rajjair_1-1647144173573.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;Thanks for any info anybody can share...&lt;/P&gt;&lt;P&gt;Raj&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Sun, 13 Mar 2022 04:04:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/472576#M39</guid>
      <dc:creator>rajjair</dc:creator>
      <dc:date>2022-03-13T04:04:33Z</dc:date>
    </item>
    <item>
      <title>Re: Troubleshoot Split Tunnel Domain &amp; Applications and Exclude Video Traffic</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/1248807#M159</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/71992"&gt;@nnaik&lt;/a&gt;&amp;nbsp;I really appreciate this post. What're the chances we see revisions in 2026 and beyond?&lt;/P&gt;</description>
      <pubDate>Mon, 23 Feb 2026 19:53:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/tac-p/1248807#M159</guid>
      <dc:creator>asciikeyboard</dc:creator>
      <dc:date>2026-02-23T19:53:43Z</dc:date>
    </item>
  </channel>
</rss>

