<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Exclude Video Traffic - Global Protect in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/exclude-video-traffic-global-protect/m-p/352316#M453</link>
    <description>&lt;P&gt;For the exclude video feature to work, SSL decryption is required. Please make sure that the sessions are being decrypted via the traffic logs.&lt;BR /&gt;I also noticed that this is an HTTP2 parent session that timed out. Is this happening with HTTP2 sessions only?&amp;nbsp;&lt;BR /&gt;If the session is being decrypted, have you tried to strip ALPN under Client Extensions under the decryption profile? This will force the session to use HTTP1.1&amp;nbsp;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Please have a look at this doc:&amp;nbsp;&lt;A href="https://live.paloaltonetworks.com/t5/general-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/ta-p/321075" target="_blank" rel="noopener"&gt;https://live.paloaltonetworks.com/t5/general-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/ta-p/321075&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;You can also check the PanGPS.log on the client side to see if the exclude video feature is being applied. Look for the line below:&lt;/P&gt;&lt;PRE&gt;&amp;lt;exclude-video-redirect&amp;gt;yes&amp;lt;/exclude-video-redirect&amp;gt;&lt;/PRE&gt;&lt;P&gt;&lt;BR /&gt;Hope that helps!&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
    <pubDate>Fri, 25 Sep 2020 23:36:26 GMT</pubDate>
    <dc:creator>khans</dc:creator>
    <dc:date>2020-09-25T23:36:26Z</dc:date>
    <item>
      <title>Exclude Video Traffic - Global Protect</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/exclude-video-traffic-global-protect/m-p/351357#M435</link>
      <description>&lt;P&gt;Hi there,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We've set up our Global Protect to exclude all video traffic, using this guide:&amp;nbsp;&lt;A href="https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/exclude-video-traffic-from-the-globalprotect-vpn-tunnel.html" target="_blank"&gt;https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/exclude-video-traffic-from-the-globalprotect-vpn-tunnel.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The firewall has all the relevant licenses required (GP Portal/Gateway license).&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is a session that should have been excluded but as you can see by the 'tracker stage firewall: Age out', this should be 'tracker stage firewall: split tunnel' to my knowledge. All references to 'anon' below are because I desensitized the content.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;PRE&gt;anon@PA-3020-ha1(active)&amp;gt; show session id 223050

Session          223050

        c2s flow:
                source:      172.16.6.7 [global-protect]
                dst:         anon
                proto:       6
                sport:       1079            dport:      443
                state:       INIT            type:       INNR
                src user:    anon
                dst user:    unknown
                qos node:    ethernet1/3, qos member N/A Qid 0

        s2c flow:
                source:      anon [anon]
                dst:         anon
                proto:       6
                sport:       443             dport:      22186
                state:       INIT            type:       INNR
                src user:    unknown
                dst user:    anon
                qos node:    tunnel.5, qos member N/A Qid 0

        start time                           : Tue Sep 22 15:05:12 2020
        timeout                              : 3600 sec
        total byte count(c2s)                : 2470
        total byte count(s2c)                : 899
        layer7 packet count(c2s)             : 2
        layer7 packet count(s2c)             : 3
        vsys                                 : vsys1
        application                          : youtube-base
        rule                                 : Allow-Safe-Streaming-Services
        service timeout override(index)      : False
        session to be logged at end          : True
        session in session ager              : False
        session updated by HA peer           : False
        http/2 stream                        : True
        address/port translation             : source
        nat-rule                             : (vsys1)
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : streaming-media, low-risk
        parent session                       : 222905
        refresh parent session               : True
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : True
        session terminate tunnel             : False
        captive portal session               : False
        ingress interface                    : tunnel.5
        egress interface                     : ethernet1/3
        session QoS rule                     : GP-Users-Streaming-Temp-Bypass-1 (class 2)
        tracker stage firewall               : Aged out
        end-reason                           : aged-out&lt;/PRE&gt;&lt;P&gt;&amp;nbsp;Does anyone have any ideas on why this traffic isn't being excluded? From what I can tell the configuration is correct, but when we try to watch a YouTube video for example, it simply attempts to load and never finishes.&lt;/P&gt;</description>
      <pubDate>Wed, 23 Sep 2020 09:37:59 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/exclude-video-traffic-global-protect/m-p/351357#M435</guid>
      <dc:creator>KyranMendoza</dc:creator>
      <dc:date>2020-09-23T09:37:59Z</dc:date>
    </item>
    <item>
      <title>Re: Exclude Video Traffic - Global Protect</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/exclude-video-traffic-global-protect/m-p/352316#M453</link>
      <description>&lt;P&gt;For the exclude video feature to work, SSL decryption is required. Please make sure that the sessions are being decrypted via the traffic logs.&lt;BR /&gt;I also noticed that this is an HTTP2 parent session that timed out. Is this happening with HTTP2 sessions only?&amp;nbsp;&lt;BR /&gt;If the session is being decrypted, have you tried to strip ALPN under Client Extensions under the decryption profile? This will force the session to use HTTP1.1&amp;nbsp;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;Please have a look at this doc:&amp;nbsp;&lt;A href="https://live.paloaltonetworks.com/t5/general-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/ta-p/321075" target="_blank" rel="noopener"&gt;https://live.paloaltonetworks.com/t5/general-articles/troubleshoot-split-tunnel-domain-amp-applications-and-exclude/ta-p/321075&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;You can also check the PanGPS.log on the client side to see if the exclude video feature is being applied. Look for the line below:&lt;/P&gt;&lt;PRE&gt;&amp;lt;exclude-video-redirect&amp;gt;yes&amp;lt;/exclude-video-redirect&amp;gt;&lt;/PRE&gt;&lt;P&gt;&lt;BR /&gt;Hope that helps!&amp;nbsp;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Fri, 25 Sep 2020 23:36:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/exclude-video-traffic-global-protect/m-p/352316#M453</guid>
      <dc:creator>khans</dc:creator>
      <dc:date>2020-09-25T23:36:26Z</dc:date>
    </item>
  </channel>
</rss>

