Bypass video traffic exclusion

kalolu — Fri, 10 Jul 2020 07:55:03 GMT

Hello,

We have GP set up and one of the settings include "Exclude video traffic from the tunnel". However, we have come across an issue that private site for developers hosted in 10.0.0.0/8 network includes internally hosted videos (http-video app-id) needed for work. So when user tries to connect to website while connected to GlobalProtect, it times out, because traffic is being pushed through physical network adapter rather than via virtual tunnel and well, 10/8 network isn't helping in this case.

My question is and I really couldn't find the answer anywhere, is there anything that takes precedence before the "Exclude video traffic from the tunnel" option gets evaluated?

One option would be to enable video traffic generally and exclude tens and hundreds of apps and domains that shouldn't be going via GP, but that is not very convenient/efficient. Is there a way how to include just one specific app-id or one specific IP/domain that would bypass this rule and go via GP even though video traffic is present?

In GP GW configuration - Agent - Video traffic, there is no way to include specifics, only to exclude all/specifics.

When we tried to adjust client settings config in Split Tunnel options and included required network in Access Route under Include, it still did not work as if Video traffic setting was evaluated first and traffic has been pushed via physical link.

Any ideas?

Thanks in advance

Re: Bypass video traffic exclusion

RamprakashRT — Fri, 31 Jul 2020 16:30:28 GMT

Hi ,

Try creating a application override policy where source as GP client ips destination as 10.0.0.0/8 subnets on required ports . So the firewall not process this traffic for app identification . Try and let me know.

Thanks,

Ram

topic Re: Bypass video traffic exclusion in General Topics

Bypass video traffic exclusion

Re: Bypass video traffic exclusion