GlobalProtect Troubleshooting Tips: Split Tunnel Domain & Applications and Exclude Video Traffic Features
GlobalProtect with on-premise firewall is utilized by employees to securely connect to their enterprise environment and access their corporate applications. GlobalProtect supports Split Tunnel Domain & Applications and Exclude Video Traffic features to exclude certain bandwidth clogging applications and domains to help enterprises with business continuity during high Work From Home (WFH) scenarios because of a COVID-19 pandemic or any other type of calamity.
To verify and troubleshoot the split tunnel domain and application traffic features, you can utilize the following steps:
First step is to verify whether the configuration on the gateway for ‘Split Tunnel Domain’ or ‘Split Application’ has been pushed correctly on the GlobalProtect app or not. This can be verified by collecting GlobalProtect logs. For steps on collecting GlobalProtect logs refer to: How to Collect Logs From GlobalProtect Clients.
Within GlobalProtect logs bundle, review PanGPS.log and verify that based on the configuration on the gateway GlobalProtect receives:
<member>/Applications/RingCentral for Mac.app/Contents/MacOS/Softphone</member>
Within the GlobalProtect logs bundle, also review gpsplit.log and see the split tunnel and application rules applied. In the logs below, we can see that ‘.ringcentral.com’ application is bound to physical interface en0. Thus, traffic for the RingCentral application will be excluded from the VPN tunnel. Here, Rule 0 to 3 corresponds to the IP address of the domain and application we have configured on the gateway.
NOTE: If an FQDN resolves to multiple IP addresses, all the IP addresses will be added to the exclude rules.
You can also verify the connection table on the client machine and confirm that specific application connections are going via physical interface and not the tunnel interface. On macOS, use ‘netstat -arn’ command, and on a Windows machine, this ‘netstat -anob’ command can be used.
We can also utilize 'whois' lookup utility to find the public IP address associated with specific domains or ISPs. whois lookup for IP address
For application visibility on Windows platforms, Microsoft Network Monitor can also be utilized. More information can be found in this article: Information about Network Monitor 3.
To track traffic for a specific domain, enable wireshark packet captures on the client machine on the physical and tunnel (gpd0) interface. This is considered the most reliable method to track the traffic for specific domains. To find an IP address for a specific domain, resolve the IP address of the specific domain using nslookup as shown below. Apply the resulting IP address as a filter in wireshark. $ nslookup ringcentral.com Non-authoritative answer: Name: ringcentral.com Address: 220.127.116.11 Name: ringcentral.com Address: 18.104.22.168
Exclude Video Traffic
To verify and troubleshoot exclude video traffic from the tunnel (Windows and macOS only) feature, you can utilize following steps:
Verify whether the configuration you have on your gateway for ‘Exclude video traffic from the tunnel (Windows and macOS only)’ has been pushed correctly on the GlobalProtect or not. This can be verified by collecting GlobalProtect logs. For steps on collecting GlobalProtect logs, refer to this knowledge article: How to Collect Logs From GlobalProtect Clients.
Within the GlobalProtect logs bundle, you can review PanGPS.log and verify that ‘Exclude video traffic from the tunnel (Windows and macOS only)’ configuration is received from the gateway as shown below:
The firewall will send a redirect message to GlobalProtect once it understands that the specific video application needs to be excluded from the VPN tunnel. In our example, we are excluding YouTube traffic. It determines the application as video based on the initial http/https request from the client, and it also matches the destination domain in the request with the one configured. Review of PanGPS.log file within the GlobalProtect logs bundle will confirm the video redirect message received by GlobalProtect client from the gateway. Same can be seen in the logs below: Split tunneling is enabled: 0 include app, 2 exclude app, 0 include domain, 3 exclude domain, video-redirect yes Debug(1732): SP set exclude ip 22.214.171.124, port 443 for video redirect Debug(1732): SP set exclude ip 126.96.36.199, port 443 for video redirect Debug(1732): SP set exclude ip 188.8.131.52, port 443 for video redirect
On the firewall, you can filter the session based on a specific application by using command ‘show session all filter application <application-name>’. The example below is filtering ‘youtube-base’ application: Admin view of PA-3260 in show session all filter application command
Review the specific session details based on the output from Step 4 by using command ‘show session id <session id>’. Look for 'tracker stage firewall: split tunnel' in the session detail output, which confirms that the traffic is being excluded from the VPN tunnel.
Browser verification can also be performed for HTTP 302 redirect response received from the gateway for the URL or video application, which we have excluded. In Chrome, Firefox, or Internet Explorer, you can utilize the Web Developer/Developer tools and Network option within them for such verification. HTTP 302 URL redirect message is seen under the status or result column when the gateway sends a redirect message. The below snapshot provides an example for Firefox Web Developer tool where under status column 302 redirect received from the gateway is seen for video playback. Example of the Firefox Web Developer tool showing status column 302 results