Exclude all Zoom traffic from GlobalProtect VPN


L3 Networker

We have been trying to exclude all Zoom-related traffic from the GlobalProtect VPN tunnel.

 

So far we have tried with: "*.zoom.us" exclusion configured directly on the GP gateway as a domain in:

Network --> GlobalProtect --> Gateways --> GW NAME --> Agent --> Client Settings --> Split tunnel --> Domain and Application

 

But this does not seem to completely do the trick, as Zoom uses some AWS default domains that are not under *.zoom.us.

 

What approaches will work that do not involve having to manually exclude all the IP ranges as defined here?

https://support.zoom.us/hc/en-us/articles/201362683-Network-Firewall-or-Proxy-Server-Settings-for-Zo...

 

The Zoom binary path seems to be this one, but I'm not sure PA supports wildcards on the path like this:

C:\Users\*\AppData\Roaming\Zoom\bin\Zoom.exe

 

59 REPLIES

Hi,

 

This config is working just fine for me.

Screen Shot 2020-03-23 at 11.05.49 AM.png

 

The config was tested on PAN-OS 0.04 and PAN-OS 9.0.6 and it's working in both cases.

Thanks.

What GlobalProtect version are you using?

 

We did some more tests and concluded, on Win10:

 

- With GlobalProtect 5.1 it is working fine

- We are not yet sure about GlobalProtect 5.0

- With GlobalProtect 4.1 it is not working

We are using GlobalProtect client version 5.0.2

Thanks


Hi,

 

Did you get the feature to exclude video traffic from the VPN tunnel to work?

For me, I'm sure we are using the correct config and we upgraded the GlobalProtect Gateway appliance to PAN-OS 9.0.6 (the issue was fixed in this release), but still no positive result.

I went through debug and dump logs. Checked the monitoring tab in the PA and I'm still seeing the video streaming traffic go across the tunnel (dailymotion for example).

I opened a case with support but still no answer yet.

Any help will be appreciated.

In case we find a solution with the support team, I will share it here.

 

@RamiAkermi ,

 

Try configuring both the "Exclude Video Application" option on the agent and also the domain name under exclude domains. Can you share a screenshot of the config?

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/globalprotect-features/split-tunnel...

 


~ Sai Srivastava Tumuluri ~

Hi @Sai_Tumuluri 

Please find attached screenshots of the config.

Screen Shot 2020-03-24 at 2.20.06 PM.png

Screen Shot 2020-03-24 at 2.21.03 PM.png

The simple trick I use is the following:

Method 1

  1. Go to the URL logs and filter the traffic of interest.
  2. The domain in the URL logs is the domain I would recommend matching.

Method 2

Wireshark capture

 

Following is the screenshot I saw for YouTube; try adding a regex around YouTube.

 

youtube.png


~ Sai Srivastava Tumuluri ~

L1 Bithead

Hi,

Same issue here, GP version 5.1.1-12.

 

Have added both the Program Files and AppData paths to the exclude client apps, but UDP 8801 is still traversing the VPN. Also, if I add *.zoom.us to the exclude domains and open a web browser, the site errors as below. Take it out and good to go again.

 

Any ideas?

gone.jpg

gp client.PNG

 

Hello Everyone,

 

I have tested this on 5.0.8 and 5.1.1 and got a successful result.

When tested, I closed the Zoom app before connecting to Prisma Access VPN; upon connecting, I opened the Zoom client and joined a meeting.

 

Here is an example of the "netstat -anob" output from my Windows machine:

Screen Shot 2020-03-27 at 4.00.55 PM.png

10.10.11.3 is my Prisma Access GP IP and 10.55.80.54 is my local (physical interface) IP.

 

This is how my configuration looks:

Screen Shot 2020-03-27 at 3.25.14 PM.png

I also tried adding 0.0.0.0 to the include list, and the result was the same.

Screen Shot 2020-03-27 at 3.25.07 PM.png

If you are still having issues, please open up a TAC case and a member of our team will be more than happy to assist in troubleshooting this issue.
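The check described in the post above (look at `netstat -anob` and see which local address Zoom's sockets are bound to) can be automated. The script below is an added example, not code from this thread or from Palo Alto Networks. It assumes the two addresses the post names, 10.10.11.3 as the GlobalProtect tunnel IP and 10.55.80.54 as the physical-adapter IP, and parses a constructed sample in the shape Windows `netstat -anob` prints (each socket row followed by the owning process name in square brackets). Any Zoom.exe socket bound to the tunnel address means that traffic is still going through the VPN.

```python
"""Classify a process's sockets from Windows `netstat -anob` output as tunnel or physical.

Added example for this thread; not Palo Alto Networks code. Assumes the addresses
the post names. The netstat text below is constructed, not captured.
"""
from collections import Counter

TUNNEL_IP = "10.10.11.3"     # GlobalProtect virtual adapter IP (from the post)
PHYSICAL_IP = "10.55.80.54"  # local physical interface IP (from the post)

# Constructed sample in `netstat -anob` layout. TCP rows have a State column,
# UDP rows do not; the PID is always the last column and the owning process
# name follows on the next line in square brackets.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    10.55.80.54:49876      3.125.86.104:443       ESTABLISHED     5120
 [Zoom.exe]
  UDP    10.55.80.54:61032      *:*                                    5120
 [Zoom.exe]
  TCP    10.10.11.3:49901       52.211.174.178:443     ESTABLISHED     5120
 [Zoom.exe]
  UDP    10.10.11.3:58811       *:*                                    5120
 [Zoom.exe]
  TCP    10.10.11.3:49910       10.1.1.20:443          ESTABLISHED     3310
 [OUTLOOK.EXE]
"""


def parse_netstat(text):
    """Return one dict per socket row: proto, local_ip, local_port, foreign, pid, process."""
    rows = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank and process-name lines are skipped here
        local_ip, local_port = parts[1].rsplit(":", 1)  # rsplit keeps IPv6 "[::1]:port" intact
        process = ""
        if i + 1 < len(lines):
            nxt = lines[i + 1].strip()
            if nxt.startswith("[") and nxt.endswith("]"):
                process = nxt[1:-1]
        rows.append({
            "proto": parts[0],
            "local_ip": local_ip.strip("[]"),
            "local_port": int(local_port),
            "foreign": parts[2],
            "pid": int(parts[-1]),
            "process": process,
        })
    return rows


def classify_process(rows, process="Zoom.exe"):
    """Count the named process's sockets by the local interface they are bound to."""
    counts = Counter()
    for r in rows:
        if r["process"].lower() != process.lower():
            continue
        if r["local_ip"] == TUNNEL_IP:
            counts["tunnel"] += 1
        elif r["local_ip"] == PHYSICAL_IP:
            counts["physical"] += 1
        else:
            counts["other"] += 1
    return dict(counts)


def tunnel_leaks(rows, process="Zoom.exe"):
    """Foreign endpoints the process is talking to over the tunnel (should be empty
    if the split-tunnel exclusion is effective)."""
    return [r["foreign"] for r in rows
            if r["process"].lower() == process.lower() and r["local_ip"] == TUNNEL_IP]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print(classify_process(rows))
    print("still on tunnel:", tunnel_leaks(rows))
```

On a real machine, pipe the command output into `parse_netstat` instead of the constructed sample and adjust the two IP constants to the addresses `ipconfig` shows for the PANGP adapter and the physical NIC. Note that `netstat -anob` sometimes prints a component name on its own line before the `[process]` line; those rows simply end up with an empty process name here.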

Everyone,

 

Can you start a Zoom meeting with screen sharing and video ON? Add at least 2 people with video.

 

While on the meeting, run: netstat -aenob

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQjCAK

 

Also, for IPs in the traffic logs, enable host lookup by checking the "Resolve hostname" box at the bottom, and share the screenshot again. The above link will help.

 

 

========================

 

You can open a TAC case with the above information or update it here.


~ Sai Srivastava Tumuluri ~

Did some more tests and I can see that all traffic going through the tunnel is:

( addr.dst in 3.125.86.104 )
( addr.dst in 34.250.58.96 )
( addr.dst in 3.248.169.175 )
( addr.dst in 3.11.161.246 )
( addr.dst in 3.127.185.62 )
( addr.dst in 52.211.174.178 )

 

The screenshots you were asking for: most of them resolve to an amazonaws.com domain, but some others resolve to a zoom.us domain too:

logs1.png

logs2.png
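The finding above (resolved destinations split between zoom.us and amazonaws.com names) is the reason a domain-based exclusion alone leaves traffic in the tunnel. The script below is an added example, not code from this thread or from Palo Alto Networks: it takes the exclude-domain entries configured under Split Tunnel > Domain and Application and a table of traffic-log destination IPs with their resolved hostnames, and reports which destinations the exclude list does not cover. The IPs are the ones listed in the post; the hostnames attached to them are constructed for the example, as the thread does not reproduce them.

```python
"""Report which resolved destinations a split-tunnel exclude-domain list does not cover.

Added example for this thread; not Palo Alto Networks code. The IP -> hostname
table is constructed (only the IPs come from the post).
"""
from collections import Counter
from fnmatch import fnmatchcase

# Exclude-domain entries as they would be configured on the gateway.
# '*.zoom.us' does not match the bare 'zoom.us', so both are listed.
EXCLUDE_DOMAINS = ["*.zoom.us", "zoom.us"]

# Constructed: destination IP -> hostname after "Resolve hostname" in the traffic log.
# An empty string means the reverse lookup returned nothing.
RESOLVED = {
    "3.125.86.104": "ec2-3-125-86-104.eu-central-1.compute.amazonaws.com",
    "34.250.58.96": "ec2-34-250-58-96.eu-west-1.compute.amazonaws.com",
    "3.248.169.175": "",
    "3.11.161.246": "ec2-3-11-161-246.eu-west-2.compute.amazonaws.com",
    "3.127.185.62": "zoomfra123mmr.zoom.us",   # constructed zoom.us media-router style name
    "52.211.174.178": "zoom.us",
}


def domain_matches(host, pattern):
    """Case-insensitive wildcard match. '*' also spans dots, so '*.zoom.us'
    covers 'a.b.zoom.us' as well as 'a.zoom.us'."""
    return fnmatchcase(host.lower(), pattern.lower())


def coverage_report(resolved, patterns):
    """Split destinations into: covered by the exclude list, uncovered hostnames,
    and unresolved IPs (which a domain entry can never match; only an excluded
    access route or an application/process exclusion can handle those)."""
    covered, uncovered, unresolved = [], [], []
    for ip, host in resolved.items():
        if not host:
            unresolved.append(ip)
        elif any(domain_matches(host, p) for p in patterns):
            covered.append(host)
        else:
            uncovered.append(host)
    return {
        "covered": sorted(covered),
        "uncovered": sorted(uncovered),
        "unresolved": sorted(unresolved),
    }


def suffix_counts(hosts, labels=2):
    """Count the trailing labels of each uncovered host (e.g. 'amazonaws.com') to show
    how broad a wildcard would have to be to cover them."""
    return dict(Counter(".".join(h.split(".")[-labels:]) for h in hosts))


if __name__ == "__main__":
    report = coverage_report(RESOLVED, EXCLUDE_DOMAINS)
    for key, items in report.items():
        print(f"{key}: {items}")
    print("uncovered suffixes:", suffix_counts(report["uncovered"]))
```

The suffix count makes the trade-off visible: the only domain pattern that would catch the remaining hosts is something like `*.amazonaws.com`, which would also send every other AWS-hosted service around the VPN and its inspection policy. That is why the replies in this thread steer toward the application/process exclusion or an excluded access route for the published Zoom ranges rather than a broader domain wildcard.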

I am trying to set up splitting Zoom traffic via the physical adapter following the link. All traffic goes through the tunnel except Zoom.

I am not able to get it to work without adding a route in the excluded access routes. We have a Gateway subscription license but not a Portal license.

 

Just want to confirm: if we follow the following link (it does not mention adding a route in the excluded tab), the link says it needs a GlobalProtect license. Is that a Portal license or just the Gateway subscription license?

 

Thank you

 

https://live.paloaltonetworks.com/t5/Prisma-Access-Articles/GlobalProtect-Implement-Split-Domain-and...

Hi Daniel Li,

 

You need a GlobalProtect subscription for the following feature:

Split tunneling based on destination domain, client process, and video streaming application.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-overview/about...

 

Excluding routes does not require an additional license.

Thank you SuperMario for the reply.

 

I have installed the 90-day trial GlobalProtect gateway. Is that enough? It does not work after following the link. tracert zoom.us on Windows 10 shows it going through the tunnel interface, not the physical one (restarted the GP service a few times, no access route configured). I use GP 5.1 for the Windows client. Any suggestion is appreciated.

 

The configuration used is the one in the link:

https://live.paloaltonetworks.com/t5/Prisma-Access-Articles/GlobalProtect-Implement-Split-Domain-and...

 

Gplicense.JPG

 

 

Hi Sai

 

I installed the 90-day trial GlobalProtect gateway. Is that enough? It does not work after following the link. tracert zoom.us on Windows 10 shows it going through the tunnel interface, not the physical one (restarted the GP service a few times, no access route configured). I use GP 5.1 for the Windows client. If I add a route in the excluded access routes it works, but the zoom.us IP changes sometimes. Any suggestion is appreciated.

 

The configuration used is the one in the link:

https://live.paloaltonetworks.com/t5/Prisma-Access-Articles/GlobalProtect-Implement-Split-Domain-and...

 

Gplicense.JPG

 
