We have been trying to exclude all Zoom-related traffic from the GlobalProtect VPN tunnel.
So far we have tried with: "*.zoom.us" exclusion configured directly on the GP gateway as a domain in:
Network --> GlobalProtect --> Gateways --> GW NAME --> Agent --> Client Settings --> Split tunnel --> Domain and Application
But this does not seem to completely do the trick, as Zoom uses some AWS default domains that are not under *.zoom.us.
What approaches will work that do not involve having to manually exclude all the IP ranges as defined here?
The Zoom binary path seems to be this one, but I'm not sure PA supports wildcards on the path like this:
The simple trick I use is the following:
Following is the screenshot I saw for YouTube; try adding a regex around YouTube.
Same issue here GP version 5.1.1-12
Have added both the Program Files and AppData paths to the exclude client apps, but UDP 8801 is still traversing the VPN. Also, if I add *.zoom.us to the exclude domains and open a web browser, the site errors as below. Take it out and it is good to go again.
I have tested this on 5.0.8 and 5.1.1 and got a successful result.
When testing, I closed the Zoom app before connecting to Prisma Access VPN; upon connecting, I opened the Zoom client and joined a meeting.
Here is an example of the "netstat -anob" output from my windows machine:
10.10.11.3 is my Prisma Access GP IP and 10.55.80.54 is my local (physical interface) IP.
This is what my configuration looks like:
I also tried adding the 0.0.0.0 on the include list, and the result was the same.
If you are still having issues, please open a TAC case and a member of our team will be more than happy to assist in troubleshooting this issue.
Can you start a Zoom meeting with screen sharing and video ON? Add at least 2 people with video.
While on the meeting, run: netstat -aenob
Also, for IPs in the traffic logs, enable host lookup by checking the "Resolve hostname" box at the bottom, and share the screenshot again. The above link will help.
You can open a TAC case with the above information or update it here.
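The check described in this exchange (look at "netstat -anob" and see whether Zoom's sockets are bound to the tunnel IP or the physical adapter IP) can be automated. This is an added example, not code from the thread or from Palo Alto Networks; it assumes the tunnel and physical IPs quoted above (10.10.11.3 and 10.55.80.54) and works on constructed sample output in the Windows netstat -anob layout.

```python
import re

# Constructed sample of Windows "netstat -anob" output (not captured from the thread).
# Local IPs reuse the poster's values: 10.10.11.3 = GlobalProtect tunnel, 10.55.80.54 = physical NIC.
# Foreign addresses are RFC 5737 documentation ranges, not real Zoom/AWS endpoints.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.55.80.54:51234      203.0.113.10:443       ESTABLISHED     4120
 [Zoom.exe]
  UDP    10.10.11.3:62231       *:*                                    4120
 [Zoom.exe]
  TCP    10.10.11.3:50001       198.51.100.7:443       ESTABLISHED     2204
 [chrome.exe]
  UDP    10.55.80.54:8801       *:*                                    4120
 [Zoom.exe]
"""

# A connection row: proto, local, foreign, optional state (UDP rows have none), PID.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
# The "-b" owner row that follows a connection, e.g. " [Zoom.exe]".
PROC_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_netstat(text):
    """Pair each connection row with the [process] row that follows it."""
    conns, pending = [], []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            # rsplit keeps IPv6 literals such as [::]:135 intact.
            pending.append({"proto": proto, "local_ip": local.rsplit(":", 1)[0],
                            "foreign": foreign, "state": state, "pid": int(pid)})
            continue
        m = PROC_RE.match(line)
        if m:
            for c in pending:
                c["process"] = m.group(1)
            conns.extend(pending)
            pending = []
    return conns


def classify_zoom(conns, tunnel_ip, physical_ip, process="Zoom.exe"):
    """Count the process's sockets bound to the tunnel IP vs the physical IP."""
    summary = {"tunnel": 0, "physical": 0, "other": 0}
    for c in conns:
        if c.get("process", "").lower() != process.lower():
            continue
        key = "tunnel" if c["local_ip"] == tunnel_ip else \
              "physical" if c["local_ip"] == physical_ip else "other"
        summary[key] += 1
    return summary  # exclusion is effective only when summary["tunnel"] == 0
```

Run it on a real capture with `parse_netstat(open("netstat.txt").read())`; any socket counted under "tunnel" is Zoom traffic that the split-tunnel exclusion did not catch.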
Did some more tests and I can see that all traffic going through the tunnel is:
( addr.dst in 184.108.40.206 )
( addr.dst in 220.127.116.11 )
( addr.dst in 18.104.22.168 )
( addr.dst in 22.214.171.124 )
( addr.dst in 126.96.36.199 )
( addr.dst in 188.8.131.52 )
The screenshots you were asking for: most of them resolve as amazonaws.com domains, but some others resolve as zoom.us domains too:
I am trying to set up splitting Zoom traffic via the physical adapter, following the link. All traffic goes through the tunnel except Zoom.
I am not able to get it to work without adding a route in the excluded access routes. We have a Gateway subscription license but not a Portal license.
Just want to confirm: if we follow the following link (it does not mention adding a route in the excluded tab), the link says it needs a GlobalProtect license. Is it the Portal license or just the Gateway subscription license?
Hi Daniel Li,
You need a GlobalProtect subscription for the following feature:
Split tunneling based on destination domain, client process, and video streaming application.
Excluding routes does not require an additional license.
Thank you SuperMario for the reply.
I have installed the 90-day trial GlobalProtect gateway. Is that enough? It does not work after following the link. tracert zoom.us on Windows 10 shows it going through the tunnel interface, not the physical one (restarted the GP service a few times, no access route configured). I use GP 5.1 for the Windows client. Any suggestion is appreciated.
The configuration used is the one from the link.
I installed the 90-day trial GlobalProtect gateway. Is that enough? It does not work after following the link. tracert zoom.us on Windows 10 shows it going through the tunnel interface, not the physical one (restarted the GP service a few times, no access route configured). I use GP 5.1 for the Windows client. If I add a route in the excluded access routes it works, but the zoom.us IP changes sometimes. Any suggestion is appreciated.
The configuration used is the one from the link.