Exclude all Zoom traffic from GlobalProtect VPN

L0 Member

Re: Exclude all Zoom traffic from GlobalProtect VPN

Same type of behavior on my end, so I went ahead and added the Zoom IP blocks listed for port 8801:

https://support.zoom.us/hc/en-us/articles/201362683-Network-Firewall-or-Proxy-Server-Settings-for-Zo...

Which came out to 57 entries. Doing this seems to have helped somewhat: while doing 1-on-1 tests, I wouldn't see traffic show up in the firewall logs, even when testing with other users. However, we now have ~3,000+ employees working remotely, so I am starting to see these logs appear, but it seems not as much as you would think. I have a case open with Palo Alto; they are able to replicate but unable to provide a solution.

On top of adding the IP blocks, we are excluding the domains,

*.zoom.us

and application processes for both PC and macOS

Macintosh HD/Applications/Zoom.app
C:\Program Files (x86)\Zoom\bin\Zoom.exe

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/globalprotect-features/split-tunnel...

This article gives great instructions but doesn't obviously seem to work.

I am also attempting the same with BOX and will see how things go in the coming days.

Cyber Elite

Re: Exclude all Zoom traffic from GlobalProtect VPN

Hello,

You might want to check your company's policy and regulations regarding split tunnels, as most don't allow it. I'm sure there is a reason for the request; however, why would you want to lose that visibility?

Regards,

L2 Linker

Re: Exclude all Zoom traffic from GlobalProtect VPN

Thanks for the feedback, seems you are facing the exact same scenario.

In our case, we want to avoid adding the network ranges, as it's something we would need to keep updated as they add/remove ranges, plus we would need to do manual configurations in multiple gateways. The API could be an option to automate this, but anyway we would need to keep an eye on the Zoom article while they add/remove them.
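The log check that the first reply's IP-block approach and this worry about list drift both call for, as an added example (not code from the thread or from Palo Alto Networks): it reads constructed traffic-log lines, assumes the column layout given in the comment and that hostnames were resolved in the log view, and classifies each Zoom flow still seen on the tunnel interface as either an exclusion the client did not honour or a destination missing from the static exclude list. RFC 5737 documentation ranges stand in for Zoom's published blocks.

```python
import ipaddress
# Constructed exclude list as pushed to the gateway; RFC 5737 documentation
# ranges stand in for Zoom's published port-8801 IP blocks.
EXCLUDED_CIDRS = ["203.0.113.0/24", "198.51.100.0/25"]
EXCLUDED_DOMAINS = ["*.zoom.us"]
# Constructed traffic-log excerpt (assumed column order; "-" = hostname not
# resolved): time,src,dst,dport,app,hostname,egress interface
SAMPLE_LOG = """\
2020-03-23 11:05:49,10.50.1.23,203.0.113.17,8801,zoom,zoom.us,tunnel.1
2020-03-23 11:05:51,10.50.1.23,198.51.100.200,8801,zoom,-,tunnel.1
2020-03-23 11:05:52,10.50.1.44,192.0.2.77,443,ssl,www.example.com,tunnel.1
2020-03-23 11:05:55,10.50.1.23,198.51.100.10,8801,zoom,-,ethernet1/1
"""

def parse_log(text):
    rows = []
    for line in text.splitlines():
        ts, src, dst, dport, app, host, iface = line.split(",")
        rows.append({"ts": ts, "src": src, "dst": ipaddress.ip_address(dst),
                     "dport": int(dport), "app": app, "host": host, "iface": iface})
    return rows

def host_matches(host, patterns):
    """Match a resolved hostname against exclude-domain entries like *.zoom.us."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):            # wildcard covers the base domain too
            if host == pat[2:] or host.endswith(pat[1:]):
                return True
        elif host == pat:
            return True
    return False

def audit_tunnel_flows(rows, cidrs, domains, tunnel_iface="tunnel.1"):
    """Classify Zoom flows still crossing the tunnel: a destination covered by the
    exclude config means the client did not honour it; an uncovered one means the
    static IP list has not caught up with Zoom's current ranges."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    findings = []
    for r in rows:
        if r["iface"] != tunnel_iface:
            continue
        by_name = host_matches(r["host"], domains)
        if r["app"] != "zoom" and not by_name:
            continue
        covered = by_name or any(r["dst"] in n for n in nets)
        findings.append((str(r["dst"]), "exclusion_not_honoured" if covered
                         else "destination_not_in_exclude_list"))
    return findings
```

Run against a real export, the second category is the list of ranges to add (or the cue to move to domain-based exclusion), while the first points at agent version or configuration rather than the list.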

L2 Linker

Re: Exclude all Zoom traffic from GlobalProtect VPN

There is not much added value in sending Zoom traffic through the VPN when Zoom is classified as a low-risk app by Applipedia; it's an allowed application, meaning there is no need to block/restrict it. We want to give this application the best performance due to the current situation (and sending it through the VPN is for sure not the way to achieve this). The only thing we might lose here is the ability to see & block file transfers as they flow through the Zoom sharing connection, but that's something we accept.

L4 Transporter

Re: Exclude all Zoom traffic from GlobalProtect VPN

Can you start a Zoom meeting with screen sharing and video on? Add at least 2 people with video.

While on the meeting, run: netstat -aenob

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQjCAK

Also, for IPs in the traffic logs, enable host lookup by checking the box at the bottom (Resolve hostname), and share the screenshot again. The above link will help.

https://support.zoom.us/hc/en-us/articles/201362683-Network-Firewall-or-Proxy-Server-Settings-for-Zo...

~ Sai Srivastava Tumuluri ~
L1 Bithead

Re: Exclude all Zoom traffic from GlobalProtect VPN

Hi,

 

This config is working just fine for me.


The config was tested on PAN-OS 0.04 and PAN-OS 9.0.6 and it's working in both cases.

Thanks.

L2 Linker

Re: Exclude all Zoom traffic from GlobalProtect VPN

What GlobalProtect version are you using?

We did some more tests and concluded, with Win10:

- With GlobalProtect 5.1 it is working fine

- We are not yet sure about GlobalProtect 5.0

- With GlobalProtect 4.1 it is not working

L1 Bithead

Re: Exclude all Zoom traffic from GlobalProtect VPN

We are using GlobalProtect client version 5.0.2

Thanks.

L1 Bithead

Re: Exclude all Zoom traffic from GlobalProtect VPN

Hi,

Did you get the "exclude video traffic from VPN tunnel" feature to work?

For me, I'm sure we are using the correct config, and we upgraded the GlobalProtect Gateway appliance to PAN-OS 9.0.6 (the issue was fixed in this release), but still no positive result.

I went through debug and dump logs. I checked the monitoring tab in the PA and I'm still seeing the video streaming traffic go across the tunnel (Dailymotion, for example).

I opened a case with support but still no answer yet.

Any help will be appreciated.

In case we find a solution with the support team, I will share it here.

L4 Transporter

Re: Exclude all Zoom traffic from GlobalProtect VPN

@RamiAkermi,

Try configuring both the "Exclude Video Application" option on the agent and also the domain name under exclude domains. Can you share a screenshot of the config?

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/globalprotect-features/split-tunnel...

~ Sai Srivastava Tumuluri ~