this semi coincides with the zoom discussion
I've setup Split tunnel and added a bunch of domains *.whatever.com into the split tunnel include domain tab. This works half the time and the other half not at all. I've tested on mac and windows.
I'm also seeing zoom traffic across my vpn tunnel even though I have excluded the domain names and zoom app in my exclude list.
My only resolve is to add the ip addresses to the include or exclude list which solves the issue. But I'm sure many of you are aware with AWS and Cloudfront that is a big chunk of the internet if you are trying to access specific hostnames that are supposed to be coming from your corporate IP address.
At this point the domain include/exclude and application include or exclude is not trustworthy.
After 3 days PA still doesn't know why its happening. So I'm bringing it to the forums to see if anyone here has any ideas or work arounds that I haven't thought of.
firstly i would run with wireshark and capture all DNS requests as the app may be making a call to somewhere unexpected.
also note that *.whatever.com will not include whatever.com
are you using the zoom app. if so then try using the exclude application option.
this will need to be something like...
i use this for teams...
yup. I have the applications defined the same and like the other zoom forum request i could still see traffic traversing my IP on port 8801.
Also I have wiresharked the DNS and do see it hit the tunnel. even the global protect logs show it hitting the tunnel and creating the entry in the backend. Then it skips all logic and uses the physical interface.
Day 4 of the TAC case. worked with a senior engineer last night for an hour and a half and he couldn't explain it.
I do have the same issue with teams. It has been added to the app list and most goes via direct but some is still via tunnel.
its not a showstopper for me as just using this to reduce strain on company internet pipes and with over 5k laptops it makes a big difference. The users connection, video and sound experience is superb but you are correct in saying its not 100% reliable.
what is even more strange is that i have a small app session logger and even that shows the app as teams .exe with connection via tunnel ip.
i will update as and when....
I didn't make any changes to my client machines.
I did make the hard but necessary decision to start using the IP routes includes and excludes as opposed to depending upon the domain-include and application include or exclude. Because of global protect driver that can pick and choose whenever it wants to function; I think traditional network may make more sense at the end of the day. I also have IPv6 turned off just for your information.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!