GloablProtect WFH Split Tunnel Domain-Include issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

GloablProtect WFH Split Tunnel Domain-Include issue

L1 Bithead

this semi coincides with the zoom discussion  

I've setup Split tunnel and added a bunch of domains *.whatever.com into the split tunnel include domain tab. This works half the time and the other half not at all. I've tested on mac and windows. 

I'm also seeing zoom traffic across my vpn tunnel even though I have excluded the domain names and zoom app in my exclude list. 


My only resolve is to add the ip addresses to the include or exclude list which solves the issue. But I'm sure many of you are aware with AWS and Cloudfront that is a big chunk of the internet if you are trying to access specific hostnames that are supposed to be coming from your corporate IP address. 

 

At this point the domain include/exclude and application include or exclude is not trustworthy.

 

After 3 days PA still doesn't know why its happening. So I'm bringing it to the forums to see if anyone here has any ideas or work arounds that I haven't thought of.

8 REPLIES 8

L7 Applicator

firstly i would run with wireshark and capture all DNS requests as the app may be making a call to somewhere unexpected.

also note that *.whatever.com will not include whatever.com

 

are you using the zoom app.  if so then try using the exclude application option.

 

this will need to be something like...

 

%LOCALAPPDATA%\Roaming\Zoom\bin\Zoom.exe

 

i use this for teams...

yup. I have the applications defined the same and like the other zoom forum request i could still see traffic traversing my IP on port 8801. 

 

Also I have wiresharked the DNS and do see it hit the tunnel. even the global protect logs show it hitting the tunnel and creating the entry in the backend. Then it skips all logic and uses the physical interface. 

Day 4 of the TAC case. worked with a senior engineer last night for an hour and a half and he couldn't explain it. 

Finally got an engineer that was able to shed some light on the subject. The technical response is the windows os doesn't use the driver of the vpn so tracert's are actually inaccurate. 

I do have the same issue with teams. It has been added to the app list and most goes via direct but some is still via tunnel.

 

its not a showstopper for me as just using this to reduce strain on company internet pipes and with over 5k laptops it makes a big difference. The users connection, video and sound experience is superb but you are correct in saying its not 100% reliable.

 

what is even more strange is that i have a small app session logger and even that shows the app as teams .exe with connection via tunnel ip.

 

i will update as and when....  

In my case , I can't see any traffic log for including domain on PAN.

 

All traffic goes through Home internet , not ipsec tunnel.

 

Any configuration need to be added on end user PC ? Mine is windows 10 and GP client is 5.1.1-12

I didn't make any changes to my client machines. 
I did make the hard but necessary decision to start using the IP routes includes and excludes as opposed to depending upon the domain-include and application include or exclude. Because of global protect driver that can pick and choose whenever it wants to function; I think traditional network may make more sense at the end of the day. I also have IPv6 turned off just for your information. 

 

 

Hi,

 

I see the same issue. I configured split for zoom app using domain and apps tab. I can see traffic in port 8801 reaching the tunnel. Any way to split this 8801port traffic?

L1 Bithead

did you find any solution for this? We also have the problem that UDP 8801 traffic from zoom client goes over tunnel although application path and domains are excluded. 

  • 6295 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!