09-23-2020 02:37 AM
Hi there,
We've set up our GlobalProtect to exclude all video traffic, using this guide: https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split...
The firewall has all the relevant licenses required (GP Portal/Gateway license).
Here is a session that should have been excluded, but as you can see by 'tracker stage firewall: Aged out', this should be 'tracker stage firewall: split tunnel' to my knowledge. All references to 'anon' below are because I desensitized the content.
anon@PA-3020-ha1(active)> show session id 223050
Session 223050
c2s flow:
source: 172.16.6.7 [global-protect]
dst: anon
proto: 6
sport: 1079 dport: 443
state: INIT type: INNR
src user: anon
dst user: unknown
qos node: ethernet1/3, qos member N/A Qid 0
s2c flow:
source: anon [anon]
dst: anon
proto: 6
sport: 443 dport: 22186
state: INIT type: INNR
src user: unknown
dst user: anon
qos node: tunnel.5, qos member N/A Qid 0
start time : Tue Sep 22 15:05:12 2020
timeout : 3600 sec
total byte count(c2s) : 2470
total byte count(s2c) : 899
layer7 packet count(c2s) : 2
layer7 packet count(s2c) : 3
vsys : vsys1
application : youtube-base
rule : Allow-Safe-Streaming-Services
service timeout override(index) : False
session to be logged at end : True
session in session ager : False
session updated by HA peer : False
http/2 stream : True
address/port translation : source
nat-rule : (vsys1)
layer7 processing : enabled
URL filtering enabled : True
URL category : streaming-media, low-risk
parent session : 222905
refresh parent session : True
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : True
session terminate tunnel : False
captive portal session : False
ingress interface : tunnel.5
egress interface : ethernet1/3
session QoS rule : GP-Users-Streaming-Temp-Bypass-1 (class 2)
tracker stage firewall : Aged out
end-reason : aged-out

Does anyone have any ideas on why this traffic isn't being excluded? From what I can tell the configuration is correct, but when we try to watch a YouTube video, for example, it simply attempts to load and never finishes.
09-25-2020 04:36 PM
For the exclude video feature to work, SSL decryption is required. Please make sure, via the traffic logs, that the sessions are being decrypted.
I also noticed that this is an HTTP/2 parent session that timed out. Is this happening with HTTP/2 sessions only?
If the session is being decrypted, have you tried stripping ALPN under Client Extensions in the decryption profile? This will force the session to use HTTP/1.1.
Please have a look at this doc: https://live.paloaltonetworks.com/t5/general-articles/troubleshoot-split-tunnel-domain-amp-applicati...
You can also check PanGPS.log on the client side to see if the exclude video feature is being applied. Look for the line below:
<exclude-video-redirect>yes</exclude-video-redirect>
Hope that helps!
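The checks in the reply above are easy to run by hand on one session, but they are also easy to script when you have a handful of `show session id` dumps and client logs to compare. The following is an added example for this thread, not Palo Alto Networks code: it parses the plain-text `show session id` output into a dict and applies the reply's checks (did the session still enter on the tunnel interface, is it an HTTP/2 stream, did it age out, is the URL category video, and does PanGPS.log carry the `<exclude-video-redirect>` tag). The session text is a constructed, abbreviated copy of the dump in the question with documentation IPs; the PanGPS.log line prefix is an assumption, only the tag itself comes from the reply. Whether the session was actually decrypted is not visible in this dump and is left to the traffic log, as the reply says.

```python
"""Triage helper for a GlobalProtect 'exclude video traffic' split-tunnel case.

Added example for this thread, not Palo Alto Networks code. Parses
'show session id <n>' output and applies the checks from the reply.
The PanGPS.log prefix format below is assumed; the tag is from the reply.
"""
import re

# Constructed sample: abbreviated copy of the session dump in the question,
# with documentation addresses in place of the redacted ones.
SAMPLE_SESSION = """\
Session 223050
c2s flow:
source: 172.16.6.7 [global-protect]
dst: 203.0.113.10
sport: 1079 dport: 443
state: INIT type: INNR
qos node: ethernet1/3, qos member N/A Qid 0
s2c flow:
source: 203.0.113.10 [untrust]
dst: 172.16.6.7
sport: 443 dport: 22186
state: INIT type: INNR
start time : Tue Sep 22 15:05:12 2020
application : youtube-base
http/2 stream : True
URL category : streaming-media, low-risk
parent session : 222905
session traverses tunnel : True
ingress interface : tunnel.5
egress interface : ethernet1/3
tracker stage firewall : Aged out
end-reason : aged-out
"""

# Constructed sample: the "(Txxxx) timestamp Debug(n):" prefix is assumed.
SAMPLE_PANGPS_LOG = """\
(T1234) 09/23/20 09:01:10:101 Debug( 512): portal config received
(T1234) 09/23/20 09:01:10:118 Debug( 530): <exclude-video-redirect>yes</exclude-video-redirect>
"""

PAIR_RE = re.compile(r"(\S+):\s*(\S+)")          # "sport: 1079 dport: 443"
EXCLUDE_TAG_RE = re.compile(
    r"<exclude-video-redirect>\s*(yes|no)\s*</exclude-video-redirect>", re.I)


def parse_session(text):
    """Flatten 'show session id' output into a dict.

    Per-flow rows get a 'c2s.' / 's2c.' prefix; session-level rows (PAN-OS
    prints them as 'key : value') keep their key as printed.
    """
    fields, scope = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Session\s+(\d+)$", line)
        if m:
            fields["session id"] = m.group(1)
        elif line in ("c2s flow:", "s2c flow:"):
            scope = line.split()[0] + "."
        elif " : " in line:                       # session-level row
            scope = ""
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
        elif line.count(":") >= 2:                # two pairs on one row
            for key, value in PAIR_RE.findall(line):
                fields[scope + key] = value
        else:                                     # "source: 1.2.3.4 [zone]"
            key, value = line.split(":", 1)
            fields[scope + key.strip()] = value.strip()
    return fields


def exclude_video_enabled(log_text):
    """True/False for the last exclude-video-redirect tag seen, None if absent."""
    hits = EXCLUDE_TAG_RE.findall(log_text)
    return None if not hits else hits[-1].lower() == "yes"


def triage(fields, pangps_log=None):
    """Apply the reply's checks; returns a list of (code, explanation)."""
    findings = []
    ingress = fields.get("ingress interface", "")
    if fields.get("session traverses tunnel") == "True" and ingress.startswith("tunnel."):
        findings.append(("ENTERED_VIA_TUNNEL",
                         "arrived on %s: the client tunnelled it instead of excluding it" % ingress))
    if fields.get("http/2 stream") == "True":
        findings.append(("HTTP2_STREAM",
                         "HTTP/2 stream of parent %s; stripping ALPN in the decryption "
                         "profile forces HTTP/1.1" % fields.get("parent session", "?")))
    if fields.get("end-reason") == "aged-out":
        findings.append(("AGED_OUT", "session aged out instead of reaching the split-tunnel stage"))
    category = fields.get("URL category", "")
    if "streaming-media" in category:
        findings.append(("STREAMING_CATEGORY", "URL category '%s' is video traffic" % category))
    if pangps_log is not None:
        state = exclude_video_enabled(pangps_log)
        code = {True: "EXCLUDE_VIDEO_ON", False: "EXCLUDE_VIDEO_OFF",
                None: "EXCLUDE_VIDEO_UNKNOWN"}[state]
        findings.append((code, "PanGPS.log exclude-video-redirect tag: %s" % state))
    return findings


if __name__ == "__main__":
    for code, why in triage(parse_session(SAMPLE_SESSION), SAMPLE_PANGPS_LOG):
        print("%-22s %s" % (code, why))
```

On the sample this reports ENTERED_VIA_TUNNEL, HTTP2_STREAM, AGED_OUT, STREAMING_CATEGORY and EXCLUDE_VIDEO_ON together, which is the interesting combination: the client says the feature is on, yet the video session still arrived over tunnel.5 as an HTTP/2 stream and aged out, which points at the decryption/ALPN angle the reply raises rather than at a missing feature flag.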