We've set up our global protect to exclude all video traffic, using this guide: https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split...
The firewall has all the relevant licenses required (GP Portal/Gateway license)
Here is a session that should have been excluded but as you can see by the 'tracker stage firewall: Age out', this should be 'tracker stage firewall: split tunnel' to my knowledge. All reference to 'anon' below is because I desensitized the content.

anon@PA-3020-ha1(active)> show session id 223050

Session          223050

        c2s flow:
                source:      172.16.6.7 [global-protect]
                dst:         anon
                proto:       6
                sport:       1079            dport:      443
                state:       INIT            type:       INNR
                src user:    anon
                dst user:    unknown
                qos node:    ethernet1/3, qos member N/A Qid 0

        s2c flow:
                source:      anon [anon]
                dst:         anon
                proto:       6
                sport:       443             dport:      22186
                state:       INIT            type:       INNR
                src user:    unknown
                dst user:    anon
                qos node:    tunnel.5, qos member N/A Qid 0

        start time                            : Tue Sep 22 15:05:12 2020
        timeout                               : 3600 sec
        total byte count(c2s)                 : 2470
        total byte count(s2c)                 : 899
        layer7 packet count(c2s)              : 2
        layer7 packet count(s2c)              : 3
        vsys                                  : vsys1
        application                           : youtube-base
        rule                                  : Allow-Safe-Streaming-Services
        service timeout override(index)       : False
        session to be logged at end           : True
        session in session ager               : False
        session updated by HA peer            : False
        http/2 stream                         : True
        address/port translation              : source
        nat-rule                              : (vsys1)
        layer7 processing                     : enabled
        URL filtering enabled                 : True
        URL category                          : streaming-media, low-risk
        parent session                        : 222905
        refresh parent session                : True
        session via syn-cookies               : False
        session terminated on host            : False
        session traverses tunnel              : True
        session terminate tunnel              : False
        captive portal session                : False
        ingress interface                     : tunnel.5
        egress interface                      : ethernet1/3
        session QoS rule                      : GP-Users-Streaming-Temp-Bypass-1 (class 2)
        tracker stage firewall                : Aged out
        end-reason                            : aged-out
Does anyone have any ideas on why this traffic isn't being excluded? From what I can tell the configuration is correct, but when we try to watch a youtube video for example, it simply attempts to load and never finishes.
For the exclude video feature to work, SSL decryption is required. Please make sure that the sessions are being decrypted via the traffic logs.
I also noticed that this is an HTTP2 parent session that timed out. Is this happening with HTTP2 sessions only?
If the session is being decrypted, have you tried to strip ALPN under Client Extensions under the decryption profile? This will force the session to use HTTP1.1
Please have a look at this doc: https://live.paloaltonetworks.com/t5/general-articles/troubleshoot-split-tunnel-domain-amp-applicati...
You can also check the PanGPS.log on the client-side to see if exclude video feature is being applied. Look for the line below
Hope that helps!
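The session dump in the question and the checks in the reply (HTTP/2 parent session, aged-out tracker stage, whether the flow ever left the tunnel) can be turned into a small diagnostic. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses the scalar "key : value" fields of a PAN-OS `show session id` dump and reports the signs that a GlobalProtect exclude-video session was not actually excluded. The embedded sample is the desensitized dump from the question, re-broken into lines; the finding codes (`in-tunnel`, `http2`, `aged-out`, `streaming`) are names chosen here, not PAN-OS terminology.

```python
"""Flag why a GlobalProtect exclude-video (split tunnel) session may not have
been excluded, from a PAN-OS `show session id` dump.

Added example for this thread; the sample below mirrors the question's
desensitized session output.
"""
from typing import Dict, List, Tuple

# Constructed sample: the question's session dump, re-broken into lines.
SAMPLE_SESSION = """\
Session          223050
        c2s flow:
                source:      172.16.6.7 [global-protect]
                dst:         anon
                proto:       6
                sport:       1079            dport:      443
                state:       INIT            type:       INNR
                qos node:    ethernet1/3, qos member N/A Qid 0
        s2c flow:
                source:      anon [anon]
                dst:         anon
                proto:       6
                sport:       443             dport:      22186
                qos node:    tunnel.5, qos member N/A Qid 0
        start time                            : Tue Sep 22 15:05:12 2020
        timeout                               : 3600 sec
        total byte count(c2s)                 : 2470
        total byte count(s2c)                 : 899
        vsys                                  : vsys1
        application                           : youtube-base
        rule                                  : Allow-Safe-Streaming-Services
        http/2 stream                         : True
        layer7 processing                     : enabled
        URL filtering enabled                 : True
        URL category                          : streaming-media, low-risk
        parent session                        : 222905
        session traverses tunnel              : True
        ingress interface                     : tunnel.5
        egress interface                      : ethernet1/3
        tracker stage firewall                : Aged out
        end-reason                            : aged-out
"""


def parse_session(text: str) -> Dict[str, str]:
    """Return the scalar session fields ("key : value" lines) as a dict.

    Flow sub-fields ("source: ...") and the "Session N" header use "key:"
    without a space before the colon, so they are skipped here.
    """
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def diagnose(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs for signs the exclusion did not apply."""
    findings: List[Tuple[str, str]] = []
    ingress = fields.get("ingress interface", "")
    # An excluded flow never enters the tunnel; arriving on tunnel.N means the
    # endpoint sent it through GlobalProtect anyway.
    if fields.get("session traverses tunnel") == "True" or ingress.startswith("tunnel."):
        findings.append(("in-tunnel",
                         "ingress on %s: the client routed this flow through the "
                         "tunnel, so the exclusion was not applied on the endpoint" % ingress))
    if fields.get("http/2 stream") == "True":
        findings.append(("http2",
                         "HTTP/2 stream (parent session %s); the reply suggests stripping "
                         "ALPN in the decryption profile to fall back to HTTP/1.1"
                         % fields.get("parent session", "?")))
    if fields.get("end-reason") == "aged-out":
        findings.append(("aged-out",
                         "tracker stage '%s': the flow idled until the %s timeout expired"
                         % (fields.get("tracker stage firewall", "?"), fields.get("timeout", "?"))))
    if "streaming-media" in fields.get("URL category", ""):
        findings.append(("streaming",
                         "URL category '%s' (app %s) is exactly the traffic exclude-video targets"
                         % (fields.get("URL category"), fields.get("application", "?"))))
    return findings


def finding_codes(text: str) -> List[str]:
    """Convenience wrapper: parse a dump and return only the finding codes."""
    return [code for code, _ in diagnose(parse_session(text))]


if __name__ == "__main__":
    for code, why in diagnose(parse_session(SAMPLE_SESSION)):
        print("%-10s %s" % (code, why))
```

Run it against a fresh `show session id <id>` capture for a session that should have been excluded: an `in-tunnel` finding means the endpoint never split the flow out, which points at the client side (the PanGPS.log check in the reply) rather than at the firewall policy; `http2` without `in-tunnel` points at the ALPN/decryption angle instead.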