Exclude Video Traffic - Global Protect


Hi there,

We've set up our GlobalProtect to exclude all video traffic, using this guide: https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split...

The firewall has all the relevant licenses required (GP Portal/Gateway license).

Here is a session that should have been excluded, but as you can see by 'tracker stage firewall: Aged out', this should be 'tracker stage firewall: split tunnel' to my knowledge. All references to 'anon' below are because I desensitized the content.

 

anon@PA-3020-ha1(active)> show session id 223050

Session          223050

        c2s flow:
                source:      172.16.6.7 [global-protect]
                dst:         anon
                proto:       6
                sport:       1079            dport:      443
                state:       INIT            type:       INNR
                src user:    anon
                dst user:    unknown
                qos node:    ethernet1/3, qos member N/A Qid 0

        s2c flow:
                source:      anon [anon]
                dst:         anon
                proto:       6
                sport:       443             dport:      22186
                state:       INIT            type:       INNR
                src user:    unknown
                dst user:    anon
                qos node:    tunnel.5, qos member N/A Qid 0

        start time                           : Tue Sep 22 15:05:12 2020
        timeout                              : 3600 sec
        total byte count(c2s)                : 2470
        total byte count(s2c)                : 899
        layer7 packet count(c2s)             : 2
        layer7 packet count(s2c)             : 3
        vsys                                 : vsys1
        application                          : youtube-base
        rule                                 : Allow-Safe-Streaming-Services
        service timeout override(index)      : False
        session to be logged at end          : True
        session in session ager              : False
        session updated by HA peer           : False
        http/2 stream                        : True
        address/port translation             : source
        nat-rule                             : (vsys1)
        layer7 processing                    : enabled
        URL filtering enabled                : True
        URL category                         : streaming-media, low-risk
        parent session                       : 222905
        refresh parent session               : True
        session via syn-cookies              : False
        session terminated on host           : False
        session traverses tunnel             : True
        session terminate tunnel             : False
        captive portal session               : False
        ingress interface                    : tunnel.5
        egress interface                     : ethernet1/3
        session QoS rule                     : GP-Users-Streaming-Temp-Bypass-1 (class 2)
        tracker stage firewall               : Aged out
        end-reason                           : aged-out

Does anyone have any ideas on why this traffic isn't being excluded? From what I can tell the configuration is correct, but when we try to watch a YouTube video, for example, it simply attempts to load and never finishes.


For the exclude video feature to work, SSL decryption is required. Please make sure that the sessions are being decrypted via the traffic logs.
I also noticed that this is an HTTP2 parent session that timed out. Is this happening with HTTP2 sessions only?
If the session is being decrypted, have you tried to strip ALPN under Client Extensions in the decryption profile? This will force the session to use HTTP1.1.

Please have a look at this doc: https://live.paloaltonetworks.com/t5/general-articles/troubleshoot-split-tunnel-domain-amp-applicati...

You can also check PanGPS.log on the client side to see if the exclude video feature is being applied. Look for the line below:

<exclude-video-redirect>yes</exclude-video-redirect>

Hope that helps!
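The reply above boils down to a short triage: read the gateway's session dump for the signs that the flow was never excluded on the client (it arrived on the tunnel interface, it is an HTTP/2 stream on a parent session, it merely aged out), then confirm on the endpoint whether PanGPS.log ever received the exclude-video-redirect tag. The script below is an added example written for this thread, not Palo Alto Networks code: it parses the summary fields of a `show session id` dump in the layout posted above and searches a PanGPS.log excerpt for the tag the reply names. The session text is a constructed sample modelled on the posted output (same 'anon' placeholders); the PanGPS.log lines around the tag are assumed, only the tag itself comes from the reply.

```python
"""Triage helper for a GlobalProtect exclude-video problem: parses a PAN-OS
'show session id' dump plus a PanGPS.log excerpt and reports why the session
contradicts a working exclude-video setup. Added example for this thread,
not vendor code; all inputs below are constructed."""

import re

# Constructed sample, modelled on the session dump posted in the thread.
SESSION_DUMP = """\
Session          223050

        c2s flow:
                source:      172.16.6.7 [global-protect]
                dst:         anon
                proto:       6
                sport:       1079            dport:      443
                state:       INIT            type:       INNR

        start time                           : Tue Sep 22 15:05:12 2020
        timeout                              : 3600 sec
        application                          : youtube-base
        rule                                 : Allow-Safe-Streaming-Services
        http/2 stream                        : True
        URL category                         : streaming-media, low-risk
        parent session                       : 222905
        session traverses tunnel             : True
        ingress interface                    : tunnel.5
        egress interface                     : ethernet1/3
        tracker stage firewall               : Aged out
        end-reason                           : aged-out
"""

# Constructed PanGPS.log fragments. Only the <exclude-video-redirect> tag is
# taken from the reply; the surrounding log lines are assumed.
PANGPS_LOG_WITH_EXCLUDE = """\
(T1234) 09/22/20 15:04:58:123 Debug(1234): gateway config received
<exclude-video-redirect>yes</exclude-video-redirect>
"""
PANGPS_LOG_WITHOUT_EXCLUDE = """\
(T1234) 09/22/20 15:04:58:123 Debug(1234): gateway config received
<exclude-video-redirect>no</exclude-video-redirect>
"""

# Summary lines look like 'key   : value' (whitespace before the colon);
# per-flow lines look like 'source:  x' (no whitespace) and are skipped.
FIELD_RE = re.compile(r"^\s*([^:]+?)\s+:\s*(.*?)\s*$")
EXCLUDE_TAG_RE = re.compile(
    r"<exclude-video-redirect>\s*(yes|no)\s*</exclude-video-redirect>", re.I)


def _coerce(value):
    """Turn the dump's literal True/False into booleans, keep the rest as text."""
    return {"True": True, "False": False}.get(value, value)


def parse_session(dump):
    """Return the summary fields of a 'show session id' dump as a dict."""
    fields = {}
    for line in dump.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = _coerce(m.group(2))
    return fields


def exclude_video_findings(fields):
    """List the signs, from the summary fields alone, that this video session
    was still carried inside the GlobalProtect tunnel."""
    findings = []
    app = fields.get("application", "")
    category = fields.get("URL category", "")
    if app.startswith("youtube") or "streaming-media" in category:
        findings.append(f"application {app!r} / category {category!r} is video "
                        "traffic the exclude-video feature should keep out of the tunnel")
    ingress = fields.get("ingress interface", "")
    if ingress.startswith("tunnel.") or fields.get("session traverses tunnel") is True:
        findings.append(f"session entered on {ingress}, i.e. inside the GP tunnel: "
                        "the client did not exclude it, so the gateway had to carry it")
    if fields.get("http/2 stream") is True and "parent session" in fields:
        findings.append(f"HTTP/2 stream on parent session {fields['parent session']}: "
                        "stripping ALPN in the decryption profile forces HTTP/1.1")
    if fields.get("end-reason") == "aged-out":
        findings.append(f"tracker stage {fields.get('tracker stage firewall')!r}: the "
                        "session was never excluded or reset, it simply idled out")
    return findings


def exclude_video_enabled(pangps_log):
    """True/False from the exclude-video-redirect tag; None if the tag is absent,
    meaning the gateway never pushed the setting to this client."""
    m = EXCLUDE_TAG_RE.search(pangps_log)
    return None if m is None else m.group(1).lower() == "yes"


def triage(dump, pangps_log):
    """Combine both views into one result a practitioner can act on."""
    return {"client_exclude_enabled": exclude_video_enabled(pangps_log),
            "findings": exclude_video_findings(parse_session(dump))}


if __name__ == "__main__":
    result = triage(SESSION_DUMP, PANGPS_LOG_WITHOUT_EXCLUDE)
    print("client received exclude-video-redirect=yes:", result["client_exclude_enabled"])
    for finding in result["findings"]:
        print("-", finding)
```

Run it against a real dump by pasting the `show session id` output in place of `SESSION_DUMP` and the client's PanGPS.log in place of the log constant; a result of `None` for the client flag means the tag is missing entirely, which points at the gateway configuration rather than at decryption or ALPN.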
