Global Protect - exclude video traffic not working


L1 Bithead

Hello,

 

Did somebody successfully implement this feature?

I'm working on GP 5.0.7 and PANOS 8.1, also we have a Global Protect Gateway license active.

 

I want to exclude video traffic from the VPN tunnel. So I go to my external gateway, and enable exclude video traffic. The tunnel mode is enabled, and also in the agent config, the split tunneling is enabled (i.e. the option "no direct access to local network" is disabled).

 

When I add an application like dailymotion or netflix-streaming, I can still see that application going through the firewall.

When I leave the application panel empty, the expectation is that ALL video streaming traffic is excluded from VPN. But that is not working either.

 

So I'll be glad if someone encountered the same issue and resolved it 🙂

 

In parallel, I'm using standard split tunneling via subnet IPs, and this is working well so far. But I want to make video traffic exclusion work.

7 REPLIES

L1 Bithead

Hello,

I just tested for Netflix and it works, but I also had to add the following exclude domain entries under "Agent/Client Settings/Split Tunnel/Domain and Application":

*.netflix.com                    443

*.nflxvideo.net                 443


Hi,

 

Yes, that's the point, so you are using domain exclusion.

It means that if you go back to your gateway configuration, Video Traffic tab and deactivate the feature to bypass video, then it will continue to work (i.e. Netflix doesn't go through the tunnel).

What I would like is to use the Video Traffic feature so I don't need to add a bunch of domains and IP addresses to the exclusion list.

 

 

Hi,

I have a case open for this problem. Unfortunately I can't execute the whole action plan requested by support at this time (waiting for the "go back" to the office 🙂). I'll let you know.

I just want to share a workaround I applied for Netflix (2x entries in exclude domain).

I have another challenge today: Disneyplus and Zoom. Any experience?

I too have a case open (since December even!) because we had some video exclusion issues with other sites too.

Looks like the agent still forwards some traffic through the tunnel initially, which causes a break in the application.

First we could try Netflix after trying the same stream multiple times again, but now it doesn't work anymore.

Tried several things, upgraded and stuff but no improvement. I'll keep you guys updated whenever I get some info.

 

Yes, I think you're right. When using domains, the first packets go through the tunnel and then pass to the direct connection. For me it's working.

For Zoom I add Exclude Client Application

My setup for Netflix + Zoom + Webex: [screenshot: Capture-split.JPG]

L1 Bithead

Domain exclusion list for DisneyPlus for reference: 
https://support.opendns.com/hc/en-us/articles/360037591112-Domains-to-Allow-for-Disney-Plus
Depending on your region, inclusion of the following domains in Exclude Domain worked:
*.adobedtm.com
*.bam.nr-data.net
*.bamgrid.com
*.disney-plus.net
*.disneyplus.com
*.dssott.com
cdn.registerdisney.go.com
d9.flashtalking.com

L1 Bithead

Hi,

Did anyone get fresh news on that subject? I'm actually experiencing exclusion failure with Netflix too.

And adding domains one by one for every profile and gateway configuration is not an option (risks of mistakes, time loss every time I need to add a new domain, etc).
Like MMerlier, just using the exclude video data option would be great.
Thanks all
