GlobalProtect
Exclude Video Traffic from the GlobalProtect VPN Tunnel
Table of Contents
Exclude Video Traffic from the GlobalProtect VPN Tunnel
Exclude video streaming traffic from the VPN tunnel.
You can configure a split tunnel to exclude
HTTP/HTTPS video streaming traffic to a specific domain from being
sent over the VPN tunnel. This allows video traffic to go directly
from the physical interfaces on the endpoint. The App-ID functionality
on the firewall identifies the video stream before traffic can be
split tunneled. By excluding lower risk video streaming traffic
(such as YouTube and Netflix) from the VPN tunnel, you can decrease
bandwidth consumption on the gateway.
With a GlobalProtect
license, you can enforce or apply split tunnel rules to exclude
video streaming traffic from the VPN tunnel on Windows and macOS
endpoints.
All video traffic types are redirected for
the following video-streaming applications:
- YouTube
- Dailymotion
- Netflix
If you exclude any other video-streaming
applications from the VPN tunnel, only the following video traffic
types are redirected for those applications:
- MP4
- WebM
- MPEG
Use the following steps to configure
a split tunnel to exclude video streaming traffic from the VPN tunnel.
- Before you begin:
- Follow these prerequisites:
- Supported only on endpoints with Windows 7 Service Pack 2 and later releases and macOS 10.10 and later releases.
- You must ensure that the IP pools used to assign IP addresses to the virtual network adapters on these endpoints do not include any IPv6 addresses. If the physical adapter on a Windows or macOS endpoint supports only IPv4 addresses, the endpoint user cannot access the video streaming applications that you exclude from the VPN tunnel when you configure the GlobalProtect gateway to assign IPv6 addresses to the virtual network adapters on the endpoints that connect to the gateway.
- If you exclude video streaming traffic from the VPN tunnel, do not include web browser applications, such as Firefox or Chrome, in the VPN tunnel. This ensures that there is no conflicting logic in the split tunnel configuration and that your users can stream videos from web browsers.
- To exclude Sling TV app traffic from the VPN tunnel, configure a split tunnel based on an application.
Configure a GlobalProtect gateway.Select to modify an existing gateway or add a new one.Enable a split tunnel.- In the GlobalProtect Gateway Configuration dialog, select to enable Tunnel Mode.Configure the tunnel parameters for the GlobalProtect app.(Tunnel Mode Only) Exclude HTTP/HTTPS video streaming traffic from the VPN tunnel.
- In the GlobalProtect Gateway Configuration dialog, select .Enable the option to Exclude video applications from the tunnel.If you enable this option but do not exclude specific video streaming applications from the VPN tunnel, all video streaming traffic is excluded.Excluded video traffic will not take split tunnel configuration into account for video flows.(Optional) Browse the Applications list to view all of the video streaming applications that you can exclude from the VPN tunnel. Click the add () icon for the applications that you want to exclude. For example, click the add icon for directv to exclude DIRECTV video streaming traffic from the VPN tunnel.
![]()
Add the video streaming applications that you want to exclude from the VPN tunnel using the Applications drop-down—a shortened version of the Applications list. You can add up to 200 video application entries to the list. For example, select youtube-streaming to exclude all YouTube-based video streaming traffic from the VPN tunnel.Save the gateway configuration.- Click OK to save the gateway configuration.Commit your changes.
