Sending 100% of remote user traffic through a cloud security gateway ensures absolute visibility, but it can cripple high-bandwidth, low-risk applications like Zoom and Microsoft Teams.
The Case for Split-Tunneling
In a Prisma Access deployment, the GlobalProtect agent routes traffic to the nearest Mobile User Gateway (MUG). However, Unified Communications as a Service (UCaaS) traffic is latency-sensitive and inherently encrypted. Backhauling it through the tunnel adds milliseconds of latency and consumes substantial SPN compute resources for zero security gain, because the encrypted media stream cannot be meaningfully inspected anyway.
Execution Strategy
- Exclude by App-ID: Instead of relying on brittle IP-based exclusions, which break whenever a vendor's address ranges change, use Palo Alto's App-ID. Exclude applications like `ms-teams-audio`, `ms-teams-video`, and `zoom-base` directly in the GlobalProtect Gateway settings.
- Exclude by Video Domains: Create a custom URL category for streaming services (e.g., YouTube, Netflix) and apply it to the split-tunnel exclude list so that recreational streaming does not consume the bandwidth your Prisma Access licence allocates. Keep the category narrow: anything on the exclude list bypasses inspection entirely.
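As an added example (not Palo Alto code, and not part of the original post), a small pre-rollout audit of a proposed exclude list: because everything on it leaves inspection, the script flags catch-all wildcards, entries overlapping corporate domains, entries outside a reviewed UCaaS/streaming allowlist, and wide or IP-based excludes. The allowlist, corporate zones and prefix limit are constructed assumptions.

```python
"""Sanity-check a proposed GlobalProtect split-tunnel exclude list.

Added example, not Palo Alto code. Anything excluded from the tunnel is
uninspected, so the list must stay narrow. The zone sets below are
constructed placeholders; replace them with your own reviewed lists.
"""
import ipaddress
from typing import List, Tuple

# Constructed: zones reviewed and accepted as low-risk to bypass.
APPROVED_BYPASS_ZONES = {"teams.microsoft.com", "zoom.us", "youtube.com", "netflix.com"}
# Constructed: zones that must always stay inside the tunnel.
CORPORATE_ZONES = {"corp.example.com"}
MAX_EXCLUDED_HOSTS = 1024  # refuse IP excludes wider than a /22


def _in_zone(name: str, zone: str) -> bool:
    """True if name equals zone or is a subdomain of it."""
    return name == zone or name.endswith("." + zone)


def check_domain_exclude(entry: str) -> List[str]:
    """Findings for one domain-style entry such as '*.zoom.us' (empty list = clean)."""
    findings = []
    name = entry.lower().strip().rstrip(".")
    if name.startswith("*."):
        name = name[2:]
    if name in ("", "*") or "." not in name:
        return [f"{entry}: catch-all or TLD-level wildcard bypasses inspection broadly"]
    if any(_in_zone(name, z) for z in CORPORATE_ZONES):
        findings.append(f"{entry}: overlaps a corporate zone; keep it inside the tunnel")
    if not any(_in_zone(name, z) for z in APPROVED_BYPASS_ZONES):
        findings.append(f"{entry}: not in the reviewed low-risk bypass allowlist")
    return findings


def check_ip_exclude(entry: str) -> List[str]:
    """IP excludes are brittle (vendor ranges change) and easy to make too wide."""
    net = ipaddress.ip_network(entry, strict=False)
    if net.num_addresses > MAX_EXCLUDED_HOSTS:
        return [f"{entry}: prefix covers {net.num_addresses} hosts; too wide to bypass"]
    return [f"{entry}: IP-based exclude; prefer a domain or application exclude"]


def audit_exclude_list(entries: List[str]) -> Tuple[bool, List[str]]:
    """Audit every entry; returns (ok, findings). ok is False if anything was flagged."""
    findings: List[str] = []
    for entry in entries:
        try:
            ipaddress.ip_network(entry, strict=False)  # parses -> IP/CIDR entry
        except ValueError:
            findings += check_domain_exclude(entry)  # otherwise a domain entry
        else:
            findings += check_ip_exclude(entry)
    return (not findings, findings)
```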
Verification
Post-deployment, instruct users to check their GlobalProtect client statistics. The "Direct Access" tab should reflect the bypassed domains, and your Prisma Access dashboard should show a significant drop in sustained throughput.