How do I exclude specific traffic (Webex, Zoom, etc.) from the remote access VPN?

You can exclude specific traffic from the remote access VPN by configuring dynamic split tunneling, which excludes traffic based on DNS domain names rather than on static IP address ranges.

Excluded domains are not blocked. Instead, traffic to those domains is kept outside the VPN tunnel: when the client resolves an excluded domain name, the addresses returned in the DNS response are sent directly to the public Internet rather than through the tunnel. For example, you could send Cisco Webex traffic over the public Internet, freeing bandwidth in the VPN tunnel for traffic that is destined for servers within your protected network. Keep in mind that excluded traffic never reaches the firewall, so it is not subject to the access control and inspection applied to tunneled traffic; exclude only well-known services and rely on endpoint controls for them.

Procedure


Step 1

From the CDO home page, in the navigation bar, click Inventory.

Step 2

Find the Secure Firewall Threat Defense device you want to add this rule to. You can use the filter or search field to find the device.

Step 3

Select the device, and in the Device Management pane at the right, click Device Overview.

Step 4

Open the group policy in which you want to configure dynamic split tunneling.

  1. Choose Devices > Remote Access.

  2. Click Edit on the remote access VPN policy for which you want to configure dynamic split tunneling.

  3. Click Edit on the connection profile that uses the group policy you want to change.

  4. Click Edit Group Policy.

Step 5

Configure the Secure Client custom attribute in the Add/Edit Group Policy dialog box.

  1. Click the Secure Client tab.

  2. Click Custom Attributes and click +.

  3. Choose Dynamic Split Tunneling from the Secure Client Attribute drop-down list.

  4. Click + to create a new custom attribute object.

  5. Enter the name for the custom attribute object.

  6. Exclude domains—Specify the domain names whose traffic should bypass the remote access VPN tunnel, for example webex.com.

  7. Click Save.

  8. Click Add.

Step 6

Verify the configured custom attribute and click Save.

Step 7

When you are ready to deploy this change to the device, click Deploy in the menu bar at the top of the page.
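After the deployment completes, it is worth confirming on the device itself that the custom attribute is attached to the intended group policy and carries the intended domains, since a typo in a domain or an attribute saved but not added to the policy silently leaves the traffic in the tunnel. The following script is an added example, not part of this page or of Cisco's tooling: it parses a `show running-config` excerpt captured from the Threat Defense CLI and reports, per group policy, which domains are dynamically excluded. The sample config below is constructed for the example; the object and policy names (ExcludeCollab, RA_GroupPolicy, NoExclusions) are hypothetical, and the suffix-matching preview assumes the client treats an excluded domain as covering its subdomains.

```python
import re
from typing import Dict, List

# Constructed sample: an excerpt of `show running-config` from a Threat Defense
# device after the dynamic split tunnel custom attribute was deployed.
# Object and policy names are hypothetical; the ASA-style keywords are the
# form the deployed attribute takes in the running configuration.
SAMPLE_RUNNING_CONFIG = """\
webvpn
 enable outside
 anyconnect-custom-attr dynamic-split-exclude-domains description Collaboration traffic outside the tunnel
anyconnect-custom-data dynamic-split-exclude-domains ExcludeCollab webex.com,zoom.us
group-policy RA_GroupPolicy internal
group-policy RA_GroupPolicy attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 anyconnect-custom dynamic-split-exclude-domains value ExcludeCollab
group-policy NoExclusions internal
group-policy NoExclusions attributes
 vpn-tunnel-protocol ssl-client
"""

# Custom data object: name followed by a comma-separated domain list.
CUSTOM_DATA_RE = re.compile(
    r"^anyconnect-custom-data dynamic-split-exclude-domains (\S+) (\S+)$")
# Start of a group-policy attributes block.
POLICY_ATTR_RE = re.compile(r"^group-policy (\S+) attributes$")
# Reference from a group policy to a custom data object (indented line).
POLICY_REF_RE = re.compile(
    r"^\s+anyconnect-custom dynamic-split-exclude-domains value (\S+)$")


def parse_exclude_domain_objects(config: str) -> Dict[str, List[str]]:
    """Map each dynamic-split-exclude-domains object to its list of domains."""
    objects: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = CUSTOM_DATA_RE.match(line)
        if m:
            name, domains = m.groups()
            objects[name] = [d.strip().lower() for d in domains.split(",") if d.strip()]
    return objects


def parse_group_policy_exclusions(config: str) -> Dict[str, List[str]]:
    """Map each group policy to the domains it excludes ([] when it has no attribute)."""
    objects = parse_exclude_domain_objects(config)
    policies: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = POLICY_ATTR_RE.match(line)
        if m:
            current = m.group(1)
            policies.setdefault(current, [])
            continue
        if current is None:
            continue
        if not line.startswith(" "):
            current = None  # an unindented line ends the attributes block
            continue
        m = POLICY_REF_RE.match(line)
        if m:
            ref = m.group(1)
            if ref not in objects:
                # Attribute object saved under a different name, or never deployed.
                raise ValueError(f"group policy {current} references undefined object {ref}")
            policies[current] = list(objects[ref])
    return policies


def check_exclusions(config: str, policy: str, expected: List[str]) -> List[str]:
    """Return the expected domains that the named group policy does NOT exclude."""
    policies = parse_group_policy_exclusions(config)
    if policy not in policies:
        raise ValueError(f"group policy {policy!r} not found in config")
    configured = policies[policy]
    return [d for d in expected if d.lower() not in configured]


def overly_broad(domains: List[str]) -> List[str]:
    """Flag entries with no dot (a bare TLD such as 'com' would exclude far too much)."""
    return [d for d in domains if "." not in d.strip(".")]


def matches_excluded_domain(fqdn: str, domains: List[str]) -> bool:
    """Preview whether a host would be excluded. Assumption: an excluded domain
    covers itself and its subdomains (suffix match on DNS labels)."""
    host = fqdn.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


if __name__ == "__main__":
    for name, domains in parse_group_policy_exclusions(SAMPLE_RUNNING_CONFIG).items():
        print(f"{name}: {domains or 'no dynamic exclusions'}")
    print("missing from RA_GroupPolicy:",
          check_exclusions(SAMPLE_RUNNING_CONFIG, "RA_GroupPolicy", ["webex.com", "zoom.us"]))
    print("teams.webex.com excluded:", matches_excluded_domain("teams.webex.com", ["webex.com"]))
```

Run it against a real capture by replacing `SAMPLE_RUNNING_CONFIG` with the output of `show running-config` from the device; an empty list from `check_exclusions` for your group policy confirms the deployment, and a non-empty `overly_broad` result is a sign that an entry will pull far more than the intended service out of the tunnel.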