MacOS WSS Agent disconnects regularly as soon as user connects to GlobalProtect VPN
search cancel

MacOS WSS Agent disconnects regularly as soon as user connects to GlobalProtect VPN


Article ID: 251946


Updated On:


Cloud Secure Web Gateway - Cloud SWG


WSS Agent and F5 GlobalProtect VPN client running on the same host.

GlobalProtect is setup in Split tunnel mode where WSS Agent Application is bypassed from sending traffic into VPN as shown below:

                                                <member>C:\Program Files\Symantec\WSS Agent\wssad.exe</member>
                                                <member>C:\Program Files\Symantec\WSS Agent\ wssa-ui.exe</member>
                                                <member>/Applications/Symantec WSS</member>
                                                <member>/Library/Application Support/Symantec WSS Agent</member>
                                                <member>/opt/symantec/wssa/wssad|/Library/Application Support/Symantec WSS Agent</member>

WSS is also setup to bypass the GlobalProtect VPN client Application, to avoid VPN generated traffic being sent into WSS. 

With Windows based users can access both VPN and WSS protected resources without issues. 

For MacOS users, who are using GlobalProtect, WSS Agent disconnects the WSS Tunnel frequently once users connect to VPN.

Users will get connectivity errors, or messages indicating no connection to internet when this happens.


WSS Agent 8.1.1.

MacOS 12.5.

GlobalProtect 6.0.3.


WSS traffic sent into GlobalProtect VPN network (CTC traffic as well as agent traffic) and not direct to internet.


Bypass all WSS traffic from the VPN client. This can be done in a number of ways:

1. bypass the WSS Application from GlobalProtect VPN: Whilst possible, the WSS agent Application includes a random identifier (shown below) which requires wildcard support. This random identifier is the system extension path which is random - the system extension is the WSS Agent “service” and “driver” combined into one.


If the VPN client supports wildcards (GlobalProtect does not with current version), we could add the following bypass entry:



2. If The VPN client does not support wildcards, we will need to add a bypass for the CTC, and the WSS ingress IP addresses. This can be painful due to the number of WSS IP addresses available.

Additional Information

PCAPs confirm that WSS traffic is being sent into the VPN server, when it should be bypassed.

Can gather the Application path to bypass from VPN client using following command:

admin@macos Downloads % ps aux|grep wss
root               549   1.4  0.3 34234908  28452   ??  Ss   11:44AM   0:08.19 /Library/SystemExtensions/AC3C9E04-754A-4A11-87F4-92A6255D09D9/