

Application Bypass (CLI Procedure)


Use this procedure to configure the application bypass feature for the remote access VPN solution on the SRX Series Firewall. As an administrator, if you want the users in your organization to access certain websites without going through the remote access VPN tunnel, follow this procedure:

  1. Identify the applications with their domain names and protocols. For example, if you want users to be able to access enterprise applications such as Zoom, Sharepoint, and Salesforce without going through the VPN, specify them in the configuration as follows:

    • For Oracle cloud application suite, specify as the domain name match criteria.

    • For Salesforce CRM application and all its sub-domain names, specify the application match criteria as using the keyword wildcard. When you specify using wildcard keyword, if your main domain is, then the wildcard sub-domain names of the Salesforce application can be,, and etc. So, with this, you can bypass VPN for,, and Any left most label part of the domain name will be used with the specified matched criteria.

    • To match any domain name containing a specific value, use contains keyword. For example, for domain-name with value, specify with contains keyword. So any domain-name that contains will also bypass the VPN. This is different from wildcard match because with contains keyword, the domain name string can be anywhere in the FQDN. For example, if you use with contains keyword, it matches all conditions like,

    • For bypassing applications based on protocol, specify either tcp, udp or all.

  2. Categorize these applications based on your use case to group them with a term name. In your SRX Series Firewall, you can create multiple terms to configure multiple application bypass entries and associate them with a particular remote client's configuration parameters at the [edit security remote-access client-config] hierarchy level.

  3. Identify the remote client to which you can associate the application bypass rules.
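The following Python model is an added example, not Juniper code and not Junos syntax. It shows how the fqdn, wildcard, contains and protocol match criteria described above differ, so you can review which destinations a planned term would send outside the tunnel. The term names and the example.com and .test domains are constructed, and two behaviours are assumptions: a wildcard covers one or more labels to the left of the configured domain, and each rule is evaluated independently.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    term: str   # term name grouping the entry (hypothetical names below)
    kind: str   # "fqdn", "wildcard", "contains" or "protocol"
    value: str  # domain string, or "tcp" / "udp" / "all" for protocol rules

def _norm(name: str) -> str:
    # DNS names are case-insensitive; drop a trailing root dot.
    return name.strip().lower().rstrip(".")

def rule_matches(rule: Rule, fqdn: str, proto: str) -> bool:
    host, value = _norm(fqdn), _norm(rule.value)
    if rule.kind == "fqdn":
        return host == value
    if rule.kind == "wildcard":
        # Assumption: one or more labels to the left of the configured domain.
        return host.endswith("." + value)
    if rule.kind == "contains":
        return value in host  # the string may sit anywhere in the FQDN
    if rule.kind == "protocol":
        # Assumption: a protocol rule is evaluated on its own, without a domain.
        return value == "all" or proto.lower() == value
    raise ValueError(f"unknown match kind: {rule.kind}")

def audit(rules, flows):
    """Map each (fqdn, proto) flow to the terms under which it would bypass the VPN."""
    return {(f, p): [r.term for r in rules if rule_matches(r, f, p)] for f, p in flows}

# Constructed sample rules and flows, for illustration only.
RULES = [
    Rule("crm-exact", "fqdn", "app.example.com"),
    Rule("crm-subdomains", "wildcard", "example.com"),
    Rule("crm-loose", "contains", "example.com"),
    Rule("voice-udp", "protocol", "udp"),
]
FLOWS = [
    ("app.example.com", "tcp"),
    ("login.example.com", "tcp"),
    ("example.com.other.test", "tcp"),
    ("notexample.com", "tcp"),
    ("media.corp.test", "udp"),
    ("intranet.corp.test", "tcp"),
]

if __name__ == "__main__":
    for flow, terms in audit(RULES, FLOWS).items():
        print(flow, "->", terms or "stays in tunnel")
```

In this model only the contains rule lets example.com.other.test and notexample.com leave the tunnel, which is why contains entries deserve the closest review before you commit them.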

Configuring Application Bypass

To configure the application bypass feature using the command line interface:

  1. Log in to your SRX Series Firewall using the command line interface (CLI).

  2. Configure remote-access VPN in full tunnel configuration mode. See one of the following procedures based on the authentication method used -

  3. To bypass the VPN, configure the identified applications as shown in Table 1.

    Table 1: Application Bypass Configuration Parameters
    Options Domain Name/Protocol Description
    fqdn Specify a cloud application.
    wildcard Covers enterprise applications like -




    contains Specify content that contains the specific domain name.
    • tcp

    • udp

    Specify TCP and UDP based applications.
    • Using domain-name as FQDN -

    • Using domain-name with wildcard keyword -

    • Using domain-name containing a value, say, -

    • Based on tcp -

    • Based on udp -

  4. When you are done configuring the feature on your device, enter commit from configuration mode.

Once the Juniper Secure Connect VPN connection is established, your end users bypass the remote-access VPN when they access these applications, which simplifies their experience.