https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-ikev2-peer-pa1420-running-pan-os-11-0-1-h1/m-p/564079#M2043 <P>You can add security policy</P> <P>Source zone - WAN</P> <P>Destination zone - WAN</P> <P>Source IP - Your and your peer IPs that terminate IPSec</P> <P>Destination IP - Your and your peer IPs that terminate IPSec</P> <P>Application - ipsec</P> <P>&nbsp;</P> <P>And at the end of the ruleset "block any" rule.</P> <P>&nbsp;</P> <P>IPSec works because of "intrazone-default" rule permitting same zone traffic.</P> <P>&nbsp;</P> <P>Be careful when you add "block any" rule because you might have other traffic relying on this intrazone-default rule.</P> Thu, 02 Nov 2023 12:23:33 GMT Raido_Rattameister 2023-11-02T12:23:33Z https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-ikev2-peer-pa1420-running-pan-os-11-0-1-h1/m-p/563887#M2036 <P>So, i have this type of errors in my logs and i really dont know how to tackle them.</P> <P>No other info, like for example who is the peer that generates this event, like i used to get on an older PA device also running an older PANOS version</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Manu_P_0-1698843190615.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54814i1C3ADED998DA8090/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Manu_P_0-1698843190615.png" alt="Manu_P_0-1698843190615.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Any ideas?</P> Wed, 01 Nov 2023 12:55:10 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-ikev2-peer-pa1420-running-pan-os-11-0-1-h1/m-p/563887#M2036 Manu_P 2023-11-01T12:55:10Z https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-ikev2-peer-pa1420-running-pan-os-11-0-1-h1/m-p/563924#M2040 <P>You will get rid of noise coming from internet by permitting incoming VPN only from your peer IPs.</P> <P>&nbsp;</P> <P>To figure out what IP is trying to connect you need to look into&nbsp;ikemgr.log log by using commands below</P> <P>less mp-log ikemgr.log</P> <P>tail follow yes mp-log ikemgr.log (updates log output in real time)</P> <P>&nbsp;</P> Wed, 01 Nov 2023 17:33:38 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-ikev2-peer-pa1420-running-pan-os-11-0-1-h1/m-p/563924#M2040 Raido_Rattameister 2023-11-01T17:33:38Z https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-ikev2-peer-pa1420-running-pan-os-11-0-1-h1/m-p/564063#M2041 <P>Thanks, that did it (not doing much ike troubleshooting so i forgot about that log)</P> <P>Still, i wished PanOS to display that info in the system monitor logs</P> <P>&nbsp;</P> <P>Anyway, you said this:</P> <P><SPAN>"You will get rid of noise coming from internet by permitting incoming VPN only from your peer IPs"</SPAN></P> <P>&nbsp;</P> <P><SPAN>How? i did not set an explicit rule to allow incoming vpn - i assumed the firewall did that behind the scene</SPAN></P> <P><SPAN>Or do you mean to setup an explicit deny all incoming ike rule, with exception for an address group containing all my ike-gateways-ip-addresses?</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 02 Nov 2023 09:54:55 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-ikev2-peer-pa1420-running-pan-os-11-0-1-h1/m-p/564063#M2041 Manu_P 2023-11-02T09:54:55Z https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-ikev2-peer-pa1420-running-pan-os-11-0-1-h1/m-p/564079#M2043 <P>You can add security policy</P> <P>Source zone - WAN</P> <P>Destination zone - WAN</P> <P>Source IP - Your and your peer IPs that terminate IPSec</P> <P>Destination IP - Your and your peer IPs that terminate IPSec</P> <P>Application - ipsec</P> <P>&nbsp;</P> <P>And at the end of the ruleset "block any" rule.</P> <P>&nbsp;</P> <P>IPSec works because of "intrazone-default" rule permitting same zone traffic.</P> <P>&nbsp;</P> <P>Be careful when you add "block any" rule because you might have other traffic relying on this intrazone-default rule.</P> Thu, 02 Nov 2023 12:23:33 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/unknown-ikev2-peer-pa1420-running-pan-os-11-0-1-h1/m-p/564079#M2043 Raido_Rattameister 2023-11-02T12:23:33Z