topic Re: GlobalProtect authentication blocked by home firewall in General Topics

GlobalProtect authentication blocked by home firewall

bfaull — Fri, 22 Mar 2024 14:10:57 GMT

I use GlobalProtect to connect to my employer's network from my home Wifi.

However, the GP authentication requires port 8443, and this is not compatible with maintaining the highest security firewall settings on my Xfinity Gateway. Every time I connect, therefore, I have to change the Gateway firewall to a lower security setting. For personal cybersecurity reasons, I'd like to maintain the highest security firewall settings all the time. Can PaloAlto fix this problem, for example, by using port 443 rather than 8443? Is there some other way of fixing this?

Re: GlobalProtect authentication blocked by home firewall

Claw4609 — Fri, 22 Mar 2024 14:24:01 GMT

Hello,

What authentication is setup for GlobalProtect? GlobalProtects portal operates on port 443 and I don't believe this can be changed.

Also what is your personal router blocking port 8443 for? Because its a non-default port for SSL?

Re: GlobalProtect authentication blocked by home firewall

bfaull — Fri, 22 Mar 2024 17:24:06 GMT

Xfinity gives very limited options. This is the Firewall IPv4 settings for the Xfinity gateway that I have. You ca choose High, Typical, or Low security settings. Our IT support department tells me that the High setting blocks port 8443, and that this is what is causing GlobalProtect to just get stuck on the samlpost web page.

So my personal router is NOT using 8443. Rather GP is trying to use it and is getting blocked. That's all I know.

Re: GlobalProtect authentication blocked by home firewall

Claw4609 — Fri, 22 Mar 2024 17:42:26 GMT

Oh gotcha, that would be related to the saml configuration used for authentication that your login relies on then and not GlobalProtect itself. You would need to work with/look at the SAML authentication you have set up and are using for authentication to see what the options are.

Re: GlobalProtect authentication blocked by home firewall

BPry — Sat, 23 Mar 2024 03:45:45 GMT

@bfaull,

XFinity themselves don't recommend running maximum/high security for this exact reason. Unfortunately since you don't appear to be in control of the PAN side of things that you're connecting to, changing SAML to use 443 isn't going to be an option for you.

You'll either need to lower your security to Typical so that SAML can complete and you can get connected, or if you have the option on your gateway set things to custom and open what you need. There's really not a way around this since your IT department isn't going to completely change their configuration because of an option you set on your home equipment.