https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26172#M19109 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>a quick one: is it possible to disable SSL VPN at GP? So users can only connect via IPSEC...</P><P></P><P>I know its possible to do it the other way but we like to have a IPSEC only portal/gateway.</P></BODY></HTML> Tue, 23 Sep 2014 13:31:02 GMT Hithead 2014-09-23T13:31:02Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26172#M19109 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>a quick one: is it possible to disable SSL VPN at GP? So users can only connect via IPSEC...</P><P></P><P>I know its possible to do it the other way but we like to have a IPSEC only portal/gateway.</P></BODY></HTML> Tue, 23 Sep 2014 13:31:02 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26172#M19109 Hithead 2014-09-23T13:31:02Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26173#M19110 <HTML><HEAD></HEAD><BODY><P>Hello HitHead,</P><P></P><P>Portal runs on SSL, but you can configure gateway for IPsec. Please configure following settings on Gateway for IPsec.</P><P></P><P><IMG alt="IPsec.png" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/15688_IPsec.png" style="height: 386px; width: 620px;" /></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 23 Sep 2014 13:36:06 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26173#M19110 hshah 2014-09-23T13:36:06Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26174#M19111 <HTML><HEAD></HEAD><BODY><P>thanks,</P><P>I know, but the failover mechanism is still active (if IPSEC fails, GP is trying to connect via SSL).</P></BODY></HTML> Tue, 23 Sep 2014 13:38:50 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26174#M19111 Hithead 2014-09-23T13:38:50Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26175#M19112 <HTML><HEAD></HEAD><BODY><P>Hi Hithead,</P><P></P><P>Than you can block SSL for Gateway IP address in Policy. That way failover will not take place in reality. </P><P></P><P>This will work only if portal is on another firewall.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 23 Sep 2014 13:40:16 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26175#M19112 hshah 2014-09-23T13:40:16Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26176#M19113 <HTML><HEAD></HEAD><BODY><P>Hi Hithead,</P><P></P><P>Let me know if this helps, there is no inbuilt way or command to disable SSL.</P><P></P><P>I didnt find any existing Feature Request to disable SSL, I would suggest to contact Sales Engineer to open new Feature Request.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 23 Sep 2014 13:48:24 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26176#M19113 hshah 2014-09-23T13:48:24Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26177#M19114 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://live.paloaltonetworks.com/u1/19490">hshah</A>,</P><P></P><P>Portal = Gateway in our installations. So not possible.</P><P></P><P>Will contact SE for a feature request. Thanks.</P></BODY></HTML> Tue, 23 Sep 2014 13:55:18 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26177#M19114 Hithead 2014-09-23T13:55:18Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26178#M19115 <HTML><HEAD></HEAD><BODY><P>only way for now, just to create GP , GW config(empty portal config) and make clients connect with cisco client,ort etc.instead of GP client.</P></BODY></HTML> Tue, 23 Sep 2014 14:36:38 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26178#M19115 Retired Member 2014-09-23T14:36:38Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26179#M19116 <HTML><HEAD></HEAD><BODY><P>Hi HitHead,</P><P></P><P>In that case you can assign loopback IP to Portal and loopback should be part of untrust network.</P><P></P><P>Now you car restrict traffic on Gateway.</P><P></P><P>Let me know if thats a good work around.</P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Tue, 23 Sep 2014 18:53:47 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26179#M19116 hshah 2014-09-23T18:53:47Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26180#M19117 <HTML><HEAD></HEAD><BODY><P>sorry but how should that work?</P><P></P><P>(We have one public IP (gateway = portal) NATed to the Portal. At the Portal we configured the public DNS as gateway for the client config.)</P></BODY></HTML> Wed, 24 Sep 2014 08:15:36 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26180#M19117 Hithead 2014-09-24T08:15:36Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26181#M19118 <HTML><HEAD></HEAD><BODY><P>Do you have any free public IP from the pool. That can be configured on Loopback.</P><P></P><P>Thanks</P></BODY></HTML> Wed, 24 Sep 2014 08:27:55 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26181#M19118 HULK 2014-09-24T08:27:55Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26182#M19119 <HTML><HEAD></HEAD><BODY><P>No sadly not.</P><P>But I really like to know, how the loopback config works...</P><P></P><P>As I know, we have to authenticate at the Portal and Gateway with SSL (client certificate authentication). So I have to open (and NAT) SSL to the Portal/Gateway IP (IP is the same; private range). </P><P>So, and if the Portal IP is the loopback interface in a untrusted zone and my client gets the IP or DNS name of the gateway from the portal, SSL is still required for the authentication at the gateway. SSL is still open. - Hope its clear enough...? Understood my concern?</P><P></P><P>THX</P></BODY></HTML> Wed, 24 Sep 2014 08:43:01 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26182#M19119 Hithead 2014-09-24T08:43:01Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26183#M19120 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/docs/DOC-7766">Split and Full Tunnel in GlobalProtect Causes Users to Connect Through SSL on Loopback</A></P><P></P><P>Thanks</P></BODY></HTML> Wed, 24 Sep 2014 08:45:36 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26183#M19120 HULK 2014-09-24T08:45:36Z https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26184#M19121 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/19491">HULK</A>,</P><P></P><P>your answer is helpful but please correct me if I'm wrong or misunderstand the configuration:</P><P></P><P>Fist, a citation: " This request can be received either by Split tunnel on the physical interface ethernet 1/1, or by Full tunnel on the loopback interface by NATing 88.88.88.88:4501 to 1.1.1.1:4501. <STRONG>Both Split and Full tunnel cannot receive the IPSec request</STRONG>."</P><P></P><P>If I will configure our Portal/Gateway with the loopback solution, the authentication against the gateway is still necessary with SSL (port doesn't matter). Ok, my clients will connect with IPSEC but the SSL failover mechanism configured at the agent is still enable and also possible, because you have to authenticate against the gateway with SSL.</P><P></P><P>So in my opinion there is no way to disable a SSL tunnel, because of the SSL failover mechanism and authentication against the gateway.</P><P></P><P>Please correct me, if I'm wrong! </P></BODY></HTML> Thu, 25 Sep 2014 08:02:30 GMT https://live.paloaltonetworks.com/t5/general-topics/disable-ssl-ipsec-only/m-p/26184#M19121 Hithead 2014-09-25T08:02:30Z