topic SSL VPN - Basic Questions in General Topics

SSL VPN - Basic Questions

shank — Thu, 22 May 2014 13:34:28 GMT

What basic steps have to be complete to allow a remote user to enter an ip address in their browser and get the ssl vpn authentication screen? We currently get an eventual timeout when we try to connect from a browser. We followed the basic GlobalProtect setup steps, but, just wondering if there is something 'dumb' that we are missing.

Thanks!

Re: SSL VPN - Basic Questions

HULK — Thu, 22 May 2014 15:25:27 GMT

Hello Shank,

Here is a good document to start initial troubleshooting: ?

You can verify the session information on the PAN firewall CLI to understand where the packet is getting dropped.

Are you trying to access the portal from inside network ( from firewall stand point) or from public internet...?

How To Access External GP Portal/GW From Inside The Firewall

Hope this helps.

Thanks

Re: SSL VPN - Basic Questions

shank — Thu, 22 May 2014 15:31:36 GMT

From the public side of the firewall.

Re: SSL VPN - Basic Questions

shank — Thu, 22 May 2014 15:32:58 GMT

Also, I get 'unauthorized' when I try to view the first link you provided. Thanks!

Re: SSL VPN - Basic Questions

HULK — Thu, 22 May 2014 15:44:18 GMT

FYI for DOC Globalprotect portal uses web-browsing ?

Globalprotect portal uses web-browsing ?

1) Are both ssl and web-browsing need to be allowed for GP portal to connect. In customer's case we needed to allow both SSL and WEB-BROWSING in order to display the GP portal page.

PA-5050

PAN-OS : 5.0.4

Tested in lab and with Pan-OS 5.0.11 and found that we need both SSL and Web-browsing to allow GP portal page to get displayed.

2) The web-browsing application that is being identified when we access the GP portal page uses port 443 instead of 80. Customer needs to to know why ?

c2s flow:

source: 115.114.47.125 [untrust]

dst: 86.36.50.9

proto: 6

sport: 15579 dport: 443

state: ACTIVE type: FLOW

src user: unknown

dst user: unknown

s2c flow:

source: 86.36.50.9 [SSL-VPN]

dst: 115.114.47.125

proto: 6

sport: 20077 dport: 15579

state: ACTIVE type: FLOW

src user: unknown

dst user: unknown

qos node: ethernet1/13, qos member N/A Qid -2

start time : Sun Apr 27 18:46:24 2014

timeout : 60 sec

time to live : 52 sec

total byte count(c2s) : 7467

total byte count(s2c) : 55677

layer7 packet count(c2s) : 79

layer7 packet count(s2c) : 45

vsys : vsys1

application : web-browsing

rule : test vpn

session to be logged at end : True

session in session ager : True

session synced from HA peer : False

address/port translation : source + destination

nat-rule : (vsys1)

layer7 processing : completed

URL filtering enabled : False

session via syn-cookies : False

session terminated on host : True

session traverses tunnel : False

captive portal session : False

ingress interface : ethernet1/13

egress interface : loopback.1

session QoS rule : N/A (class 4)

session tracker stage l7proc : proxy timer expired

3) When we access the GP portal page, the monitor logs shows DECRYPTED checked. There is no decryption policy enabled on firewall then why this session is shown as decrypted ?

ANS:

1. Re: Globalprotect portal uses web-browsing ?

1. Yes, you need to allow both ssl and web-browsing for GP page to work. This assumes you have a default deny-all policy, which is not standard. If you don't have a deny-all policy, the GP page is on the same zone as the client requesting the page (usually) and is allowed implicitly.

2. Any connection that is decrypted will show the real application (see answer below). SSL is an application only when we cannot decrypt the session and determine what is happening under the SSL transport.

3. The reason it is decrypted is because the firewall itself is handling the SSL connection. There is nothing to decode because the firewall has the private & public key.

Globalprotect portal uses web-browsing ?

Re: SSL VPN - Basic Questions

Wenar — Thu, 22 May 2014 15:45:00 GMT

The IP address of the portal has to be reachable from the internet. Do you have a destination NAT rule which already forwards traffic on the public IP address with port 443 to another host?

Do you have an Any -> Any Deny rule? This could block the traffic on your public interface to the portal.

Re: SSL VPN - Basic Questions

shank — Thu, 22 May 2014 16:04:18 GMT

We have a L3_Untrust TO L3_Untrust rule that has an action of ALLOW and currently it is any from address/user to a destination of VPN_IncomingAddress. I allowed applications of ssl and web-browsing and during this test phase, this policy is the #1 policy. When we monitor this we do see communication to port 443, with an action of allow. I do see a lot of 0 byte entries as well as 60 byte entries.

Re: SSL VPN - Basic Questions

HULK — Thu, 22 May 2014 16:09:36 GMT

Hello Shank,

Is the session details showing all the parameters i.e security policy, ingress/egress interface etc correctly.....?

Re: SSL VPN - Basic Questions

shank — Thu, 22 May 2014 16:22:26 GMT

Security rule appears correct, Detail says app=ssl, NAT source=false, NAT Destination=true.

I am actually going from a static computer to the static ip that I defined as the 'gateway web service', so, I am not sure why detail says NAT Destination= True.

Flow 1, c2s, looks good.

Flow 2 from the IP_Gateway_Web_Service back to the static computer seems ok, I can't tell what else is happening?

Re: SSL VPN - Basic Questions

HULK — Thu, 22 May 2014 16:35:38 GMT

Hello Shank,

Could you please identify the session ID for the same traffic and open it in CLI

PAN> show session id XYZ >>>>>>>> It will give you the detailed information.

Thanks

Re: SSL VPN - Basic Questions

shank — Thu, 22 May 2014 16:40:56 GMT

New device. I haven't used CLI before. It will take me a moment.

Re: SSL VPN - Basic Questions

shank — Thu, 22 May 2014 17:45:01 GMT

The screen comes up now, but, only after the following change of the GlobalProtect Gateway > Network Settings IP Address

was: 12.13.14.15/32

now: 12.13.14.15/8

So 12. addresses can bring up the authentication screen in their browser....

still confused...