https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86055#M43401 <P>Hihi,</P> <P>&nbsp;</P> <P>Actually your WEB GUI &nbsp;PA server switched to the port 4443 when you have GP enabled. GP running on the port 443.</P> Tue, 14 Jun 2016 15:54:16 GMT Transporter 2016-06-14T15:54:16Z https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86018#M43400 <P>It has been&nbsp;noted that our global protect portal is reachable from the internet using port 4443 and is presenting a self signed cert which is seen as a security vulnerability. Can you let me know if port 4443 is necessary in terms of GlobalProtect connectivity?</P> <P>&nbsp;</P> <P>The below comes to mind, but does anyone have any suggestions?</P> <P>&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Access-the-WebGUI-when-GlobalProtect-Is-Enabled/ta-p/62399" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Access-the-WebGUI-when-GlobalProtect-Is-Enabled/ta-p/62399</A></P> <P>&nbsp;</P> <P>Cheers</P> <P>Jack</P> <P>&nbsp;</P> Tue, 14 Jun 2016 15:29:43 GMT https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86018#M43400 Jack_Howells 2016-06-14T15:29:43Z https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86055#M43401 <P>Hihi,</P> <P>&nbsp;</P> <P>Actually your WEB GUI &nbsp;PA server switched to the port 4443 when you have GP enabled. GP running on the port 443.</P> Tue, 14 Jun 2016 15:54:16 GMT https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86055#M43401 Transporter 2016-06-14T15:54:16Z https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86056#M43402 <P>Okay, thanks for the confirmation.</P> <P>&nbsp;</P> <P>Port 4443 will be needed then, but is there anything else we could do?</P> Tue, 14 Jun 2016 15:56:21 GMT https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86056#M43402 Jack_Howells 2016-06-14T15:56:21Z https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86057#M43403 <P>Hi Jack,</P> <P>&nbsp;</P> <P>can you please clarify what exactly do you want to achieve?</P> <P>&nbsp;</P> <P>Thank,</P> <P>Mykhaylo</P> Tue, 14 Jun 2016 15:59:50 GMT https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86057#M43403 Transporter 2016-06-14T15:59:50Z https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86778#M43418 <P>Hi Mykhaylo,</P> <P>&nbsp;</P> <P>Basically, I would like to know if port 4443 is needed. I don't think it is, unless you have set the GP portal to be on the management interface, which isn't the case. If it was, I would need 4443 because that is how you get to the management instead of the portal, on the same interface/IP.</P> <P>&nbsp;</P> <P>Cheers</P> <P>Jack</P> Wed, 15 Jun 2016 10:43:18 GMT https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86778#M43418 Jack_Howells 2016-06-15T10:43:18Z https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86786#M43420 <P>I would definitely not allow firewall management from external interface.</P> <P>You can check what management profile is attached to untrust interface if you go to</P> <P>Network &gt; Interfaces and check "Management profile" column.</P> <P>&nbsp;</P> <P>Then go to</P> <P>Network &gt; Network Profiles &gt; Interface Mgmt</P> <P>And create new profile for wan side or change current one.</P> <P>&nbsp;</P> <P>If you need mgmt access from wan then at least limit it down with security policy to whitelisted IPs.</P> Wed, 15 Jun 2016 10:49:19 GMT https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86786#M43420 Raido_Rattameister 2016-06-15T10:49:19Z https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86793#M43421 <P>Hi Raido,</P> <P><BR />Thanks for your response,</P> <P>&nbsp;</P> <P>However, as said above I'm not using management on an external interface.</P> <P><BR />Cheers</P> <P>Jack</P> Wed, 15 Jun 2016 10:53:09 GMT https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86793#M43421 Jack_Howells 2016-06-15T10:53:09Z https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86796#M43423 <P>If you use globalprotect and have enabled management on same interface then management port jumps from 443 to 4443.</P> <P>Are you sure you have not attached interface management profile to untrust interface that permits management through this untrust interface?</P> <P>&nbsp;</P> Wed, 15 Jun 2016 10:58:07 GMT https://live.paloaltonetworks.com/t5/general-topics/port-4443/m-p/86796#M43423 Raido_Rattameister 2016-06-15T10:58:07Z