https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/266503#M74443 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42784">@hshawn</a>,</P><P>How exactly are you terminating the GP Portal interface on the firewall? Do you have it configured on a Loopback interface or an actual layer3 interface on the firewall?&nbsp;</P> Tue, 04 Jun 2019 23:07:54 GMT BPry 2019-06-04T23:07:54Z https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/261987#M74245 <P>Has anyone configured PFS on their Global Protect Portal?&nbsp;</P><P>&nbsp;</P><P>Any snags? Is this even possible for the inbound connections to the portal?</P> Wed, 22 May 2019 20:29:47 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/261987#M74245 hshawn 2019-05-22T20:29:47Z https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/262095#M74271 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42784">@hshawn</a>,</P><P>PFS is enabled by default for Forward Proxy in anything above/at 7.1, and with Inbound Inspection this was activated by default in 8.0 and above.&nbsp;</P> Thu, 23 May 2019 18:24:44 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/262095#M74271 BPry 2019-05-23T18:24:44Z https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/262115#M74283 <P>We are not doing inbound inspection I guess I was wondering if it could be done just for the GP VPN portal or if it had to be on everything. which then makes me wonder what type of issues we may run into with inbound inspection&nbsp;</P> Thu, 23 May 2019 20:38:06 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/262115#M74283 hshawn 2019-05-23T20:38:06Z https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/262118#M74285 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42784">@hshawn</a>,</P><P>Ahh okay got it. Inbound inspection can be configured fairly specifically to only include one resource such as GP, but you would really want to test it to verify that you have everything working correctly before enabling it for all external traffic. The good news is you can test by including a simple external IP as the source, so testing is certaintly do-able.&nbsp;</P><P>Additional SSL Inbound Inspection documentation can be found <A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/decryption/configure-ssl-inbound-inspection.html" target="_self">HERE</A></P> Thu, 23 May 2019 21:16:26 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/262118#M74285 BPry 2019-05-23T21:16:26Z https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/266318#M74441 <P>So I gave this a shot, pretty straight forward but it does not look like it will work for something that terminates at the firewall itself (such as the GP VPN portal) the inbound decrypt rule never gets hit and the ssllabs scan still shows no PFS.&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 04 Jun 2019 15:08:07 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/266318#M74441 hshawn 2019-06-04T15:08:07Z https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/266503#M74443 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42784">@hshawn</a>,</P><P>How exactly are you terminating the GP Portal interface on the firewall? Do you have it configured on a Loopback interface or an actual layer3 interface on the firewall?&nbsp;</P> Tue, 04 Jun 2019 23:07:54 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/266503#M74443 BPry 2019-06-04T23:07:54Z https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/303045#M78917 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>: I am working on this with <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/42784">@hshawn</a>&nbsp;We are using a loopback address on the Firewall.</P> Tue, 10 Dec 2019 20:45:52 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/303045#M78917 charlesk 2019-12-10T20:45:52Z https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/340900#M85533 <P>Hi,</P><P>&nbsp;</P><P>Did you solve this?</P><P>&nbsp;</P><P>We launched ssllabs to a GP portal website and it shows this:&nbsp;</P><P><SPAN>This server does not support Forward Secrecy with the reference browsers</SPAN></P><P>&nbsp;</P><P><SPAN>Is there any way to support PFS for GP portal web?</SPAN></P> Mon, 27 Jul 2020 17:17:40 GMT https://live.paloaltonetworks.com/t5/general-topics/enabling-pfs-for-gp-vpn-portal/m-p/340900#M85533 BigPalo 2020-07-27T17:17:40Z