topic Re: Traffic from GP interface in General Topics

Traffic from GP interface

Abdul_Razaq — Sun, 20 Oct 2019 15:45:37 GMT

Hi Team,

I am seeing some traffic initiated from GP interface to outside using source port udp/4500 to public IPs of clients( GP uses 4501 and I have xauth configured). Are these traffics are because of GP xauth configuration.. anybody has noticed it before ?.

I dont have any Ipsec tunnels configured from this interface.

thanks in advance.

Re: Traffic from GP interface

BatD — Mon, 21 Oct 2019 08:44:38 GMT

@Abdul_Razaq If you don't use any 3rd party clients with X-Auth, it could also be your standard users. The global protect agent will try IPSec connection to the Gateway and only if it fails will use SSL. This is enabled by default and configurable under “Global Protect>Agent>Tunnel Settings”

https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-gateways/configure-a-globalprotect-gateway.html

Re: Traffic from GP interface

Abdul_Razaq — Mon, 21 Oct 2019 09:00:02 GMT

Hi @BatD ,

I am seeing these traffic only for third party clients, I am seeing traffic initiated from PA with source udp/4500 to client public IPs (it is blocked by policy ).

As it is port 4500, I can make sure that it is because of third party client as GP uses 4501 in tunnel mode. I am wondering what is inside that packets, what PA is trying to send, is it the tunnel initiation? ( even though the policy is denying it, the IPSec connection is fine in responder mode).