There is no doubt that a lot of GREAT things were happening at Ignite'17. If you were not able to come, we all understand, but we look forward to seeing you at another Ignite.
The Live Community booth was an exciting place to be. We met so many wonderful people and helped people #GetAnswers.
For a peek into what it was like, check out this small video if you missed it on our front page.
Just like Kim (Kiwi) and Tom (Reaper) posted, I also have some of my favorite questions that I want to feature here. I will post the Question, the Posted Answer and My take on it.
What does a TAP interface do and how does it work?
A TAP interface is used to get a copy of all traffic across the designated port. Any interface can be a TAP interface except management.
A network tap is a device that provides a way to access data flowing across a computer network. Tap mode deployment allows you to passively monitor traffic flows across a network by way of a switch SPAN or mirror port.
The SPAN or mirror port permits the copying of traffic from other ports on the switch. By dedicating an interface on the firewall as a tap mode interface and connecting it with a switch SPAN port, the switch SPAN port provides the firewall with the mirrored traffic. This provides application visibility within the network without being in the flow of network traffic.
NOTE: When deployed in tap mode, the firewall is not able to take action, such as block traffic or apply QoS traffic control.
Can I use GlobalProtect over SSL to avoid "VPN" detection by the Chinese government?
Yes, GP only does full tunnelling. If you set up a gateway on a location outside your undesired location, your IP address will source from that location that's less restrictive, allowing you access and possibly avoiding detection (since you are using encrypted SSL traffic).
By default, when connecting to a GlobalProtect gateway, if IPSec is unable to connect, it will attempt an SSL connection. This is configurable inside of the GlobalProtect gateway. Inside of Network > GlobalProtect > Gateways, select a gateway profile. There, under the Tunnel Settings tab, you will find an "Enable IPSec" option.
Gateway configuration showing the IPSec option. Disable to force SSL connection.
This option controls whether IPSec will be used when connecting to GlobalProtect. If it is unchecked, GlobalProtect will only use SSL. In the scenario from the question, IPSec traffic is going to be blocked on a Chinese network but SSL traffic is allowed, so as long as you always use SSL to connect, the Chinese government will not see this traffic and you will still be able to VPN with GlobalProtect.
For more information on configuring GlobalProtect, please visit our NEW GlobalProtect portal page here: