Traffic from GP interface

L3 Networker


Hi Team,

I am seeing some traffic initiated from the GP interface to outside, using source port udp/4500, to the public IPs of clients (GP uses 4501 and I have X-Auth configured). Is this traffic because of the GP X-Auth configuration? Has anybody noticed it before?

I don't have any IPsec tunnels configured from this interface.

Thanks in advance.

L4 Transporter

Re: Traffic from GP interface

@Abdul_Razaq If you don't use any 3rd party clients with X-Auth, it could also be your standard users. The GlobalProtect agent will try an IPSec connection to the gateway and will use SSL only if that fails. This is enabled by default and configurable under “Global Protect>Agent>Tunnel Settings”.

https://docs.paloaltonetworks.com/globalprotect/9-0/globalprotect-admin/globalprotect-gateways/confi...

L3 Networker

Re: Traffic from GP interface

Hi @BatD ,

I am seeing this traffic only for third-party clients. I am seeing traffic initiated from the PA with source udp/4500 to client public IPs (it is blocked by policy).

As it is port 4500, I can be sure that it is because of a third-party client, as GP uses 4501 in tunnel mode. I am wondering what is inside those packets and what the PA is trying to send. Is it the tunnel initiation? (Even though the policy is denying it, the IPSec connection is fine in responder mode.)
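
On the question of what is inside udp/4500 packets: RFC 3948 lets a receiver tell a one-byte NAT-keepalive, IKE behind a four-byte zero marker, and ESP apart by their first bytes. The Python below is an added example, not part of the thread or of any Palo Alto tooling; it classifies payload bytes taken from a capture, and the function names and sample bytes are constructed for illustration.

```python
import struct

# Exchange types: RFC 2408 (IKEv1), the Mode-Config draft (6), RFC 7296 (IKEv2).
EXCHANGES = {
    (1, 2): "IKEv1 Main Mode",
    (1, 4): "IKEv1 Aggressive Mode",
    (1, 5): "IKEv1 Informational",
    (1, 6): "IKEv1 Transaction (Mode-Config/XAUTH)",
    (1, 32): "IKEv1 Quick Mode",
    (2, 34): "IKEv2 IKE_SA_INIT",
    (2, 35): "IKEv2 IKE_AUTH",
    (2, 36): "IKEv2 CREATE_CHILD_SA",
    (2, 37): "IKEv2 INFORMATIONAL",
}

def classify_udp4500(payload: bytes) -> str:
    """Classify one UDP/4500 payload with the RFC 3948 demultiplexing rules."""
    if payload == b"\xff":                      # single 0xFF byte
        return "NAT-keepalive"
    if len(payload) < 8:
        return "malformed (too short)"
    if payload[:4] == b"\x00" * 4:              # non-ESP marker, IKE follows
        ike = payload[4:]
        if len(ike) < 28:                       # fixed IKE header is 28 bytes
            return "IKE (truncated header)"
        major, exch = ike[17] >> 4, ike[18]     # version byte, exchange type
        name = EXCHANGES.get((major, exch), f"IKEv{major} exchange {exch}")
        return f"IKE: {name}"
    spi, seq = struct.unpack("!II", payload[:8])  # ESP: SPI then sequence number
    return f"ESP-in-UDP spi=0x{spi:08x} seq={seq}"

def make_ike(major: int, exch: int) -> bytes:
    """Constructed sample: marker plus a bare 28-byte IKE header."""
    hdr = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                      0, major << 4, exch, 0, 0, 28)
    return b"\x00" * 4 + hdr

# Constructed sample payloads (not taken from the thread).
SAMPLES = [
    b"\xff",
    make_ike(1, 5),
    make_ike(2, 37),
    struct.pack("!II", 0xC0FFEE01, 7) + bytes(32),
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{len(p):3d} bytes  {classify_udp4500(p)}")
```

The input is the UDP payload only, with the IP and UDP headers already stripped, for example from a capture filtered on source port 4500.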
