Enabling PFS for GP VPN Portal

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L4 Transporter

Enabling PFS for GP VPN Portal

Has anyone configured PFS on their Global Protect Portal? 

 

Any snags? Is this even possible for the inbound connections to the portal?

Tags (2)
Highlighted
Cyber Elite

@hshawn,

PFS is enabled by default for Forward Proxy in anything above/at 7.1, and with Inbound Inspection this was activated by default in 8.0 and above. 

Highlighted
L4 Transporter

We are not doing inbound inspection I guess I was wondering if it could be done just for the GP VPN portal or if it had to be on everything. which then makes me wonder what type of issues we may run into with inbound inspection 

Highlighted
Cyber Elite

@hshawn,

Ahh okay got it. Inbound inspection can be configured fairly specifically to only include one resource such as GP, but you would really want to test it to verify that you have everything working correctly before enabling it for all external traffic. The good news is you can test by including a simple external IP as the source, so testing is certaintly do-able. 

Additional SSL Inbound Inspection documentation can be found HERE

Highlighted
L4 Transporter

So I gave this a shot, pretty straight forward but it does not look like it will work for something that terminates at the firewall itself (such as the GP VPN portal) the inbound decrypt rule never gets hit and the ssllabs scan still shows no PFS. 

 

 

Highlighted
Cyber Elite

@hshawn,

How exactly are you terminating the GP Portal interface on the firewall? Do you have it configured on a Loopback interface or an actual layer3 interface on the firewall? 

Highlighted
L1 Bithead

@BPry: I am working on this with @hshawn We are using a loopback address on the Firewall.

Highlighted
L4 Transporter

Hi,

 

Did you solve this?

 

We launched ssllabs to a GP portal website and it shows this: 

This server does not support Forward Secrecy with the reference browsers

 

Is there any way to support PFS for GP portal web?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!