Has anyone configured PFS on their Global Protect Portal?
Any snags? Is this even possible for the inbound connections to the portal?
PFS is enabled by default for Forward Proxy in anything above/at 7.1, and with Inbound Inspection this was activated by default in 8.0 and above.
We are not doing inbound inspection I guess I was wondering if it could be done just for the GP VPN portal or if it had to be on everything. which then makes me wonder what type of issues we may run into with inbound inspection
Ahh okay got it. Inbound inspection can be configured fairly specifically to only include one resource such as GP, but you would really want to test it to verify that you have everything working correctly before enabling it for all external traffic. The good news is you can test by including a simple external IP as the source, so testing is certaintly do-able.
Additional SSL Inbound Inspection documentation can be found HERE
So I gave this a shot, pretty straight forward but it does not look like it will work for something that terminates at the firewall itself (such as the GP VPN portal) the inbound decrypt rule never gets hit and the ssllabs scan still shows no PFS.
How exactly are you terminating the GP Portal interface on the firewall? Do you have it configured on a Loopback interface or an actual layer3 interface on the firewall?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!