GlobalProtect authentication blocked by home firewall

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect authentication blocked by home firewall

L0 Member

I use GlobalProtect to connect to my employer's network from my home Wifi.

However, the GP authentication requires port 8443, and this is not compatible with maintaining the highest security firewall settings on my Xfinity Gateway.     Every time I connect, therefore, I have to change the Gateway firewall to a lower security setting.      For personal cybersecurity reasons,  I'd like to maintain the highest security firewall settings all the time.     Can PaloAlto fix this problem, for example, by using port 443 rather than 8443?   Is there some other way of fixing this?

4 REPLIES 4

Cyber Elite
Cyber Elite

Hello,

 

What authentication is setup for GlobalProtect? GlobalProtects portal operates on port 443 and I don't believe this can be changed.

 

Also what is your personal router blocking port 8443 for? Because its a non-default port for SSL?

Xfinity gives very limited options. This is the Firewall IPv4 settings for the Xfinity gateway that I have.   You ca choose High, Typical, or Low security settings.     Our IT support department tells me that the High setting blocks port 8443, and that this is what is causing GlobalProtect to just get stuck on the samlpost web page.    

So my personal router is NOT using 8443.   Rather GP is trying to use it and is getting blocked.    That's all I know.

Cyber Elite
Cyber Elite

Oh gotcha, that would be related to the saml configuration used for authentication that your login relies on then and not GlobalProtect itself. You would need to work with/look at the SAML authentication you have set up and are using for authentication to see what the options are. 

Cyber Elite
Cyber Elite

@bfaull,

XFinity themselves don't recommend running maximum/high security for this exact reason. Unfortunately since you don't appear to be in control of the PAN side of things that you're connecting to, changing SAML to use 443 isn't going to be an option for you.

You'll either need to lower your security to Typical so that SAML can complete and you can get connected, or if you have the option on your gateway set things to custom and open what you need. There's really not a way around this since your IT department isn't going to completely change their configuration because of an option you set on your home equipment.

  • 1661 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!