06-14-2016 08:29 AM
It has been noted that our GlobalProtect portal is reachable from the internet using port 4443 and is presenting a self-signed cert, which is seen as a security vulnerability. Can you let me know if port 4443 is necessary in terms of GlobalProtect connectivity?
The below comes to mind, but does anyone have any suggestions?
Cheers
Jack
06-14-2016 08:53 AM - edited 06-14-2016 08:54 AM
Hihi,
Actually, your PA web GUI server switches to port 4443 when you have GP enabled. GP runs on port 443.
06-14-2016 08:56 AM
Okay, thanks for the confirmation.
Port 4443 will be needed then, but is there anything else we could do?
06-14-2016 08:59 AM
Hi Jack,
Can you please clarify what exactly you want to achieve?
Thanks,
Mykhaylo
06-15-2016 03:43 AM
Hi Mykhaylo,
Basically, I would like to know if port 4443 is needed. I don't think it is, unless you have set the GP portal to be on the management interface, which isn't the case. If it was, I would need 4443 because that is how you get to the management instead of the portal, on the same interface/IP.
Cheers
Jack
06-15-2016 03:49 AM
I would definitely not allow firewall management from an external interface.
You can check which management profile is attached to the untrust interface if you go to
Network > Interfaces and check the "Management profile" column.
Then go to
Network > Network Profiles > Interface Mgmt
and create a new profile for the WAN side or change the current one.
If you need mgmt access from WAN, then at least limit it down with a security policy to whitelisted IPs.
06-15-2016 03:53 AM
Hi Raido,
Thanks for your response,
However, as said above I'm not using management on an external interface.
Cheers
Jack
06-15-2016 03:58 AM
If you use GlobalProtect and have enabled management on the same interface, then the management port jumps from 443 to 4443.
Are you sure you have not attached an interface management profile to the untrust interface that permits management through this untrust interface?