Queries on IKE and GP Gateway

Reply
Highlighted
L4 Transporter

Queries on IKE and GP Gateway

Hello,

 

We are planning to use Faster Link (400MB) as our primary link in our org.

Once we get this link running, we can get it setup with GlobalProtect and start setting up the remote sites to connect to that link as a secondary tunnel until we are ready to flick the switch and make it a primary.

 

Below are some questions we got.

 

1. Is it possible to setup an IKE Gateway and a Global Protect gateway on the same IP?

2. Is there a best practice against doing that?

3. If there is a best practice not to do that then (for now at least) I’d need an IKE gateway setup on that interface so we can start programming the remote sites to come in on that new link. Is it possible?

 

4. When it comes to programming the new tunnels on the interstate firewalls, if we somehow manage to break the existing SSL tunnel, do we have a backdoor to get back into the device?

5. Alternatively is there the functionality in the firewalls to do something like a restart in 10 mins, like the cisco routers?

 

Thanks in advance.

 

 

Highlighted
L7 Applicator

Re: Queries on IKE and GP Gateway

1. Yes,

2. No, But I would recommend running GlobalProtect on a loopback interface as it is a portal on sslwhich has a wider attack surface, having it on a loopback will help protect it better through security policies and 'distance' from the physical interface

3. it's not not-recommended

4. you could set up globalprotect for users before touching any of the existing site to site tunnels. you can also enable a management profile on a dataplane interface, but i strongly recommend not opening that to the internet as this exposes the management interface to attack

5. no there isn't. There is a feature request, so if you reach out to your local sales team, they can add your vote to FR ID: 204

reaper - PANgurus.com
I drink and I know things
Highlighted
Cyber Elite

Re: Queries on IKE and GP Gateway

Hello,

my response to #4.:

 

If you do this, lock it down with security policies that its only accessible from your main sites IP address. For this type of setup i recommend that the satelite sites are full tunnels to the main site and if the link goes down, its down, i.e. no split tunnel.

 

Regards,

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!