SSL VPN - Basic Questions


Not applicable

What basic steps have to be completed to allow a remote user to enter an IP address in their browser and get the SSL VPN authentication screen? We currently get an eventual timeout when we try to connect from a browser. We followed the basic GlobalProtect setup steps, but I am wondering whether there is something 'dumb' that we are missing.

Thanks!


L7 Applicator

Hello Shank,

Here is a good document to start initial troubleshooting: ?

You can verify the session information on the PAN firewall CLI to understand where the packet is getting dropped.

Are you trying to access the portal from inside the network (from the firewall's standpoint) or from the public internet?

How To Access External GP Portal/GW From Inside The Firewall

Hope this helps.

Thanks

Not applicable

From the public side of the firewall.

Not applicable

Also, I get 'unauthorized' when I try to view the first link you provided. Thanks!

FYI, from the doc "Globalprotect portal uses web-browsing ?":
1) Do both ssl and web-browsing need to be allowed for the GP portal to connect? In the customer's case we needed to allow both SSL and web-browsing in order to display the GP portal page.

PA-5050, PAN-OS 5.0.4

Tested in the lab with PAN-OS 5.0.11 as well, and found that we need both SSL and web-browsing allowed for the GP portal page to be displayed.

2) The web-browsing application that is identified when we access the GP portal page uses port 443 instead of 80. The customer needs to know why.

        c2s flow:
                source:      115.114.47.125 [untrust]
                dst:         86.36.50.9
                proto:       6
                sport:       15579          dport:      443
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
        s2c flow:
                source:      86.36.50.9 [SSL-VPN]
                dst:         115.114.47.125
                proto:       6
                sport:       20077           dport:      15579
                state:       ACTIVE          type:       FLOW
                src user:    unknown
                dst user:    unknown
                qos node:    ethernet1/13, qos member N/A Qid -2
        start time                    : Sun Apr 27 18:46:24 2014
        timeout                       : 60 sec
        time to live                  : 52 sec
        total byte count(c2s)         : 7467
        total byte count(s2c)         : 55677
        layer7 packet count(c2s)      : 79
        layer7 packet count(s2c)      : 45
        vsys                          : vsys1
        application                   : web-browsing
        rule                          : test vpn
        session to be logged at end   : True
        session in session ager       : True
        session synced from HA peer   : False
        address/port translation      : source + destination
        nat-rule                      : (vsys1)
        layer7 processing             : completed
        URL filtering enabled         : False
        session via syn-cookies       : False
        session terminated on host    : True
        session traverses tunnel      : False
        captive portal session        : False
        ingress interface             : ethernet1/13
        egress interface              : loopback.1
        session QoS rule              : N/A (class 4)
        session tracker stage l7proc  : proxy timer expired

3) When we access the GP portal page, the monitor logs show DECRYPTED checked. There is no decryption policy enabled on the firewall, so why is this session shown as decrypted?



ANS:


1. Re: Globalprotect portal uses web-browsing ?

1. Yes, you need to allow both ssl and web-browsing for GP page to work. This assumes you have a default deny-all policy, which is not standard. If you don't have a deny-all policy, the GP page is on the same zone as the client requesting the page (usually) and is allowed implicitly.


2. Any connection that is decrypted will show the real application (see answer below). SSL is an application only when we cannot decrypt the session and determine what is happening under the SSL transport.


3. The reason it is decrypted is because the firewall itself is handling the SSL connection. There is nothing to decode because the firewall has the private & public key.
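One way to read that session output mechanically, as an added example that is not part of the original thread and not Palo Alto Networks tooling: the Python below parses the `show session id` dump posted above (reduced to the fields it uses) and turns it into the three answers given here, plus a check of which App-IDs a portal allow-rule still lacks. The sample dump, the field names it keys on, and the reading of `session terminated on host: True` as the firewall itself terminating the TLS are taken from this thread; the function names and the heuristics in `explain_portal_session` are my own.

```python
"""Read a PAN-OS `show session id <n>` dump and say what it tells you about a
GlobalProtect portal connection. Added example for this thread; the parser and
its heuristics are mine, not Palo Alto Networks code."""
import re

# Constructed sample: the session dump posted earlier in the thread, trimmed
# to the fields the functions below look at.
SESSION_DUMP = """\
        c2s flow:
                source:      115.114.47.125 [untrust]
                dst:         86.36.50.9
                proto:       6
                sport:       15579          dport:      443
                state:       ACTIVE          type:       FLOW
        s2c flow:
                source:      86.36.50.9 [SSL-VPN]
                dst:         115.114.47.125
                proto:       6
                sport:       20077           dport:      15579
                state:       ACTIVE          type:       FLOW
        start time                    : Sun Apr 27 18:46:24 2014
        application                   : web-browsing
        rule                          : test vpn
        address/port translation      : source + destination
        session terminated on host    : True
        session traverses tunnel      : False
        ingress interface             : ethernet1/13
        egress interface              : loopback.1
"""

FLOW_HDR = re.compile(r"^\s*(c2s|s2c) flow:\s*$")
# Flow lines pack several "key: value" pairs on one line; a value may end in a [zone].
FLOW_KV = re.compile(r"([a-z][a-z ]*?):\s+(\S+(?: \[[^\]]*\])?)")
# Session-level lines pad the colon with spaces: "key        : value".
GLOBAL_KV = re.compile(r"^\s*(.+?)\s+:\s+(.*?)\s*$")

# The thread's finding: the portal needs both App-IDs allowed, because the session
# is seen as ssl until the firewall terminates the TLS, then as web-browsing.
PORTAL_APPS = {"ssl", "web-browsing"}


def parse_session(dump):
    """Return {'c2s': {...}, 's2c': {...}, 'fields': {...}} from the dump text."""
    out = {"c2s": {}, "s2c": {}, "fields": {}}
    flow = None
    for line in dump.splitlines():
        if not line.strip():
            continue
        m = FLOW_HDR.match(line)
        if m:
            flow = m.group(1)
            continue
        m = GLOBAL_KV.match(line)
        if m:                        # padded colon: session-level field, flows are over
            out["fields"][m.group(1)] = m.group(2)
            flow = None
            continue
        if flow:                     # unpadded "key: value" pairs inside a flow
            for key, val in FLOW_KV.findall(line):
                out[flow][key] = val
    return out


def split_zone(addr):
    """'86.36.50.9 [SSL-VPN]' -> ('86.36.50.9', 'SSL-VPN'); no zone -> (addr, None)."""
    m = re.fullmatch(r"(\S+)(?: \[([^\]]*)\])?", addr)
    return (m.group(1), m.group(2)) if m else (addr, None)


def portal_rule_gap(allowed_apps):
    """App-IDs a portal allow-rule still lacks (empty set means the rule is complete)."""
    return PORTAL_APPS - set(allowed_apps)


def explain_portal_session(session):
    """Turn a parsed dump into the answers the thread arrived at, keyed by topic."""
    f, c2s, s2c = session["fields"], session["c2s"], session["s2c"]
    terminated = f.get("session terminated on host") == "True"
    app = f.get("application")
    out = {}
    if c2s.get("dport") == "443" and app == "web-browsing":
        out["app_id"] = (
            "web-browsing on tcp/443: the firewall terminates the TLS itself, so it sees "
            "the HTTP inside and logs the session as decrypted"
            if terminated else
            "web-browsing on tcp/443 but not terminated on host: a decryption policy "
            "is decrypting this session")
    elif app == "ssl":
        out["app_id"] = "ssl: the firewall cannot see inside this TLS session"
    src_ip, src_zone = split_zone(c2s.get("source", ""))
    dst_ip, dst_zone = split_zone(s2c.get("source", ""))   # s2c source is the server side
    out["path"] = (f"{src_ip} ({src_zone}) -> {dst_ip} ({dst_zone}), "
                   f"ingress {f.get('ingress interface')}, egress {f.get('egress interface')}")
    if terminated and f.get("egress interface", "").startswith("loopback"):
        out["path"] += "; egress is the portal's loopback, so the packet reached the portal"
    if "rule" in f:
        out["policy"] = f"matched security rule '{f['rule']}'"
    if f.get("address/port translation", "none") != "none":
        out["nat"] = f"NAT applied: {f['address/port translation']}"
    return out


if __name__ == "__main__":
    for topic, text in explain_portal_session(parse_session(SESSION_DUMP)).items():
        print(f"{topic:7} {text}")
    print("rule gap for [ssl] only:", portal_rule_gap(["ssl"]))
```

Paste the full output of `show session id <n>` into `SESSION_DUMP` to run it against a live session; if the dump shows `application: ssl` with `session terminated on host: False`, the packet never reached the portal's own listener, which is where the original poster's timeout should be looked for (NAT, routing to the loopback, or the security rule missing web-browsing).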
