This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

What ports are needed for site to site IPsec tunnels to work?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

What ports are needed for site to site IPsec tunnels to work?

Go to solution
MarioMarquez
L3 Networker

‎03-14-2019 11:21 AM

We have 2 palo alot firewalls & we are trying to establish a ipsec tunnel between both.  We proved that all vpn configurations are correct and were able to establish the tunnel & pass traffic but only if we add a firewall rule saying allow any/any/any/any at the very top of the rule base, which goes against our security requirements.   Once we deleted the firewall rule the tunnels stopped working.  Simply put, we need to open firewall rules for site to site tunnels to work in our environment.  Does anyone know the Palo Alto TCP/UDP ports to open in order for phase 1 & 2 to go green?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎03-14-2019 11:48 AM

IPSec - UDP 500

IPSec over NAT - UDP 4500

GlobalProtect - TCP 443 and UDP 4501

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

14 REPLIES 14

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎03-14-2019 11:48 AM

IPSec - UDP 500

IPSec over NAT - UDP 4500

GlobalProtect - TCP 443 and UDP 4501

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Go to solution
MarioMarquez
L3 Networker
In response to Raido_Rattameister

‎03-14-2019 11:51 AM

Thanks!  Which zones do these ports need to be opened on?

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to MarioMarquez

‎03-14-2019 02:01 PM

Hello,

The one from the internet, ie untrust.

 

Regards,

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to OtakarKlier

‎03-14-2019 08:40 PM

Usually vpn is terminated on UNTRUST interface.

Unless you have added "block any" rule to the end this traffic is permitted already by "interzone-default" policy.

If you terminate vpn on on some other interface (TRUST, LOOPBACK etc) and have NAT in place then you need to adjust your security policy accordingly.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

Go to solution
MarioMarquez
L3 Networker
In response to Raido_Rattameister

‎03-15-2019 01:15 AM

Can you help me understand what your saying about the default security policy? It doesn't make sense to me. How can something be permitted already because of the inter-zone default policy when the default policy is to deny all inter-zone traffic? It seems like nothing is allowed out if the box accept intra-zone traffic and the rule-1 allow any to untrust.
0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to MarioMarquez

‎03-15-2019 06:29 AM - edited ‎03-15-2019 06:31 AM

Hi I think I had typo in my answer about interzone. If traffic stays in same zone it is intrazone.

 

Basically rules are evaluated top to down.

First one that matches will take effect. Either allows or blocks and based on security profile will check for viruses or not (only allow rules).

If no rule matches then one of last 2 will match.

intrazone-default will match if traffic source and destination is in same zone. For example if traffic from vpn peer will come from internet and you have configured IPSec gateway on WAN interface then this rule will match.

If traffic (based on NAT and virtual router) is destined to some other zone then "interzone-default" will match.

 

Those default rules will not log by default so you don't see any traffic that matches those rules.

To gain this visibility you have to click on the rule and choose "override".

Click on the rule name.

On "Actions" tab check "Log at session end".

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Go to solution
BorisJones
L1 Bithead

‎03-24-2019 01:05 AM

Hi! I suggest install and setting VeePN and servers.
This vpn differs from other vpn providers:
1) Besides vpn you are provided with fully working vps   
a) Personalized configurations for your vpn  
b) Regulated logs
c) Generating your own services, such as http
d) There is no 3rd silent persons, after setting up you are going to be the only owner

0 Likes Likes

Go to solution
Elroykhlo
L1 Bithead
In response to Raido_Rattameister

‎05-07-2020 05:55 PM

Hi,

 

  I am currently encountering an issue, UDP 500 and 4500 are not enough to get site to site vpn tunnel up and running. Is that esp also required to be allowed?

 

THanks

Best Regards,

Elroy

0 Likes Likes

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite
In response to Elroykhlo

‎05-08-2020 06:47 AM

Hello,

I went beyond ports and use the L7 Applications. Including the screen shot below. I also allow ping as some devices send ping to monitor tunnel status.

OtakarKlier_0-1588945648361.png

Hope that helps.

0 Likes Likes

Go to solution
Elroykhlo
L1 Bithead
In response to OtakarKlier

‎05-10-2020 05:35 PM

Hi,

 

  Thanks for your reply. Does that mean UDP 500 and 4500 are not enough and esp is also required? THanks

 

Best Regards,

Elroy

0 Likes Likes

Go to solution
KunalChopra
L2 Linker
In response to Elroykhlo

‎05-10-2020 10:10 PM

ideally if you have allowed ports , then it should work . for better security/clarity , instead of using service ports , you can use ipsec related applications as mentioned in earlier post .

Now , if it is still not working , then i would suggest you to check logs and see what exactly is getting denied and then allow it by ports OR application.

NOTE :- allow logging in default policies to see deny logs if it is hitting those policies

 

Hope it gives you a direction

0 Likes Likes

Go to solution
Elroykhlo
L1 Bithead
In response to KunalChopra

‎05-10-2020 10:14 PM

Thank you so much for your response. In my scenario, I am considering if it is blocking by the intermediate network devices which is mainly port-based. So I have limited visibility on those devices. But thanks again and it gives some insights as well. 

 

Best Regards,

Elroy

0 Likes Likes

Go to solution
KunalChopra
L2 Linker
In response to Elroykhlo

‎05-10-2020 10:18 PM

you should not see any logs in your  firewall if some  intermediate device is blocking it and that way it can be confirmed.

Or if you want to dig in further , just apply packet capture with both ends public ip in filter.

Cheers

 

0 Likes Likes

Go to solution
Elroykhlo
L1 Bithead
In response to KunalChopra

‎05-10-2020 10:58 PM

I have performed a packet capture and see that traffic is encap and no decap is sending back and most likely is using esp. My question is that ipsec should be using udp 500 and 4500 from documents. if I should enable esp as well

Thanks

Best Regards,

Elroy

0 Likes Likes
  • 1 accepted solution
  • 35692 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks