What ports are needed for site to site IPsec tunnels to work?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

What ports are needed for site to site IPsec tunnels to work?

L3 Networker

We have 2 palo alot firewalls & we are trying to establish a ipsec tunnel between both.  We proved that all vpn configurations are correct and were able to establish the tunnel & pass traffic but only if we add a firewall rule saying allow any/any/any/any at the very top of the rule base, which goes against our security requirements.   Once we deleted the firewall rule the tunnels stopped working.  Simply put, we need to open firewall rules for site to site tunnels to work in our environment.  Does anyone know the Palo Alto TCP/UDP ports to open in order for phase 1 & 2 to go green?

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

IPSec - UDP 500

IPSec over NAT - UDP 4500

GlobalProtect - TCP 443 and UDP 4501

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

14 REPLIES 14

Cyber Elite
Cyber Elite

IPSec - UDP 500

IPSec over NAT - UDP 4500

GlobalProtect - TCP 443 and UDP 4501

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks!  Which zones do these ports need to be opened on?

Hello,

The one from the internet, ie untrust.

 

Regards,

Usually vpn is terminated on UNTRUST interface.

Unless you have added "block any" rule to the end this traffic is permitted already by "interzone-default" policy.

If you terminate vpn on on some other interface (TRUST, LOOPBACK etc) and have NAT in place then you need to adjust your security policy accordingly.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Can you help me understand what your saying about the default security policy? It doesn't make sense to me. How can something be permitted already because of the inter-zone default policy when the default policy is to deny all inter-zone traffic? It seems like nothing is allowed out if the box accept intra-zone traffic and the rule-1 allow any to untrust.

Hi I think I had typo in my answer about interzone. If traffic stays in same zone it is intrazone.

 

Basically rules are evaluated top to down.

First one that matches will take effect. Either allows or blocks and based on security profile will check for viruses or not (only allow rules).

If no rule matches then one of last 2 will match.

intrazone-default will match if traffic source and destination is in same zone. For example if traffic from vpn peer will come from internet and you have configured IPSec gateway on WAN interface then this rule will match.

If traffic (based on NAT and virtual router) is destined to some other zone then "interzone-default" will match.

 

Those default rules will not log by default so you don't see any traffic that matches those rules.

To gain this visibility you have to click on the rule and choose "override".

Click on the rule name.

On "Actions" tab check "Log at session end".

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L1 Bithead

Hi! I suggest install and setting VeePN and servers.
This vpn differs from other vpn providers:
1) Besides vpn you are provided with fully working vps   
a) Personalized configurations for your vpn  
b) Regulated logs
c) Generating your own services, such as http
d) There is no 3rd silent persons, after setting up you are going to be the only owner

Hi,

 

  I am currently encountering an issue, UDP 500 and 4500 are not enough to get site to site vpn tunnel up and running. Is that esp also required to be allowed?

 

THanks

Best Regards,

Elroy

Hello,

I went beyond ports and use the L7 Applications. Including the screen shot below. I also allow ping as some devices send ping to monitor tunnel status.

OtakarKlier_0-1588945648361.png

Hope that helps.

Hi,

 

  Thanks for your reply. Does that mean UDP 500 and 4500 are not enough and esp is also required? THanks

 

Best Regards,

Elroy

ideally if you have allowed ports , then it should work . for better security/clarity , instead of using service ports , you can use ipsec related applications as mentioned in earlier post .

Now , if it is still not working , then i would suggest you to check logs and see what exactly is getting denied and then allow it by ports OR application.

NOTE :- allow logging in default policies to see deny logs if it is hitting those policies

 

Hope it gives you a direction

Thank you so much for your response. In my scenario, I am considering if it is blocking by the intermediate network devices which is mainly port-based. So I have limited visibility on those devices. But thanks again and it gives some insights as well. 

 

Best Regards,

Elroy

you should not see any logs in your  firewall if some  intermediate device is blocking it and that way it can be confirmed.

Or if you want to dig in further , just apply packet capture with both ends public ip in filter.

Cheers

 

I have performed a packet capture and see that traffic is encap and no decap is sending back and most likely is using esp. My question is that ipsec should be using udp 500 and 4500 from documents. if I should enable esp as well

Thanks

Best Regards,

Elroy

  • 1 accepted solution
  • 30989 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!