When should I use a non-tunnel mode gateway with GlobalProtect? Also: license needed for HIP? SSL vs. IPSEC?

Showing results for 
Search instead for 
Did you mean: 

When should I use a non-tunnel mode gateway with GlobalProtect? Also: license needed for HIP? SSL vs. IPSEC?

Not applicable

Just getting started with PA, running software version 4.1.6, and I am learning how to set up a VPN to allow remote users into the protected network. We don't have a GlobalProtect license, but single-portal, single-gateway capability is included in the basic PA license as a replacement for NetConnect.

One thing that is not clear is why the GlobalProtect gateway configuration has a checkbox for Tunnel Mode. The Administrator's Guide mentions "non-tunnel mode" very briefly on p. 246, relating it to "internal gateways". These are also mentioned briefly on p. 251.

Can anyone explain what this is for, or more important, whether it's relevant to my configuration? There's just going to be a single PA firewall at the border of the protected network(s).

Also, the PA-4.1 Administrator's Guide discusses setting up HIP objects & profiles for GlobalProtect, but the document "GlobalProtect-Configuring-revE" which I located here doesn't mention this, and in fact I didn't find it to be necessary. Am I correct that the features of HIP (requiring clients to meet certain patch levels & such) are not available without a GlobalProtect license?

Yet another question: are there any reasons to prefer SSL vs. IPSec for the Tunnel mode? The checkbox for "enable IPSec" is on by default, but there's no description on p. 254 of why one might turn it off.

Thanks in advance for any answers.


L5 Sessionator


Please refer page 8 and page 25 of the global protect configuring rev E(https://live.paloaltonetworks.com/docs/DOC-2020) which talks about the tunnel mode, secondly HIP will require a license.

Thank you.

Subijith Raghunandan.

Okay, I still don't quite understand why there's  the option to not use tunnel mode. It seems to be related to internal gateways only, though, so apparently tunnel mode is the correct choice for my install.

Any reason to choose SSL vs. IPSec for data transport? All I could find in either the admin guide or the globalprotect guide was that "The SSL-VPN client may also operate in IPSec mode (if configured on the firewall) for efficient transport of data" (p. 231) and that if the IPSec option is chosen, IPSec will be primary but SSL will still be available as a fallback (pp. 246, 254).

So it seems that the IPSec checkbox should be checked, but the documentation isn't very informative.

Depends on which IPSec mode aswell... ESP (tunnel mode - full packet is encrypted and given a new header) or AH (transport mode - only payload is encrypted, keeping original header regarding srcip, dstip etc)?

Also given the findings of BEAST and now recently CRIME there could be situations where choosing SSL-VPN wont be such a good option after all.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!