01-17-2018 11:48 AM
So to the portal is SSL, but it looks like IPSec is applied somewhere in this process since there are globalprotect IPSec Crypto profile applied.
01-17-2018 01:03 PM
IPSec can be used if the GlobalProtect gateway configuration 'Enable IPSec' box checked; it's also required if you are using XAuth.
SSL VPN connections are are traditionally allowed in more places where IPSec may be blocked for security reasons, most of the enviroments that my users find themselves in will see the IPSec negotiation fail and they will simply stay on SSL. Once the SSL session is established to the gateway, the SSL session is used by the gateway to update the client with the encryption and authentication algorithms, keys, and the SPI the agent should use to setup the IPSec tunnel. Once that information is exchanged the agent attempts to form a tunnel with the provided information, and if successful switches to the IPSec tunnel.
Essentially it'll look like this, all in the SSL Session:
1. GP agent sends the Client Hello
2. GP Gateway sends the Server Hello, Server cert.
3. GP agent sends client cert (maybe/optionally), Client key exchange, change cipher, finished message
GP Gateway upon finished message will change cipher spec, send it's own finished message.
4. GP Gateway Auths agent
GP agent Performs a config request
GP Gateway responds with the config
5. The IPSec tunnel setup process takes place, and if successful the agent motions traffic towards the IPSec tunnel; otherwise it will continue to utilzie the SSL VPN connection instead of switching to the IPSec connection.
I would say that the majority of installations have no reason to even setup the IPSec process, esspecially since GP only supports sha1 crypto. The majority of connections for most enviroments will stay on the SSL connection either due to the necessary ports for IPSec formation being blocked or because the IPsec tunnel simply fails to form properly. In my experience enabling IPSec on the Gateway can present more issues for the agent actually establishing the connection; if you leave it as SSL I've had far less issues with agent access.
01-19-2018 11:07 AM
As I was looking at the configuration of my Zone protection that I want to apply to my outside zone it crossed my mind that how am I going to be able to apply it to my outside zone if it keeps my GP VPN from working even though it says that traffic is allowed
01-19-2018 11:23 AM
I would work towards trying to figure out exactly why GP is failing when you have Zone Protection enabled; it shouldn't if everything is setup correctly. I'd maybe call TAC and see if they can go through the logs for you to see what exactly happened; I'm guessing that a configuration elsewhere is causing the 'alert' to not be honered and is truly resetting traffic or something like that.
01-23-2018 11:23 AM
I took your suggestion and did this
"I would create a custom report that targets the Traffic Log database sorted by bytes and grouped by the Inbound Interface. This should give you a good idea of which zones you should actually target"
It did not turn out at all like I thought it would, is it possible to have several untrust zones? It looks like a majority of our traffic has more to do with the outside into our dorms. The zone I picked called outside only had traffic at around 200kb per hour.
01-23-2018 11:35 AM
Without knowing how your zones are actually organized it's possible that your 'outside' zone isn't even where your ISP terminates; it's also possible to have multiple different 'outside' zones depending on your configuration.
Is it possible to either share a screenshot of that report, that may provide enough insight to actually say "zone so and so is likely this". Right now without knowing what your zones are, and what interfaces terminate in which zone and what those interfaces are connected to, it's extremely difficult to provide any useful insight. The most I can offer right now is that if your 'outside' zone is only at 200kb per hour this likely isn't where your ISP connection terminates.
01-23-2018 11:51 AM
This makes things make a little more sense. With as many sub-interfaces you have I wouldn't be suprised if a few things are happening.
1) You have at least 2 sub-interfaces terminating in your 'OUTSIDE' zone. The listing for ethernet1/21.299 shows what could be traffic actually coming in from your ISP. The listing for ethernet1/22.300 is small and likely may be a redundant link to your ISP?
2) In your enviroment I would suspect that LIVING (dorms?) would always be higher than pretty much anything else in your enviroment.
01-23-2018 12:07 PM
Yes I think it is a bit complicated and almost every one of these interfaces is layer 3( I did not do the original configuration) . I am going to have to rethink Zone protection for the untrust zone. I am not sure how others have configured their firewall and if it is normal to have so many layer 3 interfaces or some many untrust/outside zones.
I think there is some redundancy in the ISP but not 100% where it occurs. But my plan with the zone protections was primarily to protect internet traffic (from the outiside) to attacking the internal network, is that the best use of Zone protection?
01-24-2018 06:26 AM
Anyone heard of snooping IP address on the zone protection profile? TAC just told be to disable it on zone protecion but I've never heard of it and I don't see that option on zone protection
01-24-2018 06:35 AM
I'm going to guess that they likely meant 'Spoofed IPs' not Snooped. Essentially spoofed IPs uses the routing table to verify that the traffic is ingressing from the proper interface. If it isn't, then it's considered a spoofed IP address and will be dropped by ZP. I'd caution enabling that feature if you use any PBF though, I've seen it cause a few issues in that scenario.
01-24-2018 06:44 AM
Yeah I figured it was the tech lack of the knowledge of the spoke or written english word which was the real issue, which i have complained about in the past but it only seems to get worse.
I do have spoofed IP address enabled on my zone protection profile
01-24-2018 06:46 AM
Are you using PBF, and does your GlobalProtect actually have defined routes within your routing table. This may help explain why ZP caused issues for your VPN enviroment.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
