Zone Protection - to or from



Is Zone Protection applied from or to the zone?


@BPry

So to the portal is SSL, but it looks like IPSec is applied somewhere in this process, since there is a GlobalProtect IPSec Crypto profile applied.

@jdprovine,

IPSec can be used if the GlobalProtect gateway configuration has the 'Enable IPSec' box checked; it's also required if you are using XAuth.

SSL VPN connections are traditionally allowed in more places, where IPSec may be blocked for security reasons; most of the environments that my users find themselves in will see the IPSec negotiation fail and they will simply stay on SSL. Once the SSL session is established to the gateway, the SSL session is used by the gateway to update the client with the encryption and authentication algorithms, keys, and the SPI the agent should use to set up the IPSec tunnel. Once that information is exchanged, the agent attempts to form a tunnel with the provided information, and if successful switches to the IPSec tunnel.

Essentially it'll look like this, all in the SSL session:

1. GP agent sends the Client Hello.

2. GP Gateway sends the Server Hello and server cert.

3. GP agent sends client cert (maybe/optionally), Client Key Exchange, Change Cipher Spec, Finished message.

    GP Gateway, upon the Finished message, will change cipher spec and send its own Finished message.

4. GP Gateway auths the agent.

    GP agent performs a config request.

    GP Gateway responds with the config.

5. The IPSec tunnel setup process takes place, and if successful the agent moves traffic towards the IPSec tunnel; otherwise it will continue to utilize the SSL VPN connection instead of switching to the IPSec connection.

 

I would say that the majority of installations have no reason to even set up the IPSec process, especially since GP only supports SHA1 crypto. The majority of connections for most environments will stay on the SSL connection, either due to the necessary ports for IPSec formation being blocked or because the IPSec tunnel simply fails to form properly. In my experience, enabling IPSec on the Gateway can present more issues for the agent actually establishing the connection; if you leave it as SSL, I've had far fewer issues with agent access.

@BPry

We do have XAuth and IPSec enabled on the gateway. (attachment: gateway.PNG)

@BPry

As I was looking at the configuration of the Zone Protection profile that I want to apply to my outside zone, it crossed my mind: how am I going to be able to apply it to my outside zone if it keeps my GP VPN from working, even though it says that traffic is allowed?

@jdprovine,

I would work towards trying to figure out exactly why GP is failing when you have Zone Protection enabled; it shouldn't if everything is set up correctly. I'd maybe call TAC and see if they can go through the logs for you to see what exactly happened; I'm guessing that a configuration elsewhere is causing the 'alert' to not be honored and is truly resetting traffic, or something like that.

@BPry

I submitted a case to TAC. I will let you know what they find out.

@BPry

I took your suggestion and did this:

"I would create a custom report that targets the Traffic Log database sorted by bytes and grouped by the Inbound Interface. This should give you a good idea of which zones you should actually target"

It did not turn out at all like I thought it would. Is it possible to have several untrust zones? It looks like a majority of our traffic has more to do with the outside into our dorms. The zone I picked, called outside, only had traffic at around 200kb per hour.
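The report BPry suggests (traffic log grouped by inbound interface, sorted by bytes) can be reproduced offline from a CSV export of the traffic log. The following is an added example, not code from the thread or from Palo Alto Networks; the log rows are constructed and the column names are assumptions that mirror a subset of the PAN-OS traffic-log export, so adjust them to your own export. The second function also shows why one zone name can hide several sub-interfaces, which is the point BPry makes about multiple 'outside' zones.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows shaped like a PAN-OS traffic-log CSV export
# (hypothetical interface names, zone names and byte counts).
SAMPLE_TRAFFIC_LOG = """\
receive_time,from_zone,to_zone,inbound_if,outbound_if,bytes
2024/01/01 10:00:01,OUTSIDE,LIVING,ethernet1/21.299,ethernet1/5.100,1500000
2024/01/01 10:00:02,OUTSIDE,LIVING,ethernet1/21.299,ethernet1/5.100,2500000
2024/01/01 10:00:03,OUTSIDE,INSIDE,ethernet1/22.300,ethernet1/3,40000
2024/01/01 10:00:04,LIVING,OUTSIDE,ethernet1/5.100,ethernet1/21.299,300000
2024/01/01 10:00:05,outside,INSIDE,ethernet1/20,ethernet1/3,200000
"""


def summarize_by_inbound_interface(log_text):
    """Group sessions by (inbound interface, source zone) and sort by bytes.

    Returns a list of (inbound_if, from_zone, total_bytes, session_count)
    tuples, largest byte count first, i.e. the same shape as the custom
    report suggested in the thread.
    """
    totals = defaultdict(lambda: [0, 0])  # key -> [bytes, sessions]
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["inbound_if"], row["from_zone"])
        totals[key][0] += int(row["bytes"])
        totals[key][1] += 1
    return sorted(
        ((iface, zone, b, n) for (iface, zone), (b, n) in totals.items()),
        key=lambda r: r[2],
        reverse=True,
    )


def interfaces_by_zone(log_text):
    """Map each zone name to the set of interfaces seen terminating in it.

    A zone with several entries here is the "multiple sub-interfaces in one
    OUTSIDE zone" situation; zone names that differ only by case count as
    distinct zones on the firewall, so they are kept distinct here too.
    """
    zones = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        zones[row["from_zone"]].add(row["inbound_if"])
        zones[row["to_zone"]].add(row["outbound_if"])
    return dict(zones)


if __name__ == "__main__":
    for iface, zone, total, count in summarize_by_inbound_interface(SAMPLE_TRAFFIC_LOG):
        print(f"{iface:20} {zone:10} {total:>12} bytes  {count} sessions")
    for zone, ifaces in interfaces_by_zone(SAMPLE_TRAFFIC_LOG).items():
        print(f"zone {zone}: {sorted(ifaces)}")
```

Run against a real export, the first row of the summary is the interface actually carrying the ISP traffic, which is the one a Zone Protection profile aimed at the internet edge needs to cover; a zone whose interfaces all sit near the bottom of the list is a poor candidate for "the" outside zone.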

@jdprovine,

Without knowing how your zones are actually organized, it's possible that your 'outside' zone isn't even where your ISP terminates; it's also possible to have multiple different 'outside' zones depending on your configuration.

Is it possible to share a screenshot of that report? That may provide enough insight to actually say "zone so-and-so is likely this". Right now, without knowing what your zones are, what interfaces terminate in which zone, and what those interfaces are connected to, it's extremely difficult to provide any useful insight. The most I can offer right now is that if your 'outside' zone is only at 200kb per hour, this likely isn't where your ISP connection terminates.

@BPry

Here is a screenshot; zones are listed as source and destination. (attachment: inbound.PNG)

@jdprovine,

This makes things make a little more sense. With as many sub-interfaces as you have, I wouldn't be surprised if a few things are happening.

1) You have at least 2 sub-interfaces terminating in your 'OUTSIDE' zone. The listing for ethernet1/21.299 shows what could be traffic actually coming in from your ISP. The listing for ethernet1/22.300 is small and may be a redundant link to your ISP?

2) In your environment I would suspect that LIVING (dorms?) would always be higher than pretty much anything else in your environment.

@BPry

Yes, I think it is a bit complicated, and almost every one of these interfaces is layer 3 (I did not do the original configuration). I am going to have to rethink Zone Protection for the untrust zone. I am not sure how others have configured their firewall, and if it is normal to have so many layer 3 interfaces or so many untrust/outside zones.

I think there is some redundancy in the ISP, but I'm not 100% sure where it occurs. But my plan with the zone protections was primarily to protect against internet traffic (from the outside) attacking the internal network; is that the best use of Zone Protection?

@BPry @Mick_Ball @OtakarKlier

Anyone heard of "snooping IP address" on the Zone Protection profile? TAC just told me to disable it on Zone Protection, but I've never heard of it and I don't see that option on Zone Protection.

@jdprovine,

I'm going to guess that they likely meant 'Spoofed IPs', not Snooped. Essentially, Spoofed IPs uses the routing table to verify that the traffic is ingressing from the proper interface. If it isn't, then it's considered a spoofed IP address and will be dropped by ZP. I'd caution against enabling that feature if you use any PBF, though; I've seen it cause a few issues in that scenario.

@BPry

Yeah, I figured it was the tech's lack of knowledge of the spoken or written English word which was the real issue, which I have complained about in the past, but it only seems to get worse.

I do have Spoofed IP address enabled on my Zone Protection profile.

@jdprovine,

Are you using PBF, and does your GlobalProtect actually have defined routes within your routing table? This may help explain why ZP caused issues for your VPN environment.
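The Spoofed IP check BPry describes is a reverse-path check: look up the source address in the routing table and compare the interface the route points out of with the interface the packet arrived on. The following is an added example, not code from the thread or from Palo Alto Networks, that models that logic over a constructed routing table; the interface names, prefixes and the GlobalProtect client pool are hypothetical. It also shows the case BPry's last question is probing: if the GP client pool has no route pointing at the tunnel interface, the pool falls under the default route towards the ISP, so every VPN packet arriving on the tunnel looks spoofed and is dropped.

```python
import ipaddress

# Constructed routing table: (prefix, egress interface). Longest prefix wins.
ROUTES_WITH_GP = [
    ("0.0.0.0/0", "ethernet1/21.299"),   # default route towards the ISP
    ("10.10.0.0/16", "ethernet1/5.100"),  # dorm (LIVING) network
    ("172.16.50.0/24", "tunnel.1"),       # hypothetical GlobalProtect client pool
]

# Same table with the GP pool route missing, the misconfiguration being probed.
ROUTES_WITHOUT_GP = ROUTES_WITH_GP[:2]


def lookup_egress_interface(routes, ip):
    """Return the interface the firewall would use to reach ip (longest-prefix match)."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def is_spoofed(routes, src_ip, ingress_if):
    """Spoofed-IP logic as described in the thread.

    The packet is treated as spoofed when the route back to src_ip does not
    leave through the interface the packet came in on. Anything that makes the
    forwarding path asymmetric (PBF steering traffic out a different interface,
    or a subnet with no route at all) will trip this check on legitimate traffic.
    """
    return lookup_egress_interface(routes, src_ip) != ingress_if


def evaluate(routes, packets):
    """Classify (src_ip, ingress_if) pairs; returns list of (src_ip, ingress_if, action)."""
    return [
        (src, iface, "drop (spoofed)" if is_spoofed(routes, src, iface) else "allow")
        for src, iface in packets
    ]


# Constructed packets: a GP client on the tunnel, a real internet source on the
# ISP link, and a dorm-range address arriving from the internet (classic spoof).
SAMPLE_PACKETS = [
    ("172.16.50.7", "tunnel.1"),
    ("198.51.100.9", "ethernet1/21.299"),
    ("10.10.3.4", "ethernet1/21.299"),
]

if __name__ == "__main__":
    print("with GP pool route:")
    for row in evaluate(ROUTES_WITH_GP, SAMPLE_PACKETS):
        print("  ", row)
    print("without GP pool route:")
    for row in evaluate(ROUTES_WITHOUT_GP, SAMPLE_PACKETS):
        print("  ", row)
```

When the pool route is present, the VPN client passes and the dorm address arriving from the ISP link is the only drop; remove the pool route and the VPN client is dropped as well, which is the symptom of GP breaking as soon as the profile is attached to the zone. Checking that every source range that can legitimately enter a zone has a route pointing back out that zone's interfaces is the practical test to run before enabling the option.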
