This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

unknown ikev2 peer - PA1420 running PAN-OS 11.0.1-h1

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

unknown ikev2 peer - PA1420 running PAN-OS 11.0.1-h1

Go to solution
Manu_P
L2 Linker

‎11-01-2023 05:55 AM

So, i have this type of errors in my logs and i really dont know how to tackle them.

No other info, like for example who is the peer that generates this event, like i used to get on an older PA device also running an older PANOS version

 

Manu_P_0-1698843190615.png

 

 

Any ideas?

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎11-01-2023 10:33 AM

You will get rid of noise coming from internet by permitting incoming VPN only from your peer IPs.

 

To figure out what IP is trying to connect you need to look into ikemgr.log log by using commands below

less mp-log ikemgr.log

tail follow yes mp-log ikemgr.log (updates log output in real time)

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

3 REPLIES 3

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite

‎11-01-2023 10:33 AM

You will get rid of noise coming from internet by permitting incoming VPN only from your peer IPs.

 

To figure out what IP is trying to connect you need to look into ikemgr.log log by using commands below

less mp-log ikemgr.log

tail follow yes mp-log ikemgr.log (updates log output in real time)

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Go to solution
Manu_P
L2 Linker
In response to Raido_Rattameister

‎11-02-2023 02:54 AM

Thanks, that did it (not doing much ike troubleshooting so i forgot about that log)

Still, i wished PanOS to display that info in the system monitor logs

 

Anyway, you said this:

"You will get rid of noise coming from internet by permitting incoming VPN only from your peer IPs"

 

How? i did not set an explicit rule to allow incoming vpn - i assumed the firewall did that behind the scene

Or do you mean to setup an explicit deny all incoming ike rule, with exception for an address group containing all my ike-gateways-ip-addresses?

 

 

0 Likes Likes

Go to solution
Raido_Rattameister
Cyber Elite
Cyber Elite
In response to Manu_P

‎11-02-2023 05:23 AM

You can add security policy

Source zone - WAN

Destination zone - WAN

Source IP - Your and your peer IPs that terminate IPSec

Destination IP - Your and your peer IPs that terminate IPSec

Application - ipsec

 

And at the end of the ruleset "block any" rule.

 

IPSec works because of "intrazone-default" rule permitting same zone traffic.

 

Be careful when you add "block any" rule because you might have other traffic relying on this intrazone-default rule.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 1 accepted solution
  • 3689 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks