Port 4443

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Port 4443

L3 Networker

It has been noted that our global protect portal is reachable from the internet using port 4443 and is presenting a self signed cert which is seen as a security vulnerability. Can you let me know if port 4443 is necessary in terms of GlobalProtect connectivity?

 

The below comes to mind, but does anyone have any suggestions?

 

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Access-the-WebGUI-when-GlobalProtect...

 

Cheers

Jack

 

7 REPLIES 7

L3 Networker

Hihi,

 

Actually your WEB GUI  PA server switched to the port 4443 when you have GP enabled. GP running on the port 443.

Okay, thanks for the confirmation.

 

Port 4443 will be needed then, but is there anything else we could do?

Hi Jack,

 

can you please clarify what exactly do you want to achieve?

 

Thank,

Mykhaylo

Hi Mykhaylo,

 

Basically, I would like to know if port 4443 is needed. I don't think it is, unless you have set the GP portal to be on the management interface, which isn't the case. If it was, I would need 4443 because that is how you get to the management instead of the portal, on the same interface/IP.

 

Cheers

Jack

I would definitely not allow firewall management from external interface.

You can check what management profile is attached to untrust interface if you go to

Network > Interfaces and check "Management profile" column.

 

Then go to

Network > Network Profiles > Interface Mgmt

And create new profile for wan side or change current one.

 

If you need mgmt access from wan then at least limit it down with security policy to whitelisted IPs.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi Raido,


Thanks for your response,

 

However, as said above I'm not using management on an external interface.


Cheers

Jack

If you use globalprotect and have enabled management on same interface then management port jumps from 443 to 4443.

Are you sure you have not attached interface management profile to untrust interface that permits management through this untrust interface?

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 5520 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!