How to Confirm if GlobalProtect Tunnel is Using IPSec or SSL?

Created On 04/08/20 22:36 PM - Last Modified 04/18/20 00:08 AM

  • This document describes how to confirm whether your GlobalProtect Agent is using SSL rather than the recommended IPSec tunnel.
  • If a customer complains about slower than usual tunnel performance, a good place to start is to confirm whether they have fallen back from IPSec (if configured) to SSL.
  • This document discusses the steps to check which tunnel is currently in use by your Agent.

  • PAN-OS 9.0.
  • GlobalProtect License
  • GlobalProtect Agent 5.1.1

Steps from GlobalProtect Agent:
  1. To confirm which protocol is currently in use within the Agent, navigate to the Agent and click on the Tray icon in the top right corner as shown below.

Screenshot displaying tray icon in GlobalProtect Agent.

  2. Next, choose Settings from the dropdown list.
Screenshot displaying settings menu selection in GlobalProtect Agent.

  3. Then choose the "Connection" tab and take notice of the section labeled "Protocol."
Screenshot displaying the connection tab settings in GlobalProtect Agent. The section labeled protocol confirms whether SSL or IPSec is being used.

Steps from the GUI:
  1. Navigate to Network > GlobalProtect > Gateways and select the appropriate Gateway from the list.
Screenshot displaying the list of configured Gateways in GlobalProtect.
  2. Select the Agent tab and confirm if the checkbox next to "Enable IPSec" is checked.
Screenshot displaying the Enable IPSec checkbox in GlobalProtect Gateway agent settings.

Additional Information
  • If the checkbox is selected to enable IPSec but the tunnel is showing SSL instead, confirm that traffic on UDP port 4501 isn't being blocked somewhere along the path.
  • For full documentation on how to configure GlobalProtect, please refer to this document.
