How to Confirm if GlobalProtect Tunnel is Using IPSec or SSL?
Created On 04/08/20 22:36 PM - Last Modified 04/18/20 00:08 AM
Objective
- This document describes how to confirm whether your GlobalProtect Agent is using SSL rather than the recommended IPSec tunnel.
- If a customer complains about slower than usual tunnel performance, a good place to start is to confirm whether they have fallen back from IPSec (if configured) to SSL.
- The steps below show how to check which tunnel is currently in use by your Agent.
Environment
- PAN-OS 9.0.
- GlobalProtect License
- GlobalProtect Agent 5.1.1
Procedure
Steps from GlobalProtect Agent:
1. To confirm which protocol is currently in use, open the Agent by clicking the Tray icon in the top right corner.
2. Next, choose "Settings" from the dropdown list.
3. Then choose the "Connection" tab and note the section labeled "Protocol."
Steps from the GUI:
1. Navigate to Network > GlobalProtect > Gateways and select the appropriate Gateway from the list.
2. Select the Agent tab and confirm whether the checkbox next to "Enable IPSec" is checked.
Additional Information
- If the checkbox is selected to enable IPSec but the tunnel is showing SSL instead, confirm that traffic on UDP port 4501 isn't being blocked somewhere along the path.
- For full documentation on how to configure GlobalProtect, please refer to this document.