End-of-Life (EoL)

SSL Tunnel Enforcement

Software Support: Starting with PAN-OS 9.0, and GlobalProtect™ app 5.0.6 with Content Version 8207-5750.
OS Support: Android, iOS, Linux, macOS, Windows
To mitigate the challenges of reliable connectivity in regions where IPSec is not permitted or to offer a fallback option to use SSL instead of IPSec, you can now specify whether to use SSL in the app configuration of your GlobalProtect portal. For VPN access, you can opt to enforce SSL connections only, disallow SSL connections, or allow the user to choose SSL or IPSec (default) depending on the geo-location and network performance to provide the best user experience.
After the user successfully establishes a VPN connection, they can verify in the GlobalProtect app whether the connection uses SSL or IPSec.
  1. On the firewall configured to act as the GlobalProtect portal, select the relevant app configuration.
    Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > App.
  2. Choose the Connect with SSL Only option you want to allow.
    The options are:
    • Yes—Require that all GlobalProtect clients connect using SSL only.
    • No—Connect with the protocol configured on the gateway for the VPN connection. If the gateway configuration has IPSec enabled, the VPN connection uses IPSec. If the gateway has SSL configured, the VPN connection uses SSL.
    • User can Change—Allow the user to choose on the GlobalProtect app whether to use SSL or stay with IPSec. On the app, the user can select Settings > General to enable Connect with SSL Only. The user can also select Settings > Connection to verify that the Protocol is SSL.
  3. Click OK.
  4. Commit the configuration.
