Friday, October 27, 2023

FortiClient vs GlobalProtect differences

In this post I will discuss a few items that differ between FTNT (Fortinet) and PANW (Palo Alto Networks) with regards to their remote-access VPN clients.


1: GlobalProtect uses a portal that hands the client a list of gateways. The gateways are where your SSL or IPsec VPN tunnels actually terminate, so think of it as a distributed gateway design: the client authenticates to the portal, downloads the gateway list, then connects to the best gateway.

Fortinet is manual: you have to define each gateway (SSL VPN or IPsec) on each FortiGate, and the FortiClient profile has to list every gateway the user may connect to.

2: With GlobalProtect, RADIUS traffic is sourced from the MGMT interface by default. If your RADIUS server is not reachable from the MGMT interface, and you have already defined local admin authentication against an existing RADIUS server, you have to configure a service route so that the RADIUS service is sourced from a data-plane interface.

For Fortinet you can source the RADIUS traffic from any interface (or a specific source IP) directly in the RADIUS server definition.

3: GlobalProtect does not support Linux, Chrome OS or mobile devices without a GlobalProtect gateway license.

FortiGate does not care: it supports numerous client platforms with no additional license.

4: The GlobalProtect SSL VPN client does not support DTLS, so its SSL tunnel runs over TCP only.

FortiClient SSL VPN can use TCP or UDP (DTLS).

5: GlobalProtect falls back from IPsec (the default) to SSL if the IPsec tunnel cannot be brought up or has quality issues.

FortiClient has no such dual-mode fallback; SSL VPN and IPsec VPN are separate tunnel types that you configure and the user selects independently.

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o
        /  \

Monday, October 16, 2023

CHKP proxy-id narrowing with IKEv2

With Check Point (CHKP) and an IKEv2 VPN, your Traffic Selectors will be narrowed to the longer prefix if the peer proposes a longer CIDR length than what you have in your encryption domain.

For example: if the peer sends a 10.88.204.0/27 or a 10.88.204.73/32 (anything more specific than the subnet you configured), the Check Point will negotiate and install an IPsec Security Association for the more specific destination rather than for your configured subnet.

FortiGate does the same thing by the way, but it displays "Dynamic proxyid as a result of selector narrowing" in the tunnel output so you know it happened.

The Check Point appliance just does not make it so obvious that narrowing has taken place.

This process typically does not cause issues unless exiting traffic is using the wrong SPI (i.e. it leaves on the broad SA when a narrowed SA exists for that destination, or vice versa). You will see this in a lot of firewalls, Forcepoint and Check Point primarily, where the traffic exits using the wrong SPI. You can easily find the SPI in use by sending traffic with a distinctive packet size, 666 bytes as an example, capturing the ESP datagram on the exit interface and reviewing the SPI number:

tcpdump -nnvv -i wan proto 50 and less 790 and greater 666

And on a host generate a ping with a 666-byte payload { ping -s 666 x.x.x.x }

The ESP datagram will stand out by size, and you can verify the SPI value (in hex) against the IPsec SA table on the firewall. If NAT-T is in play the ESP is encapsulated in UDP/4500 rather than IP protocol 50, so add "or udp port 4500" to the capture filter.
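The two steps above, selector narrowing and then checking which SPI the packet actually left on, as an added example that is not part of the original post. The encryption domain, the SA table with its SPIs, and the packet bytes are all constructed for illustration; a real check would take the SPIs from the firewall's SA listing and the frame from the tcpdump capture. The parser also handles the NAT-T case (ESP inside UDP/4500), which the tcpdump filter above would otherwise miss.

```python
import ipaddress
import struct
from typing import Optional, Tuple

# Constructed encryption domain on "our" side.  With CIDRs, two selectors
# are either nested or disjoint, so narrowing means "the more specific wins".
LOCAL_ENCRYPTION_DOMAIN = "10.88.204.0/24"


def narrow_selector(ours: str, peer: str) -> Optional[str]:
    """Selector the child SA ends up installed for after IKEv2 narrowing:
    the more specific of the two when one contains the other, None when
    they do not overlap (no child SA is negotiated at all)."""
    a = ipaddress.ip_network(ours, strict=False)
    b = ipaddress.ip_network(peer, strict=False)
    if b.subnet_of(a):
        return str(b)
    if a.subnet_of(b):
        return str(a)
    return None


# Constructed outbound SA table: remote selector -> outbound SPI, as you
# would read it from the firewall.  The /27 and /32 are narrowed child SAs.
SA_TABLE = {
    "10.88.204.0/24":  0xC0DE0024,
    "10.88.204.0/27":  0xC0DE0027,
    "10.88.204.73/32": 0xC0DE0032,
}


def expected_spi(inner_dst: str) -> int:
    """Longest-prefix match over the SA table: traffic inside a narrowed
    selector must leave on that narrowed SA, not the broad one."""
    ip = ipaddress.ip_address(inner_dst)
    best = None
    for sel, spi in SA_TABLE.items():
        net = ipaddress.ip_network(sel)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, spi)
    if best is None:
        raise LookupError(f"no SA covers {inner_dst}")
    return best[1]


ESP_PROTO, UDP_PROTO, NAT_T_PORT = 50, 17, 4500


def parse_esp(frame: bytes) -> dict:
    """Pull SPI and sequence number out of an outer IPv4 packet carrying
    ESP, either raw (IP protocol 50) or NAT-T encapsulated (UDP/4500)."""
    ihl = (frame[0] & 0x0F) * 4
    (total_len,) = struct.unpack("!H", frame[2:4])
    proto = frame[9]
    src = str(ipaddress.ip_address(frame[12:16]))
    dst = str(ipaddress.ip_address(frame[16:20]))
    payload = frame[ihl:total_len]
    if proto == ESP_PROTO:
        esp = payload
    elif proto == UDP_PROTO:
        sport, dport = struct.unpack("!HH", payload[:4])
        if NAT_T_PORT not in (sport, dport):
            raise ValueError("UDP packet is not NAT-T")
        esp = payload[8:]
        # RFC 3948: four zero bytes = IKE (non-ESP marker), lone 0xff = keepalive
        if esp[:4] == b"\x00\x00\x00\x00" or esp == b"\xff":
            raise ValueError("NAT-T packet carries IKE/keepalive, not ESP")
    else:
        raise ValueError(f"not ESP: IP protocol {proto}")
    spi, seq = struct.unpack("!II", esp[:8])
    return {"src": src, "dst": dst, "spi": spi, "seq": seq, "len": total_len}


def build_esp_frame(src: str, dst: str, spi: int, seq: int,
                    cipher_len: int, nat_t: bool = False) -> bytes:
    """Constructed outer IPv4 + ESP packet so the parser can be exercised
    offline (IP checksum left zero, ciphertext is opaque 0xAA filler)."""
    esp = struct.pack("!II", spi, seq) + b"\xaa" * cipher_len
    if nat_t:
        esp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp
    total_len = 20 + len(esp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                     UDP_PROTO if nat_t else ESP_PROTO, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + esp


def check_spi(frame: bytes, inner_dst: str) -> Tuple[bool, int, int]:
    """(ok, spi_seen, spi_expected): ok is False when the packet for
    inner_dst left on the wrong SA, which is the failure the post describes."""
    seen = parse_esp(frame)["spi"]
    want = expected_spi(inner_dst)
    return seen == want, seen, want


if __name__ == "__main__":
    for peer_ts in ("10.88.204.0/27", "10.88.204.73/32", "10.99.0.0/16"):
        print(f"peer proposes {peer_ts:16} -> SA selector",
              narrow_selector(LOCAL_ENCRYPTION_DOMAIN, peer_ts))
    # 740 bytes of ciphertext lands the frame inside the 666..790 tcpdump window.
    good = build_esp_frame("203.0.113.10", "198.51.100.20", 0xC0DE0032, 7, 740)
    bad = build_esp_frame("203.0.113.10", "198.51.100.20", 0xC0DE0024, 8, 740, nat_t=True)
    for name, frame in (("raw ESP", good), ("NAT-T", bad)):
        ok, seen, want = check_spi(frame, "10.88.204.73")
        print(f"{name}: SPI 0x{seen:08x} expected 0x{want:08x} ->",
              "OK" if ok else "WRONG SA")
```

Run it as-is to see the narrowing results and one good and one bad SPI check; to use it against a real capture, replace the SA table with the SPIs from your firewall and feed parse_esp() the raw IPv4 bytes of the ESP datagram tcpdump showed you.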


Thursday, October 12, 2023

SonicWall VPN types (site-to-site policy-based or tunnel interface)

We will look at the differences between a tunnel interface (route-based) VPN and a site-to-site (policy-based) VPN.

  1. A tunnel interface means exactly that: you get a tunnel interface, and you will need a static route or a routing protocol to send traffic into it.
  2. This is the classic Junos route-based VPN type.
  3. The proxy-ID will be a single 0.0.0.0/0 for both the source and destination subnets.



A policy-based (site-to-site) VPN differs as follows:

  1. The proxy-ID would be whatever remote/local subnets you define.
  2. Your policy will initiate the IPsec tunnel; think of a Juniper policy-based VPN.

In both cases, you still need a firewall (access) policy to allow the traffic flow.


Thursday, October 5, 2023

Panorama and PA devices not receiving templates/device groups

Have you ever had this scenario: the firewall is connected to Panorama, yet it never receives the template or device-group configuration you pushed?

Nine out of 10 times you didn't associate the device with the correct device group (or template stack).

It's always important to make sure the device (by serial number) is associated with the correct template stack and device group before you push.
