Hi Shankar! Thank you for your comment. Appreciate it!

Thank you so much for your comment. We are glad that you enjoyed the video. Please see the LIVEcommunity for more great Blogs, discussions and KB (Knowledge Base) articles. live.paloaltonetworks.com

Our pleasure! We are glad it was helpful. Good luck! We encourage you to check out the LIVEcommunity page for more great information: live.paloaltonetworks.com

Thanks for your comment! We're glad you found the video helpful!

Its a Super-Secret.. (Hint: everything is flipped in editing.. so it looks like we are writing in reverse).. Please don't tell any one. ;)

Oh that's a genius idea, keep up the good work!

:-)

Dude! Thank you so much for your videos, I just passed CISSP ;)

I gave this a sarcastic upvote. I want to make a bunch of videos like this and wear a shirt with backwards text on it (which will be correct when flipped) just to double brainfuq people.

Glad you liked it! As always, please be sure to visit the LIVEcommunity to participate in online discussions, read our blogs and see all of the great information that we have there: live.paloaltonetworks.com

Glad to hear that! We encourage you to check out the LIVEcommunity page for more great information: live.paloaltonetworks.com

you mean DNS

Really !!

Glad it helped!

You're welcome! Check out the LIVEcommunity page for more great info: live.paloaltonetworks.com

Glad it was helpful! Please check out the LIVEcommunity page for more great info: live.paloaltonetworks.com

Hi Kushal, thanks for the positive feedback!

Parameters for phase 1 are exchanged during phase 1 negotiations. IKE SAs are exchanged and setting up a secure channel for negotiating IPSec SAs in phase 2. You can follow the different phase progression in the ikemgr.log but you might have to increase the debug level for more verbose logging.

The Palo Alto Networks supports only tunnel mode for IPSec VPN. The transport mode is not supported for IPSec VPN. For more information about this, please see this article: live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-IPSec-VPN/ta-p/56535 Thanks for your comment! We're glad you found the video helpful!

Thanks for your comment! We're glad you found the video helpful!

In the first phase both ends identify and authenticate, this is when the pre-shared key (or certificate) is used and needs to be identical on both ends before negotiations can be continued. It works somewhat like a TCP handshake where server and client first identify and authenticate against one another, then exchange Diffie-Hellman asymmetric keys and re-encrypt their communication before negotiating phase 2. Another party would need to figure out pre-shared key and identification, then spoof the destination IP and then do the same to the other end before a man-in-the-middle could occur, simply sniffing would not help after the very first exchange as both peers then switch to dynamic keys

@@PANgurus thanks!

Thanks for your comment! We're glad you found the video helpful! psst, the secret is that the video is recorded normally, but the image is reversed so you can read what is being written. As far as it being small, you can increase the resolution to 1080p and full screen it, which should help you see it a little better.

IPSec will encrypt the traffic between the endpoint and the firewall. On the Firewall you will see what sites the endpoint is accessing because the traffic would then be decrypted. If any other device captures the traffic(from the endpoint to the firewall), it will all be encrypted.. and no one can see what sites are being accessed.

Thanks for your comment! We're glad you found the video helpful!

Thank you!

Might be because this requires a little more elaboration and most of the things written are hard to read and understand specially where the headers are explained.

Yes, he didn't contradict but should have said Tunnel mode. In Transport mode the payload of each packet is encrypted but the original IP header is not. In Tunnel mode, both IP header and payload are encrypted.

My guess is that this represents the tunnel termination interface on each side of the tunnel.

It is all Magic. Just kidding. We reverse the image like a mirror so everyone can see and understand what is being discussed in the video. Thanks for viewing!

Thanks for asking.. The Video is reversed, and they are behind a glass panel to write on. Thanks for watching! Be sure to check out the LIVEcommunity for more great information: live.paloaltonetworks.com

Yes, Authentication Header (AH) adds a header that 'authenticates' the content is unaltered (like a signature), no encryption so simply transporting the payload with proof of integrity. Encapsulating Security Payload (ESP), packages the payload in an encrypted container, creating a virtual tunnel between 2 points

@@PaloAltoNetworksLiveCommunity Thank you very much :) This information is really helpfull.

@@PaloAltoNetworksLiveCommunity Are you sure? I don't believe Transport mode = AH or Tunnel mode equals ESP. They are separate entities and Transport/tunnel can be either AH or ESP.

Thanks for your comment ! At this time there's no L2TP support. You can reach out to a local SE and have him add your vote to the feature request.

Hi Robert! 'ipsec' is a set of protocols (ike and ipsec) used to establish a secure communication channel between two devices. To be able to establish this communication, both peers need to be configured with matching parameters beforehand. controlling which IP's are allowed to connect, or which communication is allowed to traverse the tunnel requires security policies to allow or deny certain sources or destinations.

Thanks for asking.. SSL/TLS VPN products protect application traffic streams from remote users to an SSL/TLS gateway. In other words, IPsec VPNs connect hosts or networks to a protected private network, while SSL/TLS VPNs securely connect a user's application session to services inside a protected network. As always, please be sure to visit the LIVEcommunity to participate in online discussions, read our blogs and see all of the great information that we have there: live.paloaltonetworks.com

TLS only operates on TCP at the transport layer which relies on ip at the network layer. TCP segments are sent unencrypted as part of the payload in ip packets so having the payload of ip packets encrypted will help in concealing that. IPSec also has the added benefit of doing this for UDP (which has its own transport level security protocols) and any other transport level protocol

You're welcome! Please check out the LIVEcommunity page for more great info: live.paloaltonetworks.com