IKE Gateway Advanced Options Tab
End-of-Life (EoL)
- Network > Network Profiles > IKE Gateways > Advanced Options
Configure advanced IKE gateway settings such as passive mode,
NAT Traversal, and IKEv1 settings such as dead peer detection.
IKE Gateway Advanced Options | Description |
---|---|
Enable Passive Mode | Click to have the firewall only respond to IKE connections and never initiate them. |
Enable NAT Traversal | Click to have UDP encapsulation used on IKE and UDP protocols, enabling them to pass through intermediate NAT devices. Enable NAT Traversal if Network Address Translation (NAT) is configured on a device between the IPSec VPN terminating points. |
IKEv1 Tab | |
Exchange Mode | Choose auto, aggressive, or main. In auto mode (default), the device can accept both main mode and aggressive mode negotiation requests; however, whenever possible, it initiates negotiation and allows exchanges in main mode. You must configure the peer device with the same exchange mode to allow it to accept negotiation requests initiated from the first device. |
IKE Crypto Profile | Select an existing profile, keep the default profile, or create a new profile. The profiles selected for IKEv1 and IKEv2 can differ. For information on IKE Crypto profiles, see Network > Network Profiles > IKE Crypto. |
Enable Fragmentation | Click to allow the local gateway to receive fragmented IKE packets. The maximum fragmented packet size is 576 bytes. |
Dead Peer Detection | Click to enable and enter an interval (2 - 100 seconds) and delay before retrying (2 - 100 seconds). Dead peer detection identifies inactive or unavailable IKE peers and can help restore resources that are lost when a peer is unavailable. |
IKEv2 Tab | |
IKE Crypto Profile | Select an existing profile, keep the default profile, or create a new profile. The profiles selected for IKEv1 and IKEv2 can differ. For information on IKE Crypto profiles, see Network > Network Profiles > IKE Crypto. |
Strict Cookie Validation | Click to enable Strict Cookie Validation on the IKE gateway. |
Liveness Check | The IKEv2 Liveness Check is always on; all IKEv2 packets serve the purpose of a liveness check. Click this box to have the system send empty informational packets after the peer has been idle for a specified number of seconds. Range: 2-100. Default: 5. If necessary, the side that is trying to send IKEv2 packets attempts the liveness check up to 10 times (all IKEv2 packets count toward the retransmission setting). If it gets no response, the sender closes and deletes the IKE_SA and CHILD_SA. The sender starts over by sending out another IKE_SA_INIT. |
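
The constraints in the table above can be checked before a change is committed. The following is an added example, not vendor code: it lints the two IKE gateway definitions of one tunnel for a passive/passive pair, missing NAT Traversal, mismatched IKEv1 exchange modes, and timers outside the 2-100 second range. The dictionary keys and gateway names are hypothetical and do not reflect the PAN-OS configuration schema.

```python
# Added example, not vendor code. Dict keys are hypothetical names for this
# sketch, not the PAN-OS configuration schema.

def _range_check(findings, gw, key, label):
    """The page gives 2-100 seconds for DPD and liveness timers."""
    value = gw.get(key)
    if value is not None and not 2 <= value <= 100:
        findings.append(f"{gw['name']}: {label} {value}s outside 2-100")

def lint_pair(local, peer, nat_in_path=False):
    """Return findings for the two IKE gateways of one tunnel."""
    findings = []
    # A passive gateway only responds, so at least one side must initiate.
    if local.get("passive") and peer.get("passive"):
        findings.append("both gateways passive: neither side initiates IKE")
    for gw in (local, peer):
        # NAT between the terminating points calls for NAT Traversal.
        if nat_in_path and not gw.get("nat_traversal"):
            findings.append(f"{gw['name']}: NAT in path, NAT Traversal off")
        if gw["version"] == "ikev1":
            _range_check(findings, gw, "dpd_interval", "DPD interval")
            _range_check(findings, gw, "dpd_retry", "DPD retry delay")
        else:
            _range_check(findings, gw, "liveness_interval", "liveness interval")
    # IKEv1 peers must be set to the same exchange mode (default: auto).
    if local["version"] == peer["version"] == "ikev1":
        lm = local.get("exchange_mode", "auto")
        pm = peer.get("exchange_mode", "auto")
        if lm != pm:
            findings.append(f"exchange mode mismatch: {lm} vs {pm}")
    return findings

# Constructed sample gateways.
HQ = {"name": "hq-gw", "version": "ikev1", "passive": True,
      "nat_traversal": True, "exchange_mode": "main",
      "dpd_interval": 5, "dpd_retry": 5}
BRANCH = {"name": "branch-gw", "version": "ikev1", "passive": True,
          "nat_traversal": False, "exchange_mode": "aggressive",
          "dpd_interval": 1, "dpd_retry": 5}

if __name__ == "__main__":
    for finding in lint_pair(HQ, BRANCH, nat_in_path=True):
        print(finding)
```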