Palo Alto VPN - Site to Site step by step configuration [2024]

  • Published 16 Jan 2025

COMMENTS • 49

  • @netsums
    @netsums 11 months ago +1

    FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources

  • @MrAlccosta
    @MrAlccosta 2 months ago +1

    I just found you on the Internet. This video is amazing! Your didactics are superb!

    • @MrAlccosta
      @MrAlccosta 2 months ago

      Ricardo! I knew your accent in English was from Brazil! Very good channel! I'm starting out with Palo Alto and your videos will help a lot. Hugs from Canada in 2024!

    • @netsums
      @netsums 2 months ago

      Hahaha. Yeah, the accent gives me away. :-) Big hug, I'm glad the videos can help you!

  • @siddeeq3712
    @siddeeq3712 1 year ago +1

    Excellent video my friend. Keep up the good work.

    • @netsums
      @netsums 1 year ago

      Thank you for the comment, I'm glad you liked it. :)

    • @Cybersecurity689
      @Cybersecurity689 1 year ago

      Palo Alto Firewall: basic introduction to the GUI
      ua-cam.com/video/5zzW87-VbhE/v-deo.html

  • @alfonsotrocciola4527
    @alfonsotrocciola4527 4 months ago

    Your videos are amazing and you explain things with passion; you want to make sure that we understand the topic. I really appreciate these videos a lot, a huge "thank you!" for sharing your knowledge.

    • @netsums
      @netsums 4 months ago

      Thank you for your lovely comment, I'm happy you get some value from the videos. :-)

  • @benedictagyemang3862
    @benedictagyemang3862 7 months ago

    Great training, very precise and right on point, thanks for sharing. I have already registered for your upcoming course. I am an avid learner and I always look forward to learning new information.

    • @netsums
      @netsums 7 months ago +1

      Thank you for your comment, glad to be able to help!

    • @benedictagyemang3862
      @benedictagyemang3862 3 months ago

      You are very welcome!

  • @kalibygomes3443
    @kalibygomes3443 10 months ago

    Excellent class, congratulations!

  • @asadmalix
    @asadmalix 1 month ago

    Great and thanks

  • @Jaydip1987
    @Jaydip1987 11 months ago +1

    @netsums, got 2 things to discuss. I was able to bring up the tunnel between 2 Palo-Alto firewalls without any IPsec rule, just added a specific rule for the interesting (inside) subnet; any specific reason for adding it? 2nd thing, you've not used the tunnel interface IP anywhere, so I've tested without a tunnel interface IP and it worked fine. I think we need a tunnel interface IP only when we use a dynamic routing protocol. Correct me if I'm wrong.

    • @jesurajpandiankamaraj6194
      @jesurajpandiankamaraj6194 11 months ago

      Q1) I think intrazone (OUTSIDE to OUTSIDE) traffic is allowed in PA firewalls by default.
      Q2) My understanding is the same. IPs on the tunnels are needed for dynamic routing protocols.

    • @netsums
      @netsums 11 months ago

      Hi @jaydipparmar5653. In my lab I changed the default intrazone rule from allow to deny (override using Panorama). I personally prefer it like this; I have more control over what's going through the firewall. But in a default configuration you wouldn't need the IPsec rules, you're right.
      And yes, if you're using dynamic routing, you need the IP address on the tunnel. Another application would be if you have multiple tunnels and you want to monitor the tunnel availability (path monitoring). In this case I would also suggest adding IP addresses to the tunnel interfaces and using the interface on one tunnel side to monitor the IP address on the other side.

  • @kalibygomes3443
    @kalibygomes3443 10 months ago

    Looking forward to the video on policy-based site-to-site VPN using NAT!

    • @netsums
      @netsums 9 months ago

      Hi, I can't find the last e-mail you sent me anymore, sorry. But your Proxy-ID configuration has to be done with the already translated addresses (the external NAT addresses). The networks you enter in the Proxy-ID configuration are the ones that will be "seen" in the tunnel. The NAT translation has already happened by then. I imagine that was your question, right? I'm planning a video on policy-based S2S, I just don't know when it will be ready. Feel free to write me again anytime. Hugs.

    • @kalibygomes3443
      @kalibygomes3443 9 months ago

      That's right, thank you very much! @@netsums

  • @badral9
    @badral9 1 year ago +1

    Hello, thank you for the tutorial. Currently I have a tunnel for GlobalProtect. Should we create a separate tunnel for Site-to-Site VPN?

    • @netsums
      @netsums 1 year ago

      Hi. I would always create separate tunnels for GlobalProtect and Site-to-Site. I don't see any reason not to do it. :)

  • @amoluplods
    @amoluplods 1 month ago

    Nice video

    • @netsums
      @netsums 1 month ago

      Thank you, I'm glad you liked it.

  • @giri455161
    @giri455161 4 months ago

    Really good explanation of the VPN configuration. Please make another video for policy-based VPN too, or if you have already made it, please share the link with me.

    • @netsums
      @netsums 4 months ago

      Thank you for the comment. Here is the link to the policy-based VPN video: ua-cam.com/video/LeJVUjRCzKo/v-deo.html

  • @irvingcastro9971
    @irvingcastro9971 11 months ago

    Hi, great video.
    You should also do one based on policies.
    Greetings from Mexico.

    • @netsums
      @netsums 11 months ago

      Hello! Thanks, I'll keep it in mind for the upcoming videos. :-)

  • @belmarsadyt
    @belmarsadyt 8 months ago

    Hi, thanks for your video, very helpful as I'm trying to configure S2S with Palo for the first time.
    By the way, I think there is some mistake or confusion between your explanation and your diagram.
    For example, when you are configuring the IKE GW you are on the PA-VM (as you said in the beginning),
    but you show the other side (PA-440)??
    Another thing: your PA-VM has inside and outside on interface 1/1?
    Thanks

    • @netsums
      @netsums 8 months ago +1

      Oops, so I guess there are some mistakes in the video. I hadn't noticed it; I need to watch it again, then. 😊 But I'm glad I could still help.

    • @belmarsadyt
      @belmarsadyt 8 months ago

      @@netsums One question: why configure an IP address for the tunnel, as this is only needed if you are using dynamic routing according to the Palo documentation?
      Thanks

    • @netsums
      @netsums 8 months ago +1

      IP addresses for the tunnel interfaces are also required if you want to enable tunnel monitoring. I don't remember anymore whether I configured tunnel monitoring in this video. But if not, you're right, the IP addresses would be optional.

  • @shamimkamarudeen
    @shamimkamarudeen 1 year ago

    Why did you select outside as the source and destination zone in the rule? It should be VPN-S2S and Inside, right????

    • @netsums
      @netsums 1 year ago

      Can you please give me the timestamp? I will take a look.

    • @shamimkamarudeen
      @shamimkamarudeen 1 year ago

      @@netsums 16:44 source zone

    • @netsums
      @netsums 1 year ago

      At this stage of the setup of the VPN connection there is still no IPsec tunnel, and the gateways need to exchange their security information over the Internet. The only way for a gateway to reach your firewall over the Internet would be through the outside zone. I hope I could make myself understood. :)

  • @seanbyrne960
    @seanbyrne960 9 months ago

    Hello, I am using path monitoring on numbered tunnels -- one firewall shows the path monitor up -- the second firewall shows the path monitor up -- have you come across this before?

    • @netsums
      @netsums 9 months ago

      Hi, I'm not sure I understand your question. If both firewalls are showing the path monitor up, then it's all good, right? :-) Or do you mean one of the firewalls is showing the path monitor down? In that case you should make sure that ping is allowed on both sides (the tunnel management profile would be the first place I would look).
      You could try using the CLI to ping the other side with the option to specify a source interface, to test whether both sides are answering pings.

    • @seanbyrne960
      @seanbyrne960 9 months ago +1

      Thank you -- I have ping enabled on both sides using the management profile and security policy config -- I ran a packet capture on both firewalls -- firewall #2 has an address x.x.x.2 -- firewall #1 has an address x.x.x.1 -- the traces show .1 ping & .2 reply --> this explains why one path monitor probe is up --
      the capture shows the ping request from .2 is not responded to by .1 @@netsums

  • @ArslanAli-wh3yq
    @ArslanAli-wh3yq 8 months ago

    Hi,
    How can we use OSPF instead of static routes?

    • @netsums
      @netsums 8 months ago

      With OSPF you need an IP address for the tunnel interface. docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/site-to-site-vpn-quick-configs/site-to-site-vpn-with-ospf

  • @0xRakan
    @0xRakan 10 months ago

    Can we have a video doing an S2S VPN between Palo and FTD Firepower?

    • @netsums
      @netsums 10 months ago

      Hi. I unfortunately don't have access to a Firepower in my lab.

    • @kkb8510
      @kkb8510 4 months ago

      @@netsums Hello, where do you think we can get a Palo Alto trial license from? I've tried CDW in the past and you never get anything Palo related from them even if you make the order, so where else do you think we can get a license to lab on EVE-NG? I already have the PA-VM image.

  • @hamidmahmood8483
    @hamidmahmood8483 1 year ago

    What is the config on the router?

    • @netsums
      @netsums 1 year ago

      It has the simplest configuration you can imagine. It doesn't know any networks except the locally connected ones.

  • @f1re_w1re67
    @f1re_w1re67 8 months ago

    Awesome vid!

    • @netsums
      @netsums 8 months ago

      Thanks, I'm glad you liked it.