Palo Alto VPN - Site to Site step by step configuration [2024]
Вставка
- Опубліковано 8 сер 2024
- #paloaltonetworks #paloaltofirewall #firewall #vpn
In this video I am going to show you how to configure site-to-site VPN using the Palo Alto Firewall and Panorama. I am going to show you some theory about IPsec and IKE, and afterwards how to configure VPN using the GUI. I will be using Panorama, but you can make the same configuration directly on the firewall.
** FREE VPN CONNECTION SHEET TO DOWNLOAD **
cs.netsums.com
Download this free VPN connection sheet that you can send to your partners or customers to share your VPN configuration
Timeline:
00:00 Palo Alto Site-to-Site VPN Configuration Step by Step
00:34 Types of Site-to-Site VPN
02:59 Introduction to IPsec and IKE
04:21 FREE Connection Sheet
04:51 Firewall configuration - Наука та технологія
![Palo Alto GlobalProtect VPN Configuration Step by Step [2024]](http://i.ytimg.com/vi/Dj-rjuX9I_E/mqdefault.jpg)
![Palo Alto GlobalProtect VPN Configuration Step by Step [2024]](/img/tr.png)
![Palo Alto Policy-based Site to Site VPN with NAT [2024]](/img/n.gif)
FREE Palo Alto Cheat Sheet in different formats and further FREE resources: netsums.com/resources
Excelente aula, parabéns!
Great training, very precise and right on point, thanks for sharing. I have already registered for your upcoming course. I am an avid learner and I always look forward to learning new information.
Thank you for your comment, glad to be able to help!
Excellent video my friend. Keep up the good work.
Thank you for the comment, I'm glad you liked it. :)
Palo Alto Firewall Basic introduction about in GUI
ua-cam.com/video/5zzW87-VbhE/v-deo.html
Na expectativa pelo vídeo de VPN site to site baseada em politica e usando NAT!
Olá, eu não estou encontrando mais o último e-mail que você me mandou, desculpe. Mas a sua configuração do Proxy-ID tem que ser feita com os endereços já traduzidos (endereços externos de NAT). As redes que você entra na configuração do Proxy-ID são as que vão ser "vistas" no túnel. A tradução do NAT já foi feita. Eu imagino que essa foi sua pergunta, certo? Eu estou planejando um vídeo sobre S2S baseado em política, só não sei quando vai ficar pronto. Qualquer coisa pode me escrever de novo. Abraços.
Isso mesmo, muito obrigado!@@netsums
Hi, Great video.
You should do also based on policies.
Greetings from mexico.
¡Hola! Thanks, I'll keep it in mind for the upcoming videos. :-)
Hello Thank you for tutorial, Currently i have tunnel for GlobalProtect. Should we create separate tunnel for Site to Site VPN?
Hi. I would always create separate tunnels for GlobalProtect and Site-2-Site. I don't see any reason why not to do it. :)
Awesome vid!
Thanks, I'm glad you liked it
@netsum , got 2 things to discuss, I was able to bring up tunnel between 2 Palo-Alto Firewalls without any Ipsec rule, just added specific rule for interesting(inside) subnet, any specific reason for adding it? 2nd thing, you've not used tunnel interface Ip anywhere, so I've tested without tunnel interface IP and it worked fine. I think we need tunnel interface ip only when we use dynamic routing protocol. Correct me if I'm wrong.
Q1) I think the intra zone (OUTSIDE to OUTSIDE) traffic is allowed in PA firewalls by default.
Q2) My understanding too same. IP on the tunnels needed for dynamic routing protocols.
Hi @jaydipparmar5653. In my lab I changed the default intrazone rule from allow to deny (override using Panorama). I personally prefer it like this, I have more control on what's going through the firewall. But in a default configuration, you wouldn't need the IPSec rules, you're right.
And yes, if you're using dynamic routing, you need the IP address on the tunnel. Another application would be if you have multiple tunnels and you want to monitor the tunnel availabilities (path monitoring). In this case, I would also suggest to add IP addresses to the tunnel interfaces and use the interface from one tunnel side to monitor the IP address on the other side.
Hi,
How we can use the OSPF model instead of static routes?
With OSPF you need an IP address for the tunnel interface. docs.paloaltonetworks.com/network-security/ipsec-vpn/administration/site-to-site-vpn-quick-configs/site-to-site-vpn-with-ospf
Hi thank for your video very helpful as I trying to configure for the first time. S2S with Palo
By the way I think there is some misteake or confusion during your explaination with your diagram.
For example when you are configuring Ike GW you are in PA-VM ( as you said in the beginning)
But show the other side (PA-440) ??
Other thing your PA-VM has inside and outside interface 1/1. ?
Thanks
Ops, so I guess there are some mistakes in the video. I haven't noticed it, I need to watch it again, then. 😊 But I'm glad I still could help.
@@netsumsone question, why configuring ip adresse for the tunnel, as this is only needed if you are using dynamic routing according to Palo documentation?
Thanks
IP addresses for the tunnel interfaces are also required if you want to enable tunnel monitoring. I don't remember anymore if I configured tunnel monitoring in this video. But if not, you're right, the IP addresses would be optional.
hello I am using path monitoring on numbered Tunnels -- one firewall shows the path monitor up -- the second firewall shows the path monitor up -- have you come across this before ?
Hi, I'm not sure I understand your question. If both firewalls are showing the path monitor up, than it's all good, right? :-) Or do you mean one of the firewalls is showing the path monitor down? In this case you should make sure that ping is allowed on both sides (in the tunnel management profile would be the first place I would look)?
You could try using the CLI to ping the other side using the option to enter a source interface to test if both sides are answering to ping.
thank you -- I have ping enabled both sides using the management profile and security policy config-- I ran a packet capture on both firewalls -firewall #2 has an address x.x.x.2 -firewall #1 has an address x.x.x.1-the traces show .1 ping & .2 reply -- > this explains why one path monitor probe is up-
the capture shows the ping request from .2 is not responded toby .1 @@netsums
Can we have a video doing s2s VPN between Palo and FTD firepower?
Hi. I unfortunately don't have access to a Firepower in my lab.
why in the rule the source and destination zone is outside you selected ? it should be VPN-S2S and Inside right ????
Can you please give me the timestamp? I will take a look
@@netsums 16:44 source zone
At this stage of the setup of the vpn connection, there is still no ipsec tunnel, and the gateways need to exchange their security information over the Internet. The only way for a gateway to reach your firewall over the internet would be though the outside zone. I hope I could make myself understandable. :)
what is the config on the router
It has the simplest configuration you can imagine. It doesn't know any networks expect the locally connected ones.