Configure Site-to-site IPSEC VPN Tunnel in Palo Alto Firewall

  • Published 4 Dec 2024

COMMENTS • 59

  • @sec-u-rity7287
    @sec-u-rity7287  3 years ago +5

    Friends, this was just a quick setup video. I also do full In-Depth Palo Alto trainings where you would learn all the concepts in detail and also get lots of hands-on. Contact me on below email if you are interested in the full training course:
    technicalexpertkw@gmail.com

  • @MWCRaja
    @MWCRaja 3 years ago +5

    This was Crisp & Clear Explanation ... Do more Videos brother.

  • @ABHIJITMSAWANT
    @ABHIJITMSAWANT 2 years ago

    You explained it really nicely. It's the first time I learnt on how to set ip on PA-VM. Thanks.

  • @simba0x
    @simba0x 1 year ago

    thanks for making the concept more easy with other options by explaining for understanding and use of them as well

  • @techlearner4806
    @techlearner4806 2 years ago

    Thank you Kaushal for easy explanation.

  • @mostafasafari8583
    @mostafasafari8583 1 year ago

    Thank you so much, my friend. The part related to configuring the policies wasn't clear in other videos on UA-cam.

  • @richhughsam6464
    @richhughsam6464 2 years ago

    Great video, and thanks for providing clear details and explanations, as well as validation that the tunnel came up.

  • @thiudhay
    @thiudhay 2 years ago

    thanks my friend, very simple your explanation tutorial.

  • @MRX-gh7hs
    @MRX-gh7hs 3 years ago +1

    Make a video on IPsec troubleshooting it will be helpful..
    This explanation is good 👌

  • @gajananborekar8223
    @gajananborekar8223 2 years ago

    Good bro, pls updating similar videos

  • @CocinandoMemes
    @CocinandoMemes 3 years ago +1

    Great video Man you explain really good!

  • @osh8576
    @osh8576 2 years ago

    Excellent video and you did a great job to explain. Thank you.

  • @nigelpalmer6135
    @nigelpalmer6135 1 year ago

    Great video, thanks for sharing this.

  • @fasalrahman2775
    @fasalrahman2775 3 years ago

    superb explanation. keep going brother

  • @sachinj4912
    @sachinj4912 3 years ago

    loved it, cool and simple explanation.

  • @nikhilpilankar5611
    @nikhilpilankar5611 13 days ago

    U help me a lot

  • @dkinc2958
    @dkinc2958 2 years ago

    Great detailed walkthrough. Great job, Do you have any videos on how to properly setup email notifications using O365? I'm amazed how it does not work out of the box? Thank you

  • @dhinakaransivaprakasam4884
    @dhinakaransivaprakasam4884 3 years ago +1

    Why do we create policy rules twice (to allow traffic from src to dest and dest to src) like ACL in router. Won't it maintain connection table?

  • @benjaminson5054
    @benjaminson5054 2 years ago

    Good explanation...well done!

  • @techlearner4806
    @techlearner4806 2 years ago

    Kaushal as you mentioned tunnel can't be up without traffic then how and why tunnel comes up in this case?

  • @deltafalcon1
    @deltafalcon1 3 years ago

    Loved it man, thank you!

  • @deepakw3567
    @deepakw3567 3 years ago

    Nicely explained bro ..thanks👍

  • @eddiek8185
    @eddiek8185 3 years ago +1

    Nice simple video, what's the actual connection between the two PAs. Is that a router (cloud) ? Is there any NAT to translate LAN IP subnet to the outside?

    • @sec-u-rity7287
      @sec-u-rity7287  3 years ago

      Hi Edy, in my lab both the firewalls are directly connected on their Outside interfaces, but in real world it won't be the case, there will be Internet/WAN connectivity between 2 firewall Outside interfaces and will definitely be on different subnets. There is no NAT for the private IPs (loopback interfaces in my case), they don't need to be natted in real world scenario as well since their traffic is going to go through the tunnel.
      Hope this answers your question :)

    • @novastarexpress1302
      @novastarexpress1302 3 years ago +1

      @@sec-u-rity7287 thanks u for the explanation

  • @nitesharbale9088
    @nitesharbale9088 4 years ago +1

    @Sec-U-rity great video.. thank you for this great explanation. While I was practising I did not see any logs in monitor tab. After a little research I realised it requires license. Could you please let me know how can I get one. PA team says in order to get a VM license I need to create a support account on their site, but need device serial no which I don't have.

    • @sec-u-rity7287
      @sec-u-rity7287  4 years ago +1

      Hi Nitesh, thanks for watching the video.
      Yes you are right, you won't see the logs until you license your VM, you can use evaluation license as well for that purpose. To purchase the VM license through your company, you need to get in touch with your company account manager or contact Palo Alto distributors.
      For personal use I guess you can request for an evaluation license directly by contacting sales through their website. Hope this helps. Cheers!

  • @BDVSecurity
    @BDVSecurity 2 years ago

    Great explanation

  • @olaniyiajibare2884
    @olaniyiajibare2884 3 years ago +2

    Good Job

  • @deepakprasad4317
    @deepakprasad4317 3 years ago

    Thank you so much Sir!!

  • @valerydolce
    @valerydolce 3 years ago

    Great video.
    Are you using physical Palo Alto devices or a Simulator (EVE-ng, GNS3)? If the latter, do you have a step by step tutorial that one can exploit ?

    • @sec-u-rity7287
      @sec-u-rity7287  3 years ago +1

      I am using VMware images on VMware Esxi, not any simulator :) you can use VMware workstation pro also which has a free trial and follow similar steps, pls see below video for the installation steps: ua-cam.com/video/gmQOQp1IypQ/v-deo.html

    • @valerydolce
      @valerydolce 3 years ago

      @@sec-u-rity7287 Thank you - Now I need to download the Image.

  • @desaironak11
    @desaironak11 3 years ago

    excellent . please do more videos

  • @freddycalderon9092
    @freddycalderon9092 2 years ago

    I've seen other people use an IPv4 Address for the Tunnel. They have said they use it for troubleshooting purposes. Does it matter or not if creating a 2 IP address /30 address?

    • @sec-u-rity7287
      @sec-u-rity7287  2 years ago

      It is not compulsory to assign an IP to tunnel interface unless u wanna do dynamic routing over the tunnel (see my video in which I have configured ospf on ipsec tunnel) or if u wanna do tunnel monitoring

  • @shangyahu
    @shangyahu 2 years ago

    Thanks

  • @mrbptvmovies5470
    @mrbptvmovies5470 2 years ago

    Nice

  • @samcool4u
    @samcool4u 3 years ago

    great video.

  • @simba0x
    @simba0x 1 year ago

    Hi Admin,
    I am not able to see any traffic log on the monitor section of any of the PA. I followed your steps only and I am using PANOS 10 in vmware. Can you please help on this ?

    • @simba0x
      @simba0x 1 year ago

      all daemons are running
      admin@PA-2> show system software status

    • @sec-u-rity7287
      @sec-u-rity7287  1 year ago +1

      Is your firewall licensed? You won't see traffic logs until there is a license on the firewall

    • @simba0x
      @simba0x 1 year ago

      @@sec-u-rity7287 It is not licensed. Thanks for immediate response.

  • @fasalrahman2775
    @fasalrahman2775 3 years ago

    in order to negotiate phase1 and phase2 bw 2 PA, Do we need to set up policy from outside(PA1) to outside(PA2) with application IKE and ESP ????

    • @sec-u-rity7287
      @sec-u-rity7287  3 years ago +2

      Same zone traffic would be allowed by default if you don't modify the default 'intrazone-default' rule. But if that rule is set to deny, then yes, for outside to outside traffic also you need a policy with ike and ipsec app-ids.

    • @fasalrahman2775
      @fasalrahman2775 3 years ago

      @@sec-u-rity7287 thank you

  • @ranghelsoto6516
    @ranghelsoto6516 4 years ago

    Excellent video, friend. A query. If I had a subnet like 192.168.1.0/24, and you configure the IP 192.168.1.1 as DG of that subnet in the Palo Alto LAN interface, how could I do connectivity tests? to the other end? Let's imagine that the other end of your subnet is 10.10.10.0/24, and you want to do a connectivity test from my Subnet, to the IP 10.10.10.10/24. If I want to do the test from the CLI of my Palo Alto, what would be the correct command to do it, avoiding going to a PC in my declared subnet, and only doing it from the Firewall itself. Would the correct command be like this? "ping source 192.168.1.1 host 10.10.10.10", is this correct?

    • @sec-u-rity7287
      @sec-u-rity7287  3 years ago

      Hi Ranghel, Yes you are right, you can ping from internal interface of 1 firewall as source to internal interface of other firewall as destination...in your example, yes it would be "ping source 192.168.1.1 host 10.10.10.10". Do not forget to add those IPs in Proxy IDs in case the tunnel is between PA and non-PA device (policy based VPN).
      Hope this answers your query :)

  • @chaminlakmal3250
    @chaminlakmal3250 1 year ago

    Hi, I sent an email to you and are you able to talk about that?

  • @troysipple2591
    @troysipple2591 2 years ago

    Really good. Thank you!