Friends, this was just a quick setup video. I also do full In-Depth Palo Alto trainings where you would learn all the concepts in detail and also get lots of hands-on. Contact me on below email if you are interested in the full training course:
technicalexpertkw@gmail.com
This was Crisp & Clear Explanation ... Do more Videos brother.
Thanks!!
You explained it really nicely. It's the first time I learnt how to set an IP on PA-VM. Thanks.
Thanks for making the concept easier by explaining the other options, for understanding and use of them as well.
Thank you so much, my friend. The part related to configuring the policies wasn't clear in other videos on UA-cam.
Thank you Kaushal for easy explanation.
Great video, and thanks for providing clear details and explanations, as well as validation that the tunnel came up.
Thank you so much!!
Make a video on IPsec troubleshooting it will be helpful..
This explanation is good 👌
Great video Man you explain really good!
thanks my friend, very simple your explanation tutorial.
Excellent video and you did a great job to explain. Thank you.
Nice simple video, what's the actual connection between the two PAs? Is that a router (cloud)? Is there any NAT to translate the LAN IP subnet to the outside?
Hi Edy, in my lab both the firewalls are directly connected on their Outside interfaces, but in the real world it won't be the case; there will be Internet/WAN connectivity between the 2 firewall Outside interfaces and they will definitely be on different subnets. There is no NAT for the private IPs (loopback interfaces in my case); they don't need to be NATted in a real-world scenario either, since their traffic is going to go through the tunnel.
Hope this answers your question :)
@@sec-u-rity7287 Thank you for the explanation.
Great detailed walkthrough. Great job. Do you have any videos on how to properly set up email notifications using O365? I'm amazed that it does not work out of the box. Thank you
Good bro, pls keep uploading similar videos.
Why do we create policy rules twice (to allow traffic from src to dest and dest to src) like an ACL in a router? Won't it maintain a connection table?
Kaushal as you mentioned tunnel can't be up without traffic then how and why tunnel comes up in this case?
@Sec-U-rity great video.. thank you for this great explanation. While I was practising I did not see any logs in the Monitor tab. After a little research I realised it requires a license. Could you please let me know how I can get one? The PA team says in order to get a VM license I need to create a support account on their site, but I need a device serial no. which I don't have.
Hi Nitesh, thanks for watching the video.
Yes, you are right, you won't see the logs until you license your VM; you can use an evaluation license as well for that purpose. To purchase the VM license through your company, you need to get in touch with your company account manager or contact Palo Alto distributors.
For personal use I guess you can request an evaluation license directly by contacting sales through their website. Hope this helps. Cheers!
superb explanation. keep going brother
Thanks a lot!!
Great video, thanks for sharing this.
Great video.
Are you using physical Palo Alto devices or a simulator (EVE-ng, GNS3)? If the latter, do you have a step-by-step tutorial that one can exploit?
I am using VMware images on VMware ESXi, not any simulator :) you can use VMware Workstation Pro also, which has a free trial, and follow similar steps; pls see the below video for the installation steps: ua-cam.com/video/gmQOQp1IypQ/v-deo.html
@@sec-u-rity7287 Thank you - Now I need to download the Image.
Loved it man, thank you!
Nicely explained bro ..thanks👍
Thanks mate
loved it, cool and simple explanation.
Thanks man
U helped me a lot
Good explanation...well done!
I've seen other people use an IPv4 address for the tunnel. They have said they use it for troubleshooting purposes. Does it matter or not if I create a 2-IP-address /30 address?
It is not compulsory to assign an IP to the tunnel interface unless u wanna do dynamic routing over the tunnel (see my video in which I have configured OSPF on the IPsec tunnel) or if u wanna do tunnel monitoring.
Hi Admin,
I am not able to see any traffic log on the Monitor section of any of the PAs. I followed your steps only and I am using PAN-OS 10 in VMware. Can you please help on this?
All daemons are running:
admin@PA-2> show system software status
Slot 1, Role mp
----------------------------------------
Type Name State Info
Group all running
Group base running
Group batch running
Group batch_secondary running
Group chassis running
Group data_plane running
Group dsms running
Group fips running
Group frr running
Group gdb running
Group grp_plugins running
Group ha_ssh running
Group mgmt_services running
Group ntlm-grp running
Group services running
Group supervisor running
Group tasks running
Group third_party running
Process all_task running (pid: 3921)
Process authd running (pid: 5090)
Process bfd running (pid: 4686)
Process brdagent running (pid: 3322)
Process chasd running (pid: 3250)
Process comm running (pid: 3918)
Process contentd running (pid: 3205)
Process crypto running (pid: 3813)
Process dagger running (pid: 3204)
Process devsrvr running (pid: 4797)
Process dha running (pid: 4773)
Process dhcp running (pid: 5086)
Process distributord running (pid: 4801)
Process dnsproxy running (pid: 5087)
Process ehmon running (pid: 3249)
Process ha-sshd running (pid: 3833)
Process ha_agent running (pid: 5083)
Process icd running (pid: 5056)
Process ifmgr running (pid: 5079)
Process ikemgr running (pid: 5075)
Process iotd running (pid: 4796)
Process keymgr running (pid: 5078)
Process l2ctrl running (pid: 5082)
Process l3svc running (pid: 30673)
Process logrcvr running (pid: 5076)
Process masterd running (pid: 2919)
Process mgmtsrvr running (pid: 4873)
Process monitor running (pid: 3216)
Process monitor-dp running (pid: 4789)
Process mprelay running (pid: 4687)
Process pl-dp_notify running (pid: 6246)
Process pl-vm_agent running (pid: 6255)
Process plugin_api_server running (pid: 3218)
Process pppoe running (pid: 5088)
Process rasmgr running (pid: 5077)
Process redis_gp running (pid: 3817)
Process redis_idmgr running (pid: 3815)
Process redis_iotd running (pid: 4879)
Process redis_useridd running (pid: 4885)
Process routed running (pid: 5089)
Process satd running (pid: 5084)
Process sdwand running (pid: 4685)
Process snmpd running (pid: 11594)
Process sshd running (pid: 3875)
Process sslmgr running (pid: 5085)
Process sslvpn running (pid: 5074)
Process sslvpn_ngx running (pid: 5120)
Process sysd running (pid: 2963)
Process sysdagent running (pid: 3206)
Process tund running (pid: 4688)
Process useridd running (pid: 4800)
Process varrcvr running (pid: 5080)
Process vm_agent running (pid: 3217)
Process web_backend running (pid: 5055)
Process websrvr running (pid: 5511)
Process wifclient running (pid: 3935)
Is your firewall licensed? You won't see traffic logs until there is a license on the firewall
@@sec-u-rity7287 It is not licensed. Thanks for immediate response.
Great explanation
Thanks
Good Job
Thank you :)
Excellent video, friend. A query. If I had a subnet like 192.168.1.0/24, and you configure the IP 192.168.1.1 as the DG of that subnet on the Palo Alto LAN interface, how could I do connectivity tests to the other end? Let's imagine that the other end of your subnet is 10.10.10.0/24, and you want to do a connectivity test from my subnet to the IP 10.10.10.10/24. If I want to do the test from the CLI of my Palo Alto, what would be the correct command to do it, avoiding going to a PC in my declared subnet, and only doing it from the firewall itself? Would the correct command be like this? "ping source 192.168.1.1 host 10.10.10.10", is this correct?
Hi Ranghel, yes you are right, you can ping from the internal interface of 1 firewall as source to the internal interface of the other firewall as destination... in your example, yes it would be "ping source 192.168.1.1 host 10.10.10.10". Do not forget to add those IPs in Proxy IDs in case the tunnel is between a PA and a non-PA device (policy-based VPN).
Hope this answers your query :)
Thank you so much Sir!!
Excellent. Please do more videos.
Thanks buddy...happy learning!!
In order to negotiate phase 1 and phase 2 between 2 PAs, do we need to set up a policy from Outside (PA1) to Outside (PA2) with applications IKE and ESP?
Same-zone traffic would be allowed by default if you don't modify the default 'intrazone-default' rule. But if that rule is set to deny, then yes, for outside-to-outside traffic also you need a policy with the ike and ipsec app-ids.
@@sec-u-rity7287 thank you
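As an added illustration of the reply above (not from the video or its author), here is what such a policy looks like in PAN-OS set-command form for the case where intrazone-default has been changed to deny. The zone name Outside, the rule name Allow-VPN-Peers, the address-object names and the 203.0.113.1 / 198.51.100.1 peer addresses are constructed assumptions; the same rule, with source and destination swapped, is needed on the other firewall so either side can initiate IKE.

```text
admin@PA-1> configure
admin@PA-1# set address PA1-Outside-IP ip-netmask 203.0.113.1/32
admin@PA-1# set address PA2-Outside-IP ip-netmask 198.51.100.1/32
admin@PA-1# set rulebase security rules Allow-VPN-Peers from Outside to Outside source PA1-Outside-IP destination PA2-Outside-IP application [ ike ipsec ] service application-default action allow log-end yes
admin@PA-1# show rulebase default-security-rules rules intrazone-default
admin@PA-1# commit
```

Restricting the rule to the two peer addresses and to the ike/ipsec app-ids keeps the Outside-to-Outside opening limited to the tunnel negotiation itself, and log-end gives you traffic-log entries to confirm the phase 1/phase 2 exchange when troubleshooting.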
great video.
Thanks
Nice
Hi, I sent an email to you and are you able to talk about that?
Really good. Thank you!