Next-Generation Firewall
Configure an IPSec Tunnel
Configure an IPSec tunnel to authenticate and encrypt data as it traverses a tunnel.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
Where Can I Use This? | What Do I Need?
---|---
 | One of these:
The IPSec tunnel configuration authenticates and encrypts IP packets as they traverse the tunnel. After you push the configuration, view the tunnel status to check whether valid IKE and IPSec SAs have been established and whether the IPSec tunnel is available for passing traffic.
- Log in to Strata Cloud Manager.
- Configure a tunnel interface to be used in the IPSec tunnel configuration.
- Configure the layer 3 interface to be used in the IKE gateway configuration (as a local IKE endpoint).
- Select Manage > Configuration > NGFW and Prisma Access > Device Settings > IPSec Tunnels and select the Configuration Scope where you want to create the IPSec tunnel. You can select a folder or firewall from your Folders, or select Snippets to configure the IPSec tunnel in a snippet.
- Add IPSec Tunnel.
- Configure the IPSec tunnel.
- Enter a descriptive Name.
- Select the Tunnel Interface you configured in step 2.
- Select the Address Type (IPv4 or IPv6) for the IPSec tunnel to match the addressing used on the tunnel interface.
- (Optional) Enable Tunnel Monitoring.
- Enable tunnel monitoring for the IPSec tunnel.
- Enter the Destination IP to send the ICMP probe. Choose an address that is reachable only through the tunnel and that answers ICMP; otherwise the monitor cannot tell a working tunnel from a failed one.
A predefined tunnel monitoring profile is associated and pushed to all managed firewalls when you configure an IPSec tunnel. The defaults are:
- Action—Default is Wait Recover. The firewall waits for the tunnel to recover and continues to use the tunnel interface in routing decisions as if the tunnel were still active, so traffic routed to a failed tunnel is dropped until it recovers.
- Interval (sec)—Default is 3 seconds. Specifies the time (in seconds) between heartbeats.
- Threshold—Default is 5. Specifies the number of consecutive missed heartbeats the firewall waits for before taking the configured action.
- Configure Proxy IDs:
- Click Add and specify the Proxy ID name.
- Enter the local IP address or subnet for the VPN gateway in Local Proxy ID.
- Enter the remote IP address or subnet for the VPN gateway in Remote Proxy ID.
- Select the Protocol:
- Number—Specify the IP protocol number (used for interoperability with third-party devices).
- Any—Does not restrict the protocol; IP packets of any protocol match the proxy ID.
- TCP—Specify the local port and remote port numbers.
- UDP—Specify the local port and remote port numbers.
Proxy IDs can use either IPv4 or IPv6 address types to identify the VPN peers. A Proxy Identity, or proxy ID, represents a defined set of traffic for an IPSec VPN, which is governed by the Security Association (SA) negotiated between the peers. When you configure a Palo Alto Networks firewall to work with a VPN peer that uses a policy-based VPN, you must set up both a local and a remote proxy ID for the IPSec tunnel. During IKE phase 2 negotiation, each peer compares its configured proxy IDs with those received from the other side; the two must be mirror images (your Local Proxy ID is the peer's Remote Proxy ID and vice versa, with the same protocol and ports) or the IPSec SA is not established. For multiple tunnels, assign unique proxy IDs to each tunnel interface; each proxy ID counts toward the firewall's IPSec VPN tunnel capacity, which varies by firewall model.
- Configure and enable IPSec tunnel Advanced Settings.
- IPSec Crypto Profile—Ciphers used for authentication and encryption of the traffic between the IPSec peers, the DH group used for Perfect Forward Secrecy (if any), and the lifetime of the key. You can select predefined IPSec Crypto profiles or Create New.
- Anti Replay—Enables the IPSec anti-replay service. Each ESP packet carries a sequence number and the receiver keeps a sliding window of sequence numbers it has already accepted (RFC 4303; RFC 6479 describes an efficient implementation of the window), so a packet that an attacker captures and re-injects is discarded instead of being accepted a second time. Anti-replay does not by itself detect modified packets; that is the job of the integrity check (ICV), which the receiver verifies before it updates the window. The window is tracked per Security Association, and each SA is unidirectional.
- Copy ToS—Copies the Type of Service (ToS) header from the inner IP header to the outer IP header of the encapsulated packets to preserve the original ToS information. If there are multiple sessions inside the tunnel (each with a different ToS value), copying the ToS header can cause the IPSec packets to arrive out of order. Copying the value also exposes the inner traffic's class of service to anyone who can observe the outer header.
- Enable GRE Encapsulation—Add GRE encapsulation in cases where the remote endpoint requires traffic to be encapsulated within a GRE tunnel before IPSec encrypts the traffic.
- Configure the IPSec tunnel IKE Gateway.
- Select the Address Type (IPv4 or IPv6) for the IKE gateway to match the addressing of the interface that terminates the tunnel.
- Select the IKE Interface to act as the local gateway endpoint.
- Enter the Local IP Address. The Local IP Address list shows the IPv4 or IPv6 addresses that match the Address Type you selected. Specify the exact IP address if the IKE interface has multiple IP addresses.
- Select the Peer IP Address Type.
- Static—Enter a Peer Address that is a static IPv4 address or select an address object.
- FQDN—Enter a Peer Address that is an FQDN string or an address object that uses an FQDN string.
- Dynamic—Select this when the peer's IP address or FQDN is not known in advance; the peer must then initiate the IKE negotiation.
- Select the Authentication method:
- Pre-shared key—Enter the Pre-Shared Key string and Confirm Pre-Shared Key. Use a long, randomly generated key, and do not share one key across many peers, because the key alone cannot tell those peers apart.
- Certificate—Select the Local Certificate and Certificate Profile to specify how to authenticate the peer gateway.
- Select the type of Local Identification and define the identification format to distinguish and identify the local gateway. The local IP address of the firewall is used if no local identification is defined.
- Select the type of Peer Identification and define the identification format to distinguish and identify the peer gateway. The IP address of the peer gateway is used if no peer identification is defined, so set an explicit Peer Identification when the peer's address can change (Dynamic or FQDN peers).
- Enable IKE Passive Mode to specify that the firewall only responds to IKE connection requests and never initiates them.
- (Optional) Keep NAT Traversal enabled (the default) to allow IPSec VPN connections to stay open when the traffic passes through a gateway or other device that performs NAT. NAT rewrites the outer IP addresses and ports of a packet, but ESP carries no port numbers for a NAT device to map connections by, and AH protects the very header fields that NAT changes, so IPSec traffic generally does not pass through NAT unchanged. With NAT traversal, the IKE peers detect the NAT during negotiation and encapsulate the ESP packets in an additional UDP header (UDP port 4500), which the NAT device can translate without touching the protected payload.
- Configure the IKE Gateway Advanced Settings.
- Select the IKE Protocol Version to specify the negotiation method the IKE gateway initiates with its peer (IKEv1 only mode, IKEv2 only mode, or IKEv2 preferred mode). Prefer IKEv2; use IKEv1 only for peers that do not support IKEv2.
- Select the IKEv1 Crypto Profile and IKEv2 Crypto Profile. The ability to configure one or both of the IKE Crypto profiles is based on the IKE Protocol Version you selected. Select a predefined crypto profile or Create New. Prefer AES (AES-GCM or AES-256-CBC) with SHA-256 or stronger and DH group 14 or higher, and avoid profiles that offer DES, 3DES, MD5, or DH groups 1, 2 and 5, because the peers can settle on the weakest proposal a profile allows.
- Save.
- Push Config to push your configuration changes.
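The mirror-image comparison of proxy IDs described in the Configure Proxy IDs step is the most common reason a policy-based VPN fails in IKE phase 2. The following Python is an added example, not Palo Alto Networks code or output of the firewall: it models the exact-match comparison the text describes, and the ProxyID type, the helper names and the sample configurations are constructed for the example.

```python
"""Check that a peer's proxy IDs are the mirror image of ours before IKE
phase 2 is attempted.

Added example, not Palo Alto Networks code. ProxyID and the two sample
configurations are constructed for the example.
"""

from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ProxyID:
    name: str
    local: str                 # address or subnet, e.g. "10.1.0.0/16"
    remote: str
    protocol: str = "any"      # "any", "tcp", "udp" or an IP protocol number as text
    local_port: int = 0        # 0 means any port (TCP/UDP only)
    remote_port: int = 0


def _net(value: str) -> ipaddress.IPv4Network | ipaddress.IPv6Network:
    # strict=False normalises "10.1.1.5/24" to "10.1.1.0/24"
    return ipaddress.ip_network(value, strict=False)


def mismatch_reasons(ours: ProxyID, theirs: ProxyID) -> list[str]:
    """Return why `theirs` is not the mirror of `ours`; an empty list means a match."""
    reasons = []
    if _net(ours.local) != _net(theirs.remote):
        reasons.append(f"our local {_net(ours.local)} != peer remote {_net(theirs.remote)}")
    if _net(ours.remote) != _net(theirs.local):
        reasons.append(f"our remote {_net(ours.remote)} != peer local {_net(theirs.local)}")
    if ours.protocol.lower() != theirs.protocol.lower():
        reasons.append(f"protocol {ours.protocol} != {theirs.protocol}")
    elif ours.protocol.lower() in ("tcp", "udp"):
        # Ports are swapped from the peer's point of view, just like the subnets.
        if ours.local_port != theirs.remote_port or ours.remote_port != theirs.local_port:
            reasons.append("TCP/UDP ports are not mirrored")
    return reasons


def match_proxy_ids(ours: list[ProxyID], theirs: list[ProxyID]) -> dict[str, str | None]:
    """Map each of our proxy IDs to the name of the peer entry that mirrors it, or None."""
    result: dict[str, str | None] = {}
    for mine in ours:
        result[mine.name] = next(
            (peer.name for peer in theirs if not mismatch_reasons(mine, peer)), None
        )
    return result


def proxy_demo() -> dict[str, str | None]:
    # Constructed sample: our firewall versus a third-party policy-based peer.
    ours = [
        ProxyID("hq-to-branch", "10.1.0.0/16", "192.168.10.0/24"),
        ProxyID("hq-dns", "10.1.0.53/32", "192.168.10.53/32", "udp", 0, 53),
    ]
    theirs = [
        # Classic mistake: the peer narrowed our /16 to a /24, so no SA for it.
        ProxyID("branch-to-hq", "192.168.10.0/24", "10.1.0.0/24"),
        ProxyID("dns", "192.168.10.53/32", "10.1.0.53/32", "udp", 53, 0),
    ]
    return match_proxy_ids(ours, theirs)


if __name__ == "__main__":
    for name, peer in proxy_demo().items():
        print(f"{name}: {'matches ' + peer if peer else 'NO MIRROR on peer'}")
```

Run it before you push the tunnel: an entry that reports no mirror will show up later as a phase 2 failure with no IPSec SA, while the rest of the tunnel (IKE phase 1) looks healthy.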
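The Anti Replay setting in the Advanced Settings step describes a sliding receive window; the Python below is an added example, not Palo Alto Networks code, that implements that window as RFC 4303 section 3.4.3 describes it and shows which packets it accepts and which it drops. The window size of 64 and the packet sequence are assumptions for the example.

```python
"""Sliding-window anti-replay check as described in RFC 4303 section 3.4.3.

Added example, not Palo Alto Networks code. The window size of 64 is an
assumption for this example; the receiver keeps one window per inbound IPSec
SA because every SA is unidirectional.
"""


class AntiReplayWindow:
    """Tracks which ESP sequence numbers have already been accepted on one SA."""

    def __init__(self, size: int = 64) -> None:
        if size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (top - i) was seen
        self.mask = (1 << size) - 1

    def process(self, seq: int, icv_ok: bool) -> tuple[bool, str]:
        """Decide whether a packet with sequence number `seq` is accepted.

        `icv_ok` is the result of the integrity check. The window is only
        updated for packets whose ICV verified, so a forged sequence number
        cannot slide the window forward and lock out legitimate packets.
        """
        if seq == 0:
            return False, "sequence number 0 is never valid"
        if seq > self.top:
            if not icv_ok:
                return False, "integrity check failed (window unchanged)"
            shift = seq - self.top
            # Slide the window so that `seq` becomes the new top.
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
            return True, "new highest sequence number, window advanced"
        offset = self.top - seq
        if offset >= self.size:
            return False, "older than the receive window (dropped)"
        if self.bitmap & (1 << offset):
            return False, "replayed packet (already received)"
        if not icv_ok:
            return False, "integrity check failed (window unchanged)"
        self.bitmap |= 1 << offset
        return True, "late but inside the window, accepted once"


def replay_demo() -> list[tuple[int, bool]]:
    """Feed a constructed packet sequence through a 64-packet window and record the verdicts."""
    window = AntiReplayWindow(64)
    # Constructed sample: in-order packets, one reordered packet, a replay of
    # it, a jump far ahead, a stale packet, and both sides of the window edge.
    sequence = [1, 2, 3, 5, 4, 4, 70, 3, 200, 199, 136, 137]
    return [(seq, window.process(seq, icv_ok=True)[0]) for seq in sequence]


if __name__ == "__main__":
    for seq, accepted in replay_demo():
        print(f"seq {seq:>4}: {'accept' if accepted else 'DROP'}")
```

Note the order of checks: the window is consulted before the expensive ICV computation, but it is only advanced after the ICV verifies, which is why a spoofed packet with a very high sequence number cannot by itself knock the legitimate sender outside the window.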
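The NAT Traversal setting in the IKE Gateway step relies on the peers noticing that a NAT device sits between them. The Python below is an added example, not Palo Alto Networks code, of the IKEv2 NAT detection exchange from RFC 7296 section 2.23: each side hashes the SPIs, address and port it believes it is using, and the receiver recomputes the hash over what actually arrived. The SPIs, addresses and ports are constructed for the example (RFC 5737 documentation ranges).

```python
"""IKEv2 NAT detection (RFC 7296 section 2.23), the mechanism behind the
NAT Traversal setting.

Added example, not Palo Alto Networks code. The SPIs, addresses and ports
below are constructed for the example.
"""

import hashlib
import ipaddress
import struct


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """SHA-1 over SPIi | SPIr | IP address | port, the data carried in the
    NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP notifications."""
    if len(spi_i) != 8 or len(spi_r) != 8:
        raise ValueError("IKE SPIs are 8 octets each")
    packed_ip = ipaddress.ip_address(ip).packed      # 4 octets for IPv4, 16 for IPv6
    return hashlib.sha1(spi_i + spi_r + packed_ip + struct.pack("!H", port)).digest()


def responder_view(spi_i, spi_r, notify_src, notify_dst, observed_src, own_endpoint):
    """What the responder learns from the initiator's two notifications.

    notify_src / notify_dst are the hashes the initiator sent, computed over
    the addresses it believes it is using. observed_src is the (ip, port) the
    responder actually saw on the UDP datagram; own_endpoint is its own (ip, port).
    """
    initiator_behind_nat = nat_detection_hash(spi_i, spi_r, *observed_src) != notify_src
    responder_behind_nat = nat_detection_hash(spi_i, spi_r, *own_endpoint) != notify_dst
    return {
        "initiator_behind_nat": initiator_behind_nat,
        "responder_behind_nat": responder_behind_nat,
        # Either side behind NAT => move to UDP 4500 and carry ESP inside UDP.
        "use_udp_encapsulation": initiator_behind_nat or responder_behind_nat,
    }


def nat_demo(initiator_natted: bool = True) -> dict:
    """Initiator 10.0.0.5 sits behind a NAT that rewrites it to 203.0.113.7:4501;
    the responder 198.51.100.1 has a public address. With initiator_natted=False
    the packet arrives untranslated and no NAT is detected."""
    spi_i = bytes.fromhex("0011223344556677")
    spi_r = bytes(8)   # the responder SPI is zero in the IKE_SA_INIT request
    initiator = ("10.0.0.5", 500)
    responder = ("198.51.100.1", 500)
    # Notifications as built by the initiator, from its own point of view.
    notify_src = nat_detection_hash(spi_i, spi_r, *initiator)
    notify_dst = nat_detection_hash(spi_i, spi_r, *responder)
    # What the responder observes on the wire.
    observed_src = ("203.0.113.7", 4501) if initiator_natted else initiator
    return responder_view(spi_i, spi_r, notify_src, notify_dst, observed_src, responder)


if __name__ == "__main__":
    print(nat_demo())
```

Because the notification carries a hash rather than the address itself, a peer that was told only the hash cannot learn the private address behind the NAT, but it can still tell that translation happened and switch the tunnel to UDP encapsulation on port 4500.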