Focus

Next-Generation Firewall

Configure a Tunnel Interface

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1

Configure a Loopback Interface

Configure Routing Profiles

Configure a Tunnel Interface

Configure a tunnel interface to connect to and establish a VPN tunnel.

Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.

Where Can I Use This?	What Do I Need?
`NGFW (Managed by Strata Cloud Manager)` `VM-Series, funded with Software NGFW Credits`	`AIOps for NGFW Premium license (use the Strata Cloud Manager app)`

To set up a VPN tunnel, the Layer 3 interface at each end must have a logical tunnel interface for the firewall to connect to and establish a VPN tunnel. A tunnel interface is a logical (virtual) interface that is used to deliver traffic between two endpoints. If you configure any Proxy IDs, the Proxy ID is counted toward any IPSec tunnel capacity.

The tunnel interface must belong to a security zone to apply a policy rule and it must be assigned to a logical router in order to use the existing routing infrastructure. Ensure that the tunnel interface and the physical interface are assigned to the same logical router so that the firewall can perform a route lookup and determine the appropriate tunnel to use.

Strata Cloud Manager

Select

Manage

Configuration

NGFW and Prisma Access

Device Settings

Interfaces

Tunnel

and select the Configuration Scope where you want to create the tunnel interface.

Select a firewall from your

Folders

or select

Snippets

to configure the tunnel interface in a snippet.

If you select a folder or select a snippet, you create a tunnel interface variable that must be assigned at the device level.

Add Tunnel

Enter the

Interface Name

By default, all tunnel interfaces are prefixed with

tunnel

. The tunnel interface name supports numeric characters only.

(Optional) Enter a

Description

(Folders and Snippets only; Optional) Assign the interface to a

Logical Router

See Configure a Logical Router for more information.

(Folders and Snippets only; Optional) Assign the interface to a

Zone

Create New

to create a new zone. See Zone Protection and DoS Protection for more information.

Add

static IP addresses to configure the interface IPv4 settings.

Only

Static

IP addresses are supported.

To route traffic between the sites, a tunnel interface doesn’t require an IP address. An IP address is only required if you want to enable tunnel monitoring or if you’re using a dynamic routing protocol to route traffic across the tunnel. With dynamic routing, the tunnel IP address serves as the next hop IP address for routing traffic to the VPN tunnel.

Save

Push Config

to push your configuration changes.

Configure a Loopback Interface

Configure Routing Profiles

Next-Generation Firewall Docs

Configure a Tunnel Interface

Next-Generation Firewall Docs

Configure a Tunnel Interface

Recommended For You

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner