>
    Strata Copilot
    Create a GRE Tunnel over a Cellular Interface
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. GRE Tunnels
    4. Create a GRE Tunnel over a Cellular Interface
    Download PDF
    Next-Generation Firewall

    Create a GRE Tunnel over a Cellular Interface

    Table of Contents

    Create a GRE Tunnel over a Cellular Interface

    On supported firewall models, create a GRE tunnel over a cellular interface to connect two endpoints in a point-to-point, logical link.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by PAN-OS or Panorama)
    • PAN-OS 12.1 or a later release
    • One of the following supported firewall models:
      • PA-410R-5G
      • PA-415-5G
      • PA-450R-5G
      • PA-455-5G
      • PA-455R-5G
    The PA-410R-5G, PA-415-5G, PA-450R-5G, PA-455R-5G, and PA-455-5G firewalls support a cellular interface to provide data connectivity using the 5G mobile network. Because the address of a cellular interface is dynamically assigned, the local address of a GRE tunnel over that interface must also be able to change dynamically. The peer address of the GRE tunnel needs to support an FQDN, which can resolve to a dynamically changing address. Beginning with PAN-OS 12.1, after you configure 5G for a cellular interface, you can create a GRE tunnel to connect two endpoints that are cellular interfaces in a point-to-point, logical link.
    There are several differences between creating a GRE tunnel over a cellular interface as opposed to another type of interface. When you create a GRE tunnel over a cellular interface:
    • The firewall model must support a cellular interface.
    • The cellular interface does not support a static IP address; its dynamic IP address comes from an ISP. Therefore, the local IP address for the GRE tunnel is configured as None.
    • The peer address at the remote end of the tunnel can be an IPv4 address or an FQDN that dynamically resolves to an IPv4 address.
    If you're creating a GRE tunnel on an interface other than a cellular interface, see Create a GRE Tunnel.
    1. Configure a cellular interface.
      1. Select NetworkInterfacesCellular.
      2. Add a cellular interface and enter the Interface Name, for example, cellular1/1. The firewall models listed above support one cellular interface.
    2. Create a tunnel interface.
      1. Select NetworkInterfacesTunnel.
      2. Add a tunnel and enter the tunnel Interface Name followed by a period and a number (range is 1 to 9,999). For example, tunnel.3.
      3. On the Config tab, assign the tunnel interface to a Virtual Router or a Logical Router.
      4. The PA-415-5G firewall supports one Virtual System; the PA-410R-5G and PA-450R-5G firewalls support two virtual systems, and the PA-455-5G firewall supports five virtual systems.
      5. Assign the tunnel interface to a Security Zone.
      6. Assign an IP address to the tunnel interface. (You must assign an IP address if you want to route to this tunnel or monitor the tunnel endpoint.) Select IPv4 or IPv6 or configure both.
        This address and the corresponding address of the peer's tunnel interface should be on the same subnet because it's a point-to-point, logical link.
        • (IPv4 only) On the IPv4 tab, Add an IPv4 address, select an address object, or select New Address and specify the Type of address and enter it. For example, enter 192.168.2.1.
        • (IPv6 only) On the IPv6 tab, Enable IPv6 on the interface.
          1. For Interface ID, select EUI-64 (default 64-bit Extended Unique Identifier).
          2. Add a new Address, select an IPv6 address object, or select New Address and specify an address Name. Enable address on interface and click OK.
          3. Select the Type of address and enter the IPv6 address or FQDN and click OK to save the new address.
          4. Select Enable address on interface and click OK.
      7. Click OK.
    3. Create a GRE tunnel to force packets to traverse a specific point-to-point path.
      1. Select NetworkGRE Tunnels and Add a tunnel by Name.
      2. Select the Interface to use as the local GRE tunnel endpoint (source interface) to be the cellular interface you configured.
      3. Select the Local Address to be None because the cellular interface can't have a static IP address. The ISP provides a dynamic IPv4 address as the local address.
      4. Select the Peer Address Type as one of the following:
        • IP—Enter the Peer Address (the IPv4 address of the opposite endpoint of the GRE tunnel).
        • FQDN—Enter the FQDN that resolves to an IPv4 address assigned to the opposite endpoint of the GRE tunnel.
      5. Select the Tunnel Interface that you created. (This identifies the tunnel when it's the egress Interface for routing.)
      6. Enter the TTL for the IP packet encapsulated in the GRE packet (range is 1 to 255; default is 64).
      7. Select Copy ToS Header to copy the Type of Service (ToS) field from the inner IP header to the outer IP header of the encapsulated packets to preserve the original ToS information. Select this option if your network uses QoS and depends on the ToS bits for enforcing QoS policy rules.
      8. Enable ERSPAN to enable the firewall to decapsulate Encapsulated Remote Switched Port Analyzer (ERSPAN) data sent through the GRE tunnel. You can configure a network switch to use ERSPAN to send mirrored traffic through a GRE tunnel to the firewall for use by Security services such as IoT security. After decapsulating the data, the firewall inspects it similarly to how it inspects traffic received on a tap interface. It then creates Enhanced Application logs (EALs) and traffic, threat, WildFire®, URL, data, GTP (when GTP is enabled), SCTP (when SCTP is enabled), tunnel, auth, and decryption logs. The firewall forwards these logs to the logging service where IoT security accesses and analyzes the data.
    4. (Best practice) Enable the Keep Alive function for the GRE tunnel.
      If Keep Alive is enabled, by default it takes three unreturned keepalive packets (Retries) at 10-second intervals for the GRE tunnel to go down, and it takes five Hold Timer intervals at 10-second intervals for the GRE tunnel to come back up.
      1. Select Keep Alive to enable the keepalive function for the GRE tunnel (default is disabled).
      2. (Optional) Set the Interval (sec) (in seconds) between keepalive packets that the local end of the GRE tunnel sends to the tunnel peer. This is also the interval that, when multiplied by the Hold Timer, is the length of time that the firewall must see successful keepalive packets before the GRE tunnel comes back up (range is 1 to 50; default is 10). Setting an interval too small will cause many keepalive packets that might be unnecessary in your environment and will require extra bandwidth and processing. Setting an interval too large can delay failover because error conditions might not be identified immediately.
      3. (Optional) Enter the Retry setting, which is the number of intervals that keepalive packets are not returned before the firewall considers the tunnel peer down (range is 1 to 255; default is 3). When the tunnel is down, the firewall removes routes associated with the tunnel from the forwarding table. Configuring a retry setting helps avoid taking measures on a tunnel that isn't down.
      4. (Optional) Set the Hold Timer, which is the number of Intervals that keepalive packets are successful, after which the firewall reestablishes communication with the tunnel peer (range is 1 to 64; default is 5).
    5. Click OK.
    6. Configure a routing protocol or static route to route traffic to the destination by way of the GRE tunnel. For example, Configure a Static Route to the network of the destination server and specify the egress Interface to be the local tunnel endpoint (tunnel.1). Configure the Next Hop to be the IP address of the tunnel at the opposite end. For example, 192.168.2.3.
    7. Commit your changes.
    8. Configure the opposite end of the tunnel with its public IP address, its peer IP address (that corresponds to the peer IP address of the GRE tunnel on the firewall), and its routing protocol or static route.
    9. Verify that the firewall can communicate with the tunnel peer over the GRE tunnel.
      1. Access the CLI.
      2. > ping source 192.168.2.1 host 192.168.2.3

    © 2026 Palo Alto Networks, Inc. All rights reserved.