Next-Generation Firewall
Strata Cloud Manager
Use Strata Cloud Manager to create a GRE tunnel.

Create a GRE tunnel to connect two endpoints in a point-to-point logical link.

- Select Configuration > NGFW and Prisma Access. For Configuration Scope, select Folders and then select All Firewalls, a specific folder, or the specific firewalls you want to configure. (Don't choose Global.)
- Create a tunnel interface.
  - Select Device > Interfaces > Tunnel and Add Tunnel.
  - Enter the tunnel Interface Name followed by a period and a number (the range is 1 to 9,999). For example, tunnel.1. (The Default Interface Assignment is tunnel.)
  - (Optional) Enter a Comment about the tunnel interface.
  - (Optional) Select a NetFlow Profile to export statistics about the IP traffic ingressing its interfaces, or Create New NetFlow Profile.
  - Assign the interface to a Logical Router or a Virtual Router.
  - Assign the tunnel interface to a security Zone, or Create New zone.
  - Assign an IP address to the tunnel interface. (You must assign an IP address if you want to route to this tunnel or monitor the tunnel endpoint.) The tunnel interface can have IPv4 and IPv6 addresses.
    - You can select IPv4 and the Static address type. Select the + and enter one or more IPv4 addresses for the tunnel interface.
    - You can also select IPv6 and Enable IPv6 on the interface.
    - (IPv6 address only) Select EUI-64 (the default, a 64-bit Extended Unique Identifier) or enter the 64-bit extended unique identifier (EUI-64) in hexadecimal format (for example, 00:26:08:FF:FE:DE:4E:29). If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the Interface ID as the host portion of that address.
    - (IPv6 address only) Add one or more IPv6 addresses for the tunnel interface.
    - (IPv6 address only) Select Enable address in interface to enable that IPv6 address on the interface.
    - (IPv6 address only) Select Anycast to make the IPv6 address (route) an anycast address (route). This means multiple locations can advertise the same prefix, and IPv6 sends the anycast traffic to the node it considers the nearest, based on routing protocol costs and other factors.
    - (IPv6 address only) Add the IPv6 address to the tunnel interface.
  - Enter the Maximum Transmission Unit (MTU) to specify the largest size of a data packet (in bytes) that the firewall can transmit over the GRE tunnel. The range is 576 to 9,216 in jumbo frame mode, and 576 to 1,500 otherwise.
  - Save the tunnel interface.
- Create a GRE tunnel to force packets to traverse a specific point-to-point path.
  - Select Device > GRE Tunnels and Add GRE Tunnels.
  - Enter a Name for the GRE tunnel.
  - Select the Interface to use as the local GRE tunnel endpoint (source interface). This can be an Ethernet interface or subinterface, a cellular interface, an Aggregate Ethernet (AE) interface, a loopback interface, or a VLAN interface.
  - Enter the Local Address. If you selected a cellular interface, the Local Address can be None (empty).
  - Select the Peer Address Type, either IP or FQDN. The FQDN address type is available only if you selected a cellular interface for the Local Address.
  - Select the Tunnel Interface you created in the prior step. (This identifies the tunnel when it's the egress Interface for routing.)
  - Enter the TTL for the IP packet encapsulated in the GRE packet (the range is 1 to 255; the default is 64).
  - Select Copy ToS Header to copy the Type of Service (ToS) field from the inner IP header to the outer IP header of the encapsulated packets, which preserves the original ToS information. Select this option if your network uses QoS and depends on the ToS bits for enforcing QoS policy rules.
  - Select ERSPAN (Encapsulated Remote SPAN) to mirror the SPAN traffic from one device to another for remote packet capture or monitoring.
- (Best practice) Specify the Keep Alive settings for the GRE tunnel.
  - (Optional) Enable Keep Alive packets.
  - (Optional) In the Keep Alive section, set the Interval (sec), in seconds, between keepalive packets that the local end of the GRE tunnel sends to the tunnel peer. This is also the interval that, when multiplied by the Hold Timer, gives the length of time for which the firewall must see successful keepalive packets before the GRE tunnel comes back up. The range is 1 to 50; the default is 10. Setting the interval too small generates many keepalive packets that might be unnecessary in your environment and that consume extra bandwidth and processing. Setting the interval too large can delay failover, because error conditions might not be identified immediately.
  - If Keep Alive is enabled, by default it takes three unreturned keepalive packets (Retries) at 10-second intervals for the GRE tunnel to go down, and it takes five Hold Timer intervals at 10-second intervals for the GRE tunnel to come back up.
  - (Optional) Enter the Retry setting, which is the number of intervals during which keepalive packets go unreturned before the firewall considers the tunnel peer down (the range is 1 to 255; the default is 3). When the tunnel is down, the firewall removes the routes associated with the tunnel from the forwarding table. Configuring a retry setting helps avoid acting on a tunnel that isn't truly down.
  - (Optional) Set the Hold Timer, which is the number of consecutive intervals in which keepalive packets succeed before the firewall re-establishes communication with the tunnel peer (the range is 1 to 64; the default is 5).
- Save the GRE tunnel settings.
- Configure a routing protocol or static route to route traffic to the destination by way of the GRE tunnel. For example, Configure a Static Route to the network of the destination server and specify the egress Interface to be the local tunnel endpoint (tunnel.1). Configure the Next Hop to be the IP address of the tunnel at the opposite end, for example, 192.168.2.3.
- Push Config.
- Configure the opposite end of the tunnel with its public IP address, its local and peer IP addresses (which correspond to the peer and local IP addresses, respectively, of the GRE tunnel on the firewall), and its routing protocol or static route.
- Verify that the firewall can communicate with the tunnel peer over the GRE tunnel. For example, ping the IP address of the opposite end of the tunnel.
  - Access the CLI and run:
    > ping source 192.168.2.1 host 192.168.2.3
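The procedure above fixes several numeric ranges (tunnel interface number, MTU, TTL, keepalive interval, retries and hold timer) and leaves the EUI-64 derivation to the firewall. The following Python script is an added example, not Palo Alto Networks code and not a Strata Cloud Manager API: it checks a proposed configuration against the ranges the page states, computes how long a keepalive failure takes to bring the tunnel down and back up, and derives the modified EUI-64 interface identifier from a MAC address as RFC 4291 Appendix A specifies. The `GreTunnelConfig` class, the function names and the sample MAC address are this example's own constructions.

```python
import re
from dataclasses import dataclass

# Tunnel interface names are "tunnel." followed by a number from 1 to 9,999.
TUNNEL_NAME_RE = re.compile(r"^tunnel\.(\d+)$")


def modified_eui64_from_mac(mac: str) -> str:
    """Derive the modified EUI-64 interface identifier from a 48-bit MAC address
    (RFC 4291, Appendix A): split the MAC into two 24-bit halves, insert FF:FE
    between them, and flip the universal/local bit (0x02) of the first octet.
    This is the derivation the firewall applies when the EUI-64 field is left blank."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = [int(p, 16) for p in parts]
    if any(o < 0 or o > 0xFF for o in octets):
        raise ValueError(f"octet out of range in MAC address: {mac!r}")
    octets[0] ^= 0x02  # flip the universal/local bit
    eui64 = octets[:3] + [0xFF, 0xFE] + octets[3:]
    return ":".join(f"{o:02X}" for o in eui64)


@dataclass
class GreTunnelConfig:
    """Constructed container (not a product object) for the numeric settings from
    the tunnel-interface and GRE-tunnel steps. Defaults mirror the page's stated
    defaults: TTL 64, interval 10 s, retries 3, hold timer 5."""
    tunnel_interface: str
    mtu: int
    jumbo_frames: bool = False
    ttl: int = 64
    keep_alive: bool = True
    interval: int = 10
    retries: int = 3
    hold_timer: int = 5


def validate(cfg: GreTunnelConfig) -> list[str]:
    """Return the list of range violations (empty when the configuration is valid)."""
    errors = []
    m = TUNNEL_NAME_RE.match(cfg.tunnel_interface)
    if m is None or not 1 <= int(m.group(1)) <= 9999:
        errors.append(f"tunnel interface must be tunnel.<1-9999>, got {cfg.tunnel_interface!r}")
    # MTU: 576 to 9,216 in jumbo frame mode, 576 to 1,500 otherwise.
    max_mtu = 9216 if cfg.jumbo_frames else 1500
    if not 576 <= cfg.mtu <= max_mtu:
        errors.append(f"MTU must be 576-{max_mtu}, got {cfg.mtu}")
    if not 1 <= cfg.ttl <= 255:
        errors.append(f"TTL must be 1-255, got {cfg.ttl}")
    if cfg.keep_alive:
        if not 1 <= cfg.interval <= 50:
            errors.append(f"keepalive interval must be 1-50 s, got {cfg.interval}")
        if not 1 <= cfg.retries <= 255:
            errors.append(f"keepalive retries must be 1-255, got {cfg.retries}")
        if not 1 <= cfg.hold_timer <= 64:
            errors.append(f"keepalive hold timer must be 1-64, got {cfg.hold_timer}")
    return errors


def keepalive_timing(cfg: GreTunnelConfig) -> tuple[int, int]:
    """Return (seconds of unanswered keepalives before the tunnel is declared down
    and its routes withdrawn, seconds of consecutive successful keepalives before
    the tunnel is brought back up)."""
    return cfg.interval * cfg.retries, cfg.interval * cfg.hold_timer


if __name__ == "__main__":
    cfg = GreTunnelConfig(tunnel_interface="tunnel.1", mtu=1500)
    print("violations:", validate(cfg))
    print("down after / up after (s):", keepalive_timing(cfg))
    # Constructed sample MAC; the page's example identifier 00:26:08:FF:FE:DE:4E:29
    # is what this derivation yields for MAC 02:26:08:DE:4E:29.
    print("EUI-64 from 02:26:08:DE:4E:29:", modified_eui64_from_mac("02:26:08:DE:4E:29"))
```

With the page's defaults the tunnel is declared down after 30 seconds of silence and restored after 50 seconds of good keepalives, which is the trade-off the Interval guidance describes: a shorter interval shortens both windows at the cost of more keepalive traffic. The validator is worth running before a Push Config, because a value outside these ranges is rejected at commit time rather than caught earlier.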