End-of-Life (EoL)

GRE Tunneling Support

The firewall can terminate a generic routing encapsulation (GRE) tunnel to connect two endpoints in a point-to-point, logical link.
Palo Alto Networks next-generation firewalls can now terminate generic routing encapsulation (GRE) tunnels, which enables you to route or forward packets to a GRE tunnel. The GRE tunnel connects two endpoints in a point-to-point, logical link between the firewall and another device. GRE tunnels are simple to use and are often the tunneling protocol of choice for point-to-point connectivity, especially to services in the cloud or to partner networks.
Create a GRE tunnel when you want to direct packets that are destined for an IP address to take a certain point-to-point path, such as to a cloud-based proxy or to a partner network. The packets travel in the GRE tunnel to the cloud service while on their way to the destination address, which enables the cloud service to enforce its services or policies on the packets.
The following figure is an example of a GRE tunnel connecting the firewall across the internet to a cloud service.
    1. Select
    2. Enter the tunnel
      Interface Name
      followed by a period and a number (range is 1 to 9,999); for example,
    3. Assign the tunnel interface to a
      Security Zone
    4. Assign an IP address to the tunnel interface.
  1. Create a GRE tunnel to have packets take a specific point-to-point path.
    1. Select
      GRE Tunnels
      a tunnel.
    2. Select the
      to use as the local GRE tunnel endpoint (source interface), which is an Ethernet interface or subinterface or an Aggregated Ethernet (AE), loopback, or VLAN interface.
    3. Select the
      Local IP Address
      of that interface.
    4. Enter the
      Peer Address
      , which is the IP address of the opposite endpoint of the GRE tunnel.
    5. Select the
      Tunnel Interface
      that you created.
  2. (
    Best Practice
    ) Enable the
    Keep Alive
    function for the GRE tunnel. Optionally, modify the Keep Alive settings.
  3. Configure a routing protocol or static route to route packets to the GRE tunnel. For example, configure a static route to the destination server.
  4. Commit
    your changes.
  5. Configure the opposite end of the tunnel.
  6. Verify that the firewall can communicate with the tunnel peer over the GRE tunnel.

Recommended For You