1. Home
    2. Prisma
    3. Prisma SD-WAN
    4. Prisma SD-WAN Administrator’s Guide
    5. Prisma SD-WAN Sites and Devices
    6. Prisma SD-WAN Ports and Interfaces
    7. Prisma SD-WAN Standard VPN
    8. Configure Generic Routing Encapsulation (GRE) Tunnels

    Configure Generic Routing Encapsulation (GRE) Tunnels

    Let us learn to configure GRE tunnels.
    Prisma SD-WAN supports Generic Routing Encapsulation (GRE) tunnels from branch or data center sites to standard VPN endpoints to integrate with cloud security services. Due to the insecure nature of GRE, as a best practice we strongly recommend applying a Zone Based Firewall Policy to any traffic using GRE for transport over an insecure transport, such as the Internet. Additionally, you should also consider implementing Source Network Address Translation (NAT) for any traffic going through a GRE tunnel to obscure the Internal IP addressing scheme. Exposure of the internal addressing scheme along with unencrypted data over GRE can significantly increase attack vectors at a site.
    1. Log in to the Prisma SD-WAN web interface and navigate to
      Map
      Claimed Devices
       and select a device.
    2. From the ellipsis menu, select
      Configure the device
      .
    3. Navigate to
      Interfaces
       and click the
      +
       add icon to create a new interface as
      Standard VPN
      .
    4. On the
      Configure Interface: New Standard VPN
       screen, set up the
      Main Configuration
       for the new interface.
      1. For
        Admin Up
        , select
        Yes
        .
        GRE tunnels are stateless by design, the GRE tunnel is established when the standard VPN interface is created, and the parent interface is up.
        When Keep-Alive is disabled, the standard VPN interface immediately enters the Up state when:
        • The standard VPN interface is created.
        • The parent interface is up.
        • Admin Up
           is set to
          Yes
          .
        The standard VPN interface may later be moved to the down state due to the failure of a liveliness probe if one or more were configured on the standard VPN endpoint associated with this interface. We strongly recommend to have GRE keep-alives enabled and/or have a liveliness probe configured on the standard VPN endpoint such that a failure can be detected and avoid traffic being black-holed.
      2. (Optional)
         Enter a
        Name
        ,
        Description
        , and
        Tags
        .
      3. Select
        GRE
         as the
        Standard VPN Type
        .
        The
        Interface Type
         must display as
        Standard VPN
        .
      4. Select a
        Parent Interface
         to establish the GRE tunnel.
        For a branch ION device any of the following ports can be used as a parent interface:
        • Internet L3 Port
        • Private WAN L3 Port
        • Virtual Interface (private and public)
        • PPPoE interface
        • Bypass Pair - Internet and Private WAN ports
        • Sub-Interfaces - Internet and Private WAN ports
        For a data center ION device, any of the following ports can be used as a parent interface:
        • Any
          Connect to Internet
           port
        • Any
          Connect to Peer Network
           port
        The following interfaces which do not have an IP address cannot be used as a parent interface:
        • A Private L2 port of a bypass pair
        • A Loopback interface
      5. Toggle
        Scope
         to
        Local
         or
        Global
        .
      6. Enter an
        Inner Tunnel IP Address
         or
        Mask
        .
        The address is the address of the innermost envelope's payload. When the standard VPN peer receives the IP packet from the tunnel interface, the outer IP header and GRE header are removed. The packet is then routed based on the Inner Tunnel IP Address.
      7. (Optional)
         Enter values for
        Checksum
         and
        Keep Alive
        .
        The default value for Keep-Alive Interval is 10 seconds, which implies that a Keep-Alive is sent every 10 seconds. The default value for Keep-Alive Retry Count is 3 which means that the device try sending a keep alive three times before declaring the interface to be down.
        • If you configure Keep-Alive on the ION device, the standard VPN peer device should be capable of replying to the Keep-Alive. If the ION device does not receive a response from the peer device within the configured Keep-Alive Retry Count, it will result in the interface being marked as down.
        • Some devices act as remote service endpoints and do not support Prisma SD-WAN GRE Keep-alives. In such cases, you may need to use service endpoint liveliness probes.
        • Prisma SD-WAN Data Center devices do not support service endpoint configuration. As a result liveliness probes cannot be configured and multiple remotes and remote selection cannot be used.
        • NAT performed between the local and remote endpoints of the GRE Tunnel may disrupt the use of GRE Keep-Alives.
        • if Checksum is configured on the ION device, the standard VPN peer device should also respond with a checksum in its GRE header. If the standard VPN peer device does not support Checksum, the packet drops as a Frame Error.
      8. Select a
        Standard VPN Endpoint
         from the
        Endpoint
         field.
        The GRE tunnel can only be created if the standard VPN interface has an endpoint or Peer IP configured. The Peer IP must be available either through the endpoint or the Peer IP field.
        An endpoint must be configured when the ION device is being used at a branch site. This enables the endpoint to be used in path policies to direct traffic. Endpoints can, but are not required to, specify IP addresses or host names of the possible peer device(s).
        The Peer IP overrides any IP addresses provided by the endpoint. If the ION device is being used at a Data Center site, the Peer IP has to be provided.
      9. Click
        Create Standard VPN
        .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo