Connecting to a Palo Alto Networks NGFW

This article describes how to connect and configure a single Palo Alto Networks Next Generation Firewall (NGFW) running firmware version 8.0.0 or later. Because Palo Alto Networks firewalls do not support policy-based VPN, you must create a route-based BGP VPN to connect to Pureport. This lets you grow your network without having to manage traffic selectors and route tables.


Prerequisites

Before connecting to a Palo Alto Networks NGFW, you must have a Pureport Route-Based BGP VPN Connection using IKEv2. See "Connecting to a Site VPN - Route-Based with BGP" for details.


You must also gather the following information: 

  • The Encryption, Integrity, and DH Group mechanisms from the Pureport Console.
  • Primary Pureport Gateway IP
  • Secondary Pureport Gateway IP
  • Primary Gateway Pre-shared Key
  • Secondary Gateway Pre-shared Key
  • Primary Gateway BGP password
  • Secondary Gateway BGP Password
  • The Primary Gateway Customer VTI IP in CIDR format.
  • The Primary Gateway Pureport VTI IP
  • The Secondary Gateway Customer VTI IP in CIDR format.
  • The Secondary Gateway Pureport VTI IP
  • Pureport ASN
  • Customer ASN


You can find this information in your Site IPSec VPN connection pages, as shown here:



Example Configuration

This example builds an HA IPSEC VPN between a customer-premises device and the Pureport platform. The configuration consists of two separate tunnels built on a single commercial broadband connection and single peer IP at the location. For information on connecting a second redundant ISP in an active/active scenario, refer to the Palo Alto Networks support guides.


Tunnel failure and route updates are handled via BGP and optionally ECMP. 


Note: These examples provide a baseline configuration only. You must adapt these examples to your specific environment.


  1. Create a Pureport compatible IKE Crypto Policy that supports Pureport's crypto set at Network > Network Profiles > IKE Crypto.
    !This creates an IKE Crypto profile that supports Pureport's crypto set.
    edit network ike crypto-profiles ike-crypto-profiles pureport-ike-crypto
      set hash [ sha256 sha384 sha512 ]
      set dh-group [ group5 group14 group19 group20 ]
      set encryption [ aes-128-cbc aes-192-cbc aes-256-cbc ]
      set lifetime hours 8
    top


  2. Create the Primary IKE Gateway at Network > Network Profiles > IKE Gateways.
    edit network ike gateway ike-pureport-site-0
      set authentication pre-shared-key key <Primary Gateway Pre-shared Key>
      set protocol ikev2 dpd enable yes
      set protocol ikev2 ike-crypto-profile pureport-ike-crypto
      set protocol version ikev2
      set local-address interface ethernet1/1  !Change this to your external interface
      set local-address ip "Outside IP"
      set peer-address ip <Primary Pureport Gateway IP>
      set local-id type ipaddr id <Primary Customer Gateway IP>
      set peer-id type ipaddr id <Primary Pureport Gateway IP>
    top


  3. Create an IPSec Crypto Profile that matches the Connection's IPSec VPN ESP Settings at Network > Network Profiles > IPSec Crypto.
    edit network ike crypto-profiles ipsec-crypto-profiles pureport-ipsec-crypto
      set esp authentication sha256
      set esp encryption aes-128-cbc
      set dh-group group14
      set lifetime seconds 3600
    top


  4. Create the Primary Tunnel Interface Configuration at Network > Interfaces > Tunnel.
    edit network interface tunnel units tunnel.100
      set ip <Primary Customer VTI IP in CIDR>
    top

        

    You will also need to add this interface to the proper Security Zone for traffic to flow. In this example we have added it to the "inside" trust zone, but you should add it to the appropriate zone to achieve your security requirements:

    set zone inside network layer3 tunnel.100


  5. Create the Primary IPSec Tunnel at Network > IPSec Tunnels.
    edit network tunnel ipsec vpn-ipsec-tunnel-site-0
      set auto-key ike-gateway ike-pureport-site-0
      set auto-key ipsec-crypto-profile pureport-ipsec-crypto
      set tunnel-interface tunnel.100
      set anti-replay yes
    top


  6. Add the Primary tunnel interface to your Virtual Router at Network > Virtual Router.
    edit network virtual-router default
     set interface tunnel.100
    top


  7. Configure the Secondary IKE Gateway at Network > Network Profiles > IKE Gateways.
    edit network ike gateway ike-pureport-site-1
      set authentication pre-shared-key key <Secondary Gateway Pre-shared Key>
      set protocol ikev2 dpd enable yes
      set protocol ikev2 ike-crypto-profile pureport-ike-crypto
      set protocol version ikev2
      set local-address interface ethernet1/1 !Change this to your external interface
      set local-address ip "Outside IP"
      set peer-address ip <Secondary Pureport Gateway IP>
      set local-id type ipaddr id <Secondary Customer Gateway IP>
      set peer-id type ipaddr id <Secondary Pureport Gateway IP>
    top


  8. Create the Secondary Tunnel Interface Configuration at Network > Interfaces > Tunnel.
    edit network interface tunnel units tunnel.101
      set ip <Secondary Customer VTI IP in CIDR>
    top


    You will also need to add this interface to the proper Security Zone for traffic to flow. In this example we have added it to the "inside" trust zone, but you should add it to the appropriate zone to achieve your security requirements:

    set zone inside network layer3 tunnel.101


  9. Create the Secondary IPSec Tunnel at Network > IPSec Tunnels.
    edit network tunnel ipsec vpn-ipsec-tunnel-site-1
      set auto-key ike-gateway ike-pureport-site-1
      set auto-key ipsec-crypto-profile pureport-ipsec-crypto
      set tunnel-interface tunnel.101
      set anti-replay yes
    top


  10. Add the Secondary tunnel interface to your Virtual Router and add your Static Routes at Network > Virtual Router.
    edit network virtual-router default
     set interface tunnel.101
    top


  11. Configure BGP at Network > Virtual Router > YOUR VIRTUAL ROUTER > BGP.
    edit network virtual-router default protocol bgp
     set router-id <Primary Customer Gateway IP>
     set local-as <Customer BGP ASN>
     set install-route yes
     set reject-default-route yes
     set routing-options as-format 4-byte
     set auth-profile pureport-vpn-0 secret <Primary Gateway BGP Password>
     set auth-profile pureport-vpn-1 secret <Secondary Gateway BGP Password>
     set enable yes
    top


  12. Configure the BGP Peer Group with the Primary Gateway:
    edit network virtual-router default protocol bgp peer-group PureportBGP
       edit peer pureport-site-0
        set connection-options authentication pureport-vpn-0
        set connection-options keep-alive-interval 10
        set connection-options hold-time 30
        set subsequent-address-family-identifier unicast yes
        set local-address ip <Primary BGP Customer IP in CIDR>
        set local-address interface tunnel.100
        set peer-as <Primary Gateway BGP Pureport ASN>
        set peer-address ip <Primary Gateway BGP Pureport IP>
        set enable yes
    top


  13. Configure the BGP Peer Group with the Secondary Gateway:
    edit network virtual-router default protocol bgp peer-group PureportBGP
       edit peer pureport-site-1
        set connection-options authentication pureport-vpn-1
        set connection-options keep-alive-interval 10
        set connection-options hold-time 30
        set subsequent-address-family-identifier unicast yes
        set local-address ip <Secondary BGP Customer IP in CIDR>
        set local-address interface tunnel.101
        set peer-as <Secondary Gateway BGP Pureport ASN>
        set peer-address ip <Secondary Gateway BGP Pureport IP>
        set enable yes
    top


  14. Configure your device to distribute your networks/interfaces at Network > Virtual Routers > YOUR VIRTUAL ROUTER > Redistribution Profile.
    edit network virtual-router default protocol redist-profile pureport
     set filter interface ethernet1/9 !This will advertise any networks connected to this interface. Multiple interfaces can be added.
     set filter type connect
     set priority 2
     set action redist
    top
    
    edit network virtual-router default protocol bgp redist-rules pureport
     set enable yes
     set set-origin incomplete
     set address-family-identifier ipv4
    top


  15. (Optional) Configure your device for ECMP for faster failover and recovery during a tunnel failure at Network > Virtual Routers > YOUR VIRTUAL ROUTER > Router Settings > ECMP.
    edit network virtual-router default 
     set ecmp algorithm ip-modulo
     set ecmp enable yes
     set ecmp symmetric-return yes
     set protocol bgp ecmp-multi-as yes
    top
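Steps 2, 4-6, 7-10, 12 and 13 are the same block of commands applied twice with the primary and secondary values swapped in, which is where copy-and-paste mistakes (a secondary tunnel pointed at the primary gateway, a VTI address typed without its prefix, the same ASN on both sides) usually creep in. The following script, added here as an example and not Pureport's or Palo Alto Networks' tooling, checks the gathered values for those mistakes and then renders the per-site commands exactly as shown in the steps above. SiteParams, validate() and render_site() are the script's own names; it also assumes the customer gateway IP used for local-id is the firewall's outside IP, and the sample values at the bottom are constructed. The shared crypto profiles (steps 1 and 3), the global BGP settings (step 11) and redistribution (step 14) are not repeated by the script.

```python
"""Render and sanity-check the per-site PAN-OS commands from steps 2, 4-6, 7-10, 12 and 13.
Added example (not Pureport's or Palo Alto Networks' tooling): the commands are those shown
above; SiteParams, validate() and render_site() are this script's assumptions, as is using
the outside IP as the customer gateway IP for local-id.  Sample values are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class SiteParams:
    index: int                # 0 = primary, 1 = secondary (selects tunnel.100/101, site-0/1)
    external_interface: str   # the firewall's outside interface
    outside_ip: str           # customer gateway / outside IP (local-address and local-id)
    pureport_gateway_ip: str  # Primary or Secondary Pureport Gateway IP
    psk: str                  # Primary or Secondary Gateway Pre-shared Key
    customer_vti_cidr: str    # Customer VTI IP in CIDR format
    pureport_vti_ip: str      # Pureport VTI IP, i.e. the BGP peer address
    bgp_password: str         # Primary or Secondary Gateway BGP password
    customer_asn: int
    pureport_asn: int


def validate(site: SiteParams) -> list:
    """Return the problems found; an empty list means the inputs are consistent."""
    problems = []
    try:
        vti = ipaddress.ip_interface(site.customer_vti_cidr)
        if vti.network.prefixlen == vti.network.max_prefixlen:
            problems.append("customer VTI IP must be given in CIDR form with a prefix")
        elif ipaddress.ip_address(site.pureport_vti_ip) not in vti.network:
            problems.append("Pureport VTI IP is not inside the customer VTI subnet")
        ipaddress.ip_address(site.pureport_gateway_ip)
    except ValueError as err:
        problems.append(f"bad address: {err}")
    for label, asn in (("customer", site.customer_asn), ("Pureport", site.pureport_asn)):
        if not 1 <= asn <= 4294967295:
            problems.append(f"{label} ASN {asn} is outside the 4-byte range")
    if site.customer_asn == site.pureport_asn:
        problems.append("customer and Pureport ASNs must differ for eBGP peering")
    if not site.psk or not site.bgp_password:
        problems.append("pre-shared key and BGP password must not be empty")
    return problems


def render_site(site: SiteParams, zone: str = "inside") -> str:
    """Emit one site's commands; shared crypto profiles and global BGP settings are not repeated."""
    n = site.index
    tun, gw = f"tunnel.{100 + n}", f"ike-pureport-site-{n}"
    lines = [
        f"edit network ike gateway {gw}",
        f"  set authentication pre-shared-key key {site.psk}",
        "  set protocol ikev2 dpd enable yes",
        "  set protocol ikev2 ike-crypto-profile pureport-ike-crypto",
        "  set protocol version ikev2",
        f"  set local-address interface {site.external_interface}",
        f"  set local-address ip {site.outside_ip}",
        f"  set peer-address ip {site.pureport_gateway_ip}",
        f"  set local-id type ipaddr id {site.outside_ip}",
        f"  set peer-id type ipaddr id {site.pureport_gateway_ip}",
        "top",
        f"edit network interface tunnel units {tun}",
        f"  set ip {site.customer_vti_cidr}",
        "top",
        f"set zone {zone} network layer3 {tun}",
        f"edit network tunnel ipsec vpn-ipsec-tunnel-site-{n}",
        f"  set auto-key ike-gateway {gw}",
        "  set auto-key ipsec-crypto-profile pureport-ipsec-crypto",
        f"  set tunnel-interface {tun}",
        "  set anti-replay yes",
        "top",
        "edit network virtual-router default",
        f"  set interface {tun}",
        "top",
        "edit network virtual-router default protocol bgp peer-group PureportBGP",
        f"  edit peer pureport-site-{n}",
        f"    set connection-options authentication pureport-vpn-{n}",
        "    set connection-options keep-alive-interval 10",
        "    set connection-options hold-time 30",
        "    set subsequent-address-family-identifier unicast yes",
        f"    set local-address ip {site.customer_vti_cidr}",
        f"    set local-address interface {tun}",
        f"    set peer-as {site.pureport_asn}",
        f"    set peer-address ip {site.pureport_vti_ip}",
        "    set enable yes",
        "top",
    ]
    return "\n".join(lines)


PRIMARY = SiteParams(0, "ethernet1/1", "198.51.100.10", "203.0.113.1", "PSK-PRIMARY-PLACEHOLDER",
                     "169.254.1.1/30", "169.254.1.2", "BGP-PW-PLACEHOLDER-0", 64512, 64513)
SECONDARY = SiteParams(1, "ethernet1/1", "198.51.100.10", "203.0.113.2", "PSK-SECONDARY-PLACEHOLDER",
                       "169.254.2.1/30", "169.254.2.2", "BGP-PW-PLACEHOLDER-1", 64512, 64513)

if __name__ == "__main__":
    for site in (PRIMARY, SECONDARY):
        assert not validate(site), validate(site)
        print(render_site(site))
```

Run it with your own values in place of the constructed ones; the secrets are placeholders and should come from a vault or environment rather than being committed with the script. The pre-shared keys and BGP passwords are rendered in clear text because that is how the PAN-OS set commands take them, so treat the rendered output with the same care as the firewall configuration itself.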



Testing IPSEC VPN Tunnel Connectivity

On a Palo Alto Networks firewall, both tunnels are ACTIVE. Because routes are exchanged over BGP, the routing table updates automatically if one of the tunnels disconnects.


To verify BGP peering is established, check the route table from PAN UI Network > Virtual Routers > More Runtime Stats or via the CLI with:

show routing route


The Flags column of the table shows B for the routes that you are receiving via BGP peering. The following command will show you which interface is receiving the route in the Interface column:

show routing fib
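Reading the route table by eye works for a single firewall, but the HA check that matters here is whether every tunnel is still receiving BGP routes. The following script, added as an example and not a Pureport or Palo Alto Networks tool, parses captured `show routing route` output, groups the B-flagged routes by the interface they arrive on, and reports any tunnel that carries none. SAMPLE_ROUTE_TABLE is constructed text laid out like the PAN-OS table (legend, header, one route per line) and DEGRADED_ROUTE_TABLE is the same table with the secondary tunnel's route gone; parse_routes() and the check functions are the script's own names.

```python
"""Parse `show routing route` output and check that both tunnels carry BGP routes.

Added example, not a Pureport or Palo Alto Networks tool.  SAMPLE_ROUTE_TABLE is constructed
text laid out like the PAN-OS table; parse_routes() and the check functions are this script's
own assumptions about how to read it."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one prefix learned over both tunnels, plus connect/host/static routes.
SAMPLE_ROUTE_TABLE = """\
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp,
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast

VIRTUAL ROUTER: default (id 1)
  ==========
destination        nexthop        metric flags   age    interface    next-AS
10.20.0.0/16       169.254.1.2    0      A B     3600   tunnel.100   64513
10.20.0.0/16       169.254.2.2    0      B       3600   tunnel.101   64513
169.254.1.0/30     169.254.1.1    0      A C     7200   tunnel.100
169.254.1.1/32     0.0.0.0        0      A H     7200
192.168.10.0/24    192.168.10.1   0      A C     7200   ethernet1/9
0.0.0.0/0          203.0.113.1    10     A S     7200   ethernet1/1
total routes shown: 6
"""
# Same table with the secondary tunnel's BGP route gone: what a failed tunnel.101 looks like.
DEGRADED_ROUTE_TABLE = "\n".join(l for l in SAMPLE_ROUTE_TABLE.splitlines() if "tunnel.101" not in l)

# A flag token is a single capital letter, an OSPF sub-type, "?" or "~" (from the legend above).
FLAG_TOKEN = re.compile(r"^(?:[A-Z]|O[io12]|\?|~)$")


@dataclass(frozen=True)
class Route:
    destination: str
    nexthop: str
    metric: int
    flags: frozenset
    age: Optional[str]
    interface: Optional[str]
    next_as: Optional[str]


def parse_routes(text: str) -> list:
    """Keep only route rows (CIDR destination, numeric metric); skip legend, header and totals."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or "/" not in tokens[0] or not tokens[2].isdigit():
            continue
        i = 3
        while i < len(tokens) and FLAG_TOKEN.match(tokens[i]):
            i += 1                             # consume the variable-width flags column
        rest = tokens[i:] + [None] * 3         # pad: age, interface and next-AS may be absent
        routes.append(Route(tokens[0], tokens[1], int(tokens[2]), frozenset(tokens[3:i]),
                            rest[0], rest[1], rest[2]))
    return routes


def bgp_routes_by_interface(routes) -> dict:
    """Map each interface to the set of prefixes it receives with the B (bgp) flag."""
    by_if = defaultdict(set)
    for r in routes:
        if "B" in r.flags and r.interface:
            by_if[r.interface].add(r.destination)
    return dict(by_if)


def tunnels_without_bgp_routes(routes, tunnels) -> list:
    """Tunnels that carry no BGP-learned route: a peering that is down or not yet established."""
    learned = bgp_routes_by_interface(routes)
    return [t for t in tunnels if t not in learned]


def active_bgp_paths(routes, destination) -> list:
    """Routes for `destination` that are BGP-learned and installed (A); with ECMP both tunnels show."""
    return [r for r in routes if r.destination == destination and {"A", "B"} <= r.flags]


if __name__ == "__main__":
    for name, table in (("healthy", SAMPLE_ROUTE_TABLE), ("degraded", DEGRADED_ROUTE_TABLE)):
        routes = parse_routes(table)
        missing = tunnels_without_bgp_routes(routes, ["tunnel.100", "tunnel.101"])
        print(f"{name}: BGP routes by interface {bgp_routes_by_interface(routes)}; "
              f"tunnels without BGP routes: {missing or 'none'}")
```

In the healthy sample only the tunnel.100 path is installed (A), because the table was constructed without ECMP; with the optional ECMP settings from step 15 both BGP paths would carry the A and E flags and active_bgp_paths() would return both. To use it on a real firewall, paste the CLI output into a file and call parse_routes() on its contents.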


On a system in your home network, ping each Pureport VTI IP address to confirm that your tunnels have successfully established a connection to your Pureport Gateways. A successful ping will transmit all packets with no losses.


In the configuration example above, the Pureport VTI IPs are:

  • 169.254.1.2
  • 169.254.2.2


To ping the Primary Gateway Pureport VTI, use:

ping 169.254.1.2



To ping the Secondary Gateway Pureport VTI, use:

ping 169.254.2.2