topic Re: Site-To-Site VPN Question in General Topics

Site-To-Site VPN Question

DuggiFresh — Tue, 09 Jul 2024 16:25:15 GMT

If we deploy a Site-To-Site VPN to one of our remote locations with a Palo Alto NGFW will our main hub firewall control the Threat/URL, etc... and Security/NAT rules for the other Palo Alto?

Re: Site-To-Site VPN Question

JayGolf — Tue, 09 Jul 2024 19:42:15 GMT

Hi @DuggiFresh ,

Creating a tunnel to a remote site does not give the hub control over the remote site's subscriptions/services as the remote fw will have its own subscriptions/services. You will still need to configure the security policies on the remote site that allow traffic to the hub along with the security profiles you have access to.

Re: Site-To-Site VPN Question

BPry — Wed, 10 Jul 2024 02:13:21 GMT

@DuggiFresh,

The answer to your question is ... it depends. @JayGolf is correct in that the answer to this question is generally no. If your goal with this setup is to have the remote site pass everything to your main site and using those subscriptions for all traffic and managing all rules from a single node, you could have the remote site send everything across the tunnel and process everything on the main site. This would have the main site have full control over all traffic, handle any NAT for the remote site, and generally be treated as an extension of the main site.

There's some consequences with this sort of configuration however. The configuration on both sides is slightly more complex to handle everything correctly, it's an abnormal configuration for someone coming into the environment, and you'll have additional latency tunneling all of that traffic back and forth from the main site when accessing resources that don't actually require the use of the tunnel (IE: all normal internet traffic).

That may or may not be a large concern for your environment depending on requirements and the added latency when going across the tunnel for everything.

Re: Site-To-Site VPN Question

DuggiFresh — Wed, 10 Jul 2024 15:35:56 GMT

That is what I was wanting to do is to have my remote site pass everything to my main site. These are very small remote sites and our main site is hardly using much resources of the PA it maybe peaks CPU load 10% sometimes but other than that its 2-4% averaging. How easy is passing is it to accomplish passing everything to the main site with a tunnel?

Also, are there better alternatives than a tunnel if we are wanting to direct all traffic to our main site?

Re: Site-To-Site VPN Question

OtakarKlier — Thu, 11 Jul 2024 14:48:06 GMT

Hello,

I would recommend the tunnel as it is the most secure option without spending additional money on a point2point circuit. Just route all traffic out of your 'hub' to control the traffic.

https://www.cisa.gov/resources-tools/resources/trusted-internet-connections-tic-30-core-guidance-documents

This helps greatly in managing and supporting the users when they have issues accessing an internet resource.

Regards,

Re: Site-To-Site VPN Question

DuggiFresh — Fri, 12 Jul 2024 16:27:19 GMT

What are some good resources on how to do that? Would I just need to create a static route from the remote site to the IPsec vpn tunnel? I don't want to use those remote sites for managing any of the policies and only use the hub to manage the policies.

Re: Site-To-Site VPN Question

OtakarKlier — Fri, 12 Jul 2024 16:30:03 GMT

Hello,

If you only have the one VPN tunnel and way to get to the hub device, then yes a static route would be the easiest.

Regards,