topic Re: VPNs between Palo and Check Point in General Topics

VPNs between Palo and Check Point

DavePalo — Tue, 08 Feb 2011 14:28:16 GMT

Hello all,

I'm hoping that somebody may be able to answer a few questions I have about the configuration of Palo Alto firewalls please?

Most of my experience in recent years has been with Check Point firewalls. I've found that most things can be done in a very similar way with Palo Altos but I have a few questions - about site to site VPNs in particular.

I have set up a simple testbed with a Check Point firewall (traditional mode) and a Palo Alto firewall each with an inside and outside interface. For end to end testing there is a Windows XP machine behind each as below.

WinXP(192.168.1.2/24)---(192.168.1.1/24)PaloAlto(172.16.1.1/30)====(172.16.1.2/30)CheckPoint(192.168.5.1/24)---(192.168.5.2/24)WinXP

In order to get this working I have:

     1) Confired IKE and IPSec Cryptos in PA to match CP
     2) Created tunnel interface and selected virtual router and new zone
     3) Created IKE gateway specifying local interface, local IP, remote IP, pre-shared key and selected IKE crypto profile
     4) Created IPSec tunnel specifying tunnel interface, IKE gateway (pulling in some values) and selecting IPSec crypto profile
     4a) Added a proxy ID with Local of 192.168.1.0/24 and remote of 192.168.5.0/24
     5) Add a static route to virtual router with destination of 192.168.5.0/24 and tunnel created above as interface

I've done the equivalent on the CP box and allowed all traffic between both subnets in both policies. All seems to work fine.

So my questions are:

1) Is this the best way do do this please? If so, when the CP box is replaced with a PA box will it still be the best way?

2) Most of my sites have at least three networks behind them. Do I need to add proxy IDs for every possible combination please?

For example,

If
site A had subnets 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24
and
site B had subnets 192.168.5.0/24, 192.168.6.0/24 and 192.168.7.0/24

would I need

     Proxy ID name proxy01 Local ID 192.168.1.0/24 Remote ID 192.168.5.0/24 Protocol Any
     Proxy ID name proxy02 Local ID 192.168.1.0/24 Remote ID 192.168.6.0/24 Protocol Any
     Proxy ID name proxy03 Local ID 192.168.1.0/24 Remote ID 192.168.7.0/24 Protocol Any
     Proxy ID name proxy04 Local ID 192.168.2.0/24 Remote ID 192.168.5.0/24 Protocol Any
     Proxy ID name proxy05 Local ID 192.168.2.0/24 Remote ID 192.168.6.0/24 Protocol Any
     Proxy ID name proxy06 Local ID 192.168.2.0/24 Remote ID 192.168.7.0/24 Protocol Any
     Proxy ID name proxy07 Local ID 192.168.3.0/24 Remote ID 192.168.5.0/24 Protocol Any
     Proxy ID name proxy08 Local ID 192.168.3.0/24 Remote ID 192.168.6.0/24 Protocol Any
     Proxy ID name proxy09 Local ID 192.168.3.0/24 Remote ID 192.168.7.0/24 Protocol Any

I'm sorry if these questions seem silly or this has been covered elsewhere. I've had a good look around and not found much info.

Any help would really be appreciated!

Many thanks,
Dave

Re: VPNs between Palo and Check Point

gswcowboy — Tue, 08 Feb 2011 16:27:38 GMT

You have configured it appropriately. PA implements route based VPNs so the default network IDs or Proxy IDs will be 0.0.0.0/0. The default limit on the number of supported Proxy ID's is 10 so the IDs listed falls under that limit. Otherwise, you look good.

-Renato

Re: VPNs between Palo and Check Point

DavePalo — Tue, 08 Feb 2011 16:54:42 GMT

Thanks for your reply Renato!

I'm glad that I'm going the right way although slightly concerned about the limit of 10 Proxy IDs. I'm not sure that this will be enough in some cases.

Do you know if the limit can be increased please?

Thanks,

Dave

Re: VPNs between Palo and Check Point

gswcowboy — Tue, 08 Feb 2011 17:16:43 GMT

Hi Dave,

Unfortunately, increasing the limit would be considered a feature request and those go through your SE.

Regards,

Renato

Re: VPNs between Palo and Check Point

bpappas — Tue, 08 Feb 2011 17:17:45 GMT

@dyoung:

The limit is per unique tunnel. Each tunnel can have up to 10 proxy IDs. If you need more proxy IDs to the remote location you can configure a second tunnel to the VPN peer for the other proxy IDs.

-benjamin

Re: VPNs between Palo and Check Point

aestevez — Thu, 10 Feb 2011 08:44:28 GMT

Hi,

we have some customers working like this, you need to create a phase1 to remote peer and if you need 20 proxyIDs you must create 2 tunnels with the same phase1 but diferrent phase2 each tunnel with 10 proxyID, remember to add the correct routes to each new tunnel.

But this works perfectly!!!

Regards

Albert Estevez

Re: VPNs between Palo and Check Point

DavePalo — Thu, 10 Feb 2011 10:10:09 GMT

That's great - many thanks for your help everybody!

Re: VPNs between Palo and Check Point

migration — Tue, 24 May 2011 10:57:51 GMT

aestevez ha scritto:

Hi,

But this works perfectly!!!

Regards

Albert Estevez

Hi!

Do I need to create 2 different tunnel interfaces (tab Network -> Interfaces) or only 2 differents phase2 with the same tunnel interface?

Thanks

Re: VPNs between Palo and Check Point

alestevez — Tue, 24 May 2011 14:16:46 GMT

Hi Iceman,

you will need to define 2 different tunnels and define the correct static routes to return the traffic for each tunnel interface.

I hope this help to you.

Remember that at the end you will have 2 ipsec tunnels sharing the same ike gateway and the same phase1 and phase2 but each ipsec tunnel will be attached to a different tunnel interface and routes how maximum 10 () proxy-id by tunnel.

Rergards

Albert

Re: VPNs between Palo and Check Point

rapoint_person — Thu, 07 Jul 2011 08:42:07 GMT

Checkpoint allows setting upp only one tunnel between ike gateways. That means there is no need to specify each and every proxy-id or worrying about having multiple tunnel interfaces with their respective routes. Simply use the default proxy-id in the PAN (0.0.0.0/0)

If I remember correctly this is a setting on the "interop device" in CP.

Re: VPNs between Palo and Check Point

DavePalo — Thu, 07 Jul 2011 09:03:58 GMT

Hi Oskar,

I remember trying that (using 3.1.7) and I found that tunnels from Palo to CP established OK but tunnels from CP to Palo failed because the Palo complained about not having a matching proxy id.

In the end I had to create a proxyid to match each network I had defined in the Check Point firewall object topology.

All worked OK then. Maybe this behaviour has changed in later versions.

Regards,

Dave

Re: VPNs between Palo and Check Point

rapoint_person — Thu, 07 Jul 2011 09:14:22 GMT

No issues what so ever. Have used it a couple of times. In fact, I have been forced to get it working when having a CP firewall in a large VPN-mesh. The CP had loads of small networks that would require a ridiculous amount of routes and tunnel interfaces on all the PAN devices. I'd say it wasn’t an option in that particular case. R65 versions and later (Checkpoint) work as far as I know.

Re: VPNs between Palo and Check Point

DavePalo — Thu, 07 Jul 2011 09:34:32 GMT

Interesting. Was your CP in "Traditional" or "Simple" mode as this may affect how the tunnels are negotiated?

I had quite a few little networks on CP too! Would have preferred to get it working as you suggested,

Thanks,

Dave

Re: VPNs between Palo and Check Point

rapoint_person — Thu, 07 Jul 2011 09:50:52 GMT

Always used simple mode when setting it up this way.

Hope you get it working!

Cheers,

/Oskar