topic Re: Security Zone Site to Site VPN in General Topics

Security Zone Site to Site VPN

MPI-AE — Wed, 22 Nov 2017 09:18:13 GMT

Hey guys,

We do have a headquarter and a branch office.

All services are located in the HQ, in the branch office there are just workstations that access the services of the HQ.

So I have to set up a site to site vpn connection between the BO and HQ.

Let's start with the Palo Alto in the branch office.

I have to create a tunnel interface and choose a security zone.

According to the manual:

"Security Zone: (select the layer 3 internal zone from which the traffic will originate)"

I don't understand that. there are more than one client interfaces/networks in the BO, and each interface is a single zone. So there are more than one internal zones which originate traffic to the HQ.

1) Which zone do I have to choose?

And my second question: 2) When I set up the security policies, which destination zone do I have to use for the traffic that's destination is the HQ ?

and 3) the destination zone in the security policies and the security zone of the tunnel interface, are these the same?

Thanks for any help!

Re: Security Zone Site to Site VPN

reaper — Wed, 22 Nov 2017 09:43:32 GMT

@MPI-AE

there are 2 levels that need to be considered when building VPN tunnels and allowing traffic through

first you need to be able to create the VPN tunnel itself, this works at a lower 'network' level as you bind the tunnel to an interface (either physical or loopback)

so typically you will use your untrust interface to initiate the tunnel

once the tunnel is established, you need to allow user connections to enter the tunnel: creating the tunnel has also created a new interface: the tunnel interface

so any security policies that allow users to connect to the tunnel, will need to be from the user zones to the tunnel interface zone, and reverse in case HQ needs to make connections into the BO (think IT doing remote takeovers)

please check out this article to help you get started: Getting Started: VPN

Re: Security Zone Site to Site VPN

MPI-AE — Wed, 22 Nov 2017 10:07:25 GMT

@reaper

I'm talking about that one: (That's from an instruction video)

Which security zone do I have to choose here?

Re: Security Zone Site to Site VPN

reaper — Wed, 22 Nov 2017 10:15:48 GMT

This is where you create the tunnel interface: it is best practice to assign it it's own zone (create a new one, for example 'vpn-to-HQ') so you can control what goes in and out through security policies; from a security perspective it will behave as a physical interface with a zone

from trust to vpn-to-hq allow

from vpn-to-hq to trust allow

you can also choose to put it in the user zone and let the default intrazone poloicy simply allow everything in and out

Re: Security Zone Site to Site VPN

MPI-AE — Fri, 24 Nov 2017 11:18:02 GMT

Thank you, that will help me!

Another question, though:

My PA-820 is on 8.0.2 and my PA-3020 is on 7.1.7

1) is that a problem?

2) I want to update my PA-3020 in two months to Version 8, too. Will the Site to Site vpn remain?

Re: Security Zone Site to Site VPN

reaper — Fri, 24 Nov 2017 12:05:15 GMT

1. No

2. Yes

ipsec parameters on both PAN-OS are identical so version mismatch is no problem and after an upgrade the configuration will remain identical and the tunnel will immediately work as before

Re: Security Zone Site to Site VPN

MPI-AE — Fri, 24 Nov 2017 12:44:03 GMT

That's good to know!

I think there is a last question.

We do have a /22 public ip addresses.

And our Global Protect Gateway listens on one of that public addresses. The external interface on our firewall, however, is an ip from our ISP, so it's different from our public space.

The question is, for the site to site vpn. when I set up the IKE Gateway, can I use an address from our public space as a peer or do I need to use the external interface with the IP of our ISP?

For example with a loopback interface?

Re: Security Zone Site to Site VPN

reaper — Fri, 24 Nov 2017 13:30:40 GMT

you can either add your public space to your external interface and use that addrss, or create a loopback interface and place it in the external zone (or a different zone and then control ipsec/ike with security policy)

if you need proxy-arp, you'll need to add the public IP range to the interface, and can then still add a loopback for a specific IP. If your ISP is forwarding the entire range to your firewall MAC, you can use the loopback without adding the range to your external interface

hope this makes sense

Re: Security Zone Site to Site VPN

MPI-AE — Sat, 25 Nov 2017 16:55:52 GMT

yeah that makes sense, I will try that:)

I finsihed the configuration on my remote firewall.

I'm wondering why I don't see any logs in the traffic monitor that the firewall wants to reach the gateway peer ip address?

Is that normal?

Re: Security Zone Site to Site VPN

reaper — Sat, 25 Nov 2017 21:01:03 GMT

The actual packets are probably flowing untrust to untrust (originating on the external interface heading out to the internet)
If you don't have a specific security policy, these packets will hit the default intrazone policy which has logging disabled by default

The negotiation should be visible in the 'system' log

Re: Security Zone Site to Site VPN

MPI-AE — Tue, 12 Dec 2017 10:47:59 GMT

@reaper

Thanks for your help, the tunnel is working now.

When I want to connect to the firewall via https over the tunnel, the monitor traffic log says:

Application: incomplete

To Port: 443

Action: allow

Reason: Aged Out.

Can you tell me why it doesn't recognize ssl?

The same problem with ssh..

Is the encryption too strong?

Re: Security Zone Site to Site VPN

reaper — Tue, 12 Dec 2017 10:55:26 GMT

once the tunnels are up, you need to make sure routing is fine on both sides for the sessions that need to go into the tunnel

you'll need to add a route on the virtual router with the remote subnet pointed at the local tunnel interface. you will also need security policies to allow in- and egress sessions to be created so you'll probably need a few "trust to vpn" and "vpn to trust" rules

are you trying to connect to the managment interface througfh the vpn tunnel?

is the management on the remote end connected to the 'lan' interface or is it in it's own network. you'll need to make sure the whole 'chain' can be reached

eg. routing from your client to your local firewall, routing from your local firewall into the tunnel, security policy on your local firewall to allow the connection. security policy on the remote fiorewall to allow the packets from the tunnel onto the lan, routing to your mgmt interface, routing from the mgmt interface to your client's ip (if there's a router in between you will need to add routing to the firewall), routing on the firewall to return the packet into the tunnel