topic Re: IPSec Tunnel from vsys1 to vsys2 in General Topics

IPSec Tunnel from vsys1 to vsys2

Solomonsands — Mon, 05 Mar 2018 16:30:23 GMT

Hello All,

I have a design issue to mull over, and one of the options is to look at having ipsec tunnels between vsys isntances on the same box.

So, I have vsys1 as my default vr, what I may need to do is turn up vsys2 and have certain traffic in vsys1 'hop' over to vsys2. Sounds problmeatic so my first instinct is to encap it between vsys instances. Is there a built-in mechanism to allow virtual systems to securely pass traffic to one-another? I assume that they are all isolated from one another by design, which again makes me think that a tunnel of some type needs to be established for them to communicate.

This is a 5220 in active/passive.

Thoughts?

Re: IPSec Tunnel from vsys1 to vsys2

BPry — Mon, 05 Mar 2018 17:05:37 GMT

@Solomonsands,

Honestly it seems unnecessary to include an IPSec tunnel in this situation. Palo Alto includes a number of ways to allow inter-vsys communication, and adding a tunnel into this would be rather messy. So options I would look at are the following

1) Utilizing an existing switch to simply loop 2 interfaces to bridge the gap. Easy and you get the same benefits with a little less complex of a situation.

2) Utilize intervsys routing; which can be found in more detail in this LIVE article HERE. This is the 'best' answer in my mind, but it does get a little more complex.

The Built-in option for this type of traffic would be #2 as listed above.

Re: IPSec Tunnel from vsys1 to vsys2

Solomonsands — Mon, 05 Mar 2018 17:43:16 GMT

@BPry

Thanks for the reply. From what I gathered, traffic between vsys have to egress to their respective external zone before traversing the firewall in to the destination external zone. My concern is the encryption state of each hop.

I have the 5220 at edge with vsys1. He takes an IPSec tunnel from a crappy remote router with less-than-optimal encryption. Per our sec posture, only FIPS crypto can be used to get in to our environment. Our solution thus far is to stand up an intermediate ipsec router that can speak non-FIPS, and then it routes the traffic to the 5220 with FIPS crypto in to a dmz. We believe the use of another vsys can take the place of the intermediate router, but need to be sure that the traffic passing from vsys to vsys is secure and observable. Is this what inter-vsys routing does by default?

Re: IPSec Tunnel from vsys1 to vsys2

OtakarKlier — Mon, 05 Mar 2018 19:34:08 GMT

Hello,

If its only one or a few machines that need to connect to you via VPN, what about giving them the GlobalProtect client? That way you can ensure your security posture.

Just a thought.