topic Re: How to configure a IPSEC VPN proxy-id to allow Internet bound traffic? in General Topics

How to configure a IPSEC VPN proxy-id to allow Internet bound traffic?

SThatipelly — Wed, 21 Oct 2020 13:40:11 GMT

I have a S-to-S vpn tunnel to a remote location (terminating on cisco router) which was passing just the Intranet traffic. But, I would like to pass the site's Internet bound traffic through the VPN tunnel and subject it to Palo's threat inspection policies.How can I do this?

Thanks.

Re: How to configure a IPSEC VPN proxy-id to allow Internet bound traffic?

S.Cantwell — Wed, 21 Oct 2020 13:46:26 GMT

Hello there.

The will be changed by use of the routing table (generally speaking)

Routing Table (example)

ToPAN_as_PeerID (199.99.88.88) use Internet route

0.0.0.0 use tunnel interface.

Now, the FW will establish the Phase1 portion of the VPN to the Peer.

And Phase2 traffic will now be passed through the tunnel interface.

Thanks

Re: How to configure a IPSEC VPN proxy-id to allow Internet bound traffic?

SThatipelly — Wed, 21 Oct 2020 13:51:07 GMT

@S.Cantwell I'm not quite sure I got your point. Are you suggesting me to put in a route pointing to tunnel interface on the peer side? The peer is cisco router.

Re: How to configure a IPSEC VPN proxy-id to allow Internet bound traffic?

S.Cantwell — Wed, 21 Oct 2020 15:23:05 GMT

Howdy

Yes, you should really have a simplified routing table (if I understand your query)

From the Cisco side.

One route to the PAN FW public IP (for establishing the VPN).

One (default route) to the PANW, via a tunnel interface, so that all traffic is encapsulated/transmited to the PANW FW for inspection.

Now 100% of all traffic goes across Cisco to PAN VPN for inspection.