This document describes how to configure a VPN tunnel between a Palo Alto Networks firewall and Azure. The Azure tunnel must be configured with a static IP address, because Azure only supports IKE V1 when a static IP is used; Azure only supports IKE V2 if the Azure tunnel is configured with a dynamic IP address. At this time, Palo Alto Networks only supports IKE V1.
See the Azure documentation for information on configuring the Azure side. The following example shows an Azure address space configuration:
Example configuration of defined local networks with a gateway address of the Palo Alto Networks firewall VPN endpoint:
Next, configure the Tunnel interface.
Assign an IP on the same subnet as the Azure Gateway Subnet.
Select a virtual router and the appropriate security zone. Selecting a pre-existing zone that already contains other servers may remove the need for new security policies.
The settings of the default IKE Crypto profile must match those configured on the Azure side:
Create a new IPSec Crypto Profile for Azure so that the Lifetime value matches Azure's, for example when Azure's lifetime is 3600 seconds and differs from the other tunnels in the network. The correct selection for the DH Group is "no-pfs" (no perfect forward secrecy). Note: for the Lifesize, use 98 GB.
Alternatively, the default profile can be modified if this is the only tunnel, or if the other tunnels use the same settings.
Create an IKE Gateway, selecting the external interface of your Palo Alto Networks firewall and the IP of that interface as the "Local IP Address". This must match the VPN Gateway Address configured under Local Address in the Azure network you are tunneling to. The Peer IP Address can be obtained from the Azure Virtual Network Dashboard of the same Azure Virtual Network. The Local Identification IP Address should match the Local IP Address on the same screen. The Pre-shared Key can be obtained by clicking "Manage Key" on the Azure Virtual Network Dashboard of the Azure network; copy it and paste it into the IKE Gateway configuration.
Now configure a new IPSec Tunnel using the newly created Tunnel Interface, IKE Gateway and IPSec Crypto Profile.
Go to the Proxy IDs tab and create at least one ID with the appropriate local and remote subnets. Local should match the "Local Networks" you defined in Azure, with the gateway address set to your Palo Alto Networks firewall's IPSec tunnel endpoint. Remote should match the configured Azure address space.
Finally, create a route that directs traffic for the Azure Virtual Network via the tunnel interface.
At this point, a ping to the Azure Virtual Network should bring the tunnel up. If it does not, check the System log to troubleshoot (for example, when no ping responses are received but other traffic is working).
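The same procedure expressed as PAN-OS CLI "set" commands, added here as an example and not part of the original article. The profile, gateway, tunnel and zone names, the interface ethernet1/1 and every address are constructed placeholders; the IKE and IPSec algorithms are assumptions that must be replaced with the values Azure is using; and keyword syntax varies between PAN-OS versions, so check each command against the CLI reference for the version in use.

```text
# Added example, not the original article's configuration. Lines starting with "#" are
# annotations, not CLI input. Names, interface and addresses below are constructed placeholders.

# Tunnel interface, virtual router and security zone
set network interface tunnel units tunnel.1 ip 10.255.255.1/30
set network virtual-router default interface tunnel.1
set zone VPN network layer3 tunnel.1

# IKE Crypto profile (phase 1): algorithms are assumptions, copy them from the Azure side
set network ike crypto-profiles ike-crypto-profiles azure-ike encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles azure-ike hash sha1
set network ike crypto-profiles ike-crypto-profiles azure-ike dh-group group2
set network ike crypto-profiles ike-crypto-profiles azure-ike lifetime hours 8

# IPSec Crypto profile (phase 2): 3600-second lifetime, no-pfs and 98 GB lifesize as stated above
set network ike crypto-profiles ipsec-crypto-profiles azure-ipsec esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles azure-ipsec esp authentication sha1
set network ike crypto-profiles ipsec-crypto-profiles azure-ipsec dh-group no-pfs
set network ike crypto-profiles ipsec-crypto-profiles azure-ipsec lifetime seconds 3600
set network ike crypto-profiles ipsec-crypto-profiles azure-ipsec lifesize gb 98

# IKE Gateway: IKEv1 on the external interface, Azure gateway as peer, local ID equal to local IP
set network ike gateway azure-gw protocol version ikev1
set network ike gateway azure-gw protocol ikev1 ike-crypto-profile azure-ike
set network ike gateway azure-gw protocol ikev1 exchange-mode main
set network ike gateway azure-gw local-address interface ethernet1/1 ip 203.0.113.10/24
set network ike gateway azure-gw peer-address ip 198.51.100.20
set network ike gateway azure-gw local-id type ipaddr id 203.0.113.10
set network ike gateway azure-gw authentication pre-shared-key key <PSK-copied-from-Azure-Manage-Key>

# IPSec Tunnel with one Proxy ID: local = the "Local Networks" defined in Azure, remote = Azure address space
set network tunnel ipsec azure-tunnel tunnel-interface tunnel.1
set network tunnel ipsec azure-tunnel auto-key ike-gateway azure-gw
set network tunnel ipsec azure-tunnel auto-key ipsec-crypto-profile azure-ipsec
set network tunnel ipsec azure-tunnel auto-key proxy-id azure-pid local 192.168.10.0/24 remote 10.20.0.0/16 protocol any

# Static route sending the Azure address space into the tunnel
set network virtual-router default routing-table ip static-route to-azure destination 10.20.0.0/16 interface tunnel.1
commit

# Operational-mode checks after sending a ping toward the Azure Virtual Network
show vpn ike-sa gateway azure-gw
show vpn ipsec-sa tunnel azure-tunnel
show vpn flow name azure-tunnel
```

If the IKE SA is present but the IPSec SA is not, the mismatch is almost always in the phase 2 profile or the Proxy ID subnets rather than the pre-shared key.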