
How to Configure VPN Tunnel Between a Palo Alto Networks Firewall and Azure

by panagent on 06-07-2013 10:18 AM - edited on 02-13-2017 01:00 PM by (45,410 Views)

Overview

This document describes how to configure a VPN tunnel between a Palo Alto Networks firewall and Azure. The Azure side of the tunnel must be configured with a static IP address, because Azure only supports IKEv1 when a static IP is used; if the Azure tunnel is configured with a dynamic IP address, Azure only supports IKEv2. At the time of writing, Palo Alto Networks firewalls only support IKEv1.


For IKEv2 setup instructions, please see:

https://live.paloaltonetworks.com/t5/Integration-Articles/Configuring-IKEv2-VPN-for-Microsoft-Azure-...


Steps

  1. See the Azure documentation for how to configure the Azure side. The following example shows an Azure address space configuration:
    PAN-AZU-Config.PNG
    Example configuration of defined local networks with a gateway address of the Palo Alto Networks firewall VPN endpoint:
    PAN-AZU-Config2.PNG
  2. Next, configure the Tunnel interface.
    1. Assign an IP on the same subnet as the Azure Gateway Subnet.
    2. Select a virtual router and the appropriate security zone. Selecting a pre-existing zone that already contains other servers may remove the need for new security policies.
      PAN-AZU-Tunnel.5.PNG
  3. The settings of the default IKE Crypto profile should match the settings on the Azure side:
    PAN-AZU-IKE-Crypto.PNG
  4. Create a new IPSec Crypto Profile for Azure so that the Lifetime value matches the Azure side (for example, Azure's lifetime of 3600 seconds, which may differ from the other tunnels in the network). The correct selection for the DH Group is "no-pfs", meaning no perfect forward secrecy.
    Note: For the Lifetime size, use 98 GB.

    The default can be modified if this is the only tunnel or if the other tunnels use the same settings.
    PAN-AZU-IPSecCrypto.PNG
  5. Create an IKE Gateway, selecting the external interface of your Palo Alto Networks firewall and the IP of that interface as the "Local IP Address". This must match the VPN Gateway Address configured under Local Address in the Azure network you are tunneling to. The Peer IP Address can be obtained from the Azure Virtual Network Dashboard of that same Azure Virtual Network. The Local Identification IP Address should match the Local IP Address on the same screen. The Pre-shared Key can be obtained by clicking "Manage Key" on the Azure Virtual Network Dashboard; then simply copy and paste it.
    PAN-AZU-IKE-Gateway.PNG
  6. Now configure a new IPSec Tunnel with the newly created Tunnel Interface, IKE Gateway and IPSec Crypto Profile.
    PAN-AZU-IPSecTunnel.PNG

  7. Go to the Proxy IDs tab and create at least one ID with the appropriate local and remote subnets. Local should match the defined "Local Networks" you configured in Azure with the appropriate gateway address of your Palo Alto Networks firewall IPSec tunnel endpoint. Remote should match the configured Azure address space.
    PAN-AZU-ProxyIDs.PNG
  8. Finally, create a route that directs traffic to the Azure Virtual Network via the tunnel interface.
    PAN-AZU-route.PNG
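The article's steps 3 through 8 all come down to one rule: every Phase 1, Phase 2, proxy ID and routing parameter on the firewall has to agree with what Azure expects, and a Phase 2 that will not come up (or drops at the lifetime boundary) is usually one parameter that does not. The following Python script is an added example, not code from the article or from Palo Alto Networks; it models both sides as plain dicts with constructed sample values (192.168.10.0/24 on premises, 10.1.0.0/16 as the Azure address space, the crypto settings chosen for illustration) and reports every mismatch, including the KB-to-GB lifesize conversion behind the "98 GB" note and the "no-pfs" DH group selection.

```python
import ipaddress
import math

# Constructed sample values, not taken from the article: one dict per side.
# Azure's "Local Networks" are the on-premises subnets behind the Palo Alto
# Networks firewall; its "address space" is the Azure virtual network itself.
AZURE = {
    "ike_version": 1,  # static gateway IP on the Azure side, hence IKEv1 (see Overview)
    "ike": {"encryption": "aes-256-cbc", "hash": "sha1", "dh_group": "group2",
            "lifetime_s": 28800},
    "ipsec": {"encryption": "aes-256-cbc", "auth": "sha1", "pfs": False,
              "lifetime_s": 3600, "lifetime_kb": 102_400_000},
    "address_space": ["10.1.0.0/16"],
    "local_networks": ["192.168.10.0/24"],
}

PAN = {
    "ike_version": 1,
    "ike": {"encryption": "aes-256-cbc", "hash": "sha1", "dh_group": "group2",
            "lifetime_s": 28800},
    # "no-pfs" as the IPSec Crypto DH group disables perfect forward secrecy (step 4)
    "ipsec": {"encryption": "aes-256-cbc", "auth": "sha1", "dh_group": "no-pfs",
              "lifetime_s": 3600, "lifesize_gb": 98},
    "proxy_ids": [("192.168.10.0/24", "10.1.0.0/16")],  # (local, remote) pairs (step 7)
    "routes": ["10.1.0.0/16"],  # prefixes routed out the tunnel interface (step 8)
}

# Same as PAN except PFS is enabled on the firewall side only: a classic Phase 2 mismatch
PAN_PFS_MISMATCH = {**PAN, "ipsec": {**PAN["ipsec"], "dh_group": "group2"}}


def azure_kb_to_pan_gb(lifetime_kb):
    """Azure states the Phase 2 lifesize in KB; PAN-OS takes GB, so divide by 1024
    twice and round up (102,400,000 KB -> 97.66 GB -> 98 GB)."""
    return math.ceil(lifetime_kb / 1024 / 1024)


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=True)


def check_tunnel(azure, pan):
    """Return a list of human-readable mismatches; an empty list means the two
    sides agree on everything the article says must match."""
    problems = []

    if azure["ike_version"] != pan["ike_version"]:
        problems.append(f"IKE version: Azure {azure['ike_version']} vs PAN {pan['ike_version']}")

    # Phase 1: the IKE Crypto profile must mirror Azure's settings (step 3)
    for key in ("encryption", "hash", "dh_group", "lifetime_s"):
        if azure["ike"][key] != pan["ike"][key]:
            problems.append(f"IKE {key}: Azure {azure['ike'][key]} vs PAN {pan['ike'][key]}")

    # Phase 2: the IPSec Crypto profile, including PFS and the lifesize unit (step 4)
    for key in ("encryption", "auth", "lifetime_s"):
        if azure["ipsec"][key] != pan["ipsec"][key]:
            problems.append(f"IPSec {key}: Azure {azure['ipsec'][key]} vs PAN {pan['ipsec'][key]}")
    pan_pfs = pan["ipsec"]["dh_group"] != "no-pfs"
    if azure["ipsec"]["pfs"] != pan_pfs:
        problems.append(f"PFS: Azure {azure['ipsec']['pfs']} vs PAN {pan_pfs}")
    expected_gb = azure_kb_to_pan_gb(azure["ipsec"]["lifetime_kb"])
    lifesize = pan["ipsec"].get("lifesize_gb")  # None means the field was left blank
    if lifesize is not None and lifesize != expected_gb:
        problems.append(f"IPSec lifesize: expected {expected_gb} GB, PAN has {lifesize} GB")

    # Proxy IDs: every (local network, Azure address space) pair needs an ID (step 7)
    wanted = {(_net(l), _net(r)) for l in azure["local_networks"] for r in azure["address_space"]}
    have = {(_net(l), _net(r)) for l, r in pan["proxy_ids"]}
    for local, remote in sorted(wanted - have, key=str):
        problems.append(f"Proxy ID missing: local {local} remote {remote}")
    for local, remote in sorted(have - wanted, key=str):
        problems.append(f"Proxy ID not defined on Azure side: local {local} remote {remote}")

    # Routing: each Azure prefix must be covered by a route via the tunnel (step 8)
    route_nets = [_net(r) for r in pan["routes"]]
    for remote in azure["address_space"]:
        if not any(_net(remote).subnet_of(route) for route in route_nets):
            problems.append(f"No tunnel route covers {remote}")

    return problems


if __name__ == "__main__":
    for name, cfg in (("matching", PAN), ("pfs-mismatch", PAN_PFS_MISMATCH)):
        issues = check_tunnel(AZURE, cfg)
        print(name, "->", issues or "no mismatches")
```

Running it prints no mismatches for the matching pair and a single "PFS: Azure False vs PAN True" line for the second, which is exactly the kind of one-sided setting that lets Phase 1 complete while Phase 2 never establishes. Replace the constructed values with the ones from your own Azure dashboard and firewall profiles before trusting the result.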

At this point, a ping to the Azure Virtual Network should bring the tunnel up. If it does not, check the System log to troubleshoot (for example, when no ping responses are received but other traffic is working).

PAN-AZU-UP-UP.PNG


Note: This document was generated from the following discussion: How to configure PAN to Azure VPN tunnel


owner: panagent

Comments
by calonso
on 11-13-2014 06:33 PM

Thank you, it worked for us.

by terence.lee
on 01-06-2015 10:43 PM

I have seen an incident where the only change that made the VPN stable was disabling Dead Peer Detection, which is not supported per Microsoft's doc and is not found in the Azure ASA template configuration.

http://msdn.microsoft.com/en-us/library/azure/jj156075.aspx

For the Phase 2 Security Association (SA) Lifetime (Throughput), Azure uses 102,400,000 KB. We are not able to use this value on the PA, and I think this is not significant. However, I can leave this field blank in my lab. My PAN-OS version is 6.0.6.

by cagnew
on 06-03-2015 08:48 AM

For this value, it becomes 98 GB (102,400,000 KB / 1024 = 100,000 MB; 100,000 MB / 1024 = 97.65625 GB, rounded up to the nearest whole number: 98 GB). That's how you get this value. It's confirmed working with this value set.

by paultaylor
on 06-10-2015 03:50 AM

Now that PAN 7.0.0 supports IKEv2, can we get this article updated? We had it working last night, but around the time we hit 1 hour uptime, P2 broke and we could never get it to recover, even resetting IKE.

by alapins
on 06-10-2015 10:09 AM

I second this motion. Is there an updated doc that outlines configuration now that IKEv2 is supported?

by sajidalisajid
on 07-09-2015 02:03 AM

Working solution with PAN-OS 6.1.5 - configured and tested 8th July 2015

Tunnel Interface

1.jpg

IKE Crypto (under Network > Network Profiles)

2.jpg

IPSec Crypto

3.jpg

IKE Gateways

4.jpg


IPSec Tunnels

5.jpg

by Chinnawat
on 10-05-2015 10:18 PM

Thanks