IPSec Tunnel from vsys1 to vsys2

L1 Bithead

IPSec Tunnel from vsys1 to vsys2

Hello All,


I have a design issue to mull over, and one of the options is to look at having ipsec tunnels between vsys isntances on the same box.


So, I have vsys1 as my default vr, what I may need to do is turn up vsys2 and have certain traffic in vsys1 'hop' over to vsys2.  Sounds problmeatic so my first instinct is to encap it between vsys instances.  Is there a built-in mechanism to allow virtual systems to securely pass traffic to one-another? I assume that they are all isolated from one another by design, which again makes me think that a tunnel of some type needs to be established for them to communicate.


This is a 5220 in active/passive.



L7 Applicator

Re: IPSec Tunnel from vsys1 to vsys2


Honestly it seems unnecessary to include an IPSec tunnel in this situation. Palo Alto includes a number of ways to allow inter-vsys communication, and adding a tunnel into this would be rather messy. So options I would look at are the following


1) Utilizing an existing switch to simply loop 2 interfaces to bridge the gap. Easy and you get the same benefits with a little less complex of a situation. 


2) Utilize intervsys routing; which can be found in more detail in this LIVE article HERE. This is the 'best' answer in my mind, but it does get a little more complex. 


The Built-in option for this type of traffic would be #2 as listed above. 

L1 Bithead

Re: IPSec Tunnel from vsys1 to vsys2



Thanks for the reply.  From what I gathered, traffic between vsys have to egress to their respective external zone before traversing the firewall in to the destination external zone.  My concern is the encryption state of each hop.


I have the 5220 at edge with vsys1.  He takes an IPSec tunnel from a crappy remote router with less-than-optimal encryption.  Per our sec posture, only FIPS crypto can be used to get in to our environment.  Our solution thus far is to stand up an intermediate ipsec router that can speak non-FIPS, and then it routes the traffic to the 5220 with FIPS crypto in to a dmz. We believe the use of another vsys can take the place of the intermediate router, but need to be sure that the traffic passing from vsys to vsys is secure and observable.  Is this what inter-vsys routing does by default?

L7 Applicator

Re: IPSec Tunnel from vsys1 to vsys2


If its only one or a few machines that need to connect to you via VPN, what about giving them the GlobalProtect client? That way you can ensure your security posture.


Just a thought.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!