I need guidance on how I could go about working on the configuration. There are only two interfaces/zones on the firewall, untrust and trust.
The trusted interface leg is connected to the internal network segment and the external interface is connected to the router facing the telecoms.
Hello, it may not be this simple, but here are the basics. 1st, you need to create a tunnel interface that belongs to the zone that you want your VPN connections to terminate in. Some people use the trust zone, others create a separate zone. 2nd, you need to create an IKE gateway that uses your physical untrust interface that will connect to the peer; this is also where you set up your peer's IP address and the pre-shared key. 3rd, create an IPSec tunnel bound to the tunnel interface that you created and select the IKE gateway you created. The key type is usually auto. 4th, set up your proxy IDs. These should be the source and destination network addresses for the networks on either end of the tunnel. This will be the inverse of what you have on the Cisco end, known as the interesting traffic or encryption domain.
I am wondering if you know of an easy migration method for when you are required to configure tons of IPSEC VPN tunnels on a Palo Alto firewall. I find the manual method of using the GUI to create the tunnels feasible only if there aren't a lot of tunnels. Is there a way to use the command line to create VPN tunnels, including phase 1 and phase 2 config, easily? Kindly advise please, or anyone here in the forums that has done that?
The CLI guides for the various versions of PAN-OS should have what you're looking for. As an example, there's a 'set network ike' section starting on page 95 and there's an ipsec subcommand of 'set network tunnel' on page 121 of the PAN-OS 4.1 CLI guide. There are lots and lots of options and subcommands in the CLI guide; you should be able to piece together commands that build IPSEC and IKE configs for your tunnels.
Raymond, I am not sure that anyone has sample scripts. We all would start with reading the Admin Guide and then copying/pasting the information and building the scripts/commands from scratch.
My recommendation is to take a single VPN that you have configured via the GUI, look at the command structure to build that VPN via the CLI, and then you can easily duplicate most of the Phase 1 and Phase 2 information.
Your biggest hurdle may be ensuring that your Proxy IDs match between your remote Cisco and Palo Alto FWs.
scantwell's reply covers everything I was thinking. Getting a tunnel built using the web GUI and then using Palo Alto's config audit feature to determine the backend CLI commands that are used to build a tunnel is exactly the approach I'd take to scripting tunnel config, with the CLI guide as a command reference if needed.
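A generator in the spirit of the approach above (build one tunnel in the GUI, capture its set commands, then stamp them out per site), as an added Python example that is not from this thread or from Palo Alto. The TEMPLATE lines are assumed PAN-OS set syntax to be replaced with what the config audit shows on your version; the site inventory, interface names and zone name are constructed placeholders.

```python
import csv
import io
import ipaddress
import secrets

# Assumed per-tunnel command template in PAN-OS "set" syntax. Treat it as a
# placeholder: build one tunnel in the GUI, capture the set commands the
# config audit shows for your PAN-OS version, and paste them here keeping
# the {placeholders}.
TEMPLATE = """\
set network interface tunnel units {tunnel_if}
set zone {zone} network layer3 {tunnel_if}
set network ike gateway {name}-gw local-address interface {untrust_if}
set network ike gateway {name}-gw peer-address ip {peer_ip}
set network ike gateway {name}-gw authentication pre-shared-key key {psk}
set network tunnel ipsec {name} tunnel-interface {tunnel_if}
set network tunnel ipsec {name} auto-key ike-gateway {name}-gw
set network tunnel ipsec {name} auto-key proxy-id {name}-pid local {local_net} remote {remote_net} protocol any"""

# Constructed sample inventory: one row per remote Cisco peer.
SITES_CSV = """name,peer_ip,local_net,remote_net
siteA,203.0.113.10,10.1.0.0/24,192.168.10.0/24
siteB,203.0.113.20,10.1.0.0/24,192.168.20.0/24
"""

def validate_site(row):
    """Normalise one inventory row and reject values the proxy-ID would silently mismatch on."""
    peer = ipaddress.ip_address(row["peer_ip"])                  # raises ValueError on garbage
    local = ipaddress.ip_network(row["local_net"], strict=True)   # strict: host bits must be zero
    remote = ipaddress.ip_network(row["remote_net"], strict=True)
    if local.overlaps(remote):
        raise ValueError(f"{row['name']}: local and remote networks overlap")
    return {"name": row["name"], "peer_ip": str(peer),
            "local_net": str(local), "remote_net": str(remote)}

def render_tunnels(csv_text, untrust_if="ethernet1/1", zone="vpn", first_unit=1,
                   psk_for=lambda name: secrets.token_urlsafe(32)):
    """Expand TEMPLATE once per CSV row; returns the set commands as a list of lines."""
    seen, lines = set(), []
    for i, row in enumerate(csv.DictReader(io.StringIO(csv_text))):
        site = validate_site(row)
        if site["name"] in seen:
            raise ValueError(f"duplicate tunnel name {site['name']}")
        seen.add(site["name"])
        ctx = dict(site, tunnel_if=f"tunnel.{first_unit + i}", zone=zone,
                   untrust_if=untrust_if, psk=psk_for(site["name"]))  # distinct PSK per peer
        lines.extend(TEMPLATE.format(**ctx).splitlines())
    return lines
```

Each peer gets its own random pre-shared key, so the same key is never reused across sites; record the generated keys out of band for the Cisco side and commit only after reviewing the output.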