Palo alto Active/passive HA on azure with IPsec VPN tunnel

Hello,

 

I am deploying Active/Passive Palo Alto HA VMs on Azure with an external and internal load balancer topology (picture below). I know that the NAT is done by the public load balancer, so there is no need for a public IP address on the VMs' interfaces for this purpose, but I need to set up IPsec VPN connections between my PA-VMs and other sites. How would I configure the IPsec VPN tunnels: should I put the public IP of the load balancer as the peer IP, or the private IP of the VMs, or should I literally configure my PA-VMs with a public IP on their external interfaces?

 

I am really blocked on this point; if anyone could help I would be really grateful.

 

[image: Question forum palo ip public optimized.PNG]

Thank you in advance

 

Louey

@louey11 

 

You can use the private IP address on the firewall itself, but make sure you use the local identifier and remote identifier options on both sides of the tunnel to make this work. (Imagine your side's IP is a dynamic IP; how would you configure that? The same way.)

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHVCA0

 

Cheers!

Suresh
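An added example (not from the thread and not PAN-OS code) of the mechanism Suresh's answer relies on: when the firewall's untrust interface only has a private IP and the Azure load balancer rewrites the source, the remote peer cannot match the tunnel on the configured address, so IKE must (a) detect the NAT and (b) identify the peer by its IKE identity (local/peer ID) rather than by IP. The script builds the RFC 7296 NAT_DETECTION hashes on the Azure side, re-checks them on the remote side from the post-NAT source address, and then looks up the IKE gateway by the FQDN identifier. All addresses, SPIs, the rewritten SNAT port and the `azure-fw.example.com` identifier are constructed assumptions.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (RFC 5737 / RFC 1918 documentation values), not from the thread.
FW_PRIVATE_IP = "10.0.1.4"        # PA-VM untrust interface, no public IP of its own
LB_PUBLIC_IP = "198.51.100.10"    # Azure public load balancer frontend that SNATs the VM
REMOTE_PEER_IP = "203.0.113.20"   # the other site's VPN gateway (publicly reachable)
IKE_PORT = 500
FW_LOCAL_ID = ("fqdn", "azure-fw.example.com")  # assumed local identifier on the PA-VM


def nat_detection_hash(spi_i: bytes, spi_r: bytes, ip: str, port: int) -> bytes:
    """NAT_DETECTION_SOURCE_IP / NAT_DETECTION_DESTINATION_IP data, RFC 7296 s2.23:
    SHA-1 over SPIi || SPIr || IP address || port (network byte order)."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(spi_i + spi_r + addr + struct.pack("!H", port)).digest()


def detect_nat(spi_i, spi_r, n_src, n_dst, observed_src_ip, observed_src_port,
               my_ip, my_port):
    """Responder side: recompute both hashes from what actually arrived on the wire.
    Returns (initiator_behind_nat, responder_behind_nat)."""
    init_nat = n_src != nat_detection_hash(spi_i, spi_r, observed_src_ip, observed_src_port)
    resp_nat = n_dst != nat_detection_hash(spi_i, spi_r, my_ip, my_port)
    return init_nat, resp_nat


@dataclass
class IkeGateway:
    name: str
    peer_address: Optional[str]   # None = dynamic peer, no fixed address known
    peer_id_type: str             # e.g. "ipaddr", "fqdn", "keyid"
    peer_id: str


def select_gateway(gateways, src_ip, id_type, id_value):
    """Responder-side peer lookup: a static peer address wins if it matches the
    packet source; otherwise fall back to the identity carried in the IDi payload,
    which is why both ends must configure matching local/peer identifiers."""
    for gw in gateways:
        if gw.peer_address == src_ip:
            return gw
    for gw in gateways:
        if gw.peer_address is None and (gw.peer_id_type, gw.peer_id) == (id_type, id_value):
            return gw
    return None


def demo():
    spi_i = bytes.fromhex("0011223344556677")   # constructed initiator SPI
    spi_r = bytes(8)                            # zero in the IKE_SA_INIT request
    # 1. The PA-VM builds its NAT detection payloads from the addresses it can see:
    #    its own private IP as source and the remote peer as destination.
    n_src = nat_detection_hash(spi_i, spi_r, FW_PRIVATE_IP, IKE_PORT)
    n_dst = nat_detection_hash(spi_i, spi_r, REMOTE_PEER_IP, IKE_PORT)
    # 2. The Azure LB SNATs the packet; the remote site sees the LB frontend and
    #    (assumed) a rewritten source port instead of 10.0.1.4:500.
    observed_src_ip, observed_src_port = LB_PUBLIC_IP, 1025
    init_nat, resp_nat = detect_nat(spi_i, spi_r, n_src, n_dst,
                                    observed_src_ip, observed_src_port,
                                    REMOTE_PEER_IP, IKE_PORT)
    # 3. The remote site's gateway table. An entry keyed on the firewall's private
    #    IP could never match the observed source; the dynamic-peer entry matched
    #    on the FQDN identifier does.
    remote_gateways = [
        IkeGateway("site-c", "192.0.2.77", "ipaddr", "192.0.2.77"),
        IkeGateway("azure-fw", None, *FW_LOCAL_ID),
    ]
    gw = select_gateway(remote_gateways, observed_src_ip, *FW_LOCAL_ID)
    return {
        "initiator_behind_nat": init_nat,
        "responder_behind_nat": resp_nat,
        "matched_gateway": gw.name if gw else None,
        # the responder must answer the post-NAT address/port it received the
        # packet from, never the private IP that appears in the peer's config
        "reply_to": (observed_src_ip, observed_src_port),
    }


if __name__ == "__main__":
    print(demo())
```

Running it prints that the initiator is behind NAT, the responder is not, and the `azure-fw` entry is selected purely on the identifier. What the example does not cover is the load-balancer side (forwarding UDP 500/4500 to the currently active firewall), which the thread does not go into.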

Cyber Elite

@louey11,

If you don't want to use a dynamic configuration, which is by far the easiest, I would recommend that you set up a public IP directly on the PAs and not go through the load balancer. While it will work, it'll take a bit of tweaking to ensure that the load balancer isn't causing any issues, since it'll be considered a long-running session.
