04-24-2019 01:52 PM
We have IPSEC tunnel working fine with vendor device.
Vendor Lan subnet is 192.168.80.x
Our lan subnet is 10.10.x.x
Proxy ID on PA is
Local Remote
10.10.x.x 192.168.80.x
Also Vendor has another Lan subnet 192.168.81.x that need to talk to internet IP say 23.x.x.x
This traffic needs to come to PA and then go to internet.
So what proxy id should i put for this in PA?
04-24-2019 07:49 PM
I was asking about the need of the tunnel, I was asking if you actually needed to utilize Proxy IDs or not. You only need to utilize Proxy-IDs if the peer device is policy-based instead of route-based.
Trying to direct certain websites through your firewall could be tricky from a routing standpoint depending on the website and all of the calls that the site makes. You'll essentially need the peer device to have route statements in place that direct all traffic from their network to 24.x.x.x to actually have a next-hop network of your firewall. You'll then need the proper security policies and routing statements in place to actually process the traffic.
04-25-2019 05:55 AM
Having a tunnel does not automatically require you specify Proxy-IDs. Unless you are dealing with a policy-based peer it doesn't actually make sense to specify Proxy-IDs at all.
policy-based VPNs would be like Cisco ASAs as an example. Policy-Based VPNs negotiate between the peers what traffic will actually attempt to be sent through the tunnel as part of the phase 2 negotiation and they have to match for the tunnel to form up properly.
Route-Based VPNs (like the Palo-Alto) will send by default IDs of 0.0.0.0/0, 0.0.0.0/0, and any protocol when they negotiate phase 2. This is because you simply utilize the route table to tell the firewall what traffic you actually want to send through the tunnel interface, and then just need a security policy allowing the traffic.
The following KB article is a good place to start with knowing when you should be specifying Proxy-IDs and going through the actual negotiation process. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0
04-24-2019 07:22 PM
I have to ask just to be sure, are you positive that you actually need to utilize proxy IDs for this deployment?
The proxy IDs need to match what the other end is sending you. When working with Proxy IDs you really need to know how both ends are configured and the actual device in question; different vendors will do things extremely different in how the tunnel is actually negotiated.
For the other subnet, you would need the other admins to configure a route statement that actually sends the traffic through the tunnel, and then create an associated security policy allowing access along with the correct routing statements on your firewall.
04-24-2019 07:28 PM
We have LAN subnets on both ends and they have private IP address.
Yes we need tunnel for that.
Also we want for security purposes if they access specfic Internet sites it should goi via PA.
So Vendor will put the Route for that if they need to access specfic Internet IP they will come via Tunnel.
So for this traffic I just need security Policy right if traffic coming from say 192.168.x.x to 24.x.x.x go via PA outside Interface.
So for this traffic I do not need any PRoxy ID right?
Thanks for help
04-24-2019 07:49 PM
I was asking about the need of the tunnel, I was asking if you actually needed to utilize Proxy IDs or not. You only need to utilize Proxy-IDs if the peer device is policy-based instead of route-based.
Trying to direct certain websites through your firewall could be tricky from a routing standpoint depending on the website and all of the calls that the site makes. You'll essentially need the peer device to have route statements in place that direct all traffic from their network to 24.x.x.x to actually have a next-hop network of your firewall. You'll then need the proper security policies and routing statements in place to actually process the traffic.
04-24-2019 08:05 PM
To be honest we need tunnel from security point of view as this is requirement from our info security.
When you say that other device is policy based you mean
if it supports security rules or not?
04-25-2019 05:55 AM
Having a tunnel does not automatically require you specify Proxy-IDs. Unless you are dealing with a policy-based peer it doesn't actually make sense to specify Proxy-IDs at all.
policy-based VPNs would be like Cisco ASAs as an example. Policy-Based VPNs negotiate between the peers what traffic will actually attempt to be sent through the tunnel as part of the phase 2 negotiation and they have to match for the tunnel to form up properly.
Route-Based VPNs (like the Palo-Alto) will send by default IDs of 0.0.0.0/0, 0.0.0.0/0, and any protocol when they negotiate phase 2. This is because you simply utilize the route table to tell the firewall what traffic you actually want to send through the tunnel interface, and then just need a security policy allowing the traffic.
The following KB article is a good place to start with knowing when you should be specifying Proxy-IDs and going through the actual negotiation process. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0
04-25-2019 07:43 AM
Seems in our case Vendor device is a Modem that supports Ikev2
Will check with Vendor if there modem supports policy-based VPN or not?
04-27-2019 07:11 AM
Many thanks for answering the question
04-27-2019 12:10 PM
Good article about the question of "why use a VPN proxy ID?":
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
