Security Zone Site to Site VPN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Security Zone Site to Site VPN

L4 Transporter

Hey guys,

 

We do have a headquarter and a branch office.

 

All services are located in the HQ, in the branch office there are just workstations that access the services of the HQ.

 

So I have to set up a site to site vpn connection between the BO and HQ.

 

Let's start with the Palo Alto in the branch office.

 

I have to create a tunnel interface and choose a security zone.

 

According to the manual:

 

"Security Zone: (select the layer 3 internal zone from which the traffic will originate)"

 

I don't understand that. there are more than one client interfaces/networks in the BO, and each interface is a single zone. So there are more than one internal zones which originate traffic to the HQ.

 

1) Which zone do I have to choose?

 

And my second question: 2) When I set up the security policies, which destination zone do I have to use for the traffic that's destination is the HQ ?

 

and 3) the destination zone in the security policies and the security zone of the tunnel interface, are these the same?

 

Thanks for any help!

11 REPLIES 11

Cyber Elite
Cyber Elite

@MPI-AE

there are 2 levels that need to be considered when building VPN tunnels and allowing traffic through

 

first you need to be able to create the VPN tunnel itself, this works at a lower 'network' level as you bind the tunnel to an interface (either physical or loopback)

so typically you will use your untrust interface to initiate the tunnel

 

once the tunnel is established, you need to allow user connections to enter the tunnel: creating the tunnel has also created a new interface: the tunnel interface

so any security policies that allow users to connect to the tunnel, will need to be from the user zones to the tunnel interface zone, and reverse in case HQ needs to make connections into the BO (think IT doing remote takeovers)

 

please check out this article to help you get started: Getting Started: VPN

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper

 

I'm talking about that one: (That's from an instruction video)

 

pa.JPG

 

Which security zone do I have to choose here?

 

 

 

This is where you create the tunnel interface: it is best practice to assign it it's own zone (create a new one, for example 'vpn-to-HQ') so you can control what goes in and out through security policies; from a security perspective it will behave as a physical interface with a zone

from trust to vpn-to-hq allow

from vpn-to-hq to trust allow

 

you can also choose to put it in the user zone and let the default intrazone poloicy simply allow everything in and out

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thank you, that will help me!

 

Another question, though:

 

My PA-820 is on 8.0.2 and my PA-3020 is on 7.1.7

 

1) is that a problem?

 

2) I want to update my PA-3020 in two months to Version 8, too. Will the Site to Site vpn remain?

1. No

2. Yes

 

ipsec parameters on both PAN-OS are identical so version mismatch is no problem and after an upgrade the configuration will remain identical and the tunnel will immediately work as before

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

That's good to know!

 

I think there is a last question.

 

We do have a /22 public ip addresses.

 

And our Global Protect Gateway listens on one of that public addresses. The external interface on our firewall, however, is an ip from our ISP, so it's different from our public space.

 

The question is, for the site to site vpn. when I set up the IKE Gateway, can I use an address from our public space as a peer or do I need to use the external interface with the IP of our ISP?

 

For example with a loopback interface?

you can either add your public space to your external interface and use that addrss, or create a loopback interface and place it in the external zone (or a different zone and then control ipsec/ike with security policy)

 

if you need proxy-arp, you'll need to add the public IP range to the interface, and can then still add a loopback for a specific IP. If your ISP is forwarding the entire range to your firewall MAC, you can use the loopback without adding the range to your external interface

 

 

hope this makes sense 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

yeah that makes sense, I will try that:)

 

I finsihed the configuration on my remote firewall.

 

I'm wondering why I don't see any logs in the traffic monitor that the firewall wants to reach the gateway peer ip address?

 

Is that normal?

The actual packets are probably flowing untrust to untrust (originating on the external interface heading out to the internet)
If you don't have a specific security policy, these packets will hit the default intrazone policy which has logging disabled by default

The negotiation should be visible in the 'system' log
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper

 

Thanks for your help, the tunnel is working now.

 

When I want to connect to the firewall via https over the tunnel, the monitor traffic log says:

 

Application: incomplete

To Port: 443

Action: allow

Reason: Aged Out.

 

Can you tell me why it doesn't recognize ssl?

 

The same problem with ssh..

Is the encryption too strong?

once the tunnels are up, you need to make sure routing is fine on both sides for the sessions that need to go into the tunnel

 

you'll need to add a route on the virtual router with the remote subnet pointed at the local tunnel interface. you will also need security policies to allow in- and egress sessions to be created so you'll probably need a few "trust to vpn" and "vpn to trust" rules

 

 

are you trying to connect to the managment interface througfh the vpn tunnel? 

is the management on the remote end connected to the 'lan' interface or is it in it's own network. you'll need to make sure the whole 'chain' can be reached 

eg. routing from your client to your local firewall, routing from your local firewall into the tunnel, security policy on your local firewall to allow the connection. security policy on the remote fiorewall to allow the packets from the tunnel onto the lan, routing to your mgmt interface, routing from the mgmt interface to your client's ip (if there's a router in between you will need to add routing to the firewall), routing on the firewall to return the packet into the tunnel

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 4652 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!