Site-To-Site VPN Question


L2 Linker

If we deploy a Site-To-Site VPN to one of our remote locations with a Palo Alto NGFW, will our main hub firewall control the Threat/URL, etc. and Security/NAT rules for the other Palo Alto?

6 REPLIES

Community Team Member

Hi @DuggiFresh ,


Creating a tunnel to a remote site does not give the hub control over the remote site's subscriptions/services as the remote fw will have its own subscriptions/services. You will still need to configure the security policies on the remote site that allow traffic to the hub along with the security profiles you have access to. 

LIVEcommunity team member
Stay Secure,
Jay

Cyber Elite

@DuggiFresh,

The answer to your question is ... it depends. @JayGolf is correct in that the answer to this question is generally no. If your goal with this setup is to have the remote site pass everything to your main site, use those subscriptions for all traffic, and manage all rules from a single node, you could have the remote site send everything across the tunnel and process everything on the main site. This would give the main site full control over all traffic, have it handle any NAT for the remote site, and generally treat the remote site as an extension of the main site.


There are some consequences with this sort of configuration, however. The configuration on both sides is slightly more complex to handle everything correctly, it's an abnormal configuration for someone coming into the environment, and you'll have additional latency tunneling all of that traffic back and forth from the main site when accessing resources that don't actually require the use of the tunnel (i.e. all normal internet traffic).

That may or may not be a large concern for your environment depending on requirements and the added latency when going across the tunnel for everything.

L2 Linker

That is what I was wanting to do: have my remote site pass everything to my main site. These are very small remote sites, and our main site is hardly using many resources of the PA; it maybe peaks at 10% CPU load sometimes, but other than that it's averaging 2-4%. How easy is it to accomplish passing everything to the main site with a tunnel?


Also, are there better alternatives than a tunnel if we are wanting to direct all traffic to our main site? 

Cyber Elite

Hello,

I would recommend the tunnel as it is the most secure option without spending additional money on a point-to-point circuit. Just route all traffic out of your 'hub' to control the traffic.


https://www.cisa.gov/resources-tools/resources/trusted-internet-connections-tic-30-core-guidance-doc...


This helps greatly in managing and supporting the users when they have issues accessing an internet resource.


Regards,

What are some good resources on how to do that? Would I just need to create a static route from the remote site to the IPsec VPN tunnel? I don't want to use those remote sites for managing any of the policies and only use the hub to manage the policies.

Cyber Elite

Hello,

If you only have the one VPN tunnel and way to get to the hub device, then yes a static route would be the easiest.


Regards,
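An added configuration example (not from this thread or from Palo Alto's own documentation) showing the PAN-OS CLI shape of the "route everything to the hub" design discussed above: the spoke sends a default route into the tunnel, and the hub owns the security policy and the source NAT for the spoke subnet. The interface names, zone names, the 192.168.50.0/24 spoke LAN, the 198.51.100.1 ISP next hop and the 203.0.113.1 hub peer address are assumed placeholders.

```text
# --- SPOKE (remote site) ---
# Assumed: tunnel.1 terminates the IPsec tunnel to the hub, ethernet1/1 is the ISP uplink,
# 198.51.100.1 is the ISP next hop, 203.0.113.1 is the hub's IKE peer (constructed values).
set network interface tunnel units tunnel.1
set network virtual-router default interface tunnel.1
set zone vpn network layer3 tunnel.1

# Keep the IKE peer reachable via the ISP, NOT via the tunnel. Without this more-specific
# route, the default route below would try to push the tunnel's own outer packets into the
# tunnel, and the VPN never comes up (or flaps once it does).
set network virtual-router default routing-table ip static-route hub-peer destination 203.0.113.1/32 interface ethernet1/1 nexthop ip-address 198.51.100.1

# Everything else goes to the hub.
set network virtual-router default routing-table ip static-route default-via-hub destination 0.0.0.0/0 interface tunnel.1 metric 10

# Minimal local policy: the spoke only lets its LAN into the tunnel; inspection happens at the hub.
set rulebase security rules lan-to-hub from trust to vpn source 192.168.50.0/24 destination any application any service any action allow

# --- HUB (main site) ---
# Return route for the spoke LAN, then policy and NAT as if the spoke were a local segment.
# "default" is the built-in security profile group; substitute your own group name.
set network virtual-router default routing-table ip static-route to-spoke destination 192.168.50.0/24 interface tunnel.1
set rulebase security rules spoke-to-internet from vpn to untrust source 192.168.50.0/24 destination any application any service application-default action allow profile-setting group default
set rulebase nat rules spoke-outbound-nat from vpn to untrust source 192.168.50.0/24 destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1
```

The hub-side NAT rule is what lets the spoke's private addresses reach the internet through the hub's untrust interface; without it the spoke traffic is inspected but never leaves the hub.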

  • 1433 Views
  • 6 replies
  • 0 Likes