VPNs between Palo and Check Point

L4 Transporter

Hello all,

I'm hoping that somebody may be able to answer a few questions I have about the configuration of Palo Alto firewalls please?

Most of my experience in recent years has been with Check Point firewalls. I've found that most things can be done in a very similar way with Palo Altos, but I have a few questions, about site-to-site VPNs in particular.

I have set up a simple testbed with a Check Point firewall (traditional mode) and a Palo Alto firewall, each with an inside and outside interface. For end-to-end testing there is a Windows XP machine behind each, as below.

WinXP(192.168.1.2/24)---(192.168.1.1/24)PaloAlto(172.16.1.1/30)====(172.16.1.2/30)CheckPoint(192.168.5.1/24)---(192.168.5.2/24)WinXP

In order to get this working I have:

     1) Configured IKE and IPSec crypto profiles in PA to match CP
     2) Created a tunnel interface and selected the virtual router and a new zone
     3) Created an IKE gateway specifying local interface, local IP, remote IP, pre-shared key and the IKE crypto profile
     4) Created an IPSec tunnel specifying the tunnel interface, the IKE gateway (pulling in some values) and the IPSec crypto profile
     4a) Added a proxy ID with local of 192.168.1.0/24 and remote of 192.168.5.0/24
     5) Added a static route to the virtual router with destination 192.168.5.0/24 and the tunnel created above as interface

I've done the equivalent on the CP box and allowed all traffic between both subnets in both policies. All seems to work fine.


So my questions are:

     1) Is this the best way to do this please? If so, when the CP box is replaced with a PA box will it still be the best way?

     2) Most of my sites have at least three networks behind them.  Do I need to add proxy IDs for every possible combination please?

For example,

If
     site A had subnets 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24
and
     site B had subnets 192.168.5.0/24, 192.168.6.0/24 and 192.168.7.0/24

would I need

     Proxy ID name proxy01 Local ID 192.168.1.0/24 Remote ID 192.168.5.0/24 Protocol Any
     Proxy ID name proxy02 Local ID 192.168.1.0/24 Remote ID 192.168.6.0/24 Protocol Any
     Proxy ID name proxy03 Local ID 192.168.1.0/24 Remote ID 192.168.7.0/24 Protocol Any
     Proxy ID name proxy04 Local ID 192.168.2.0/24 Remote ID 192.168.5.0/24 Protocol Any
     Proxy ID name proxy05 Local ID 192.168.2.0/24 Remote ID 192.168.6.0/24 Protocol Any
     Proxy ID name proxy06 Local ID 192.168.2.0/24 Remote ID 192.168.7.0/24 Protocol Any
     Proxy ID name proxy07 Local ID 192.168.3.0/24 Remote ID 192.168.5.0/24 Protocol Any
     Proxy ID name proxy08 Local ID 192.168.3.0/24 Remote ID 192.168.6.0/24 Protocol Any
     Proxy ID name proxy09 Local ID 192.168.3.0/24 Remote ID 192.168.7.0/24 Protocol Any

I'm sorry if these questions seem silly or this has been covered elsewhere. I've had a good look around and not found much info.

Any help would really be appreciated!

Many thanks,
Dave


Accepted Solutions
L6 Presenter

Re: VPNs between Palo and Check Point

@dyoung:

The limit is per unique tunnel. Each tunnel can have up to 10 proxy IDs. If you need more proxy IDs to the remote location you can configure a second tunnel to the VPN peer for the other proxy IDs.

-benjamin


All Replies
L6 Presenter

Re: VPNs between Palo and Check Point

You have configured it appropriately. PA implements route-based VPNs, so the default network IDs or proxy IDs will be 0.0.0.0/0. The default limit on the number of supported proxy IDs is 10, so the IDs listed fall under that limit. Otherwise, you look good.

-Renato

L4 Transporter

Re: VPNs between Palo and Check Point

Thanks for your reply Renato!

I'm glad that I'm going the right way, although I'm slightly concerned about the limit of 10 proxy IDs. I'm not sure that this will be enough in some cases.

Do you know if the limit can be increased please?

Thanks,

Dave

L6 Presenter

Re: VPNs between Palo and Check Point

Hi Dave,

Unfortunately, increasing the limit would be considered a feature request and those go through your SE.

Regards,

Renato

Not applicable

Re: VPNs between Palo and Check Point

Hi,

we have some customers working like this: you need to create a phase 1 to the remote peer, and if you need 20 proxy IDs you must create 2 tunnels with the same phase 1 but different phase 2, each tunnel with 10 proxy IDs. Remember to add the correct routes to each new tunnel.

But this works perfectly!!!

Regards

Albert Estevez

L4 Transporter

Re: VPNs between Palo and Check Point

That's great, many thanks for your help everybody!

L0 Member

Re: VPNs between Palo and Check Point

aestevez wrote:

Hi,

we have some customers working like this: you need to create a phase 1 to the remote peer, and if you need 20 proxy IDs you must create 2 tunnels with the same phase 1 but different phase 2, each tunnel with 10 proxy IDs. Remember to add the correct routes to each new tunnel.

But this works perfectly!!!

Regards

Albert Estevez

Hi!

Do I need to create 2 different tunnel interfaces (tab Network -> Interfaces), or only 2 different phase 2s with the same tunnel interface?

Thanks

L7 Applicator

Re: VPNs between Palo and Check Point

Hi Iceman,

you will need to define 2 different tunnels and define the correct static routes to return the traffic for each tunnel interface.

I hope this helps you.

Remember that at the end you will have 2 IPsec tunnels sharing the same IKE gateway and the same phase 1 and phase 2, but each IPsec tunnel will be attached to a different tunnel interface and routes, with a maximum of 10 proxy IDs per tunnel.

Regards

Albert

L3 Networker

Re: VPNs between Palo and Check Point

Check Point allows setting up only one tunnel between IKE gateways. That means there is no need to specify each and every proxy ID or worry about having multiple tunnel interfaces with their respective routes. Simply use the default proxy ID in the PAN (0.0.0.0/0).

If I remember correctly this is a setting on the "interop device" in CP.
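Albert's advice above (spread the proxy IDs over several IPsec tunnels, each on its own tunnel interface, and add the matching static routes) and the last reply's alternative (one tunnel with the 0.0.0.0/0 proxy ID) can both be planned before touching the firewall. The Python script below is an added example for this thread, not code from the thread or from Palo Alto Networks. It builds the local-by-remote proxy-ID cross product that Dave listed, packs it into tunnels of at most 10 proxy IDs, and keeps every proxy ID for a given remote subnet on the same tunnel, so the static route for that subnet can point at exactly one tunnel interface. The IKE gateway and crypto profile names (`cp-gw`, `cp-ipsec`) and the PAN-OS `set` command shapes are assumptions to check against your PAN-OS version.

```python
"""Plan Palo Alto proxy IDs across IPsec tunnels (added example, not from the thread)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

ProxyId = Tuple[str, str]            # (local network, remote network)
Tunnel = Dict[str, object]           # {"tunnel": "tunnel.N", "proxy_ids": [...], "routes": [...]}

MAX_PROXY_IDS_PER_TUNNEL = 10        # per-tunnel limit stated in the thread
ANY = "0.0.0.0/0"                    # PAN-OS default proxy ID mentioned in the last reply


def _validate(nets: List[str]) -> List[str]:
    """Normalise CIDRs and reject host bits or typos before they become proxy IDs."""
    return [str(ipaddress.ip_network(n, strict=True)) for n in nets]


def plan_tunnels(local_subnets: List[str], remote_subnets: List[str],
                 max_per_tunnel: int = MAX_PROXY_IDS_PER_TUNNEL,
                 single_tunnel: bool = False) -> List[Tunnel]:
    """Return the tunnels to build, each with its proxy IDs and the remote routes it carries.

    single_tunnel=True models the Check Point case from the last reply: one tunnel
    with the 0.0.0.0/0 proxy ID and a static route for every remote subnet.
    """
    local = _validate(local_subnets)
    remote = _validate(remote_subnets)
    if single_tunnel:
        return [{"tunnel": "tunnel.1", "proxy_ids": [(ANY, ANY)], "routes": list(remote)}]
    if len(local) > max_per_tunnel:
        # A remote subnet needs one proxy ID per local subnet, all on the tunnel its
        # route points at; if that does not fit, summarise the local side instead.
        raise ValueError(f"{len(local)} local subnets exceed {max_per_tunnel} proxy IDs per tunnel")
    tunnels: List[Tunnel] = []
    current: Optional[Tunnel] = None
    for r in remote:
        pairs: List[ProxyId] = [(l, r) for l in local]   # cross product for this remote subnet
        if current is None or len(current["proxy_ids"]) + len(pairs) > max_per_tunnel:
            current = {"tunnel": f"tunnel.{len(tunnels) + 1}", "proxy_ids": [], "routes": []}
            tunnels.append(current)
        current["proxy_ids"].extend(pairs)   # type: ignore[attr-defined]
        current["routes"].append(r)          # type: ignore[attr-defined]
    return tunnels


def render_cli(plan: List[Tunnel], ike_gateway: str, ipsec_profile: str,
               vrouter: str = "default") -> List[str]:
    """Emit PAN-OS 'set' commands for the plan.

    Command shapes are assumed from the PAN-OS CLI set syntax; verify them on your
    version. Zone assignment of each tunnel.N (step 2 in Dave's list) is left out
    because the zone name is site-specific.
    """
    lines: List[str] = []
    proxy_no = 0
    for idx, t in enumerate(plan, 1):
        iface = str(t["tunnel"])
        name = f"ipsec-tunnel-{idx}"    # one IPsec tunnel object per tunnel interface
        lines += [
            f"set network interface tunnel units {iface}",
            f"set network virtual-router {vrouter} interface {iface}",
            f"set network tunnel ipsec {name} tunnel-interface {iface}",
            f"set network tunnel ipsec {name} auto-key ike-gateway {ike_gateway}",
            f"set network tunnel ipsec {name} auto-key ipsec-crypto-profile {ipsec_profile}",
        ]
        for local, remote in t["proxy_ids"]:  # type: ignore[union-attr]
            proxy_no += 1
            lines.append(f"set network tunnel ipsec {name} auto-key proxy-id proxy{proxy_no:02d} "
                         f"local {local} remote {remote} protocol any")
        for remote in t["routes"]:  # type: ignore[union-attr]
            # Route name derived from the prefix; each remote subnet gets exactly one route.
            rname = "vpn-" + remote.replace(".", "-").replace("/", "-")
            lines.append(f"set network virtual-router {vrouter} routing-table ip static-route "
                         f"{rname} destination {remote} interface {iface}")
    return lines


if __name__ == "__main__":
    site_a = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]   # Dave's site A
    site_b = ["192.168.5.0/24", "192.168.6.0/24", "192.168.7.0/24"]   # Dave's site B
    for line in render_cli(plan_tunnels(site_a, site_b), "cp-gw", "cp-ipsec"):  # names assumed
        print(line)
```

With Dave's three-by-three example the nine proxy IDs fit in one tunnel, so the output is a single `tunnel.1` with three static routes. Grouping by remote subnet matters once a second tunnel is needed: if the proxy IDs for 192.168.5.0/24 were split across two tunnels, only one of them could own the route for that prefix and traffic for the other proxy IDs would never enter the tunnel that negotiated them.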
