02-08-2011 06:28 AM
Hello all,
I'm hoping that somebody may be able to answer a few questions I have about the configuration of Palo Alto firewalls please?
Most of my experience in recent years has been with Check Point firewalls. I've found that most things can be done in a very similar way with Palo Altos but I have a few questions - about site to site VPNs in particular.
I have set up a simple testbed with a Check Point firewall (traditional mode) and a Palo Alto firewall each with an inside and outside interface. For end to end testing there is a Windows XP machine behind each as below.
WinXP(192.168.1.2/24)---(192.168.1.1/24)PaloAlto(172.16.1.1/30)====(172.16.1.2/30)CheckPoint(192.168.5.1/24)---(192.168.5.2/24)WinXP
In order to get this working I have:
1) Configured IKE and IPSec Cryptos in PA to match CP
2) Created tunnel interface and selected virtual router and new zone
3) Created IKE gateway specifying local interface, local IP, remote IP, pre-shared key and selected IKE crypto profile
4) Created IPSec tunnel specifying tunnel interface, IKE gateway (pulling in some values) and selecting IPSec crypto profile
4a) Added a proxy ID with Local of 192.168.1.0/24 and remote of 192.168.5.0/24
5) Added a static route to virtual router with destination of 192.168.5.0/24 and tunnel created above as interface
I've done the equivalent on the CP box and allowed all traffic between both subnets in both policies. All seems to work fine.
So my questions are:
1) Is this the best way to do this please? If so, when the CP box is replaced with a PA box will it still be the best way?
2) Most of my sites have at least three networks behind them. Do I need to add proxy IDs for every possible combination please?
For example,
If
site A had subnets 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24
and
site B had subnets 192.168.5.0/24, 192.168.6.0/24 and 192.168.7.0/24
would I need
Proxy ID name proxy01 Local ID 192.168.1.0/24 Remote ID 192.168.5.0/24 Protocol Any
Proxy ID name proxy02 Local ID 192.168.1.0/24 Remote ID 192.168.6.0/24 Protocol Any
Proxy ID name proxy03 Local ID 192.168.1.0/24 Remote ID 192.168.7.0/24 Protocol Any
Proxy ID name proxy04 Local ID 192.168.2.0/24 Remote ID 192.168.5.0/24 Protocol Any
Proxy ID name proxy05 Local ID 192.168.2.0/24 Remote ID 192.168.6.0/24 Protocol Any
Proxy ID name proxy06 Local ID 192.168.2.0/24 Remote ID 192.168.7.0/24 Protocol Any
Proxy ID name proxy07 Local ID 192.168.3.0/24 Remote ID 192.168.5.0/24 Protocol Any
Proxy ID name proxy08 Local ID 192.168.3.0/24 Remote ID 192.168.6.0/24 Protocol Any
Proxy ID name proxy09 Local ID 192.168.3.0/24 Remote ID 192.168.7.0/24 Protocol Any
I'm sorry if these questions seem silly or this has been covered elsewhere. I've had a good look around and not found much info.
Any help would really be appreciated!
Many thanks,
Dave
02-08-2011 09:17 AM
@dyoung:
The limit is per unique tunnel. Each tunnel can have up to 10 proxy IDs. If you need more proxy IDs to the remote location you can configure a second tunnel to the VPN peer for the other proxy IDs.
-benjamin
02-08-2011 08:27 AM
You have configured it appropriately. PA implements route based VPNs so the default network IDs or Proxy IDs will be 0.0.0.0/0. The default limit on the number of supported Proxy IDs is 10 so the IDs listed fall under that limit. Otherwise, you look good.
-Renato
02-08-2011 08:54 AM
Thanks for your reply Renato!
I'm glad that I'm going the right way although slightly concerned about the limit of 10 Proxy IDs. I'm not sure that this will be enough in some cases.
Do you know if the limit can be increased please?
Thanks,
Dave
02-08-2011 09:16 AM
Hi Dave,
Unfortunately, increasing the limit would be considered a feature request and those go through your SE.
Regards,
Renato
02-10-2011 12:44 AM
Hi,
we have some customers working like this: you need to create a phase 1 to the remote peer, and if you need 20 proxy IDs you must create 2 tunnels with the same phase 1 but different phase 2, each tunnel with 10 proxy IDs; remember to add the correct routes to each new tunnel.
But this works perfectly!!!
Regards
Albert Estevez
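The nine-row proxy-ID table in Dave's question and the "split over two tunnels" advice in Albert's reply can be worked out mechanically. The Python below is an added example written for this thread, not code from Palo Alto Networks or from any of the posters. The subnets are the constructed sample from the question, the limit of 10 proxy IDs per tunnel is the one quoted in the replies, and two things are my assumptions: the tunnel.N interface names, and the rule that every proxy ID sharing one remote subnet stays on the same tunnel (the static route for that subnet can only point at one tunnel interface, so if its proxy IDs were spread over two tunnels, some local sources would be routed into a tunnel that has no matching proxy ID for them).

```python
from itertools import product
import ipaddress

# Constructed sample input: the two sites from the original question.
SITE_A = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
SITE_B = ["192.168.5.0/24", "192.168.6.0/24", "192.168.7.0/24"]

# Per-tunnel proxy-ID limit as quoted in the replies above.
MAX_PROXY_IDS_PER_TUNNEL = 10


def validate_subnets(subnets):
    """Reject typos such as 192.168.1.1/24 (host bits set) before they become proxy IDs."""
    return [str(ipaddress.ip_network(s, strict=True)) for s in subnets]


def proxy_id_pairs(local_subnets, remote_subnets):
    """Every local/remote combination; each one becomes a proxy ID with protocol 'any'."""
    return list(product(validate_subnets(local_subnets), validate_subnets(remote_subnets)))


def plan_tunnels(local_subnets, remote_subnets, limit=MAX_PROXY_IDS_PER_TUNNEL):
    """Split the proxy IDs over as many tunnels as the limit requires.

    Assumption (mine, not from the thread): all proxy IDs that share a remote
    subnet stay on one tunnel, because the static route for that subnet can only
    point at one tunnel interface.
    """
    local = validate_subnets(local_subnets)
    remote = validate_subnets(remote_subnets)
    if len(local) > limit:
        raise ValueError(f"{len(local)} local subnets exceed the per-tunnel limit of {limit}")
    tunnels, current = [], []
    for rem in remote:
        group = [(loc, rem) for loc in local]   # all proxy IDs for this remote subnet
        if len(current) + len(group) > limit:   # would overflow: start the next tunnel
            tunnels.append(current)
            current = []
        current.extend(group)
    if current:
        tunnels.append(current)
    return tunnels


def static_routes(tunnels, iface_prefix="tunnel."):
    """One (destination, interface) route per remote subnet, pointing at the tunnel that carries it."""
    routes = []
    for n, pairs in enumerate(tunnels, start=1):
        iface = f"{iface_prefix}{n}"                        # tunnel.1, tunnel.2, ... (assumed names)
        for dest in dict.fromkeys(r for _, r in pairs):     # de-duplicate, keep order
            routes.append((dest, iface))
    return routes


def render(tunnels):
    """Lines in the same layout the question used, grouped per tunnel."""
    lines, n = [], 0
    for t, pairs in enumerate(tunnels, start=1):
        lines.append(f"# tunnel.{t}: {len(pairs)} proxy IDs")
        for loc, rem in pairs:
            n += 1
            lines.append(f"Proxy ID name proxy{n:02d} Local ID {loc} Remote ID {rem} Protocol Any")
    return lines


def routes_cover_all_pairs(tunnels, routes):
    """Check: every proxy ID's remote subnet is routed to the tunnel that holds that proxy ID."""
    route_for = dict(routes)
    return all(route_for.get(rem) == f"tunnel.{n}"
               for n, pairs in enumerate(tunnels, start=1) for _, rem in pairs)


if __name__ == "__main__":
    plan = plan_tunnels(SITE_A, SITE_B)
    print("\n".join(render(plan)))
    for dest, iface in static_routes(plan):
        print(f"static route {dest} via {iface}")
```

With the three-by-three sample the planner produces a single tunnel holding the same nine proxy IDs as the question; adding a fourth local subnet (twelve combinations) is what pushes it to two tunnels, with the routes for 192.168.5.0/24 and 192.168.6.0/24 on tunnel.1 and the route for 192.168.7.0/24 on tunnel.2. Run `routes_cover_all_pairs` after any manual re-shuffle of proxy IDs between tunnels; it catches the case where a destination is routed into a tunnel that lacks the matching local/remote pair, which shows up in practice as one subnet pair silently failing while the rest of the VPN works.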
02-10-2011 02:10 AM
That's great - many thanks for your help everybody!
05-24-2011 03:57 AM
aestevez wrote:
Hi,
we have some customers working like this: you need to create a phase 1 to the remote peer, and if you need 20 proxy IDs you must create 2 tunnels with the same phase 1 but different phase 2, each tunnel with 10 proxy IDs; remember to add the correct routes to each new tunnel.
But this works perfectly!!!
Regards
Albert Estevez
Hi!
Do I need to create 2 different tunnel interfaces (tab Network -> Interfaces) or only 2 different phase 2s with the same tunnel interface?
Thanks
05-24-2011 07:16 AM
Hi Iceman,
you will need to define 2 different tunnels and define the correct static routes to return the traffic for each tunnel interface.
I hope this helps you.
Remember that at the end you will have 2 IPSec tunnels sharing the same IKE gateway and the same phase 1 and phase 2, but each IPSec tunnel will be attached to a different tunnel interface and routes, with a maximum of 10 proxy IDs per tunnel.
Regards
Albert
07-07-2011 01:42 AM
Checkpoint allows setting up only one tunnel between IKE gateways. That means there is no need to specify each and every proxy-id or worry about having multiple tunnel interfaces with their respective routes. Simply use the default proxy-id in the PAN (0.0.0.0/0).
If I remember correctly this is a setting on the "interop device" in CP.
07-07-2011 02:03 AM
Hi Oskar,
I remember trying that (using 3.1.7) and I found that tunnels from Palo to CP established OK but tunnels from CP to Palo failed because the Palo complained about not having a matching proxy id.
In the end I had to create a proxyid to match each network I had defined in the Check Point firewall object topology.
All worked OK then. Maybe this behaviour has changed in later versions.
Regards,
Dave
07-07-2011 02:14 AM
No issues whatsoever. Have used it a couple of times. In fact, I have been forced to get it working when having a CP firewall in a large VPN mesh. The CP had loads of small networks that would require a ridiculous amount of routes and tunnel interfaces on all the PAN devices. I'd say it wasn't an option in that particular case. R65 versions and later (Checkpoint) work as far as I know.
07-07-2011 02:34 AM
Interesting. Was your CP in "Traditional" or "Simple" mode as this may affect how the tunnels are negotiated?
I had quite a few little networks on CP too! Would have preferred to get it working as you suggested,
Thanks,
Dave
07-07-2011 02:50 AM
Always used simple mode when setting it up this way.
Hope you get it working!
Cheers,
/Oskar