We have 2 Palo Alto firewalls and we are trying to establish an IPsec tunnel between them. We proved that all VPN configurations are correct and were able to establish the tunnel and pass traffic, but only if we add a firewall rule saying allow any/any/any/any at the very top of the rule base, which goes against our security requirements. Once we deleted the firewall rule the tunnels stopped working. Simply put, we need to open firewall rules for site-to-site tunnels to work in our environment. Does anyone know the Palo Alto TCP/UDP ports to open in order for phase 1 and 2 to go green?
Usually VPN is terminated on the UNTRUST interface.
Unless you have added a "block any" rule to the end, this traffic is permitted already by the "interzone-default" policy.
If you terminate VPN on some other interface (TRUST, LOOPBACK, etc.) and have NAT in place, then you need to adjust your security policy accordingly.
Hi, I think I had a typo in my answer about interzone. If traffic stays in the same zone it is intrazone.
Basically, rules are evaluated top down.
The first one that matches will take effect. It either allows or blocks and, based on the security profile, will check for viruses or not (only allow rules).
If no rule matches, then one of the last 2 will match.
intrazone-default will match if the traffic source and destination are in the same zone. For example, if traffic from the VPN peer comes from the internet and you have configured the IPSec gateway on the WAN interface, then this rule will match.
If traffic (based on NAT and virtual router) is destined to some other zone, then "interzone-default" will match.
Those default rules do not log by default, so you don't see any traffic that matches them.
To gain this visibility you have to click on the rule and choose "override".
Click on the rule name.
On "Actions" tab check "Log at session end".
I am currently encountering an issue: UDP 500 and 4500 are not enough to get the site-to-site VPN tunnel up and running. Is ESP also required to be allowed?
I went beyond ports and used the L7 Applications. Including the screenshot below. I also allow ping, as some devices send ping to monitor tunnel status.
Hope that helps.
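As an added illustration (not code from this thread or from Palo Alto), the model below mimics the top-down, first-match evaluation with the two implicit default rules described earlier, and maps the flows an IPsec peer generates (IKE on UDP 500/4500, ESP, ping) onto L7 application names as the last answer suggests. The zone names, rule names and flows are constructed; the `classify` mapping is an assumption standing in for App-ID.

```python
# Added example: minimal model of PAN-OS-style security policy evaluation.
# Explicit rules are tried top down; the first match wins. If nothing matches,
# intrazone-default (allow) or interzone-default (deny) applies, and neither
# logs unless the override described in the thread is enabled.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Protocol numbers: 17 = UDP, 50 = ESP, 1 = ICMP. Constructed stand-in for App-ID.
def classify(proto: int, dport: Optional[int]) -> str:
    if proto == 17 and dport in (500, 4500):   # IKE phase 1, incl. NAT-T on 4500
        return "ike"
    if proto == 50:                            # ESP carries the phase 2 traffic
        return "ipsec-esp"
    if proto == 1:                             # ping used for tunnel monitoring
        return "ping"
    return "unknown"

@dataclass
class Rule:
    name: str
    from_zones: Set[str]
    to_zones: Set[str]
    apps: Set[str]          # {"any"} matches every application
    action: str             # "allow" or "deny"
    log: bool = True        # explicit rules log at session end by default

def evaluate(rules: List[Rule], src_zone: str, dst_zone: str,
             proto: int, dport: Optional[int] = None,
             default_log: bool = False) -> Tuple[str, str, bool]:
    """Return (matched rule, action, logged) for one flow."""
    app = classify(proto, dport)
    for r in rules:
        zone_ok = (("any" in r.from_zones or src_zone in r.from_zones) and
                   ("any" in r.to_zones or dst_zone in r.to_zones))
        if zone_ok and ("any" in r.apps or app in r.apps):
            return r.name, r.action, r.log
    # No explicit match: the implicit defaults decide.
    if src_zone == dst_zone:
        return "intrazone-default", "allow", default_log
    return "interzone-default", "deny", default_log

# Constructed rulebase for a tunnel endpoint in another zone (e.g. a loopback
# in TRUST): permit only the IPsec control and data flows plus ping, instead of
# the any/any/any/any rule the original poster had to put at the top.
VPN_RULES = [
    Rule("allow-ipsec-peers", {"UNTRUST"}, {"TRUST"},
         {"ike", "ipsec-esp", "ping"}, "allow"),
]

if __name__ == "__main__":
    print(evaluate([], "UNTRUST", "UNTRUST", 17, 500))      # intrazone-default allow
    print(evaluate([], "UNTRUST", "TRUST", 50))             # interzone-default deny
    print(evaluate(VPN_RULES, "UNTRUST", "TRUST", 50))      # explicit allow, logged
```

Running it shows why the tunnel works when the gateway sits on the UNTRUST interface with no extra rule, and why ESP (protocol 50) must be covered explicitly, not just UDP 500/4500, once the endpoint lives in another zone.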