About Neo.The.One

Hi I configured an IPSec site to site VPN between Palo Alto Firewall and Checkpoint Firewall. Everything works perfectly as expected, but I get constant Logs : IKE-Phase 2 negotiation failed when processing proxy ID. cannot find matching phase 2 tunnel for received proxy ID. I have configured the proxy IDs and tunnel seems to work. But still I get the above mentioned log constantly with severity "informatikonal". Any idea what is going wrong?? Thanks! ... View more

Hello I have a Palo Alto Firewall which wants to have IPsec Tunnel with a peer firewall which is a Checkpoint Firewall. Any of the firewalls can initiate VPN Traffic. Can someone kindly let me know, what proxy IDs can be set on my Palo alto firewall for the following 2 cases. Case 1: My internal networks for VPN (Palo Alto Firewall) : 172.16.10.0/24 , 10.31.0.0/16, 10.40.40.0/24 Networks behind the peer (Checkpoint Firewall) : Unknown Case 2 My internal networks for VPN (Palo Alto Firewall) : 172.16.10.0/24 , 10.31.0.0/16, 10.40.40.0/24 Networks behind the peer (Checkpoint Firewall) : Exactly same i.e. 172.16.10.0/24 , 10.31.0.0/16, 10.40.40.0/24 Thanks a lot !! ... View more

Hallo Before going to my question, please assume the following scenario: There is a Non-Palo Alto Firewall in internet (lets call it FW-Extern). There is another Non Palo Alto Firewall inside my network (lets call it FW-intern). The FW-Extern initiates IPSec VPN to FW-Intern. The VPN connections are always initiated by the FW-Extern in the direction of FW-Intern on the public IP of FW-Intern. Now, I put a Palo Alto Firewall (lets call it PA-FW) between these two Non Palo Alto Firewalls. The PA-FW, should allow all this IPSec traffic between these two Non Palo Alto firewalls. The VPN tunnel should NOT terminate on PA-FW. The FW-Extern has a Dynamic Public IP. The FW-Intern, has a public IP address (lets say, for example, 1.2.3.4) and a private IP address (lets, say, for example, 192.168.1.1). So when PA-FW, receives the connection for the IP 1.2.3.4, it performs destination NAT and changes the destination IP to 192.168.1.1. Note that the PA-FW has an interface called e1/1, which is connected to the FW-Intern and that interface on PA-FW has an IP of 192.168.1.5. Question: Now there is a new requirement that when the PA-FW forwards packets to FW-Intern, then the PA-FW should also do Source Address Translation and change the source address to 192.168.1.5. (which is of its interface) This means that the FW-Intern should talk only to PA-FW, and the FW-Intern has no idea about any external world. How should the NAT, Security Policy and Routing for such a scenario configured? Thanks!! ... View more

Hallo i am setting up a new PA 3050 FW. I dont want to use the management port to connect to internet and download updates. So I am following the admin guide to "Set up an External Data Port" for updates. Now as per that: 1. I set up a port, say e1/4 on PA 3050, as an internal port in "L3-Trust " Zone and give it a static IP address 192.168.35.100. 2. I set up an external facing port, say e1/5, in zone "L3-Untrust". This port is connected to my ISP Router and has a publicly routable IP. Where should I cable the internal facing port e1/4 mentioned in point 1 above? Can I somehow NAT the private address to use the Interface e1/5 IP address? Thanks! ... View more

Hallo i am looking for the following documentation. I searched the knowledge base but could not find any document: 1. IPSEC Configuration Guide with PAN OS 6.0 2. Configuring PA Firewall for Remote Access Management. Could anyone give me an exact link with documents addressing above issues? (I could not find the above things in admin guide) Thanks a lot! ... View more

Hallo all, i have only one phyical ethernet interface on firewall which is facing the internet. I also want to make this PA firewall as an IPSEC Tunnel endpoint. So all my internal traffic uses this ethernet interface to go to internet. And VPN traffic should terminate on the same interface. Is this possible? If yes, how can I implement it? Any documentation or procedures? Thanks a lot! ... View more