VPNs between Palo and Check Point


Hello all,

I'm hoping that somebody may be able to answer a few questions I have about the configuration of Palo Alto firewalls please?

Most of my experience in recent years has been with Check Point firewalls.  I've found that most things can be done in a very similar way with Palo Altos but I have a few questions - about site to site VPNs in particular.

I have set up a simple testbed with a Check Point firewall (traditional mode) and a Palo Alto firewall each with an inside and outside interface.  For end to end testing there is a Windows XP machine behind each as below.

WinXP(192.168.1.2/24)---(192.168.1.1/24)PaloAlto(172.16.1.1/30)====(172.16.1.2/30)CheckPoint(192.168.5.1/24)---(192.168.5.2/24)WinXP

In order to get this working I have:

     1) Configured IKE and IPSec Cryptos in PA to match CP
     2) Created tunnel interface and selected virtual router and new zone
     3) Created IKE gateway specifying local interface, local IP, remote IP, pre-shared key and selected IKE crypto profile
     4) Created IPSec tunnel specifying tunnel interface, IKE gateway (pulling in some values) and selecting IPSec crypto profile
     4a) Added a proxy ID with Local of 192.168.1.0/24 and remote of 192.168.5.0/24
     5) Add a static route to virtual router with destination of 192.168.5.0/24 and tunnel created above as interface

I've done the equivalent on the CP box and allowed all traffic between both subnets in both policies.  All seems to work fine.


So my questions are:

     1) Is this the best way to do this please?  If so, when the CP box is replaced with a PA box will it still be the best way?

     2) Most of my sites have at least three networks behind them.  Do I need to add proxy IDs for every possible combination please?

For example,

If
     site A had subnets 192.168.1.0/24, 192.168.2.0/24 and 192.168.3.0/24
and
     site B had subnets 192.168.5.0/24, 192.168.6.0/24 and 192.168.7.0/24

would I need

     Proxy ID name proxy01 Local ID 192.168.1.0/24 Remote ID 192.168.5.0/24 Protocol Any
     Proxy ID name proxy02 Local ID 192.168.1.0/24 Remote ID 192.168.6.0/24 Protocol Any
     Proxy ID name proxy03 Local ID 192.168.1.0/24 Remote ID 192.168.7.0/24 Protocol Any
     Proxy ID name proxy04 Local ID 192.168.2.0/24 Remote ID 192.168.5.0/24 Protocol Any
     Proxy ID name proxy05 Local ID 192.168.2.0/24 Remote ID 192.168.6.0/24 Protocol Any
     Proxy ID name proxy06 Local ID 192.168.2.0/24 Remote ID 192.168.7.0/24 Protocol Any
     Proxy ID name proxy07 Local ID 192.168.3.0/24 Remote ID 192.168.5.0/24 Protocol Any
     Proxy ID name proxy08 Local ID 192.168.3.0/24 Remote ID 192.168.6.0/24 Protocol Any
     Proxy ID name proxy09 Local ID 192.168.3.0/24 Remote ID 192.168.7.0/24 Protocol Any

I'm sorry if these questions seem silly or this has been covered elsewhere.  I've had a good look around and not found much info.

Any help would really be appreciated!

Many thanks,
Dave


You have configured it appropriately. PA implements route based VPNs so the default network IDs or Proxy IDs will be 0.0.0.0/0. The default limit on the number of supported Proxy IDs is 10 so the IDs listed fall under that limit. Otherwise, you look good.

-Renato

Thanks for your reply Renato!

I'm glad that I'm going the right way although slightly concerned about the limit of 10 Proxy IDs.  I'm not sure that this will be enough in some cases.

Do you know if the limit can be increased please?

Thanks,

Dave

Hi Dave,

Unfortunately, increasing the limit would be considered a feature request and those go through your SE.

Regards,

Renato

@dyoung:

The limit is per unique tunnel. Each tunnel can have up to 10 proxy IDs. If you need more proxy IDs to the remote location you can configure a second tunnel to the VPN peer for the other proxy IDs.

-benjamin

Hi,

we have some customers working like this. You need to create a phase1 to the remote peer and if you need 20 proxy IDs you must create 2 tunnels with the same phase1 but a different phase2, each tunnel with 10 proxy IDs; remember to add the correct routes to each new tunnel.

But this works perfectly!!!

Regards

Albert Estevez

That's great - many thanks for your help everybody!

aestevez wrote:

Hi,

we have some customers working like this. You need to create a phase1 to the remote peer and if you need 20 proxy IDs you must create 2 tunnels with the same phase1 but a different phase2, each tunnel with 10 proxy IDs; remember to add the correct routes to each new tunnel.

But this works perfectly!!!

Regards

Albert Estevez

Hi!

Do I need to create 2 different tunnel interfaces (tab Network -> Interfaces) or only 2 different phase2s with the same tunnel interface?

Thanks

Hi Iceman,

you will need to define 2 different tunnels and define the correct static routes to return the traffic for each tunnel interface.

I hope this helps you.

Remember that at the end you will have 2 IPsec tunnels sharing the same IKE gateway and the same phase1 and phase2, but each IPsec tunnel will be attached to a different tunnel interface and its routes, with a maximum of 10 proxy-IDs per tunnel.

Regards

Albert
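As an added planning aid that is not from this thread: the Python below builds every local/remote proxy-ID pair for two sites and packs them into IPsec tunnels of at most 10 proxy IDs each, keeping all pairs for one remote subnet on the same tunnel so that remote's static route can point at a single tunnel interface (splitting a remote subnet across tunnels would leave some pairs unreachable by routing). The emitted PAN-OS style `set` commands, the IKE gateway name, tunnel names and virtual router name are assumptions to check against your own release and config.

```python
MAX_PROXY_IDS_PER_TUNNEL = 10  # per-tunnel limit stated in the thread

# Constructed sample: the site A / site B subnets from the original question.
SITE_A = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
SITE_B = ["192.168.5.0/24", "192.168.6.0/24", "192.168.7.0/24"]


def plan_tunnels(local_subnets, remote_subnets, limit=MAX_PROXY_IDS_PER_TUNNEL):
    """Return tunnels as {'remotes': [...], 'proxy_ids': [(local, remote), ...]}.

    All proxy IDs for one remote subnet stay on the same tunnel: the static route
    for that remote subnet can only point at one tunnel interface, so splitting a
    remote subnet across tunnels would leave some proxy IDs unreachable.
    """
    per_remote = {r: [(l, r) for l in local_subnets] for r in remote_subnets}
    for r, pairs in per_remote.items():
        if len(pairs) > limit:  # edge case: one remote alone exceeds the limit
            raise ValueError(f"{r} needs {len(pairs)} proxy IDs, more than {limit} fit one tunnel")
    tunnels = []
    for r, pairs in per_remote.items():  # first-fit packing of whole remote groups
        for t in tunnels:
            if len(t["proxy_ids"]) + len(pairs) <= limit:
                t["remotes"].append(r)
                t["proxy_ids"].extend(pairs)
                break
        else:
            tunnels.append({"remotes": [r], "proxy_ids": list(pairs)})
    return tunnels


def render_cli(tunnels, ike_gateway="ike-gw-siteB", vrouter="default"):
    """Render PAN-OS style 'set' commands; syntax and names are assumed placeholders."""
    lines = []
    for n, t in enumerate(tunnels, start=1):
        iface, name = f"tunnel.{n}", f"siteB-vpn{n}"  # one tunnel interface per IPsec tunnel
        lines.append(f"set network tunnel ipsec {name} tunnel-interface {iface}")
        lines.append(f"set network tunnel ipsec {name} auto-key ike-gateway {ike_gateway}")
        for i, (loc, rem) in enumerate(t["proxy_ids"], start=1):
            lines.append(f"set network tunnel ipsec {name} auto-key proxy-id proxy{i:02d} "
                         f"local {loc} remote {rem} protocol any")
        for rem in t["remotes"]:  # the route that steers this remote subnet into this tunnel
            route = "to-" + rem.replace("/", "_")
            lines.append(f"set network virtual-router {vrouter} routing-table ip static-route "
                         f"{route} destination {rem} interface {iface}")
    return lines


if __name__ == "__main__":
    print("\n".join(render_cli(plan_tunnels(SITE_A, SITE_B))))
```

With the 3x3 subnets from the question all 9 pairs fit one tunnel; with 4 local and 5 remote subnets the remote-grouping rule needs three tunnels (8, 8 and 4 proxy IDs), not two, because no remote group may be split.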

Checkpoint allows setting up only one tunnel between IKE gateways. That means there is no need to specify each and every proxy-id or to worry about having multiple tunnel interfaces with their respective routes. Simply use the default proxy-id in the PAN (0.0.0.0/0).

If I remember correctly this is a setting on the "interop device" in CP.

Hi Oskar,

I remember trying that (using 3.1.7) and I found that tunnels from Palo to CP established OK but tunnels from CP to Palo failed because the Palo complained about not having a matching proxy id.

In the end I had to create a proxyid to match each network I had defined in the Check Point firewall object topology.

All worked OK then.  Maybe this behaviour has changed in later versions.

Regards,

Dave

No issues whatsoever. Have used it a couple of times. In fact, I have been forced to get it working when having a CP firewall in a large VPN mesh. The CP had loads of small networks that would require a ridiculous amount of routes and tunnel interfaces on all the PAN devices. I'd say it wasn't an option in that particular case.  R65 versions and later (Checkpoint) work as far as I know.

Interesting.  Was your CP in "Traditional" or "Simple" mode as this may affect how the tunnels are negotiated?

I had quite a few little networks on CP too!  Would have preferred to get it working as you suggested,

Thanks,

Dave

Always used simple mode when setting it up this way.

Hope you get it working!

Cheers,

/Oskar
