Chapter 4. Cloud Technologies
4.1 IPsec VPN between Palo Alto on Premise and Microsoft Azure
Learning Objectives
- Configure a Virtual Network in Microsoft Azure
- Set up and configure the Azure VPN Gateway for IPsec VPN
- Implement Network Security Groups (NSGs) in Azure for traffic control
- Monitor and troubleshoot IPsec VPN connections on Palo Alto
Azure Configuration
- Create a resource group in Azure as follows:
  - Resource group: Pal
  - Region: West US
- Create a virtual network as follows:
  - Resource group: Pal
  - Name: Azure-Pal
  - Region: West US
  - Change the default subnet: 10.0.1.0/24
- Create a virtual network gateway as follows:
  - Name: Azure-VPN-Pal
  - Region: West US
  - Generation: Generation1
  - Gateway subnet address range: 10.0.0.0/24
  - Public IP address name: AzurePublic
  Click on Create and Review. It takes around 25 minutes to deploy a virtual network gateway in Azure.
- Create a local network gateway as follows:
  - Resource group: Pal
  - Region: West US
  - Name: PaloAlto
  - IP Address: IP_Address_of_Port1_PaloAlto (On Prem)
  - Address Space: IP_Address_LocalNetwork
- Go to the virtual network gateway and create a connection under Virtual network gateways > Azure-VPN-Pal > Connections > Add.
Based on the Microsoft article “About cryptographic requirements and Azure VPN gateways”, the default integrity algorithms are SHA384, SHA256, SHA1 and MD5, and the default encryption algorithms are AES256, AES192, AES128, DES3 and DES. So we’ll select SHA1 and AES128 on the Palo Alto. After this step, the gateway’s public IP address appears in the Overview tab.
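The same Azure-side steps scripted with the Azure CLI, as an added example that is not part of the original lab: the resource names and address ranges are the ones used above, while the VNet prefix, connection name, on-premises public IP, on-premises LAN prefix and pre-shared key are placeholders. Rather than relying on the gateway's default proposal list (which also accepts SHA1, MD5 and DES), the script pins one explicit AES256/SHA256 policy so both ends negotiate the same proposal; `azure_vpn_status` is the CLI counterpart of the "Verify Connections" check.

```shell
#!/bin/sh
# Added example: Azure side of the Palo Alto <-> Azure IPsec lab via the az CLI.
RG=Pal
LOCATION=westus
VNET=Azure-Pal
VNET_PREFIX=10.0.0.0/16                     # assumption: covers both subnets below
GW=Azure-VPN-Pal
LNG=PaloAlto
CONN=Azure-to-PaloAlto                      # assumption: connection name
ONPREM_IP=${ONPREM_IP:-203.0.113.10}        # placeholder: on-prem Palo Alto public IP
ONPREM_LAN=${ONPREM_LAN:-192.168.1.0/24}    # placeholder: on-prem address space
PSK=${PSK:-ReplaceWithAStrongPreSharedKey}  # placeholder: pre-shared key

# run: execute the command, or only print it when DRY_RUN is set
run() { if [ -n "$DRY_RUN" ]; then echo "$*"; else "$@"; fi; }

azure_vpn_setup() {
  run az group create --name "$RG" --location "$LOCATION"
  run az network vnet create --resource-group "$RG" --name "$VNET" --location "$LOCATION" \
      --address-prefix "$VNET_PREFIX" --subnet-name default --subnet-prefix 10.0.1.0/24
  # GatewaySubnet is the mandatory name of the subnet that hosts the VPN gateway
  run az network vnet subnet create --resource-group "$RG" --vnet-name "$VNET" \
      --name GatewaySubnet --address-prefix 10.0.0.0/24
  run az network public-ip create --resource-group "$RG" --name AzurePublic \
      --sku Standard --allocation-method Static
  run az network vnet-gateway create --resource-group "$RG" --name "$GW" --vnet "$VNET" \
      --public-ip-address AzurePublic --gateway-type Vpn --vpn-type RouteBased \
      --sku VpnGw1 --vpn-gateway-generation Generation1
  run az network local-gateway create --resource-group "$RG" --name "$LNG" \
      --gateway-ip-address "$ONPREM_IP" --local-address-prefixes "$ONPREM_LAN"
  run az network vpn-connection create --resource-group "$RG" --name "$CONN" \
      --vnet-gateway1 "$GW" --local-gateway2 "$LNG" --shared-key "$PSK"
  # Pin a single proposal; the Palo Alto IKE/IPsec crypto profiles must match it
  run az network vpn-connection ipsec-policy add --resource-group "$RG" --connection-name "$CONN" \
      --ike-encryption AES256 --ike-integrity SHA256 --dh-group DHGroup14 \
      --ipsec-encryption AES256 --ipsec-integrity SHA256 --pfs-group PFS2048 \
      --sa-lifetime 27000 --sa-max-size 102400000
}

# Prints the connection status (Connected / NotConnected / Connecting)
azure_vpn_status() {
  run az network vpn-connection show --resource-group "$RG" --name "$CONN" \
      --query connectionStatus --output tsv
}

# Only deploy when explicitly asked; DRY_RUN=1 sh script.sh shows the commands
if [ "${1:-}" = apply ]; then azure_vpn_setup; azure_vpn_status; fi
```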
Palo Alto Configuration
- First, we’ll configure the port IP addresses.
- Then, create a tunnel interface.
- Then, commit the configuration!
- Create static routes via tunnel1 and ethernet1/1 as shown in the following figures. Traffic destined for 10.0.0.0/16 should go through the tunnel. The rest of the traffic should go through the default gateway.
- Go to Network > Network Profiles > IKE Crypto and create an IKE Crypto Profile.
- Go to Network > Network Profiles > IPSec Crypto and create an IPsec Crypto Profile.
- Go to Network > Network Profiles > IKE Gateways and create an IKE Gateway.
- Go to Network > IPsec Tunnels > Add. Select the profiles you created in the previous steps, as in Figure 4.34.
- Create a firewall policy from LAN to VPN zone and from VPN to LAN.
Don’t forget to commit the configuration!
Verify Connections
If you navigate to Network > IPsec Tunnels, the tunnel status should be up.