Chapter 4. Cloud Technologies
4.1 IPsec VPN between Palo Alto on Premise and Microsoft Azure
Learning Objectives
- Configure a Virtual Network in Microsoft Azure
- Set up and configure the Azure VPN Gateway for IPsec VPN
- Implement Network Security Groups (NSGs) in Azure for traffic control
- Monitor and troubleshoot IPsec VPN connections on Palo Alto
Scenario: We are going to connect on-premise Palo Alto to Azure Virtual Gateway. This is going to be IPsec VPN between Palo Alto and Azure. First, we’ll configure Azure and then connect Palo Alto through Port1 to Azure Virtual Gateway.
Azure Configuration
- Create a resource group in Azure as follows:
- Resource group: Pal
- Region: West US
Figure 4.2: Create a resource group 
Figure 4.3: Create a resource group 
Figure 4.4: Create a resource group - Create a virtual network as follows:
- Resource group: Pal
- Name: Azure-Pal
- Region: West US
- Change the default subnet: 10.0.1.0/24
Figure 4.5: Create a virtual network 
Figure 4.6: Create a virtual network (Change default subnet) 
Figure 4.7: Create a virtual network 
Figure 4.8: Create a virtual network 
Figure 4.9: Create a virtual network - Create a virtual network gateway as following:
- Name: Azure-VPN-Pal
- Region: West US
- Generation: Generation1
- Gateway subnet address range: 10.0.0.0/24
- Public IP address name: AzurePublic
Click on Create and Review. It takes around 25 minutes to deploy a virtual network gateway in Azure.
Figure 4.10: Create a virtual network gateway 
Figure 4.11: Create a virtual network gateway 
Figure 4.12: Create a virtual network gateway 
Figure 4.13: Create a virtual network gateway 
Figure 4.14: Create a virtual network gateway (deployment) 
Figure 4.15: Deployment of virtual network gateway - Create a local network gateway as follows:
- Resource Group: Pal
- Region: West US
- Name: PaloAlto
- IP Address: IP_Address_of_Port1_FortiGate(On Prem)
- Address Space: IP_Address_LocalNetwork
Figure 4.16: Create a local network gateway 
Figure 4.17: Create a local network gateway 
Figure 4.18: Create a local network gateway (review + create) 
Figure 4.19: Verify local network gateway deployment - Go to Virtual network gateway and create a connection in Virtual network gateways > Azure-VPN-Pal > connections > Add
Figure 4.20: Connection configuration Based on the Microsoft article “About cryptographic requirements and Azure VPN gateways”, by default, integrity is SHA384, SHA256, SHA1, MD5, and encryption is AES256, AES192, AES128, DES3, DES. So, we’ll select SHA1 and AES128 in FortiGate. After doing this step, you should receive a Public IP address in the Overview tab.
Figure 4.21: Verify the public IP address
Palo Alto Configuration
- First, we’ll configure Ports IP address.
Figure 4.22: Ethernet 1/1 Config 
Figure 4.23: Ethernet 1/1 IPV4 
Figure 4.24: Ethernet 1/2 Config 
Figure 4.25: Ethernet 1/2 IPv4 Then, create a tunnel.
Figure 4.26: Create a tunnel 1 
Figure 4.27: Verify Tunnel1 Then, commit the configuration!
- Create a static route to tunnel1 and ethernet1/1 as following figures. Traffic related to 10.0.0.0/16 should go through the tunnel. The rest of the traffic should go through the default Gateway.
Figure 4.28: Create a static route to ethernet 1/1 
Figure 4.29: Create a static route to tunnel.1 - Go to Network > Network Profiles > Create an IKE Crypto.
Figure 4.30: Create an IKE Crypto Profile - Go to Network > Network Profiles > Create an IPsec Crypto Profile.
Figure 4.31: Create an IPsec Crypto Profile - Go to Network > Network Profiles > Create an IKE Crypto Gateways.
Figure 4.32: Create an IKE Gateway 
Figure 4.33: Select IKE Crypto Profile - Go to Network > IPsec Tunnels > Add. Select the previous profile you have created as Figure 4.34.
Figure 4.34: Create an IPsec Tunnel - Create a firewall policy from LAN to VPN zone and from VPN to LAN.
Figure 4.35: Create a security policy “LAN-AZ” 
Figure 4.36: Create a security policy “LAN-AZ.” Select the source zone as LAN. 
Figure 4.37: Create a security policy “LAN-AZ.” Select destination zone as VPN. 
Figure 4.38: Create a security policy “AZ-LAN” 
Figure 4.39: Create a security policy “AZ-LAN.” Select source zone as VPN. 
Figure 4.40: Create a security policy “AZ-LAN.” Select destination zone as LAN. Don’t forget to commit the configuration!
Verify Connections
If you navigate to IPsec Tunnel, the status should be up.
