Chapter 4. Cloud Technologies

4.1 IPsec VPN between Palo Alto on Premise and Microsoft Azure

Learning Objectives

  • Configure a Virtual Network in Microsoft Azure
  • Set up and configure the Azure VPN Gateway for IPsec VPN
  • Implement Network Security Groups (NSGs) in Azure for traffic control
  • Monitor and troubleshoot IPsec VPN connections on Palo Alto
Scenario: We are going to connect an on-premises Palo Alto firewall to an Azure Virtual Network Gateway over an IPsec VPN. First, we’ll configure Azure, and then connect the Palo Alto through Port1 (ethernet1/1) to the Azure Virtual Network Gateway.
Figure 4.1: Main scenario: site-to-site VPN between the on-premises Palo Alto and Microsoft Azure

Azure Configuration

  1. Create a resource group in Azure as follows:
    • Resource group: Pal
    • Region: West US
    Figure 4.2: Create a resource group (step 1)
    Figure 4.3: Create a resource group (step 2)
    Figure 4.4: Create a resource group (step 3)
  2. Create a virtual network as follows:
    • Resource group: Pal
    • Name: Azure-Pal
    • Region: West US
    • Change the default subnet to 10.0.1.0/24
    Figure 4.5: Create a virtual network (step 1)
    Figure 4.6: Create a virtual network (step 2: change the default subnet)
    Figure 4.7: Create a virtual network (step 3)
    Figure 4.8: Create a virtual network (step 4)
    Figure 4.9: Create a virtual network (step 5)
  3. Create a virtual network gateway as follows:
    • Name: Azure-VPN-Pal
    • Region: West US
    • Generation: Generation1
    • Gateway subnet address range: 10.0.0.0/24
    • Public IP address name: AzurePublic

    Click Review + create. It takes around 25 minutes to deploy a virtual network gateway in Azure.

    Figure 4.10: Create a virtual network gateway (step 1)
    Figure 4.11: Create a virtual network gateway (step 2)
    Figure 4.12: Create a virtual network gateway (step 3)
    Figure 4.13: Create a virtual network gateway (step 4)
    Figure 4.14: Create a virtual network gateway (step 5: deployment)
    Figure 4.15: Deployment of the virtual network gateway (step 6)
  4. Create a local network gateway as follows:
    • Resource Group: Pal
    • Region: West US
    • Name: PaloAlto
    • IP Address: the IP address of Port1 (ethernet1/1) on the on-premises Palo Alto
    • Address Space: the on-premises LAN address space
    Figure 4.16: Create a local network gateway (step 1)
    Figure 4.17: Create a local network gateway (step 2)
    Figure 4.18: Create a local network gateway (step 3: review + create)
    Figure 4.19: Verify local network gateway deployment (step 4)
  5. Go to Virtual network gateways > Azure-VPN-Pal > Connections > Add and create a connection.
    Figure 4.20: Connection configuration

    According to the Microsoft article “About cryptographic requirements and Azure VPN gateways”, the default integrity algorithms are SHA384, SHA256, SHA1 and MD5, and the default encryption algorithms are AES256, AES192, AES128, DES3 and DES. So, we’ll select SHA1 and AES128 on the Palo Alto. After this step, you should see a public IP address in the Overview tab.

    Figure 4.21: Verify the public IP address
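As an added example (not part of the chapter), the following Python checks the Azure address plan built in steps 2 to 4 before the gateways are deployed, and derives the static routes the on-premises Palo Alto will need in the next section. The VNet address space 10.0.0.0/16 and the on-premises LAN 192.168.10.0/24 are assumptions; the chapter only shows the two /24 subnets.

```python
import ipaddress

# Address plan from the chapter's Azure steps. The VNet address space is an
# assumption (the chapter shows only the two /24 subnets and routes 10.0.0.0/16).
VNET_SPACE = ipaddress.ip_network("10.0.0.0/16")
SUBNETS = {
    "default": ipaddress.ip_network("10.0.1.0/24"),       # step 2
    "GatewaySubnet": ipaddress.ip_network("10.0.0.0/24"),  # step 3
}
# Constructed on-premises LAN behind the Palo Alto (the chapter uses a placeholder).
ONPREM_SPACE = ipaddress.ip_network("192.168.10.0/24")


def check_address_plan(vnet, subnets, onprem):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if "GatewaySubnet" not in subnets:
        problems.append("VPN gateway requires a subnet named GatewaySubnet")
    for name, net in subnets.items():
        if not net.subnet_of(vnet):
            problems.append(f"{name} {net} is outside the VNet space {vnet}")
    names = list(subnets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                problems.append(f"{a} and {b} overlap")
    gw = subnets.get("GatewaySubnet")
    if gw is not None and gw.prefixlen > 27:
        problems.append(f"GatewaySubnet {gw} is smaller than the recommended /27")
    # An on-prem space overlapping the VNet makes the site-to-site routes ambiguous.
    if vnet.overlaps(onprem):
        problems.append(f"on-prem space {onprem} overlaps the VNet {vnet}")
    return problems


def palo_alto_static_routes(vnet, tunnel="tunnel.1", egress="ethernet1/1"):
    """Static routes the on-prem firewall needs: VNet via the tunnel, rest via WAN."""
    return [(str(vnet), tunnel), ("0.0.0.0/0", egress)]


def egress_for(dst, routes):
    """Longest-prefix match over the static routes, as the firewall's FIB would."""
    addr = ipaddress.ip_address(dst)
    matching = [r for r in routes if addr in ipaddress.ip_network(r[0])]
    return max(matching, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)[1]


if __name__ == "__main__":
    print("problems:", check_address_plan(VNET_SPACE, SUBNETS, ONPREM_SPACE))
    routes = palo_alto_static_routes(VNET_SPACE)
    print("10.0.1.4 ->", egress_for("10.0.1.4", routes), "; 8.8.8.8 ->", egress_for("8.8.8.8", routes))
```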

Palo Alto Configuration

  1. First, configure the IP addresses of the ports.
    Figure 4.22: Ethernet 1/1 Config
    Figure 4.23: Ethernet 1/1 IPv4
    Figure 4.24: Ethernet 1/2 Config
    Figure 4.25: Ethernet 1/2 IPv4

    Then, create a tunnel interface.

    Figure 4.26: Create a tunnel 1
    Figure 4.27: Verify Tunnel1

    Then, commit the configuration!

  2. Create static routes to tunnel.1 and ethernet1/1 as shown in the following figures. Traffic for 10.0.0.0/16 should go through the tunnel; all other traffic should go through the default gateway.
    Figure 4.28: Create a static route to ethernet 1/1
    Figure 4.29: Create a static route to tunnel.1
  3. Go to Network > Network Profiles > IKE Crypto and create an IKE Crypto profile.
    Figure 4.30: Create an IKE Crypto Profile
  4. Go to Network > Network Profiles > IPSec Crypto and create an IPsec Crypto profile.
    Figure 4.31: Create an IPsec Crypto Profile
  5. Go to Network > Network Profiles > IKE Gateways and create an IKE Gateway.
    Figure 4.32: Create an IKE Gateway
    Figure 4.33: Select IKE Crypto Profile
  6. Go to Network > IPsec Tunnels > Add. Select the profiles you created in the previous steps, as in Figure 4.34.
    Figure 4.34: Create an IPsec Tunnel
  7. Create security policies from the LAN zone to the VPN zone and from the VPN zone to the LAN zone.
    Figure 4.35: Create a security policy “LAN-AZ”
    Figure 4.36: Create a security policy “LAN-AZ”: select the source zone as LAN
    Figure 4.37: Create a security policy “LAN-AZ”: select the destination zone as VPN
    Figure 4.38: Create a security policy “AZ-LAN”
    Figure 4.39: Create a security policy “AZ-LAN”: select the source zone as VPN
    Figure 4.40: Create a security policy “AZ-LAN”: select the destination zone as LAN

    Don’t forget to commit the configuration!
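The chapter picks SHA1 and AES128 because both appear in Azure’s default list. As an added example (not from the chapter), this Python models the IKE proposal match between a Palo Alto IKE Crypto profile and the Azure defaults quoted in the Azure section, chooses the strongest common algorithm under an assumed preference order (a real IKE responder applies its own proposal ordering), and flags legacy algorithms; it also shows that AES256/SHA256 negotiates against the same Azure defaults.

```python
# Azure VPN gateway defaults as quoted in the chapter, in the order listed there.
AZURE_DEFAULT_IKE = {
    "encryption": ["AES256", "AES192", "AES128", "DES3", "DES"],
    "integrity": ["SHA384", "SHA256", "SHA1", "MD5"],
}

# The chapter's choice, and a hardened alternative drawn from the same Azure list.
CHAPTER_PROFILE = {"encryption": ["AES128"], "integrity": ["SHA1"]}
HARDENED_PROFILE = {"encryption": ["AES256"], "integrity": ["SHA256"]}

# Legacy algorithms a defender should flag (assumed policy, not from the chapter).
LEGACY = {"DES", "DES3", "MD5", "SHA1"}

# Preference ranking used to choose among common algorithms (assumed here;
# a real IKE responder applies its own proposal ordering).
RANK = {"AES256": 3, "AES192": 2, "AES128": 1, "DES3": 0, "DES": -1,
        "SHA384": 3, "SHA256": 2, "SHA1": 1, "MD5": 0}


def negotiate(local, peer):
    """Return the algorithm chosen per parameter, or None when some parameter
    has nothing in common (IKE Phase 1 then never establishes)."""
    chosen = {}
    for param, offered in local.items():
        common = [alg for alg in offered if alg in peer.get(param, [])]
        if not common:
            return None
        chosen[param] = max(common, key=lambda alg: RANK.get(alg, -10))
    return chosen


def legacy_choices(chosen):
    """Negotiated algorithms that fall in the legacy set, sorted by name."""
    return sorted(alg for alg in chosen.values() if alg in LEGACY)


if __name__ == "__main__":
    for name, profile in (("chapter", CHAPTER_PROFILE), ("hardened", HARDENED_PROFILE)):
        result = negotiate(profile, AZURE_DEFAULT_IKE)
        flagged = legacy_choices(result) if result else "no match"
        print(f"{name}: negotiated={result} legacy={flagged}")
```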

Verify Connections

If you navigate to Network > IPsec Tunnels, the tunnel status should be up.

Figure 4.41: Verify IPsec Tunnel
Figure 4.42: Verify connections in Azure
Figure 4.43: Verify ping from Windows to webterm
Figure 4.44: Verify ping from webterm to Windows in Azure

License

Palo Alto Firewall Copyright © 2023 by Hamid Talebi, Xavier Cawley is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.