Chapter 4. Cloud Technologies

4.3 Site-to-Site VPN between Palo Alto On-Premises and Palo Alto in Azure

Learning Objectives

  • Configure a Virtual Network in Microsoft Azure
  • Set up and configure the Azure VPN Gateway for IPsec VPN
  • Implement Network Security Groups (NSGs) in Azure for traffic control
  • Monitor and troubleshoot IPsec VPN connections on Palo Alto
Scenario: In this lab, we will create a site-to-site VPN from the on-premises Palo Alto firewall to a Palo Alto firewall in Azure. Familiarity with the configuration in section 4.2 is required for this lab. The management interface and ethernet1/1 are configured as DHCP clients, so they receive their IP addresses from the cloud.
Main scenario - Site-to-Site VPN between Palo Alto on-prem and Palo Alto in Azure
Figure 4.68: Main scenario

On-Premise Palo Alto Configuration

Device       Interface       IP address
Palo Alto    Management      DHCP client
Palo Alto    Ethernet 1/1    DHCP client
Palo Alto    Ethernet 1/2    192.168.10.1/24
WebTerm      Eth0            192.168.10.2/24
  1. Configure the firewall interfaces. Assign Ethernet1/1 to the Untrust zone and Ethernet1/2 to the Trust zone.
    Figure 4.69: Firewall Interfaces
  2. Create tunnel.1 and assign the tunnel interface to the Untrust zone.
    Figure 4.70: Create a tunnel
  3. Create two static routes: a default route pointing to 142.232.197.254 (the on-prem default gateway), and a second route sending traffic destined for Azure through the tunnel.
    Figure 4.71: Create a static route to default gateway
    Figure 4.72: Create a static route to Azure
  4. To set up the site-to-site VPN we will use the default IKE Crypto and IPsec Crypto profiles and only configure the IKE Gateway and the IPsec Tunnel, as shown in the following figures. Local and peer identification must be configured on the IKE Gateway.
    Figure 4.73: Create an IKE Gateway
    Figure 4.74: Create an IPsec Tunnel
  5. Finally, create two security policies, one from the Trust zone to the Untrust zone and the other from the Untrust zone to the Trust zone.
    Figure 4.75: Create two security policies
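The on-premises steps 1 to 5 above, written as PAN-OS CLI set commands. This is an added example, not configuration taken from the lab's screenshots; the object names (azure-gw, azure-tunnel, the rule names), ONPREM_PUBLIC_IP, AZURE_PUBLIC_IP, the pre-shared key, IKEv2 and the Azure Trust subnet 10.0.2.0/24 are assumptions, while 192.168.10.1/24 and 142.232.197.254 are the lab's own values.

```text
# Added example (not from the lab): PAN-OS configure-mode set commands for on-prem steps 1-5.
# Assumed: ONPREM_PUBLIC_IP, AZURE_PUBLIC_IP, PSK_PLACEHOLDER, 10.0.2.0/24, IKEv2, object names.

# Step 1: interfaces. ethernet1/1 is a DHCP client (Untrust), ethernet1/2 is static (Trust).
set network interface ethernet ethernet1/1 layer3 dhcp-client enable yes
set network interface ethernet ethernet1/1 layer3 dhcp-client create-default-route no
set network interface ethernet ethernet1/2 layer3 ip 192.168.10.1/24

# Step 2: tunnel.1, placed in the Untrust zone together with ethernet1/1.
set network interface tunnel units tunnel.1 comment "to Azure"
set zone Untrust network layer3 [ ethernet1/1 tunnel.1 ]
set zone Trust network layer3 ethernet1/2
set network virtual-router default interface [ ethernet1/1 ethernet1/2 tunnel.1 ]

# Step 3: default route via the on-prem gateway, and the Azure Trust subnet via the tunnel.
set network virtual-router default routing-table ip static-route default destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 142.232.197.254
set network virtual-router default routing-table ip static-route to-azure destination 10.0.2.0/24 interface tunnel.1 nexthop none

# Step 4: IKE gateway and IPsec tunnel with the default crypto profiles.
# The Azure firewall's Untrust interface holds a private address behind a NATed public IP,
# so NAT traversal is enabled and both IDs are set explicitly (the lab's "local and peer
# identification") instead of being derived from the packet source address.
set network ike gateway azure-gw protocol version ikev2
set network ike gateway azure-gw protocol ikev2 ike-crypto-profile default
set network ike gateway azure-gw protocol ikev2 dpd enable yes
set network ike gateway azure-gw protocol-common nat-traversal enable yes
set network ike gateway azure-gw local-address interface ethernet1/1
set network ike gateway azure-gw peer-address ip AZURE_PUBLIC_IP
set network ike gateway azure-gw authentication pre-shared-key key "PSK_PLACEHOLDER"
set network ike gateway azure-gw local-id type ipaddr id ONPREM_PUBLIC_IP
set network ike gateway azure-gw peer-id type ipaddr id AZURE_PUBLIC_IP
set network tunnel ipsec azure-tunnel auto-key ike-gateway azure-gw
set network tunnel ipsec azure-tunnel auto-key ipsec-crypto-profile default
set network tunnel ipsec azure-tunnel tunnel-interface tunnel.1

# Step 5: the two security policies. The lab allows any/any; here source and destination
# are narrowed to the two LANs so only the intended subnets cross the tunnel, and sessions are logged.
set rulebase security rules trust-to-untrust from Trust to Untrust source 192.168.10.0/24 destination 10.0.2.0/24 application any service application-default action allow log-end yes
set rulebase security rules untrust-to-trust from Untrust to Trust source 10.0.2.0/24 destination 192.168.10.0/24 application any service application-default action allow log-end yes

commit
```

Lines beginning with # are explanatory and are not PAN-OS commands; paste only the set lines, then commit, and verify the result with show vpn ike-sa and show vpn flow.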

Azure Configuration

  1. Create a Palo Alto firewall in Azure and configure its interfaces. Complete all the steps in section 4.1 and assign a public IP address to Ethernet 1 (Untrust zone).
  2. Create a route in Azure pointing to the Trust interface.
    Step 1 - Create a route table
    Figure 4.76: Create a route table
    Step 2 - Create a route table
    Figure 4.77: Create a route table
    Step 3 - Create a route table (verify and create)
    Figure 4.78: Create a route table (verify and create)
    Step 4 - Add a route
    Figure 4.79: Add a Route
    Step 5 - Add a default route pointing to 10.0.2.4 (Trust interface)
    Figure 4.80: Add a default route pointing to 10.0.2.4 (Trust Interface)
    Step 6 - Associate the Trust route table with the Trust subnet
    Figure 4.81: Associate Trust route to Trust Subnet
    Step 7 - Associate fwVNET with the Trust subnet
    Figure 4.82: Associate fwVNET to Trust Subnet
  3. Configure the static routes as shown in figures 4.83 and 4.84.
    Figure 4.83: Static route pointing to default gateway
    Figure 4.84: Static route pointing to tunnel
  4. To set up the site-to-site VPN we will use the default IKE Crypto and IPsec Crypto profiles and only configure the IKE Gateway and the IPsec Tunnel, as shown in figures 4.85 and 4.86.
    Figure 4.85: Create an IKE Gateway
    Figure 4.86: Create an IPsec Tunnel
  5. Finally, create two security policies, one from the Trust zone to the Untrust zone and the other from the Untrust zone to the Trust zone.
    Figure 4.87: Create two security policies
  6. Add a Windows or Linux VM to the Trust subnet. This VM is used to test ping from the Azure side to on-prem. Do not create a public IP address for the VM.
    Figure 4.88: Create a VM
    Figure 4.89: Assign Trust subnet with no public IP
  7. You should now be able to ping in both directions, and the tunnel status should show green.
    Figure 4.90: Ping from WebTerm to Azure
    Figure 4.91: Ping from Azure to WebTerm
    Figure 4.92: Tunnel Status

License

Palo Alto Firewall Copyright © 2023 by Hamid Talebi, Xavier Cawley is licensed under a Creative Commons Attribution 4.0 International License, except where otherwise noted.