Palo Alto Firewall VM Configuration

Use this configuration when pairing a Palo Alto firewall VM instance with a CloudEOS and vEOS Router instance as the two endpoints of an IPsec VTI tunnel.

Note: Refer to the Palo Alto firewall VM documentation for configuration details, including the different interfaces to use to complete the configuration and all the parameters and options.

Supported Tunnel Types

Set up IPsec VTI tunnels when using the Palo Alto firewall VM as a peer router instance with a CloudEOS and vEOS Router instance. GRE-over-IPsec tunnels are not permitted with this combination of router instances as peers.

Configuration Guidelines

The following are guidelines to follow when configuring the Palo Alto firewall VM.

  • IP address settings.

    Configure the first interface (typically named eth0) as the management interface, and use the public IP address on this interface to open the GUI of the Palo Alto firewall VM.

  • Management interface.

    Use this interface only for control plane traffic.

  • Management profile.

    When configuring the profile, select all of the protocols allowed on the management interface.

Procedure

  1. Create a new management profile. Select all of the protocols allowed on the management interface.
  2. Create a new tunnel interface and specify the following parameters.
    • Name: (for example, tunnel 1.)
    • Virtual router: (Select the existing virtual router.)
    • Security Zone: (Select the layer 3 internal zone, which is the zone from which the traffic originates.)
    • IP address: (Tunnel IP address.)
  3. Add a new IKE Crypto profile and specify the IKE options.
    Note: Make sure the settings match the IKE settings on the other end of the tunnel (the CloudEOS and vEOS Router instance); mismatched settings cause the IKE negotiation to fail.
    • Name: (can be any name.)
  4. Configure the IKE gateway.
    Note: Make sure the pre-shared key matches the key defined on the other end of the tunnel (the CloudEOS and vEOS Router instance).
  5. Add a new IPsec Crypto profile and specify the IPsec options.
    Note: Make sure the settings match the IPsec SA settings on the other end of the tunnel (the CloudEOS and vEOS Router instance); mismatched settings cause the IKE negotiation of the IPsec SAs to fail.
  6. Create a new IPsec tunnel, and select the tunnel interface, IKE gateway, IKE crypto profile, and IPsec crypto profile defined earlier in the procedure. Selecting these elements binds them to the new tunnel interface.
    Note: In the Destination IP option (one of the Tunnel Monitor settings on the Palo Alto firewall VM), enter the IP address of the tunnel interface of the CloudEOS and vEOS Router.
  7. Create a new static route for the network that is behind the remote tunnel endpoint. This new static route ensures that the traffic flows through the tunnel to the other tunnel endpoint.
  8. Commit (save) the configuration.
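The procedure above expressed as PAN-OS configure-mode `set` commands, as an added example that is not taken from the Arista or Palo Alto documentation. The object names (mgmt-prof, tunnel.1, ike-cp, ike-gw, ipsec-cp, vti-to-veos, to-veos-lan), the zone, interface and IP addresses, and the cipher choices are all assumed values, and the command syntax is written from memory of the PAN-OS CLI and should be confirmed against the CLI reference for the installed version. The `#` lines are annotations only, not CLI input.

```panos
# Assumed (constructed) values: zone "internal", virtual router "default",
# data interface ethernet1/1, tunnel.1 = 10.100.0.1/30 with the CloudEOS and
# vEOS Router tunnel interface at 10.100.0.2, peer public IP 203.0.113.10,
# remote LAN 192.168.20.0/24. Ciphers are examples and must equal the router's.

# Step 1: management profile listing the protocols allowed on the interface
set network profiles interface-management-profile mgmt-prof ping yes
set network profiles interface-management-profile mgmt-prof ssh yes
set network profiles interface-management-profile mgmt-prof https yes

# Step 2: tunnel interface, bound to the virtual router and the internal zone
set network interface tunnel units tunnel.1 ip 10.100.0.1/30
set network interface tunnel units tunnel.1 interface-management-profile mgmt-prof
set network virtual-router default interface tunnel.1
set zone internal network layer3 tunnel.1

# Step 3: IKE crypto profile (IKE SA); must match the router's IKE policy
set network ike crypto-profiles ike-crypto-profiles ike-cp dh-group group14
set network ike crypto-profiles ike-crypto-profiles ike-cp encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles ike-cp hash sha256
set network ike crypto-profiles ike-crypto-profiles ike-cp lifetime hours 8

# Step 4: IKE gateway; <PSK-PLACEHOLDER> must equal the router's pre-shared key
set network ike gateway ike-gw local-address interface ethernet1/1
set network ike gateway ike-gw peer-address ip 203.0.113.10
set network ike gateway ike-gw authentication pre-shared-key key <PSK-PLACEHOLDER>
set network ike gateway ike-gw protocol version ikev2
set network ike gateway ike-gw protocol ikev2 ike-crypto-profile ike-cp

# Step 5: IPsec crypto profile (IPsec SAs); must match the router's SA policy
set network ike crypto-profiles ipsec-crypto-profiles ipsec-cp esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles ipsec-cp esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles ipsec-cp dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles ipsec-cp lifetime hours 1

# Step 6: IPsec tunnel binding interface, gateway and profiles, plus tunnel monitor
set network tunnel ipsec vti-to-veos auto-key ike-gateway ike-gw
set network tunnel ipsec vti-to-veos auto-key ipsec-crypto-profile ipsec-cp
set network tunnel ipsec vti-to-veos tunnel-interface tunnel.1
set network tunnel ipsec vti-to-veos tunnel-monitor enable yes
set network tunnel ipsec vti-to-veos tunnel-monitor destination-ip 10.100.0.2

# Step 7: static route for the network behind the remote tunnel endpoint
set network virtual-router default routing-table ip static-route to-veos-lan destination 192.168.20.0/24
set network virtual-router default routing-table ip static-route to-veos-lan interface tunnel.1

# Step 8: save the configuration
commit
```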