Setting up site-to-site on Palo Alto


Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. What is more, if your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

 

Configuring the tunnel in the Palo Alto WebGUI

1. Open the Palo Alto WebGUI, and select the Network tab

2. Select Interfaces and open the Tunnel tab

01_Configuring_the_tunnel_in_the_Palo_Alto_WebGUI.png

3. Click Add

02_Configuring_the_tunnel_in_the_Palo_Alto_WebGUI.png

4. Assign the parameters with the following information

  • Virtual Router: Select the virtual router you would like your tunnel interface to reside in.
  • Security Zone: Configure a new zone for the tunnel interface for more granular control of traffic ingress/egressing the tunnel. If the tunnel interface is in a zone different from the zone where the traffic will originate or depart, then a policy is required to allow the traffic to flow from the source zone to the zone containing the tunnel interface.

03_Configuring_the_tunnel_in_the_Palo_Alto_WebGUI.png

5. Open the Network tab

6. Select Network Profiles and go to IKE Crypto

04_Configuring_the_tunnel_in_the_Palo_Alto_WebGUI.png

7. Click Add (at the bottom of the page) and define the IKE Crypto profile (IKEv1 Phase-1) parameters

05_Configuring_the_tunnel_in_the_Palo_Alto_WebGUI.png

  • Name: Choose the name of your own choice.
  • DH Group: 14
  • Encryption: aes-256-cbc
  • Authentication: sha256
  • Key Lifetime: 8 Hours
  • IKEv2 Authentication Multiple: 0

8. Open the Network tab. Select Network Profiles and go to IKE Gateway

9. Select Add and fill in the following information:

06_Configuring_the_tunnel_in_the_Palo_Alto_WebGUI.png

  • Name: Choose the name of your own choice
  • Version: IKEv1 (IKEv2 recommended)
  • Address Type: IPv4
  • Interface: The external interface connected to the internet
  • Local IP Address: Choose the external IP address
  • Peer IP Address Type: IP
  • Peer Address: the IP of your NordLayer dedicated server
  • Authentication: Pre-Shared Key
  • Pre-Shared Key: Enter a string of your own choice containing lower-case characters, upper-case characters, and a number. Please write down this value as we will also need this value on our end.
  • Local Identification: None (the gateway will use the local IP as the local identification value)
  • Peer Identification: None (the gateway will use the peer IP as the peer identification value)

10. Open the Network tab. Select Network Profiles and go to IPSec Crypto

11. Select Add and fill in the following information:

07_Configuring_the_tunnel_in_the_Palo_Alto_WebGUI.png

  • Name: NordLayer-Phase2
  • IPSec Protocol: ESP
  • DH Group: 14
  • Encryption: aes-256-cbc
  • Lifetime: 1 hour
  • Authentication: sha256

12. Open the Network tab. Select IPSec Tunnels, then Add and fill in the following information:

08_Configuring_the_tunnel_in_the_Palo_Alto_WebGUI.png

  • Name: Choose the name of your own choice
  • Tunnel Interface: Choose the appropriate interface
  • Type: Auto Key
  • Address Type: IPv4
  • IKE Gateway: Choose the gateway that was defined earlier
  • IPSec Crypto Profile: Choose the profile that was defined earlier

13. Open the Network tab

14. Select Virtual Routers, then select Static Routes and click Add. Fill in the following information:

09_Configuring_the_tunnel_in_the_Palo_Alto_WebGUI.png

  • Name: Choose the name of your own choice
  • Destination: 10.6.0.0 (if such an object does not exist yet make sure to define it)
  • Interface: Choose the appropriate interface
  • Next Hop: None
  • Metric: 10
  • Route Table: Unicast
  • BFD Profile: Disable BFD

15. Open the Policies tab and select Security

10_Configuring_the_tunnel_in_the_Palo_Alto_WebGUI.png

By default, IKE negotiation and IPSec/ESP packets are allowed.

11_Configuring_the_tunnel_in_the_Palo_Alto_WebGUI.png

16. If you see somewhat differently or if you wish to have more granular traffic control, select ADD, and create an appropriate rule

 

Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption  details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)

You can provide all of these values to us securely via privnote.com

In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.


Return to top