Palo Alto and Firebox BOVPN Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Palo Alto PA-220 firewall.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox T55-W with Fireware v12.5.6
  • Palo Alto PA-220 v10.0.3

Integration Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a Palo Alto PA-220 firewall.

Topology diagram

Configure the Firebox

On the Firebox, configure a Branch Office VPN (BOVPN) connection:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page appears.
  3. In the Gateways section, click Add.
  4. In the Gateway Name text box, type a name to identify this Branch Office VPN gateway.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.

Screenshot of Firebox, picture11

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  2. From the External Interface drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
  4. Select By IP Address.
  5. In the adjacent text box, type the primary IP address of the External Firebox interface.

Screenshot of Firebox, picture12

  1. Select the Remote Gateway tab.
  2. Select Static IP Address.
  3. In the adjacent text box, type the IP address of your Palo Alto WAN connection.
  4. Select By IP Address.
  5. In the adjacent text box, type the IP address of your Palo Alto WAN connection.

Screenshot of Firebox, picture13

  1. Click OK.
  2. In the Gateway Endpoint section, check the Start Phase 1 tunnel when Firebox starts check box.

Screenshot of Firebox, picture14

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. Keep all other Phase 1 settings as the default values.

Screenshot of Firebox, picture15

  1. Click Save.
  2. In the Tunnels section, click Add.

Screenshot of Firebox, picture16

  1. From the Gateway drop-down list, select the gateway that you configured.
  2. In the Addresses section, click Add.

Screenshot of Firebox, picture17

  1. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  2. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox.
  3. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  4. In the Network IP text box, type the remote IP segment. This is the local network protected by the Palo Alto firewall.

Screenshot of Firebox, picture18

  1. Click OK.
  2. Keep the default values for all of the Phase 2 Settings.

Screenshot of Firebox, picture19

  1. Click Save.

Configure the Palo Alto Firewall

Configure Basic Settings

  1. Log in to the Palo Alto Web UI at https://<IP address of the Palo Alto device>.
    The default IP address is https://192.168.1.1.
  2. Configure the Palo Alto interface. For information about how to configure interface, see the Palo Alto documentation.

Screenshot of Palo Alto, picture new1

  1. Configure the Palo Alto zone. For information about how to configure zone, see the Palo Alto documentation.

Screenshot of Palo Alto, picture new2

  1. Configure the Palo Alto firewall to route to the Internet. For information about how to configure the route, see the Palo Alto documentation.

Screenshot of Palo Alto, picture new3

Configure a Tunnel Interface

  1. Select Network > Interfaces > Tunnel.
  2. Click Add.

Screen shot of Palo Alto, picture new4

  1. In the Interface Name text box, specify a numeric suffix. In our example, we specify .1.
  2. On the Config tab, from the Virtual Router drop-down list, select default.
  3. From the Security Zone drop-down list, select New Zone.
  4. On the Zone page, in the Name text box, type a name for the zone. In our example, the name is vpn-tun.

Screenshot of Palo Alto, picture new5

  1. Click OK.
  2. Click OK.

Screenshot of Palo Alto, picture new6

Configure a Static Route

  1. Select Network > Virtual Routers.
  2. Select the default.

Screenshot of Palo Alto, picture new7

  1. Click Static Routes.
  2. Click Add.
  3. In the Name text box, type a name for the route.
  4. In the Destination text box, type the destination address.
  5. From the Interface drop-down list, select tunnel.1.
  6. From the Next Hop drop-down list, select None.

Screenshot of Palo Alto, picture new8

  1. Click OK.

Screenshot of Palo Alto, picture new9

  1. Click OK.

Configure the Palo Alto IKE Crypto Profile

  1. Select Network > Network Profiles > IKE Crypto.
  2. Click Add.
  3. In the Name text box, type a name for the profile.
  4. In the DH Group section, click Add and select group14.
  5. In the Encryption section, click Add and select aes-256-cbc.
  6. In the Authentication section, click Add and select sha256.
  7. Keep the default values for all other settings.

Screenshot of Palo Alto, picture new10

  1. Click OK.

Configure the Palo Alto IPSec Crypto Profile

  1. Select Network > Network Profiles > IPSec Crypto.
  2. Click Add.
  3. In the Name text box, type a name for the IPSec Crypto profile.
  4. From the IPSec Protocol drop-down list, select ESP.
  5. In the ENCRYPTION section, click Add and select aes-256-cbc.
  6. From the DH GROUP drop-down list, select group14.
  7. In the AUTHENTICATION section, click Add and select sha256 (NIST rating 256-bit strength).
  8. Keep the default values for all other settings.

Screenshot of Palo Alto, picture new11

  1. Click OK.

Configure the Palo Alto IKE Gateway

  1. Select Network > Network Profiles > IKE Gateways.
  2. Click Add.
  3. In the General section, in the Name text box, type a name.
  4. From the Version drop-down list, select IKEv2 only mode.
  5. For Address Type, select IPv4.
  6. From the Interface drop-down list, select ethernet1/1.
  7. From the Local IP Address drop-down list, select 198.51.100.2/24, which is the Palo Alto WAN connection.
  8. For Peer IP Address Type, select IP.
  9. In the Peer Address text box, type 203.0.113.2, which is the primary IP address of the external Firebox interface.
  10. For Authentication, select Pre-Shared Key.
  11. In the Pre-Shared Key text box, type the pre-shared key.
  12. In the Confirm Pre-Shared Key text box, type the pre-shared key again.
  13. From the Local Identification drop-down list, select None.
  14. From the Peer Identification drop-down list, select None.

Screenshot of Palo Alto, picture new12

  1. Select the Advanced Options tab.
  2. In the IKEv2 section, from the IKE Crypto Profile drop-down list, select the IKE-phase1-profile that you created above.

Screenshot of Palo Alto, picture new13

  1. Click OK.

Configure the Palo Alto IPSec Tunnel

  1. Select Network > IPSec Tunnels.
  2. Click Add.
  3. In the General section, in the Name text box, type a name for the tunnel.
  4. From the Tunnel Interface drop-down list, select the tunnel that you created above (tunnel.1).
  5. For the Type, select Auto Key.
  6. For the Address Type, select IPv4.
  7. From the IKE Gateway drop-down list, select the gateway that you created above (IKE-GW).
  8. From the IPSec Crypto Profile drop-down list, select the IPSec-phase2-profile that you created above.
  9. Select Show Advanced Options.
  10. Select Enable Replay Protection.

Screenshot of Palo Alto, picture new14

  1. Select the Proxy IDs tab.
  2. Click IPv4.
  3. Click Add.
  4. In the Proxy ID text box, type a Proxy ID name.
  5. In the Local text box, type the IP address or subnet for the VPN gateway.
  6. In the Remote text box, type the IP address or subnet for the VPN gateway.
  7. From the Protocol drop-down list, select Any.

Screenshot of Palo Alto, picture new15

  1. Click OK.

Screenshot of Palo Alto, picture new16

  1. Click OK.

Configure the Palo Alto Security Policy

  1. Select Policies > Security.
  2. Click Add.
  3. On the General tab, in the Name text box, type a name for the policy.

Screenshot of Palo Alto, picture new17

  1. Select the Source tab, in the Source Zone section, click Add and select trust.

Screenshot of Palo Alto, picture new18

  1. Select the Destination tab, in the Destination Zone section, click Add and select vpn-tun.

Screenshot of Palo Alto, picture new19

  1. Keep all other settings as the default values.
  2. Click OK.
  3. Repeat steps 1–7 to create another security policy.

Screenshot of Palo Alto, picture new20

  1. Click Commit.
  2. Click Commit.
  3. Click Close.

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab.
  3. Verify that the VPN is established.

Screenshot of Firebox, picture20

  1. Verify that Host 1 (behind the Firebox) and Host 2 (behind the Palo Alto firewall) can ping each other.