Palo Alto and Firebox Policy-Based BOVPN Integration Guide

This integration guide describes how to configure a policy-based Branch Office VPN (BOVPN) between a WatchGuard Firebox and a Palo Alto PA-220 firewall.

Contents

Integration Summary

The hardware and software used in this guide include:

  • Firebox with Fireware v12.11.2
  • Palo Alto PA-220 v10.2.4

Integration Topology

This diagram shows the topology for a policy-based BOVPN connection between a Firebox and a Palo Alto PA-220 firewall.

Diagram of WatchGuard Firebox and Palo Alto topology

Before You Begin

Before you begin these procedures, make sure that:

  • If you want to use a cloud-managed Firebox, you have a WatchGuard Cloud account and have added the Firebox to WatchGuard Cloud as a cloud-managed device. You also have configured an external network with the external (public) IP address of the Firebox and at least one internal network on the Firebox.
  • If you want to use a locally-managed Firebox, you have configured an external interface with the external (public) IP address of the Firebox and at least one internal interface on the Firebox.
  • You have configured the Palo Alto PA-220 with Layer 3 interfaces, Trust and Untrust security zones, and a static route to the Internet. For more information go to the Palo Alto documentation.

Configure the Firebox

You can configure your Firebox for a policy-based BOVPN from WatchGuard Cloud for a cloud-managed Firebox or Fireware Web UI for a locally-managed Firebox.

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. From the navigation menu, select Configure > VPNs.
    The BOVPN page opens.
  3. Click Add BOVPN.
    The Add BOVPN page opens.

    4. Screenshot of endpoint definition in WatchGuard Cloud Add BOVPN page

  4. In the Name text box, type a descriptive name for the BOVPN. In this example, we type To_Palo-Alto.
  5. From the VPN Connection Type drop-down list, select Policy-Based IPSec to Locally-Managed Firebox / Third-Party.
  6. From the Address Family drop-down list, select IPv4 Addresses.
  7. In the Endpoint A section, select your cloud-managed Firebox.
  8. In the Endpoint B section, in the Endpoint Name text box, type a name to identify the remote VPN endpoint. In our example, we type Palo Alto.
  9. Click Next.
    The VPN Gateways settings page opens.

    10. Screenshot of WatchGuard Cloud Add BOVPN > VPN Gateways page

  10. For your cloud-managed Firebox, select External.
  11. In the IP or Domain Name or User on Domain text box, select an IP address, domain name, or user on domain that resolves to the Firebox external network IP address.
  12. For the remote VPN endpoint, in the IP or Domain Name or User on Domain text box, type the IP address of your Palo Alto WAN connection. In this example, we type 198.51.100.2.
  13. To encrypt and decrypt the data that goes through the VPN tunnel, in the Pre-Shared Key text box, type a shared key. This pre-shared key matches the pre-shared key you will configure for the IKE Gateway on the Palo Alto firewall.
  14. Click Next.
    The Traffic settings page opens.

    15. Screenshot of WatchGuard Cloud Add BOVPN > Traffic page

  15. For your cloud-managed Firebox, select the internal networks that you want to be accessible through the VPN tunnel.
  16. For the Palo Alto VPN endpoint, click Add Network Resource.
  17. In the Network Resource text box, type the private network protected by the Palo Alto firewall. In our example, we type 192.168.13.0/24.
  18. Click Add.
  19. Keep the default values for all other settings.
  20. Click Next.
    The Tunnel Routes page opens.

    21. Screenshot of WatchGuard Cloud Add BOVPN > Tunnel Routes page

  21. Keep the default values for all settings.
  22. Click Next.
    The security settings page opens.

    23. Screenshot of WatchGuard Cloud Add BOVPN > Security page

  23. In the Phase 1 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. In the SA Life text box, type 8.
    4. From the Diffie-Hellman Group drop-down list, select Diffie-Hellman Group14.
  24. In the Phase 2 Settings section:
    1. From the Authentication drop-down list, select SHA2-256.
    2. From the Encryption drop-down list, select AES-CBC (256-bit).
    3. Select the Use Perfect Forward Secrecy (PFS) check box.
    4. From the PFS Group drop-down list, select Diffie-Hellman Group14.
  25. Keep all default values for all other settings.
  26. Click Add.
  27. (Optional) To open the VPN Configuration Summary page for the cloud-managed Firebox, click View Guide.

    To establish the VPN connection, configure the required settings on the Palo Alto firewall. For more information, go to Configure the Palo Alto Firewall.

  28. Click Finish.
    WatchGuard Cloud creates and deploys a configuration update for the cloud-managed Firebox.
  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page opens.
  3. In the Gateways section, click Add.
    The Add page opens.

    4. Screenshot of Fireware Web UI, Branch Office VPN page

  4. In the Gateway Name text box, type a name to identify this BOVPN gateway. In this example, we type gateway.1.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section:
    1. Select Use Pre-Shared Key.

    2. In the Use Pre-Shared Key text box, type the pre-shared key. This pre-shared key matches the pre-shared key you will configure for the IKE Gateway on the Palo Alto firewall.
    3. From the drop-down list, select String-Based.
  7. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.

    8. Screenshot of Fireware Web UI, Branch Office VPN > Add page > Gateway Endpoint Settings dialog box with local gateway settings

  8. From the External Interface drop-down list, select the interface that has the external (public) IP address of the Firebox.
  9. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  10. For Specify the Gateway ID for Tunnel Authentication, select By IP Address.
  11. In the adjacent text box, type the primary IP address of the Firebox external interface. In this example, we type 203.0.113.2.
  12. Select the Remote Gateway tab.
    The Remote Gateway page opens.

    13. Screenshot of Fireware Web UI, Branch Office VPN > Add page > Gateway Endpoint Settings dialog box with remote gateway settings

  13. For Specify the Remote Gateway IP Address for a Tunnel, select Static IP Address.
  14. In the adjacent text box, type the IP address of your Palo Alto WAN connection. In this example, we type 198.51.100.2.
  15. For Specify the Remote Gateway ID for Tunnel Authentication, select By IP Address.
  16. In the adjacent text box, type the IP address of your Palo Alto WAN connection. In this example, we type 198.51.100.2.
  17. Click OK.
    The gateway endpoint you added appears in the Gateway Endpoint section.

    18. Screenshot of Screenshot of Fireware Web UI, Branch Office VPN > Add page with new gateway endpoint

  18. In the Gateway Endpoint section, select the Start Phase 1 Tunnel When Firebox Starts check box.
  19. Select the Phase 1 Settings tab.
    The Phase 1 Settings page opens.

    20. Screenshot of Fireware Web UI, Branch Office VPN > Add page with Phase 1 settings

  20. From the Version drop-down list, select IKEv2.
  21. Keep the default values for all other Phase 1 settings.
  22. Click Save.
    The gateway you added appears on the Branch Office VPN page.

    23. Screenshot of Screenshot of Fireware Web UI, Branch Office VPN page with gateway added

  23. In the Tunnels section, click Add.
    The tunnel settings page opens.

    24. Screenshot of Screenshot of Fireware Web UI, Branch Office VPN > Add page with tunnel settings

  24. In the Name text box, type a name to identify the tunnel. In this example, we type tunnel.1.
  25. From the Gateway drop-down list, select the gateway you just configured. In this example, we select gateway.1.
  26. From the Addresses section, click Add.
    The Tunnel Route Settings dialog box opens.

    27. Screenshot of Screenshot of Fireware Web UI, Branch Office VPN > Add page > Tunnel Route Settings

  27. In the Local IP section:
    1. From the Choose Type drop-down list, select Network IPv4.
    2. In the Network IP text box, type the local IP address. This IP address is the internal network that the VPN protects. In this example, we type 192.168.35.0.
  28. In the Remote IP section:
    1. From the Choose Type drop-down list, select Network IPv4.
    2. In the Network IP text box, type the remote IP address. This IP address is the internal network that the VPN protects. In this example, we type 192.168.13.0.
  29. Click OK.
  30. Keep the default values for all Phase 2 settings.

    31. Screenshot of Fireware Web UI, Branch Office VPN > Add page with Phase 2 settings

  31. Click Save.
    The settings you configured are saved.

Configure the Palo Alto Firewall

To configure the Palo Alto firewall, complete these steps:

  1. Configure a Tunnel Interface
  2. Configure a Static Route
  3. Configure the IKE Crypto Profile
  4. Configure the IPSec Crypto Profile
  5. Configure the IKE Gateway
  6. Configure the IPSec Tunnel
  7. Configure the Security Policy

Configure a Tunnel Interface

To configure a tunnel interface on the Palo Alto firewall:

  1. Log in to the Palo Alto Web UI at: https://<IP address of the Palo Alto device>.
    The default IP address is https://192.168.1.1.
  2. Select Network > Interfaces > Tunnel.
    The Tunnel page opens.
  3. Click Add.
    The Tunnel Interface dialog box opens.

    4. Screenshot of Palo Alto, Tunnel Interface dialog box

  4. In the Interface Name text box, type a numeric suffix. In our example, we type 1.
  5. Select the Config tab.
  6. From the Virtual Router drop-down list, select Default.
  7. From the Security Zone drop-down list, select New Zone.
    The Zone dialog box opens.

    8. Screenshot of Palo Alto, Zone dialog box

  8. In the Name text box, type a name for the zone. In this example, we type vpn-tun.
  9. To save the zone, click OK.
  10. To save the tunnel interface, click OK.
    The tunnel interface is added and appears on the Tunnel page.

    11. Screenshot of Palo Alto, Tunnel page with new tunnel interface list

Configure a Static Route

To configure a static route on the Palo Alto firewall, from the Palo Alto Web UI:

  1. Select Network > Virtual Routers.
    The list of existing virtual routers opens.

    2. Screen shot of Palo Alto, Virtual Routers page with list of virtual routers

  2. In the list of virtual routers, click the Default virtual router.
  3. Click Static Routes.
  4. Click Add.
    The static route settings open.

    5. Screenshot of Palo Alto, Virtual Router dialog box

  5. In the Name text box, type a name for the route. In this example, we type route1.
  6. In the Destination text box, type the destination address. In this example, we type 192.168.35.0/24.
  7. From the Interface drop-down list, select tunnel.1.
  8. From the Next Hop drop-down list, select None.
  9. To save the static route settings, click OK.

    10. Screenshot of Palo Alto, Virtual Router dialog box with new static route

  10. To save the virtual router settings, click OK.
    The updates to the Default virtual router configuration are saved.

Configure the IKE Crypto Profile

To configure the IKE crypto profile on the Palo Alto firewall, from the Palo Alto Web UI:

  1. Select Network > Network Profiles > IKE Crypto.
    The list of existing IKE crypto profiles opens.
  2. Click Add.
    The IKE Crypto Profile dialog box opens.

    3. Screenshot of Palo Alto, IKE Crypto Profile dialog box

  3. In the Name text box, type a name for the profile. In this example, we type IKE-phase1-profile.
  4. In the DH Group section, click Add, then select the group14 check box.
  5. In the Encryption section, click Add, then select the aes-256-cbc check box.
  6. In the Authentication section, click Add, then select the sha256 check box.
  7. Keep the default values for all other settings.
  8. Click OK.
    The profile is added to the list of IKE crypto profiles.

Configure the IPSec Crypto Profile

To configure the IPSec crypto profile on the Palo Alto firewall, from the Palo Alto Web UI:

  1. Select Network > Network Profiles > IPSec Crypto.
    The list of existing IPSec crypto profiles opens.
  2. Click Add.
    The IPSec Crypto Profile dialog box opens.

    3. Screenshot of Palo Alto, IPSec Crypto Profile dialog box

  3. In the Name text box, type a name for the IPSec Crypto profile. In this example, we type IPSec-phase2-profile.
  4. From the IPSec Protocol drop-down list, select ESP.
  5. In the Encryption section, click Add, then select the aes-256-cbc check box.
  6. From the DH Group drop-down list, select group14.
  7. In the Authentication section, click Add, then select the sha256 check box.
  8. Keep the default values for all other settings.
  9. Click OK.
    The profile is added to the list of IPSec crypto profiles.

Configure the IKE Gateway

To configure the IKE gateway on the Palo Alto firewall, from the Palo Alto Web UI:

  1. Select Network > Network Profiles > IKE Gateways.
    The list of existing IKE gateways opens.
  2. Click Add.
    The IKE Gateway dialog box opens with the General tab selected by default.

    3. Screenshot of Palo Alto, IKE Gateway dialog box

  3. In the Name text box, type a name for the IKE gateway. In this example, we type IKE-GW.
  4. From the Version drop-down list, select IKEv2 Only Mode.
  5. For Address Type, select IPv4.
  6. From the Interface drop-down list, select Ethernet1/1.
  7. From the Local IP Address drop-down list, select the IP address for the Palo Alto WAN connection. In this example, we select 198.51.100.2/24.
  8. For Peer IP Address Type, select IP.
  9. In the Peer Address text box, type the primary IP address of the external Firebox interface. In this example, we type 203.0.113.2.
  10. For Authentication, select Pre-Shared Key.
  11. In the Pre-Shared Key text box, type the same pre-shared key you configured on the Firebox.
  12. In the Confirm Pre-Shared Key text box, type the pre-shared key again.
  13. From the Local Identification drop-down list, select None.
  14. From the Peer Identification drop-down list, select None.
  15. Select the Advanced Options tab.
    The Advanced Options page opens.

    16. Screenshot of Palo Alto, IKE Gateway dialog box with Advanced Options

  16. In the IKEv2 section, from the IKE Crypto Profile drop-down list, select the IKE crypto profile you created in the Configure the IKE Crypto Profile section. In this example, we select IKE-phase1-profile.
  17. Click OK.
    The gateway is added to the list of IKE gateways.

Configure the IPSec Tunnel

To configure the IPSec tunnel on the Palo Alto firewall, from the Palo Alto Web UI:

  1. Select Network > IPSec Tunnels.
    The list of existing IPSec tunnels opens.
  2. Click Add.
    The IPSec Tunnel dialog box opens with the General tab selected by default.

    3. Screenshot of Palo Alto, IPSec Tunnel dialog box with general settings

  3. In the Name text box, type a name for the tunnel. In this example, we type IPSec-tunnel.
  4. From the Tunnel Interface drop-down list, select the tunnel interface you created in the Configure a Tunnel Interface section. In this example, we type tunnel.1.
  5. For Type, select Auto Key.
  6. For Address Type, select IPv4.
  7. From the IKE Gateway drop-down list, select the gateway you created in the Configure the IKE Gateway section. In this example, we select IKE-GW.
  8. From the IPSec Crypto Profile drop-down list, select the IPSec crypto profile you created in the Configure the IPSec Crypto Profile section. In this example, we select IPSec-phase2-profile.
  9. Select the Show Advanced Options check box.
  10. Select the Enable Replay Protection check box.
  11. Select the Proxy IDs tab.
  12. Click IPv4.
  13. Click Add.
    The Proxy ID dialog box opens.

    14. Screen shot of Palo Alto, Proxy ID dialog box

  14. In the Proxy ID text box, type a Proxy ID name. In this example, we type Proxy.
  15. In the Local text box, type the IP address or subnet for the local VPN gateway. In this example, we type 192.168.13.0/24.
  16. In the Remote text box, type the IP address or subnet for the remote VPN gateway. In this example, we type 192.168.35.0/24.
  17. From the Protocol drop-down list, select Any.
  18. Click OK.

    19. Screenshot of Palo Alto, IPSec Tunnel dialog box with new proxy ID

  19. Click OK.
    The tunnel is added to the list of IPSec tunnels.

Configure the Security Policy

To configure a security policy on the Palo Alto firewall, from the Palo Alto Web UI:

  1. Select Policies > Security.
    The list of existing security policies opens.
  2. Click Add.
    The Security Policy Rule dialog box opens with the General tab selected by default.

    3. Screenshot of Palo Alto, Security Policy Rule dialog box

  3. In the Name text box, type a name for the policy. In this example, we type trust-vpn-tun.
  4. Select the Source tab.
    The Source page opens.

    5. Screenshot of Palo Alto, Security Policy Rule dialog box with Source settings

  5. In the Source Zone section, click Add, then select Trust.
  6. Select the Destination tab.
    The Destination page opens.

    7. Screenshot of Palo Alto, Security Policy Rule dialog box with Destination settings

  7. In the Destination Zone section, click Add, then select the security zone you created in the Configure a Tunnel Interface section. In this example, we select vpn-tun.
  8. Keep the default values for all other settings.
  9. Click OK.
  10. To create another security policy, repeat Steps 1-9.

    11. Screenshot of Palo Alto, Security page with list of security policies

  11. Click Commit.
    The firewall can take several minutes to save your change.
  12. Click Close.

Test the Integration

  1. Log in to WatchGuard Cloud.
    If you log in with a Service Provider account, you must select a Subscriber account from the Account Manager.
  2. Select the cloud-managed Firebox.
  3. Select Monitor > Live Status > VPN.
    The VPN page opens with the Branch Office VPN tab selected by default.

    4. Screenshot of WatchGuard Cloud VPN page

  4. Verify that Host 1 (behind the Firebox) and Host 2 (behind the Palo Alto firewall) can ping each other.
  1. Log in to Fireware Web UI.
  2. Select System Status > VPN Statistics.
    The VPN Statistics page opens.
  3. Select the Branch Office VPN tab.
    The Branch Office VPN page opens.

    4. Screenshot of Fireware Web UI VPN Statistics page

  4. Verify that the VPN is established.
  5. Verify that Host 1 (behind the Firebox) and Host 2 (behind the Palo Alto firewall) can ping each other.
  1. Log in to Palo Alto Firewall.
  2. Select Network > IPSec Tunnels.
  3. Make sure all the status columns are up and the status icons are green.

    4. Screenshot of PA-220, IPSec tunnel status