Palo Alto and Firebox BOVPN Integration Guide

Deployment Overview

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, see the documentation and support resources for that product.

This integration guide describes how to configure a Branch Office VPN (BOVPN) tunnel between a WatchGuard Firebox and a Palo Alto PA-220 firewall.

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox T55-W with Fireware v12.5.3
  • Palo Alto PA-220 v9.1.2-h1

Integration Topology

This diagram shows the topology for a BOVPN connection between a Firebox and a Palo Alto PA-220 firewall.

Topology diagram

Configure the Firebox

On the Firebox, configure a Branch Office VPN (BOVPN) connection:

  1. Log in to Fireware Web UI.
  2. Select VPN > Branch Office VPN.
    The Branch Office VPN configuration page appears.
  3. In the Gateways section, click Add.
  4. In the Gateway Name text box, type a name to identify this Branch Office VPN gateway.
  5. From the Address Family drop-down list, select IPv4 Addresses.
  6. In the Credential Method section, select Use Pre-Shared Key.
  7. In the adjacent text box, type the pre-shared key.

Screen shot of Firebox, picture1

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box appears.
  2. From the External Interface drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
  4. Select By IP Address.
  5. In the adjacent text box, type the primary IP address of the External Firebox interface.

Screen shot of Firebox, picture2

  1. Select the Remote Gateway tab.
  2. Select Static IP Address.
  3. In the adjacent text box, type the IP address of your Palo Alto WAN connection.
  4. Select By IP Address.
  5. In the adjacent text box, type the IP address of your Palo Alto WAN connection.

Screen shot of Firebox, picture3

  1. Click OK.
  2. In the Gateway Endpoint section, check the Start Phase 1 tunnel when Firebox starts check box.

Screen shot of Firebox, picture4

  1. Select the Phase 1 Settings tab.
  2. From the Version drop-down list, select IKEv2.
  3. Keep all other Phase 1 settings as the default values.

Screen shot of Firebox, picture5

  1. Click Save.
  2. In the Tunnels section, click Add.

Screen shot of Firebox, picture6

  1. From the Gateway drop-down list, select the gateway that you configured.
  2. In the Addresses section, click Add.

Screen shot of Firebox, picture7

  1. In the Local IP section, from the Choose Type drop-down list, select Network IPv4.
  2. In the Network IP text box, type the local IP segment. This is the local network protected by the Firebox.
  3. In the Remote IP section, from the Choose Type drop-down list, select Network IPv4.
  4. In the Network IP text box, type the remote IP segment. This is the network behind the Palo Alto firewall.

Screen shot of Firebox, picture8

  1. Click OK.
  2. Keep the default values for all of the Phase 2 Settings.

Screen shot of Firebox, picture9

  1. Click Save.

Configure the Palo Alto Firewall

Configure Basic Settings

  1. Log in to the Palo Alto Web UI at https://<IP address of the Palo Alto device>.
    The default IP address is https://192.168.1.1.
  2. Configure the Palo Alto interfaces.
    For information about how to configure interfaces, zones, and routes, see the Palo Alto documentation.

Screen shot of Palo Alto, picture1

Screen shot of Palo Alto, picture2

Screen shot of Palo Alto, picture3

Configure a Tunnel Interface

  1. Select Network > Interfaces > Tunnel.
  2. Click Add.

Screen shot of Palo Alto, picture5

  1. In the Interface Name text box, specify a numeric suffix. In our example, we specify .1.
  2. On the Config tab, from the Virtual Router drop-down list, select default.
  3. From the Security Zone drop-down list, select New Zone.
  4. On the Zone page, in the Name text box, type a name for the zone. In our example, the name is vpn-tun.

Screen shot of Palo Alto, picture4

  1. Click OK.
  2. Click OK.

Screen shot of Palo Alto, picture6

Configure a Static Route

  1. Select Network > Virtual Routers.
  2. Select the default virtual router.

Screen shot of Palo Alto, picture7

  1. Click Static Routes.
  2. Click Add.
  3. In the Name text box, type a name for the route.
  4. In the Destination text box, type the destination address.
  5. From the Interface drop-down list, select tunnel.1.
  6. From the Next Hop drop-down list, select None.

Screen shot of Palo Alto, picture8

  1. Click OK.

Screen shot of Palo Alto, picture9

  1. Click OK.

Configure the Palo Alto IKE Crypto Profile

  1. Select Network > Network Profiles > IKE Crypto.
  2. Click Add.
  3. In the Name text box, type a name for the profile.
  4. In the DH Group section, click Add and select group14.
  5. In the Encryption section, click Add and select aes-256-cbc.
  6. In the Authentication section, click Add and select sha256.
  7. Keep the default values for all other settings.

Screen shot of Palo Alto, picture10

  1. Click OK.

Configure the Palo Alto IPSec Crypto Profile

  1. Select Network > Network Profiles > IPSec Crypto.
  2. Click Add.
  3. In the Name text box, type a name for the IPSec Crypto profile.
  4. From the IPSec Protocol drop-down list, select ESP.
  5. In the Encryption section, click Add and select aes-256-cbc.
  6. From the DH Group drop-down list, select group14.
  7. In the Authentication section, click Add and select sha256 (NIST rating 256-bit strength).
  8. Keep the default values for all other settings.

Screen shot of Palo Alto, picture11

  1. Click OK.

Configure the Palo Alto IKE Gateway

  1. Select Network > Network Profiles > IKE Gateways.
  2. Click Add.
  3. In the General section, in the Name text box, type a name.
  4. From the Version drop-down list, select IKEv2 only mode.
  5. For Address Type, select IPv4.
  6. From the Interface drop-down list, select ethernet1/1.
  7. From the Local IP Address drop-down list, select 198.51.100.2/24.
  8. For Peer IP Address Type, select IP.
  9. In the Peer Address text box, type 203.0.113.2.
  10. For Authentication, select Pre-Shared Key.
  11. In the Pre-Shared Key text box, type the pre-shared key.
  12. In the Confirm Pre-Shared Key text box, type the pre-shared key again.
  13. From the Local Identification drop-down list, select None.
  14. From the Peer Identification drop-down list, select None.

Screen shot of Palo Alto, picture12

  1. Select the Advanced Options tab.
  2. In the IKEv2 section, from the IKE Crypto Profile drop-down list, select the IKE-phase1-profile that you created above.

Screen shot of Palo Alto, picture13

  1. Click OK.

Configure the Palo Alto IPSec Tunnel

  1. Select Network > IPSec Tunnels.
  2. Click Add.
  3. In the General section, in the Name text box, type a name for the tunnel.
  4. From the Tunnel Interface drop-down list, select the tunnel that you created above (tunnel.1).
  5. For the Type, select Auto Key.
  6. For the Address Type, select IPv4.
  7. From the IKE Gateway drop-down list, select the gateway that you created above (IKE-GW).
  8. From the IPSec Crypto Profile drop-down list, select the profile that you created above (IPSec-phase2-profile).
  9. Select Show Advanced Options.
  10. Select Enable Replay Protection.

Screen shot of Palo Alto, picture14

  1. Select the Proxy IDs tab.
  2. Click IPv4.
  3. Click Add.
  4. In the Proxy ID text box, type a Proxy ID name.
  5. In the Local text box, type the local IP address or subnet (the network behind the Palo Alto firewall).
  6. In the Remote text box, type the remote IP address or subnet (the network behind the Firebox).
  7. From the Protocol drop-down list, select Any.

Screen shot of Palo Alto, picture15

  1. Click OK.

Screen shot of Palo Alto, picture16

  1. Click OK.
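The Firebox tunnel addresses (Local IP / Remote IP) and the Palo Alto Proxy ID (Local / Remote) must mirror each other exactly, or Phase 2 will not negotiate the expected selectors. The following check is an added example and is not part of the WatchGuard guide or either vendor's product; it uses the gateway addresses from this guide (203.0.113.2 for the Firebox, 198.51.100.2 for the PA-220) with constructed LAN subnets and a constructed placeholder pre-shared key.

```python
# Added example: consistency check for a Firebox <-> Palo Alto BOVPN configuration.
# Subnets and the PSK below are constructed sample values, not from the guide.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class VpnSide:
    name: str
    gateway_ip: str            # this device's external/WAN address
    peer_ip: str               # the other device's external/WAN address
    ike_version: str           # "IKEv2" on both sides in this guide
    psk: str                   # pre-shared key (constructed placeholder here)
    local_nets: list = field(default_factory=list)   # networks behind this device
    remote_nets: list = field(default_factory=list)  # networks behind the peer


def _nets(values):
    """Normalise address strings (single host or CIDR) to a set of ip_network objects."""
    return {ipaddress.ip_network(v, strict=False) for v in values}


def check_pair(a: VpnSide, b: VpnSide) -> list:
    """Return a list of mismatches between two BOVPN endpoints (empty list = consistent)."""
    problems = []
    if a.peer_ip != b.gateway_ip:
        problems.append(f"{a.name} peer {a.peer_ip} != {b.name} gateway {b.gateway_ip}")
    if b.peer_ip != a.gateway_ip:
        problems.append(f"{b.name} peer {b.peer_ip} != {a.name} gateway {a.gateway_ip}")
    if a.ike_version != b.ike_version:
        problems.append(f"IKE version mismatch: {a.ike_version} vs {b.ike_version}")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    # Phase 2 selectors must mirror: A's local == B's remote, and A's remote == B's local.
    if _nets(a.local_nets) != _nets(b.remote_nets):
        problems.append(f"{a.name} local {a.local_nets} != {b.name} remote {b.remote_nets}")
    if _nets(a.remote_nets) != _nets(b.local_nets):
        problems.append(f"{a.name} remote {a.remote_nets} != {b.name} local {b.local_nets}")
    return problems


# Constructed sample: Firebox external 203.0.113.2, Palo Alto ethernet1/1 198.51.100.2.
FIREBOX = VpnSide("Firebox", "203.0.113.2", "198.51.100.2", "IKEv2", "sample-psk",
                  local_nets=["10.1.0.0/24"], remote_nets=["10.2.0.0/24"])
PALO_ALTO = VpnSide("PA-220", "198.51.100.2", "203.0.113.2", "IKEv2", "sample-psk",
                    local_nets=["10.2.0.0/24"], remote_nets=["10.1.0.0/24"])
# Same Palo Alto with the Proxy ID Remote typed one bit too narrow (10.1.0.0/25):
# the Phase 2 selectors no longer mirror each other, a common cause of Phase 2 failure.
PALO_ALTO_BAD = VpnSide("PA-220", "198.51.100.2", "203.0.113.2", "IKEv2", "sample-psk",
                        local_nets=["10.2.0.0/24"], remote_nets=["10.1.0.0/25"])

if __name__ == "__main__":
    for side in (PALO_ALTO, PALO_ALTO_BAD):
        print(side.name, check_pair(FIREBOX, side) or "OK")
```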

Configure the Palo Alto Security Policy

  1. Select Policies > Security.
  2. Click Add.
  3. On the General tab, in the Name text box, type a name for the policy.

Screen shot of Palo Alto, picture17

  1. On the Source tab, in the Source Zone section, click Add and select trust.

Screen shot of Palo Alto, picture18

  1. On the Destination tab, in the Destination Zone section, click Add and select vpn-tun.

Screen shot of Palo Alto, picture19

  1. Keep all other settings as the default values.
  2. Click OK.
  3. Repeat steps 1–7 to create another security policy.

Screen shot of Palo Alto, picture20

  1. Click Commit.
  2. Click Commit.
  3. Click Close.

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab.
  3. Verify that the VPN is established.

Screen shot of Firebox, picture10

  1. Verify that Host 1 (behind the Firebox) and Host 2 (behind the Palo Alto firewall) can ping each other.