Aviatrix Gateway to Palo Alto Firewall

This document describes how to build an IPSec-tunnel-based Site2Cloud connection between an Aviatrix Gateway and a Palo Alto Networks Firewall. To simulate an on-premises firewall, we use a VM-Series in an AWS VPC.

The network setup is as follows:

VPC1 (with Aviatrix Gateway)

VPC1 CIDR: 10.0.0.0/16

VPC1 Public Subnet CIDR: 10.0.1.0/24

VPC1 Private Subnet CIDR: 10.0.2.0/24

VPC2 (with Palo Alto Networks VM-series)

VPC2 CIDR: 10.13.0.0/16

VPC2 Public Subnet CIDR: 10.13.0.0/24

VPC2 Private Subnet CIDR: 10.13.1.0/24

Configuration Workflow

  1. Launch a Palo Alto Networks VM-Series with at least two network interfaces: one interface serves as the WAN port and is in VPC2’s public subnet; the other serves as the LAN port and is in VPC2’s private subnet. Collect the public IP address of the WAN port.

  2. At the Aviatrix Controller, go to Gateway > New Gateway to launch an Aviatrix Gateway in VPC1’s public subnet. Collect both the public and private IP addresses of the Gateway.

  3. At the Aviatrix Controller, go to Site2Cloud and click Add New to create a Site2Cloud connection:

    Field                            Value
    -------------------------------  -----------------------------------------------------
    VPC ID/VNet Name                 Choose the VPC ID of VPC1
    Connection Type                  Unmapped
    Connection Name                  Arbitrary (e.g. avx-pan-s2c)
    Remote Gateway Type              Generic
    Tunnel Type                      UDP
    Algorithms                       Uncheck this box
    Encryption over DirectConnect    Uncheck this box
    Enable HA                        Uncheck this box
    Primary Cloud Gateway            Select the Aviatrix Gateway created above
    Remote Gateway IP Address        Public IP of the Palo Alto Networks VM-Series WAN port
    Pre-shared Key                   Optional (auto-generated if not entered)
    Remote Subnet                    10.13.1.0/24 (VPC2 private subnet)
    Local Subnet                     10.0.2.0/24 (VPC1 private subnet)

  4. At the Aviatrix Controller, go to the Site2Cloud page. From the Site2Cloud connection table, select the connection created above (e.g. avx-pan-s2c). Select Generic from the Vendor drop-down list and click the Download Configuration button to download the Site2Cloud configuration. Save the configuration file; it holds the pre-shared key and the IKE/IPSec parameters you will enter on the Palo Alto Networks VM.

  5. Log into the Palo Alto Networks VM-Series and configure it as follows:

    1. Go to Network > Interface > Tunnel, click Add to create a new tunnel interface and assign the following parameters.

      Field              Value
      -----------------  ---------------------------------------------------------------
      Interface Name     tunnel.1
      Virtual Router     Select the existing default virtual router
      Security Zone      Select the layer 3 internal zone from which traffic originates

      Note

      If the tunnel interface is in a zone different from the one where the traffic will originate, a policy needs to be created to allow the traffic to flow from the source zone to the zone containing the tunnel interface.

    2. Go to Network > Network Profiles > IKE Crypto, click Add and define the IKE Crypto profile (IKEv1 Phase-1) parameters.

    3. Go to Network > Network Profiles > IKE Gateways to configure the IKE Phase-1 Gateway. These parameters must match the Site2Cloud configuration downloaded at Step 4.

      Field                 Value
      --------------------  ------------------------------------------------------------
      Interface             Palo Alto Networks WAN port
      Peer IP Address       Aviatrix Gateway public IP
      Pre-shared Key        Key from the Site2Cloud configuration downloaded at Step 4
      Peer Identification   IP Address; enter the Aviatrix Gateway private IP

      Field                 Value
      --------------------  ------------------------------------------
      IKE Crypto Profile    Select the profile created at Step 5.2

    4. Under Network > Network Profiles > IPSec Crypto, click Add to create a new profile. Define the IPSec crypto profile (IKEv1 Phase-2). These parameters must match the Site2Cloud configuration downloaded at Step 4.

    5. Under Network > IPSec Tunnels, click Add to create a new IPSec Tunnel. At the General window:

      Field                  Value
      ---------------------  ------------------------------------------
      Tunnel Interface       Tunnel interface created at Step 5.1
      IKE Gateway            IKE gateway created at Step 5.3
      IPSec Crypto Profile   IPSec crypto profile created at Step 5.4

    6. In the Proxy IDs window:

      Field      Value
      ---------  ---------------------------
      Local      VPC2 private subnet CIDR
      Remote     VPC1 private subnet CIDR
      Protocol   Any

    7. Under Network > Virtual Routers, click on the virtual router profile, then click Static Routes and add a new route destined for VPC1’s private subnet.

      Field         Value
      ------------  --------------------------------------
      Destination   VPC1 private subnet CIDR
      Interface     Tunnel interface created at Step 5.1

    8. Commit the configuration.

  6. At the AWS portal, configure the VPC Route Table associated with the private subnet of VPC2. Add a route destined for VPC1’s private subnet with the Palo Alto Networks VM LAN port as the target.

  7. Send traffic between VPC1’s and VPC2’s private subnets. At the Aviatrix Controller, go to the Site2Cloud page to verify the Site2Cloud connection status.


For troubleshooting, go to Site2Cloud > Diagnostics and select commands from the Action drop-down list.
