External Device to Palo Alto VM-Series
This document describes how to build a Transit connection between an Aviatrix Transit Gateway and a Palo Alto Networks firewall. To simulate an on-prem firewall, we use a VM-Series in an AWS VPC.
The network setup is as follows:
VPC1 (with Aviatrix Transit Gateway)
VPC1 CIDR: 10.5.0.0/16
VPC1 Public Subnet CIDR: 10.5.3.0/24
VPC1 Private Subnet CIDR: 10.5.2.0/24
VPC2 (with Palo Alto Networks VM-series)
VPC2 CIDR: 10.0.0.0/16
VPC2 Public Subnet CIDR: 10.0.0.0/24
VPC2 Private Subnet CIDR: 10.0.1.0/24
Sample prefix advertised with the help of BGP: 192.168.0.24/32 (loopback interface on the Palo Alto)
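Before building the tunnel it is worth checking the address plan above for the two faults that most often break a Transit design: overlapping VPC CIDRs, and a BGP-advertised prefix that falls inside one of the VPCs (the Transit Gateway would then prefer the wrong path or black-hole the traffic). The following check is an added example, not part of the Aviatrix documentation; it uses only the CIDRs listed above and the Python standard library.

```python
"""Sanity-check the address plan of this walkthrough: the two VPC CIDRs must not
overlap, each subnet must sit inside its VPC, and the prefix advertised over BGP
must not fall inside either VPC.  Added example (not Aviatrix code); the
addresses are the ones listed on the page."""
import ipaddress

VPC1 = {"cidr": "10.5.0.0/16", "public": "10.5.3.0/24", "private": "10.5.2.0/24"}
VPC2 = {"cidr": "10.0.0.0/16", "public": "10.0.0.0/24", "private": "10.0.1.0/24"}
ADVERTISED = ["192.168.0.24/32"]   # loopback on the VM-Series, learned via BGP


def check_plan(vpc1, vpc2, advertised):
    """Return a list of human-readable problems; an empty list means the plan is consistent."""
    problems = []
    nets = {"VPC1": ipaddress.ip_network(vpc1["cidr"]),
            "VPC2": ipaddress.ip_network(vpc2["cidr"])}

    # Transit peering between two VPCs with overlapping CIDRs cannot route correctly.
    if nets["VPC1"].overlaps(nets["VPC2"]):
        problems.append(f"VPC CIDRs overlap: {nets['VPC1']} and {nets['VPC2']}")

    # Every subnet must be carved out of its own VPC CIDR, and the two subnets
    # of a VPC must not overlap each other.
    for name, vpc in (("VPC1", vpc1), ("VPC2", vpc2)):
        public = ipaddress.ip_network(vpc["public"])
        private = ipaddress.ip_network(vpc["private"])
        for kind, subnet in (("public", public), ("private", private)):
            if not subnet.subnet_of(nets[name]):
                problems.append(f"{name} {kind} subnet {subnet} is not inside {nets[name]}")
        if public.overlaps(private):
            problems.append(f"{name} public and private subnets overlap: {public} / {private}")

    # A prefix learned over BGP that lies inside a VPC CIDR competes with the
    # VPC's own route and leads to asymmetric or black-holed traffic.
    for prefix in advertised:
        route = ipaddress.ip_network(prefix)
        for name, net in nets.items():
            if route.overlaps(net):
                problems.append(f"advertised prefix {route} overlaps {name} {net}")
    return problems


if __name__ == "__main__":
    for problem in check_plan(VPC1, VPC2, ADVERTISED) or ["address plan OK"]:
        print(problem)
```

Run it once with the real CIDRs of your deployment; any line it prints has to be fixed in the address plan before the tunnel and BGP session are worth configuring.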
From the Controller, go to Transit Network -> Setup -> Launch a Transit VPC GW.
- Connect the transit VPC GW to Palo Alto. Go to Transit Network -> Setup -> Connect to VGW/External Device. Select External Device and input the following parameters.
- BGP Local AS number: ASN of the transit VPC GW
- BGP Remote AS number: ASN of the Palo Alto
- Remote Gateway IP Address: Palo Alto WAN interface public IP.
If a private IP is used as the remote gateway IP, make sure to check “Over DirectConnect”.
Download the configuration: go to Site2Cloud, click on the connection, select Generic and click Download Configuration. The Palo Alto is configured from this file in the steps that follow.
Log into the Palo Alto Networks VM-Series and configure it as follows:
Go to Network > Interface > Tunnel, click Add to create a new tunnel interface and assign the following parameters.
Field            Value
Interface Name   tunnel.45 (any name)
Virtual Router   Select the existing default virtual router
Security Zone    Select the layer 3 internal zone from which traffic originates
If the tunnel interface is in a zone different from the one where the traffic will originate, a policy needs to be created to allow the traffic to flow from the source zone to the zone containing the tunnel interface.
Go to Network > Network Profiles > IKE Crypto, click Add and define the IKE Crypto profile (IKEv1 Phase-1) parameters.
Go to Network > Network Profiles > IKE Gateways to configure the IKE Phase-1 Gateway. These parameters should match the site2cloud configuration downloaded at Step 4.

Field                 Value
Interface             Palo Alto Networks WAN port
Peer IP Address       Aviatrix Gateway public IP
Pre-shared Key        Key from the site2cloud configuration downloaded at Step 3
Peer Identification   IP Address & Aviatrix Gateway public IP

If a remote private IP was used at Step 2, the Peer IP Address should be the remote private IP, while Peer Identification should be the remote public IP.

Field                 Value
IKE Crypto Profile    Select the profile created at Step 4.b

Under Network > Network Profiles > IPSec Crypto, click Add to create a new profile. Define the IPSec crypto profile (IKEv1 Phase-2). These parameters should match the site2cloud configuration downloaded at Step 4.
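The two crypto profiles above are where most tunnel failures come from: a Phase-1 mismatch means the IKE SA never forms, a Phase-2 mismatch means IKE comes up but the IPSec tunnel stays red. Vendors also spell the same setting differently (the downloaded file may say "DH Group 14" where PAN-OS says "group14"), so a plain string comparison is not enough. The following checker is an added example, not Aviatrix or Palo Alto code; the parameter values in it are constructed placeholders, to be replaced with the values read from the downloaded configuration and from the firewall's profiles.

```python
"""Check that the IKE (Phase-1) and IPSec (Phase-2) proposals entered on the
VM-Series match the ones in the downloaded Site2Cloud configuration.

Added example, not part of the Aviatrix or Palo Alto documentation.  The
parameter values below are constructed placeholders."""
import re

# Fields that have to agree on both ends for each phase.
PHASE1_FIELDS = ("encryption", "authentication", "dh_group", "lifetime_seconds")
PHASE2_FIELDS = ("encryption", "authentication", "pfs_group", "lifetime_seconds")


def normalize(field, value):
    """Canonicalise vendor spellings so 'AES-256-CBC' == 'aes-256-cbc' and
    'DH Group 14' == 'group14' == '14'."""
    text = str(value).strip().lower()
    if field.endswith("_group"):
        digits = re.findall(r"\d+", text)
        return digits[-1] if digits else text       # keep only the group number
    return re.sub(r"[^a-z0-9]", "", text)            # drop separators and case


def find_mismatches(expected, configured, fields):
    """Return {field: (expected, configured)} for every field that differs or is missing."""
    mismatches = {}
    for field in fields:
        exp, conf = expected.get(field), configured.get(field)
        if exp is None or conf is None or normalize(field, exp) != normalize(field, conf):
            mismatches[field] = (exp, conf)
    return mismatches


# Constructed sample values (placeholders, not taken from the page).
# "Expected" side: what the downloaded Site2Cloud configuration specifies.
SITE2CLOUD_PHASE1 = {"encryption": "AES-256-CBC", "authentication": "SHA-256",
                     "dh_group": "DH Group 14", "lifetime_seconds": 28800}
SITE2CLOUD_PHASE2 = {"encryption": "AES-256-CBC", "authentication": "SHA-256",
                     "pfs_group": "DH Group 14", "lifetime_seconds": 3600}
# "Configured" side: what was entered in the PAN-OS crypto profiles.  The PFS
# group in the IPSec profile was deliberately left at group2 to show a mismatch.
PANOS_IKE_CRYPTO = {"encryption": "aes-256-cbc", "authentication": "sha256",
                    "dh_group": "group14", "lifetime_seconds": 28800}
PANOS_IPSEC_CRYPTO = {"encryption": "aes-256-cbc", "authentication": "sha256",
                      "pfs_group": "group2", "lifetime_seconds": 3600}


def check_all():
    """Compare both phases and return the mismatches per phase."""
    return {
        "phase1": find_mismatches(SITE2CLOUD_PHASE1, PANOS_IKE_CRYPTO, PHASE1_FIELDS),
        "phase2": find_mismatches(SITE2CLOUD_PHASE2, PANOS_IPSEC_CRYPTO, PHASE2_FIELDS),
    }


if __name__ == "__main__":
    for phase, bad in check_all().items():
        if not bad:
            print(f"{phase}: proposals match")
        for field, (exp, conf) in bad.items():
            print(f"{phase}: {field} differs: Site2Cloud={exp!r} PAN-OS={conf!r}")
```

With the sample values the Phase-1 profile passes and the Phase-2 profile reports the PFS group mismatch, which is exactly the symptom of a tunnel whose IKE gateway shows green while the IPSec tunnel does not.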
Under Network > IPSec Tunnels, click Add to create a new IPSec Tunnel. In the General window:

Field                 Value
Tunnel Interface      Tunnel interface created at Step 4.a
IKE Gateway           IKE gateway created at Step 4.c
IPSec Crypto Profile  IPSec crypto profile created at Step 4.d

Note: There is no need to configure a Proxy ID.
Commit the configuration. The IPSec tunnel status should now show up in green.
Steps to configure BGP:
Go to Network > Virtual Routers > default > BGP > Peer Group, click Add, give it any name (e.g. bgppeering), and then click Add at the bottom left to add a BGP peer.
Add Peer: enter a name, the Peer AS, the Local Address (the tunnel interface and its IP address) and the Peer Address (the remote tunnel IP address).
After everything is created, the configuration looks like the image below. Commit the configuration.
The Router ID is taken from the downloaded configuration file (it should be the IP address of the tunnel interface created above).
Create a redistribution profile: Network -> Virtual Routers -> default -> Redistribution Profile -> Add -> Name: redis -> check Redist -> Source Type: connect.
Next, add the redistribution rule: Network -> Virtual Routers -> default -> BGP -> Redistribution Rules -> Add -> select “redis”.
Configure Export: select Export, add a name in the Rules field, and enable the Export rule. Add the Peer Group from which the routes will be imported. Select Match and define the options used to filter the routing information.
After the BGP route has been advertised, it appears as in the following image. Go to Network -> Virtual Routers -> More Runtime Stats -> BGP -> RIB Out.
In the AWS console, configure the VPC route table associated with the private subnet of VPC2. Add a route to the VPC1 private subnet (10.5.2.0/24) with the Palo Alto Networks VM LAN port as the target.
On the Controller, go to Transit Network -> Advanced Config, click Diagnostics, select the gateway name from the dropdown list and run the “show ip bgp” command from the predefined Show list to verify the BGP routes.
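Reading the diagnostic output by eye works for one prefix, but a small parser lets the same check run after every change: the advertised loopback should appear as a valid best path (`*>`) whose next hop is the far end of the tunnel and whose AS path starts with the Palo Alto's AS. The following is an added example, not Aviatrix code. The sample output is constructed in the Quagga/FRR table layout; the router ID 10.5.3.20, the next hop 169.254.1.2 and the AS number 65001 are placeholders, since the page does not give the real ASNs or tunnel addresses.

```python
"""Parse the 'show ip bgp' diagnostic output of the Aviatrix Transit Gateway
and confirm that the prefix advertised by the VM-Series is installed as the
best path from the expected peer AS.

Added example; not Aviatrix or Palo Alto code.  The sample output below is
constructed, and the router ID, next hop and ASN in it are placeholders."""

# Constructed sample output in Quagga/FRR layout.  The parser takes its column
# offsets from the header row, so the columns must line up as they do here.
SAMPLE_SHOW_IP_BGP = """\
BGP table version is 4, local router ID is 10.5.3.20
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
              i internal, r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 10.0.1.0/24      169.254.1.2              0             0 65001 i
*> 192.168.0.24/32  169.254.1.2              0             0 65001 ?

Displayed  2 routes and 2 total paths
"""


def parse_show_ip_bgp(output):
    """Return one dict per RIB entry: network, next_hop, valid, best, weight, as_path, origin."""
    lines = output.splitlines()
    header_idx = next(i for i, l in enumerate(lines) if "Network" in l and "Next Hop" in l)
    header = lines[header_idx]
    net_col = header.index("Network")
    nh_col = header.index("Next Hop")
    weight_col = header.index("Weight")

    routes = []
    for line in lines[header_idx + 1:]:
        if not line.strip():
            break                                    # a blank line ends the table
        network = line[net_col:nh_col].strip()
        if "/" not in network:
            continue                                 # e.g. a wrapped continuation line
        status = line[:net_col]
        # Everything from the Weight column on is "<weight> <AS path...> <origin>";
        # Metric and LocPrf may be blank, so they are not relied upon.
        tail = line[weight_col:].split()
        routes.append({
            "network": network,
            "next_hop": line[nh_col:].split()[0],
            "valid": "*" in status,
            "best": ">" in status,
            "weight": int(tail[0]),
            "as_path": [int(t) for t in tail[1:-1] if t.isdigit()],
            "origin": tail[-1],
        })
    return routes


def best_route(routes, prefix):
    """Return the best-path entry for prefix, or None if it is not in the RIB."""
    for route in routes:
        if route["network"] == prefix and route["best"]:
            return route
    return None


def verify_learned(output, prefix, peer_as):
    """True when prefix is a valid best path whose AS path begins with peer_as."""
    route = best_route(parse_show_ip_bgp(output), prefix)
    return (route is not None and route["valid"]
            and bool(route["as_path"]) and route["as_path"][0] == peer_as)


if __name__ == "__main__":
    ok = verify_learned(SAMPLE_SHOW_IP_BGP, "192.168.0.24/32", 65001)
    print("loopback learned from Palo Alto:", ok)
```

If the prefix is missing entirely, look at the Export rule and redistribution profile on the firewall (RIB Out); if it is present but not marked best, a competing route on the gateway is winning and the address plan check earlier on this page is the place to start.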