Transit Connection to Palo Alto VM-Series
This document describes how to build Transit connection between Aviatrix Transit Gateway and Palo Alto Networks Firewall. To simulate an on-prem Firewall, we use a VM-Series in an AWS VPC.
Network setup is as following:
VPC1 (with Aviatrix Transit Gateway)
VPC1 CIDR: 10.5.0.0/16
VPC1 Public Subnet CIDR: 10.5.3.0/24
VPC1 Private Subnet CIDR: 10.5.2.0/24
VPC2 (with Palo Alto Networks VM-series)
VPC2 CIDR: 10.0.0.0/16
VPC2 Public Subnet CIDR: 10.0.0.0/24
VPC2 Private Subnet CIDR: 10.0.1.0/24
Sample subnet advertised with the help of BGP - 192.168.0.24/32(loopback interface on PaloAlto)
Configuration WorkFlow:
-
From the Controller go to Transit Network → Setup → Launch a Transit VPC GW.
Connect the transit VPC GW to Palo Alto. Go to Transit Network → Setup → Connect to VGW/External Device. Select External Device and input the following parameters.
-
BGP Local AS number: ASN of the transit VPC GW
-
BGP Remote AS number: ASN of the Palo Alto
-
Remote Gateway IP Address: Palo Alto WAN interface public IP.
If using private IP as remote gateway IP, please make sure to check "Over DirectConnect".
-
-
Download the configuration by going to Site2Cloud → Click on the Connection. Select generic and Download Configuration and configure on the router accordingly.
The following is a sample configuration based on the site2cloud configuration above.
-
Log into Palo Alto Networks VM Series and configure it as following:
-
Go to Network > Interface > Tunnel, click Add to create a new tunnel interface and assign the following parameters.
Field Value Interface Name
tunnel.45(any name)
Virtual Router
Select the existing default virtual router
Security Zone
Select the layer 3 internal zone from which traffic originates
If the tunnel interface is in a zone different from the one where the traffic will originate, a policy needs to be created to allow the traffic to flow from the source zone to the zone containing the tunnel interface.
For the tunnel created above assign the IP address by going to Network > Interface > IPv4 > assign the tunnel IP address from the configuration downloaded above.
-
-
Go to Network > Network Profiles > IKE Crypto, click Add and define the IKE Crypto profile (IKEv1 Phase-1) parameters.
-
Go to Network > Network Profiles > IKE Gateways to configure the IKE Phase-1 Gateway. These parameters should match on the site2cloud configuration downloaded at Step 4.
Field Value Interface
Palo Alto Networks WAN port
Peer IP Address
Aviatrix Gateway public IP
Pre-shared Key
Key from site2cloud configuration downloaded at Step 3
Peer Identification
IP Address & Aviatrix Gateway public IP
If using remote private IP on Ste
p 2, Peer IP Address should be the remote private IP while Peer Identification should be remote public IP.
Field
Value
IKE Crypto Profile
Select the profile created at Step 4.b
-
Under Network > Network Profiles > IPSec Crypto, click Add to create a new profile. Define the IPSec crypto profile (IKEv1 Phase-2). These parameters should match on the site2cloud configuration downloaded at Step 4.
-
Under Network > IPSec Tunnels, click Add to create a new IPSec Tunnel. At General window:
Field Value Tunnel Interface
Tunnel interface created at Step 4.a
IKE Gateway
IKE gateway created at Step 4.c
IPSec Crypto Profile
IPSec crypto profile created at Step 4.d
Note: There is no need to configure proxy-id
-
Commit the configuration. We should see the IPSec tunnel is up in green.
-
Steps to configure BGP:
-
-
Go to Network > Virtual Routers Default > BGP > peer group click add give any name(e.g bgppeering) and then click on the left bottom to add BGP peer
-
Add Peer > Created name > Enter the Peer AS > Local address: tunnel interface and Tunnel interface IP address > Peer address: remote tunnel address
-
After everything is created, the output looks like below, and Commit the configuration.
Router ID is taken from the config file downloaded.(it should be the IP address of the tunnel created )
-
Create a redistribution profile: Network → default → Redistribution Profile → Add → Name: redis → check Redist → Source Type: connect
-
Next click on redistribution rules and do the following: Network → default → BGP → Redistribution Rules → Click on Add → select "redis"
-
Configure Export: Select Export, Add a name in the Rules field, and Enable the Export rule. Add the Peer Group from which the routes will be imported. Select Match and define the options used to filter routing information.
-
After the BGP route has been advertised it shows like the following image. Go to Network → More runtime stats → BGP → RIB out.
-
At AWS portal, configure the VPC Route Table associated with the private subnet of VPC2. Add a route destinating to VPC1 private subnet with Palo Alto Networks VM LAN port as the gateway.
-
Go to Transit Network → Advanced Config on the Controller and Click on Diagnostics and select the GW name from the dropdown list and select Show Ip bgp Command from the predefined Show list to verify the BGP Routes.
-