Palo Alto VPN Site to Site
• Before VPN Technology
• VPN Benefits
• Palo Alto VPN Deployments
• Palo Alto VPN Site to Site concepts
• IPsec Technologies
• Palo Alto IKE Phase 1
• Palo Alto IKE Phase 2
Palo Alto VPN Deployments
The Palo Alto Networks firewall supports the following VPN deployments:
1. Site-to-Site VPN.
2. Remote User-to-Site (GlobalProtect).
Palo Alto VPN Site to Site concepts
When a client that is secured by VPN Peer A needs content from a server located at the other site:
1. VPN Peer A initiates a connection request to VPN Peer B.
2. If the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters
(IKE phase 1) to establish a secure control channel and authenticate VPN Peer B.
3. Then, VPN Peer A establishes the VPN tunnel using the IPSec Crypto profile, which defines the IKE phase 2
parameters, to allow the secure transfer of data between the two sites.
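The two-phase sequence above, as an added example written for this page (it is not PAN-OS code and not the IKEv2 wire format). It keeps the structure a practitioner should recognise: phase 1 is a Diffie-Hellman exchange in the group the IKE Crypto profile selects, authenticated afterwards by each peer proving knowledge of the pre-shared key over the whole exchange; phase 2 derives the per-SA data keys from the phase-1 secret plus fresh nonces, with an optional new DH result mixed in (perfect forward secrecy). The PRF chain is simplified to a single HMAC-SHA256 level, the identity strings and the "Key Pad for IKEv2" constant are assumptions, and the group 14 prime is copied from RFC 3526 and should be checked against the RFC before reuse.

```python
"""Model of IKE phase 1 (authenticated DH) and phase 2 (per-SA key derivation).

Added example, not PAN-OS code. It mirrors the structure of the exchange, not
the IKEv2 message format or its full PRF chain.
"""
import hashlib
import hmac
import secrets

# RFC 3526 MODP group 14 (2048-bit prime, generator 2): the "DH group" an IKE
# crypto profile selects. Copied from the RFC; verify against it before reuse.
P14 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2


def prf(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA256: the 'authentication algorithm' role of the crypto profile."""
    return hmac.new(key, data, hashlib.sha256).digest()


def dh_keypair():
    """Private exponent x and public value g^x mod p for group 14."""
    priv = secrets.randbits(256) | 1  # 256-bit exponent is ample for a 2048-bit group
    return priv, pow(G, priv, P14)


def dh_shared(priv: int, peer_pub: int) -> bytes:
    """g^xy mod p as a fixed-width byte string; both peers obtain the same value."""
    if not 1 < peer_pub < P14 - 1:
        raise ValueError("invalid DH public value")  # reject 0, 1, p-1
    return pow(peer_pub, priv, P14).to_bytes(256, "big")


def ike_phase1(psk_initiator: bytes, psk_responder: bytes):
    """Phase 1: DH exchange first, then each peer proves knowledge of the PSK by
    MACing the transcript. Returns (authenticated, sk_initiator, sk_responder)."""
    i_priv, i_pub = dh_keypair()
    r_priv, r_pub = dh_keypair()
    n_i, n_r = secrets.token_bytes(32), secrets.token_bytes(32)
    transcript = i_pub.to_bytes(256, "big") + r_pub.to_bytes(256, "big") + n_i + n_r

    # SKEYSEED = prf(Ni | Nr, g^ir); each side uses its own private exponent.
    sk_i = prf(n_i + n_r, dh_shared(i_priv, r_pub))
    sk_r = prf(n_i + n_r, dh_shared(r_priv, i_pub))

    # AUTH = prf(prf(PSK, pad), transcript | ID). The PSK never crosses the wire,
    # so a man-in-the-middle who relayed the DH values cannot forge AUTH.
    pad = b"Key Pad for IKEv2"  # assumed constant in this model
    auth_i = prf(prf(psk_initiator, pad), transcript + b"initiator")
    auth_r = prf(prf(psk_responder, pad), transcript + b"responder")

    # Each peer verifies the other's AUTH with its *own* copy of the PSK.
    r_accepts = hmac.compare_digest(auth_i, prf(prf(psk_responder, pad), transcript + b"initiator"))
    i_accepts = hmac.compare_digest(auth_r, prf(prf(psk_initiator, pad), transcript + b"responder"))
    return (i_accepts and r_accepts), sk_i, sk_r


def ike_phase2(sk: bytes, n_i: bytes, n_r: bytes, pfs_secret: bytes = b""):
    """Phase 2 / auto-key: KEYMAT = prf(SK, g^ir_new | Ni | Nr), split into ESP
    encryption and integrity keys. pfs_secret is a fresh DH result when the IPSec
    crypto profile has a DH group (PFS on) and empty when it is 'no-pfs'."""
    seed = pfs_secret + n_i + n_r
    keymat = prf(sk, seed + b"\x01") + prf(sk, seed + b"\x02")
    return {"sk_e": keymat[:32], "sk_a": keymat[32:]}


def demo() -> bool:
    """Full run: phase 1 with a matching PSK, then a PFS rekey; True if both
    peers end up with identical child SA keys."""
    ok, sk_i, sk_r = ike_phase1(b"correct horse battery staple", b"correct horse battery staple")
    if not (ok and sk_i == sk_r):
        return False
    a_priv, a_pub = dh_keypair()  # new DH exchange for this child SA (PFS)
    b_priv, b_pub = dh_keypair()
    n_i2, n_r2 = secrets.token_bytes(32), secrets.token_bytes(32)
    keys_i = ike_phase2(sk_i, n_i2, n_r2, dh_shared(a_priv, b_pub))
    keys_r = ike_phase2(sk_r, n_i2, n_r2, dh_shared(b_priv, a_pub))
    return keys_i == keys_r


if __name__ == "__main__":
    print("phase 2 keys match on both peers:", demo())
```

The point to take from the model: the DH exchange alone gives two peers a shared secret but not each other's identity; only the AUTH step, keyed by the PSK, turns it into mutual authentication, which is why a weak or leaked PSK undermines the whole tunnel regardless of the DH group chosen.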
• Palo Alto IKE Phase 1
1. In IKE Phase 1, the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto
profile to authenticate each other and set up a secure control channel.
2. IKE Phase 1 supports the use of preshared keys or digital certificates for mutual authentication of
the VPN peers.
The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:
1. Diffie-Hellman (DH) group, used to derive the shared secret from which the symmetric IKE keys are generated
2. Authentication (hash) algorithms: sha1, sha256, sha384, sha512, or md5
3. Encryption algorithms: 3des, aes-128-cbc, aes-192-cbc, aes-256-cbc, or des
Of these options, md5, sha1, des and 3des are deprecated and should not be selected for new tunnels: prefer
sha256 or stronger, aes-256-cbc (or an AES-GCM option where the PAN-OS version offers one), and DH group 14 or
higher. With preshared-key authentication the tunnel is only as strong as the secrecy and entropy of that key, so
use a long random key rather than a passphrase, and prefer certificates where both sides support them.
• Palo Alto IKE Phase 2 (IPSec)
IKE Phase 2 uses the keys that were established in Phase 1 of the process and the IPSec Crypto
profile, which defines the IPSec protocol, algorithms and key lifetime used for the IPSec SA negotiated in IKE Phase 2.
IPSec uses the following protocols to enable secure communication:
1. Encapsulating Security Payload (ESP) encrypts the entire original IP packet (in tunnel mode), authenticates the
source and verifies the integrity of the data.
Note: you can choose to only authenticate by setting the encryption option to null, or to only encrypt by setting
authentication to none. Encryption without authentication is not recommended: an attacker can modify the
ciphertext undetected, and CBC ciphers in particular become exposed to padding-oracle attacks.
2. Authentication Header (AH) authenticates the source of the packet and verifies data integrity.
AH does not encrypt the data, and because its integrity check covers fields of the outer IP header it does not
survive NAT between the peers.
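The following audit routine is an added example for both the IKE Crypto profile options listed under Phase 1 and the ESP/AH choices just described; it is not PAN-OS code. The profile dictionaries are an assumed representation whose keys simply mirror the option names on this page (hash, encryption, dh-group for IKE; protocol, encryption, authentication, dh-group and lifetime for IPSec), not the firewall's configuration schema, and the 24-hour lifetime threshold is an assumed policy value. Beyond flagging the individual weak algorithms, it checks the combinations that matter: null encryption with no authentication, a non-AEAD cipher with authentication set to none, and a missing DH group (no perfect forward secrecy).

```python
"""Audit IKE / IPSec crypto profile settings against the weak options on this page.

Added example, not PAN-OS code: the dict keys mirror the option names in the
text and are an assumed representation, not the firewall configuration schema.
"""

WEAK_HASH = {"md5", "sha1"}                # collision-broken / deprecated
WEAK_ENC = {"des", "3des"}                 # 56-bit key / 64-bit block (Sweet32)
WEAK_DH = {"group1", "group2", "group5"}   # 768 / 1024 / 1536-bit MODP
AEAD_ENC = {"aes-128-gcm", "aes-256-gcm"}  # integrity built in; ESP auth may be "none"
MAX_IPSEC_LIFETIME_HOURS = 24              # assumed policy threshold
SEVERITY_ORDER = ["info", "medium", "high", "critical"]


def audit_ike_profile(profile: dict) -> list:
    """Phase 1 checks on {"hash", "encryption", "dh-group"}; returns (severity, message) tuples."""
    findings = []
    if profile.get("hash") in WEAK_HASH:
        findings.append(("high", f"IKE hash {profile['hash']} is deprecated; use sha256 or stronger"))
    if profile.get("encryption") in WEAK_ENC:
        findings.append(("high", f"IKE encryption {profile['encryption']} is weak; use aes-256-cbc or AES-GCM"))
    if profile.get("dh-group") in WEAK_DH:
        findings.append(("high", f"IKE {profile['dh-group']} is too small; use group14 or higher"))
    return findings


def audit_ipsec_profile(profile: dict) -> list:
    """Phase 2 checks, including the ESP null/none combinations described in the note above."""
    findings = []
    proto = profile.get("protocol", "esp")
    enc = profile.get("encryption", "null")
    auth = profile.get("authentication", "none")
    dh = profile.get("dh-group", "no-pfs")

    if proto == "ah":
        findings.append(("info", "AH authenticates but does not encrypt; payload is cleartext and AH breaks across NAT"))
    elif enc == "null" and auth == "none":
        findings.append(("critical", "ESP with null encryption and no authentication protects nothing"))
    elif enc == "null":
        findings.append(("medium", "authentication-only ESP: payload is sent in cleartext"))
    elif auth == "none" and enc not in AEAD_ENC:
        findings.append(("high", f"ESP {enc} without authentication is malleable "
                                 "(bit flipping, padding oracles); add an integrity algorithm or use AES-GCM"))

    if enc in WEAK_ENC:
        findings.append(("high", f"IPSec encryption {enc} is weak; use AES-256"))
    if auth in WEAK_HASH:
        findings.append(("high", f"IPSec authentication {auth} is deprecated; use sha256 or stronger"))
    if dh in ("no-pfs", None, ""):
        findings.append(("medium", "PFS disabled: a compromised phase-1 key exposes every child SA key derived from it"))
    elif dh in WEAK_DH:
        findings.append(("high", f"PFS {dh} is too small; use group14 or higher"))
    if profile.get("lifetime_hours", 1) > MAX_IPSEC_LIFETIME_HOURS:
        findings.append(("medium", f"IPSec SA lifetime {profile['lifetime_hours']}h exceeds policy; rekey more often"))
    return findings


def worst_severity(findings: list) -> str:
    """Highest severity present, or 'ok' when the list is empty; use it to gate a commit."""
    if not findings:
        return "ok"
    return max((sev for sev, _ in findings), key=SEVERITY_ORDER.index)


if __name__ == "__main__":
    # Constructed sample profiles: one built from the weakest options the page lists,
    # one hardened.
    weak_ike = {"hash": "md5", "encryption": "3des", "dh-group": "group2"}
    weak_ipsec = {"protocol": "esp", "encryption": "aes-256-cbc", "authentication": "none",
                  "dh-group": "no-pfs", "lifetime_hours": 168}
    good_ike = {"hash": "sha256", "encryption": "aes-256-cbc", "dh-group": "group14"}
    good_ipsec = {"protocol": "esp", "encryption": "aes-256-gcm", "authentication": "none",
                  "dh-group": "group14", "lifetime_hours": 1}
    for name, f in (("weak", audit_ike_profile(weak_ike) + audit_ipsec_profile(weak_ipsec)),
                    ("good", audit_ike_profile(good_ike) + audit_ipsec_profile(good_ipsec))):
        print(name, worst_severity(f))
        for sev, msg in f:
            print(f"  [{sev}] {msg}")
```

Note that aes-256-gcm with authentication set to none is reported clean while aes-256-cbc with the same setting is not: GCM carries its own integrity tag, so "none" is only acceptable when the cipher is an AEAD mode.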
• Methods of Securing IPSec VPN Tunnels (IKE Phase 2)
IPSec VPN tunnels can be secured using manual keys or auto keys.
Manual Key: Manual key is typically used if the Palo Alto Networks firewall is establishing a VPN
tunnel with a legacy device, or if you want to reduce the overhead of generating session keys.
If using manual keys, the same key must be configured on both peers.
Manual keys are not recommended for establishing a VPN tunnel: the session keys can be
compromised while the key material is relayed between the peers, the keys are never rotated, and there is
no perfect forward secrecy, so if a key is compromised all traffic ever protected by it is exposed.
Auto Key: Auto Key allows you to automatically generate keys for setting up and maintaining the
IPSec tunnel based on the algorithms defined in the IPSec Crypto profile; the keys are negotiated through IKE
and refreshed automatically when the lifetime defined in the profile expires.