https://www.facebook.com/MostafaElLathyIT mostafa.it@hotmail.com https://www.youtube.com/channel/UCAEiVvBP3DbIKUcoZBcaHvQ

1. Palo Alto VPN Site to Site
• Before VPN Technology
• VPN Benefits
• Palo alto VPN Deployments
• Palo Alto VPN Site to Site concepts
• IPsec Technologies
• Palo Alto IKE Phase1
• Palo Alto IKE Phase2

2. Before VPN Technology
• Leased Line
• Frame Relay
• MPLS

3. • Cost Savings
• Security
• Scalability
• Compatibility
VPN Benefits:

4. Palo alto VPN Deployments
The Palo Alto Networks firewall supports the following VPN deployments:
1. Site-to-Site VPN.
2. Remote User-to-Site (GlobalProtect)

6. a client that is secured by VPN Peer A needs content from a server located at the other site,
1. VPN Peer A initiates a connection request to VPN Peer B.
2. If the security policy permits the connection, VPN Peer A uses the IKE Crypto profile parameters
(IKE phase 1) to establish a secure connection and authenticate VPN Peer B.
3. Then, VPN Peer A establishes the VPN tunnel using the IPSec Crypto profile, which defines the IKE phase 2
parameters to allow the secure transfer of data between the two sites.
VPN Site to Site concepts

7. What Are VPN Tunneling Protocols? Phase 1
• Generic Routing Encapsulation (GRE)
• Point-to-Point Tunneling Protocol (PPTP)
• Secure Socket Tunneling Protocol (SSTP)
• Layer 2 Tunneling Protocol (L2TP)/IPSec
• SSL VPN
• OpenVPN
• IPSec ( IKE V1 )
• Internet Key Exchange (IKEv2)/IPSec

8. IPsec Framework

9. • Confidentiality
Confidentiality with Encryption:

10. • Encryption Algorithms:

11. • Integrity
• Hash Algorithms
• Security of Hash Algorithms

12. • Authentication
1. Pre-Shared keys (PSK)
• Peer Authentication Methods

13. • Authentication (Cont.)
2. Digital Certificate (RSA)

14. • Secure Key Exchange
Diffie-Hellman Key Exchange
DH Group

15. • IPsec Protocols

16. • Authentication Header ) AH (

17. • Encapsulating Security Payload (ECP)

18. IPsec Examples
IPsec Framework
IPsec Technologies

19. • Internet Key Exchange (IKE)
The IKE Protocol

20. • Palo alto IKE Phase 1
1. the firewalls use the parameters defined in the IKE Gateway configuration and the IKE Crypto
profile to authenticate each other and set up a secure control channel.
2. IKE Phase supports the use of preshared keys or digital certificates for mutual authentication of
the VPN peers.
The IKE Crypto profile defines the following options that are used in the IKE SA negotiation:
1. Diffie‐Hellman (DH) group for generating symmetrical keys for IKE
2. Authentication algorithms - sha1, sha 256, sha 384, sha 512, or md5
3. Encryption algorithms- 3des, aes‐128‐cbc, aes‐192‐cbc, aes‐256‐cbc, or des

21. • Palo alto IKE Phase 2 (IP Sec)
IKE Phase 2 uses the keys that were established in Phase 1 of the process and the IPSec Crypto
profile, which defines the IPSec protocols and keys used for the SA in IKE Phase 2.
The IPSEC uses the following protocols to enable secure communication:
1. Encapsulating Security Payload (ESP) allows you to encrypt the entire IP packet, and authenticate the
source and verify integrity of the data.
Note: you can choose to only encrypt or only authenticate by setting the encryption option to Null.
2. Authentication Header (AH) authenticates the source of the packet and verifies data integrity.
AH does not encrypt the data

22. • Methods of Securing IPSec VPN Tunnels (IKE Phase 2)
IPSec VPN tunnels can be secured using manual keys or auto keys.
 Manual Key Manual key is typically used if the Palo Alto Networks firewall is establishing a VPN
tunnel with a legacy device, or if you want to reduce the overhead of generating session keys.
If using manual keys, the same key must be configured on both peers.
Manual keys are not recommended for establishing a VPN tunnel because the session keys can be
compromised when relaying the key information between the peers; if the keys are compromised,
the data transfer is no longer secure.
 Auto Key Auto Key allows you to automatically generate keys for setting up and maintaining the
IPSec tunnel based on the algorithms defined in the IPSec Crypto profile.