Palo Alto Redundant Tunnel

This guide explains how to configure a Site-to-Site High Availability (HA) redundant VPN tunnel between your Harmony SASE network and a Palo Alto Firewall, including both firewall and Harmony SASE console configuration.

Pre-requisites

Before you begin, ensure that you have:

  • An active Harmony SASE account and a functioning network.

  • The Harmony SASE application installed on your devices.

  • An active Palo Alto Firewall account with administrative permissions.

Configuration in Palo Alto WebGUI

Step 1: Configure Tunnel Interfaces

  1. Open the Palo Alto WebGUI and go to Network.

  2. Select Interfaces and go to Tunnel.

  3. Click Add.

  4. Configure these parameters:

    • Virtual Router: Select the virtual router for the tunnel interface.

    • Security Zone: Create a dedicated zone for tunnel traffic. If the tunnel interface is in a different zone than the source or destination, create a security policy to allow the traffic.

  5. Click the IPv4 tab and click Add. Enter the internal address for the first tunnel (use the 169.254.x.x range).

  6. Click OK.

  7. Repeat the steps to create the second tunnel interface.

Step 2: Configure IKE Crypto Profile

  1. Go to Network Profiles > IKE Crypto.

  2. Click Add and define the IKE Crypto profile (IKEv1 Phase 1) parameters:

    Field

    Enter
    Name Enter a descriptive name
    DH Group 14
    Encryption aes-256-cbc
    Authentication sha256
    Key Lifetime 8 Hours
    IKEv2 Authentication Multiple 0

Step 3: Configure IKE Gateway

  1. Go to Network Profiles > IKE Gateway.

  2. Click Add and fill these details:

    Field

    Enter
    Name Name for the gateway.
    Version

    Select IKEv2 (or IKEv1 if unsupported)
    Address IPv4
    Interface External interface connected to the internet.
    Local IP Address External IP address.
    Peer IP Address Type IP

    Peer Address

    Public IP address of the Harmony SASE gateway.

    Authentication

    Pre-Shared Key

    Pre-shared Key

    Enter a strong key (mix of uppercase, lowercase, and numbers). Make a note of the key.

    Local Identification

    None (Gateway uses the local IP as the local identification value)

    Peer Identification

    None (Gateway uses the peer IP as the peer identification value)

  3. Repeat the steps for the second Harmony SASE gateway.

Step 4: Configure IPsec Crypto Profile

  1. Go to Network Profiles > IPsec Crypto.

  2. Click Add and enter these details:

    Field

    Enter
    Name P81-Phase2
    IPsec Protocol ESP
    DH Group 14
    Encryption aes-256-cbc
    Lifetime 1 hour
    Authentication sha256

Step 5: Configure IPsec Tunnels

  1. Go to Network Profiles > IPsec Tunnels.

  2. Click Add and enter these details:

    Field

    Enter
    Name Name for the tunnel.
    Tunnel Interface An appropriate interface.
    Type Auto Key
    Address IPv4
    IKE Gateway Select the previously defined gateway.
    IPsec Crypto Profile Select the previously defined profile.

  3. Repeat the steps for the second IPsec tunnel.

Step 6: Configure BGP

  1. Go to Network Profile > Virtual Routers.

  2. Click BGP and enter these details:

    • Router ID: Internal address for the first tunnel (from Step 1).

    • AS Number: AS number for the Palo Alto Firewall.

Add BGP Peer Group and Peers (for redundancy)

  1. Under Peer Group, click Add and enter a name for the Peer Group.

  2. Under Peer, click Add.

    In the Peer window, configure these details:

    Field

    Enter
    Name Enter a descriptive name.
    Peer AS Harmony SASE AS number (default: 65000).
    Local Address

    • Interface: Select the first tunnel interface created in Step 1.

    • IP: Select the internal address assigned to the first tunnel.
    Peer Address

    Internal (BGP) address for the first Harmony SASE gateway.

  3. Go to Connection Options, set Multi Hop to 3.

  4. Repeat for the second tunnel interface.

    The Peer Group configuration should resemble the example shown below.

Step 7: Configure Redistribution Profile and BGP Import Rules

Redistribution Profile

  1. Go to Virtual Router > Redistribution Profile > Add.

  2. Configure:

    • Name and Priority

    • Enable Redist

    • Under General Filter, check Static

  3. Click OK.

BGP Import Rules

  1. Go to BGP > Import > Add.

  2. Enter a Name for the rule.

  3. Click Add and select the created peer group.

  4. Under Match, configure:

    • AS Path Regular Expression: _<SASE AS>$ (replace with the actual Harmony SASE AS)

    • FROM PEER: Select the two tunnel interfaces created previously.

  5. Under Action, choose Allow.

  6. Under Redist Rules, click Add and select the redistribution profile created earlier.

  7. Click OK.

Step 8: Configure Security Policies

  1. Open the Policies tab and select Security.

  2. By default, IKE negotiation and IPsec/ESP packets are permitted.

  3. If behavior differs or if you require more granular traffic control, click Add and create an appropriate Security policy rule.

  4. Click Commit to apply the configuration changes.

Configuring the tunnel in the Management Platform

Step 1 : Configuring Tunnel and Routes Table

  1. Access the Harmony SASE Administrator Portal and click Networks.

  2. Select the network.

  3. Click .

  4. Select Add Tunnel for the gateway from which you want to add the IPsec Site-to-Site VPN tunnel.

    1. Click IPsec Site-2-Site Tunnel and click Continue.

      ipsec site-to-site tunnel

    2. Click Redundant Tunnels and click Continue.

      ipsec site-to-site single tunnel

    3. In the Tunnel name field, enter a logical name.

    4. Expand Tunnel 1 and specify these:

      • Shared Secret – The value previously set on the first IKE Gateway.

      • Harmony SASE Gateway Internal IP - The Harmony SASE internal IP address as you configured in the first PEER Group.

      • Remote Public IP - Enter the firewalls external Interface IP. This can be found in Palo Alto WebGUI under Network /Interfaces /Ethernet.

      • Remote Gateway Internal IP - The firewall internal IP address as you configured in the first PEER Group.

      • Remote Gateway ASN - The ASN of the Palo Alto Firewall.

      • Remote ID - Enter the same value as per Public IP. If behind NAT, enter the internal LAN IP of the Palo Alto Device (example 192.168.1.1).

    5. Expand Tunnel 2 and specify these:

      • Gateway - Select the second Harmony SASE Gateway for the tunnel.

      • Shared Secret - The value previously set on the second IKE Gateway.

      • Harmony SASE Gateway Internal IP - The Harmony SASE internal IP address as you configured in the second PEER Group.

      • Remote Public IP - Enter the firewalls external Interface IP.

      • Remote Gateway Internal IP - The firewall internal IP address as you configured in the second PEER Group.

      • Remote Gateways ASN - The ASN of the Palo Alto Firewall.

      • Remote ID - Enter the same value as you did Public IP. If behind NAT, enter the internal LAN IP of the Palo Alto Device (example 192.168.1.1).

    6. Expand Shared Settings and specify these:

      • Harmony SASE Gateway Proposal Subnets - Leave Any (0.0.0.0/0) selected.

      • Remote Gateway Proposal Subnets - Leave Any (0.0.0.0/0) selected.

      • Autonomous System Number (ASN) - Default value is 64512, if not set, enter the AS Number for the Harmony SASE network.

    7. In the Advanced Settings section, specify these:

      Field

      Enter
      IKE Version V2
      IKE Lifetime 8h
      Tunnel Lifetime 1h
      Dead Peer Detection Delay 10s
      Dead Peer Detection Timeout 30s
      Phase 1
      • Encryption (Phase 1): aes256

      • Integrity (Phase 1): sha256

      • Key Exchange Method: modp2048

      Phase 2

      • Encryption (Phase 2): aes256

      • Integrity (Phase 2): sha256

      • Key Exchange Method: modp2048

    8. Click Add Tunnel.

  5. Select Routes Table:

    1. Click Add Route.

      The Add Route window appears.

    2. Enter all the Subnets on the remote side of the tunnel and then click Add Route.

      Note - Make sure that in the Tunnel list, you have selected the previously entered Tunnel name.

  6. Click Apply Configuration.

Step 2: Verifying the Setup

Once you complete the above steps, the tunnel becomes active.

  1. Verify the setup in the Harmony SASE Administrator Portal:

    1. Click Networks.

    2. Locate the tunnel you created, and check the tunnel status.

      It should indicate that the tunnel is Up, signifying a successful connection.

  2. Verify the setup in the Harmony SASE Agent:

    1. Connect to your network using the Harmony SASE Agent.

    2. Access one of the resources in your environment.