Palo Alto Firewall

To configure the tunnel in the Palo Alto Management Portal:

  1. Log in to the Palo Alto Management Portal with the Administrator account.

  2. Go to Interfaces and click the Tunnel tab.

  3. Click Add.

    The Tunnel Interface window appears.

  4. From the Virtual Router list, select the virtual router for the tunnel interface.

  5. From the Security Zone list, select a zone for the tunnel interface.

    Note - Configure a new zone for the tunnel interface for granular control of traffic ingress and egress through the tunnel. If the tunnel interface zone is different from the zone where the traffic originates or departs, then configure a policy to allow the traffic from the source zone to the tunnel interface zone.

  6. Click OK.

  7. Go to Network Profiles > IKE Crypto.

  8. In the Networks tab, click Add.

    The IKE Crypto Profile window appears.

  9. Enter these:

    Field                          Enter
    Name                           Name for the profile.
    DH Group                       14
    Encryption                     aes-256-cbc
    Authentication                 sha256
    Key Lifetime                   8 Hours
    IKEv2 Authentication Multiple  0

  10. Go to Network Profiles > IKE Gateways.

  11. In the Networks tab, click Add.

    The IKE Gateway window appears.

  12. In the General tab:

    Field                 Enter
    Name                  Name for the gateway.
    Version               IKEv2 only mode. If the firewall does not support IKEv2, select IKEv1.
    Address               IPv4
    Interface             External interface connected to the internet.
    Local IP Address      External IP address.
    Peer IP Address Type  IP
    Peer Address          Public IP address of the Harmony SASE gateway.
    Authentication        Pre-Shared Key
    Pre-shared Key        An alphanumeric string. Make a note of the key.
    Local Identification  None
    Peer Identification   None

  13. Click OK.

  14. Go to Network Profiles > IPSec Crypto.

  15. In the Networks tab, click Add.

    The IPSec Crypto Profile window appears.

  16. Enter these:

    Field           Enter
    Name            Name for the profile.
    IPSec Protocol  ESP
    DH Group        14
    Encryption      aes-256-cbc
    Lifetime        1 hour
    Authentication  sha256

  17. Click OK.

  18. Click IPSec Tunnels.

  19. In the Networks tab, click Add.

    The IPSec Tunnel window appears.

  20. Enter these:

    Field                 Enter
    Name                  Name for the tunnel.
    Tunnel Interface      An appropriate interface.
    Type                  Auto Key
    Address               IPv4
    IKE Gateway           Gateway that was defined previously.
    IPSec Crypto Profile  Profile that was defined previously.

  21. Click Virtual Routers.

  22. Click Static Routes and click Add.

    The Virtual Router - Static Route - IPv4 window appears.

  23. Enter these:

    Field        Enter
    Name         Name for the static route.
    Destination  Harmony SASE subnet.
    Interface    An appropriate interface.
    Next Hop     None
    Metric       10
    Route Table  Unicast
    BFD Profile  Disable BFD

  24. Go to Network Profiles > IKE Crypto.

  25. Click the Policies tab. By default, IKE negotiation and IPSec/ESP packets are allowed. If they are not, create an appropriate rule.
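The same tunnel expressed as PAN-OS CLI set commands, so the values chosen in the steps above can be reviewed or reproduced without the web interface. This is an added example and not part of the original page; it assumes configure mode on a single-vsys firewall, and the interface ethernet1/1, the zone, virtual-router, profile, gateway and route names, the peer address 203.0.113.10 and the subnet 10.20.0.0/16 are placeholders to replace with your own values. Lines starting with # are annotations for the reader, not CLI input.

```text
# Steps 2-6: tunnel interface in its own zone, attached to the virtual router
set network interface tunnel units tunnel.1
set network virtual-router default interface tunnel.1
set zone sase-vpn network layer3 tunnel.1

# Steps 7-9: IKE crypto profile (DH group 14, aes-256-cbc, sha256, 8 hours)
set network ike crypto-profiles ike-crypto-profiles sase-ike dh-group group14
set network ike crypto-profiles ike-crypto-profiles sase-ike encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles sase-ike hash sha256
set network ike crypto-profiles ike-crypto-profiles sase-ike lifetime hours 8

# Steps 10-13: IKE gateway, IKEv2 only, pre-shared key, no local/peer identification
# <PSK-PLACEHOLDER> stands for the alphanumeric key noted in step 12
set network ike gateway sase-gw protocol version ikev2
set network ike gateway sase-gw protocol ikev2 ike-crypto-profile sase-ike
set network ike gateway sase-gw local-address interface ethernet1/1
set network ike gateway sase-gw peer-address ip 203.0.113.10
set network ike gateway sase-gw authentication pre-shared-key key <PSK-PLACEHOLDER>

# Steps 14-17: IPSec crypto profile (ESP, DH group 14, aes-256-cbc, sha256, 1 hour)
set network ike crypto-profiles ipsec-crypto-profiles sase-ipsec esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles sase-ipsec esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles sase-ipsec dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles sase-ipsec lifetime hours 1

# Steps 18-20: Auto Key IPSec tunnel bound to the gateway, profile and tunnel interface
set network tunnel ipsec sase-tunnel auto-key ike-gateway sase-gw
set network tunnel ipsec sase-tunnel auto-key ipsec-crypto-profile sase-ipsec
set network tunnel ipsec sase-tunnel tunnel-interface tunnel.1

# Steps 21-23: static route for the Harmony SASE subnet via tunnel.1, metric 10,
# no next hop (traffic is routed into the tunnel interface itself)
set network virtual-router default routing-table ip static-route to-sase destination 10.20.0.0/16
set network virtual-router default routing-table ip static-route to-sase interface tunnel.1
set network virtual-router default routing-table ip static-route to-sase metric 10

commit
```

After the commit, confirm the negotiated parameters match the tables above on both the IKE and IPSec side; a mismatch in DH group, encryption or authentication is the usual reason a tunnel defined this way stays down.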