Palo Alto and Firebox BOVPN Virtual Interface Integration Guide

WatchGuard provides integration instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a third-party product, go to the documentation and support resources for that product.

This guide describes how to configure a BOVPN virtual interface between a WatchGuard Firebox and a Palo Alto PA-220 firewall.

Contents

Integration Summary

The hardware and software used in this guide include:

  • WatchGuard Firebox with Fireware v12.10
  • Palo Alto PA-220 v10.2

Integration Topology

This diagram outlines the topology used in this integration:

The Screenshot for BOVPN Virtual Interface Topology

Configure the Firebox

To configure a BOVPN virtual interface on your Firebox:

  1. Log in to Fireware Web UI.
  2. Select VPN > BOVPN Virtual Interfaces.
    The BOVPN Virtual Interfaces configuration page opens.
  3. Click Add.
  4. In the Interface Name text box, type a name to identify this BOVPN virtual interface.
  5. From the Remote Endpoint Type drop-down list, select Cloud VPN or Third-Party Gateway.
  6. From the Gateway Address Family drop-down list, select IPv4 Addresses.
  7. In the Credential Method section, select Use Pre-Shared Key. Type the pre-shared key.

Screenshot of Firebox, picture9

  1. In the Gateway Endpoint section, click Add.
    The Gateway Endpoint Settings dialog box opens.
  2. From the Physical drop-down list, select External.
  3. From the Interface IP Address drop-down list, select Primary Interface IPv4 Address.
    The Primary Interface IP Address is the primary IP address you configured on the selected external interface.
  4. Select By IP Address.
  5. In the By IP Address text box, type the primary IP address of the external Firebox interface.

Screenshot of Firebox, picture10

  1. Select the Remote Gateway tab.
  2. Select Static IP Address. Type the IP address of your Palo Alto WAN connection.
  3. Select By IP Address. Type the IP address of your Palo Alto WAN connection.

Screenshot of Firebox, picture11

  1. Click OK.
  2. In the Gateway Endpoint section, select the Start Phase 1 tunnel when it is inactive check box.
  3. Select the Add this tunnel to the BOVPN-Allow policies check box.

Screenshot of Firebox, picture12

  1. Select the VPN Routes tab.
  2. Click Add.

Screenshot of Firebox, picture13

  1. From the Choose Type drop-down list, select Network IPv4.
  2. In the Route To text box, type the network IP address of a route that will use this virtual interface.

Screenshot of Firebox, picture17

  1. Click OK.
  2. Select the Phase 1 Settings tab.
  3. From the Version drop-down list, select IKEv2.
  4. Keep all other values as default Phase 1 Settings.

Screenshot of Firebox, picture14

  1. Keep all Phase 2 Settings as the default values.

Scree shot of Firebox, picture15

  1. Click Save.

For more information about BOVPN virtual interface configuration on the Firebox, go to BOVPN Virtual Interfaces.

Configure the Palo Alto Firewall

Configure Basic Settings

  1. Log in to the Palo Alto Web UI at https://<IP address of the Palo Alto device>.
    The default IP address is https://192.168.1.1.
  2. Configure the Palo Alto interface. For information about how to configure interface, go to the Palo Alto documentation.

Screenshot of Palo Alto, picture new1

  1. Configure the Palo Alto zone. For information about how to configure zone, go to the Palo Alto documentation.

Screenshot of Palo Alto, picture new2

  1. Configure the Palo Alto firewall to route to the Internet. For information about how to configure route, go to the Palo Alto documentation.

Screen shot of Palo Alto, picture new3

Configure a Tunnel Interface

  1. Select Network > Interfaces > Tunnel.
  2. In the lower-left corner, click Add.
  3. In the Interface Name text box, specify a numeric suffix. In our example, we specify .1.
  4. On the Config tab, from the Virtual Router drop-down list, select default.

Screen shot of Palo Alto, picture new4

  1. From the Security Zone drop-down list, select New Zone.
  2. On the Zone page, in the Name text box, type a name for the zone. In our example, the name is vpn-tun.

Screen shot of Palo Alto, picture new5

  1. Click OK, and click OK again.

Screenshot of Palo Alto, picture new6

Configure a Static Route

  1. Select Network > Virtual Routers.
  2. Select the default.

Screen shot of Palo Alto, picture new7

  1. Click Static Routes.
  2. Click Add.
  3. In the Name text box, type a name for the route.
  4. In the Destination text box, type the destination address.
  5. From the Interface drop-down list, select tunnel.1.
  6. From the Next Hop drop-down list, select None.

Screenshot of Palo Alto, picture new8

  1. Click OK.

Screenshot of Palo Alto, picture new9

  1. Click OK.

Configure the Palo Alto IKE Crypto Profile

  1. Select Network > Network Profiles > IKE Crypto.
  2. In the lower-left corner, click Add.
  3. In the Name text box, type a name for the profile.
  4. In the DH GROUP section, click Add and select group14.
  5. In the ENCRYPTION section, click Add and select aes-256-cbc.
  6. In the AUTHENTICATION section, click Add and select sha256.
  7. Keep the default values for all other settings.

Screenshot of Palo Alto, picture new10

  1. Click OK.

Configure the Palo Alto IPSec Crypto Profile

  1. Select Network > Network Profiles > IPSec Crypto.
  2. In the lower-left corner, click Add.
  3. In the Name text box, type a name for the IPSec Crypto profile.
  4. From the IPSec Protocol drop-down list, select ESP.
  5. In the Encryption section, click Add and select aes-256-cbc.
  6. From the DH Group drop-down list, select group14.
  7. In the Authentication section, click Add and select sha256 (NIST rating 256-bit strength).
  8. Keep the default values for all other settings.

Screenshot of Palo Alto, picture new11

  1. Click OK.

Configure the Palo Alto IKE Gateway

  1. Select Network > Network Profiles > IKE Gateways.
  2. In the lower-left corner, click Add.
  3. In the General section, in the Name text box, type a name.
  4. From the Version drop-down list, select IKEv2 only mode.
  5. For Address Type, select IPv4.
  6. From the Interface drop-down list, select ethernet1/1.
  7. From the Local IP Address drop-down list, select 198.51.100.2/24, which is the Palo Alto WAN connection.
  8. For Peer IP Address Type, select IP.
  9. In the Peer Address text box, type 203.0.113.2, which is the primary IP address of the external Firebox interface.
  10. For Authentication, select Pre-Shared Key.
  11. In the Pre-Shared Key text box, type the pre-shared key.
  12. In the Confirm Pre-Shared Key text box, type the pre-shared key again.
  13. From the Local Identification drop-down list, select None.
  14. From the Peer Identification drop-down list, select None.

Screenshot of Palo Alto, picture new12

  1. Select the Advanced Options tab.
  2. In the IKEv2 section, from the IKE Crypto Profile drop-down list, select the IKE-phase1-profile that you created previously.

Screenshot of Palo Alto, picture new13

  1. Click OK.

Configure the Palo Alto IPSec Tunnel

  1. Select Network > IPSec Tunnels.
  2. In the lower-left corner, click Add.
  3. In the General section, in the Name text box, type a name for the tunnel.
  4. From the Tunnel Interface drop-down list, select the tunnel that you created previously (tunnel.1).
  5. For the Type, select Auto Key.
  6. For the Address Type, select IPv4.
  7. From the IKE Gateway drop-down list, select the gateway that you created previously (IKE-GW).
  8. From the IPSec Crypto Profile drop-down list, select the IPSec-phase2-profile that you created previously.
  9. Select the Show Advanced Options check box.
  10. Select the Enable Replay Protection check box.

Screen shot of Palo Alto, picture new14

  1. Click OK.

Configure the Palo Alto Security Policy

  1. Select Policies > Security.
  2. In the lower-left corner, click Add.
  3. On the General tab, in the Name text box, type a name for the policy.

Screenshot of Palo Alto, picture new15

  1. Select the Source tab, in the Source Zone section, click Add and select trust.

Screenshot of Palo Alto, picture new16

  1. Select the Destination tab, in the Destination Zone section, click Add and select vpn-tun.

Screenshot of Palo Alto, picture new17

  1. Keep all other settings as the default values.
  2. Click OK.
  3. Repeat Steps 1–7 to create another security policy.

Screenshot of Palo Alto, picture new18

  1. In the upper-right corner, click Commit.
    The firewall can take up several minutes to save your change.
  2. Click Close.

Test the Integration

To test the integration, from Fireware Web UI:

  1. Select System Status > VPN Statistics.
  2. Select the Branch Office VPN tab.
  3. Verify that the VPN is established.

Screenshot of Firebox, test VPN Statistic

  1. Verify that Host 1 (behind the Firebox) and Host 2 (behind the Palo Alto firewall) can ping each other.