Configuring the Palo Alto Networks Device as an IPSec Passthrough

Configuring the Palo Alto Networks Device as an IPSec Passthrough

112478
Created On 09/25/18 17:27 PM - Last Modified 11/19/19 05:19 AM


Environment


Exception : PA-7000, PA-5200 and PA-3200 series

Resolution


Overview

This document describes how to configure the Palo Alto Networks firewall to behave as an IPSec passthrough between VPN terminating devices.

 

Details

Configure a security policy to allow the "ipsec" application traffic between the tunnel endpoints. This will enable the Palo Alto Networks firewall to act as vpn passthrough for traffic between vpn peers.

 

For example

The screenshot below shows devices 198.51.100.1 and 203.0.113.1 (10.0.0.1 internally)  as the vpn peers. The application, "ipsec", is specified under the Application column.

 

ipsec passthrough.png

 

The ipsec application contains the following sub-apps:

  • ike
  • ipsec-ah
  • ipsec-esp
  • ipsec-esp-udp(NAT-T)

The sub-apps above are allowed implicitly when the ipsec application is configured as allowed.

 

owner: saryan

Additional Information


On PA-7000, PA-5200 and PA-3200 series, due to an architectural difference, we use a different technique for session creation of IPSec pass-through traffic.
Security policies must be configured to allow pass-through ESP traffic in both directions on PA-7000, PA-5200 and PA-3200 series platforms.
Please refer to this article.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClpXCAS
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFRCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language