Palo Alto Networks Knowledgebase: Proxy-ID for VPNs Between Palo Alto Networks and Firewalls with Policy-based VPNs

Proxy-ID for VPNs Between Palo Alto Networks and Firewalls with Policy-based VPNs

Created On 08/05/19 19:57 PM - Last Updated 08/05/19 20:11 PM
VPNs
Resolution

The differences between policy-based VPNs and route-based VPNs are:

Policy-based VPNs

  1. The IPSec tunnel is invoked during policy lookup for traffic matching the interesting traffic.
  2. There are no tunnel interfaces. The remote end of the interesting traffic has a route pointing out through the default gateway.
  3. As there are no tunnel interfaces, routing over VPNs is not possible.
  4. The policies/access-lists configured for the interesting traffic serve as the proxy-IDs for the tunnels.
  5. Firewalls that support policy-based VPNs: Juniper SRX, Juniper Netscreen, ASA, and Checkpoint.

Route-based VPNs

  1. The IPSec tunnel is invoked during route lookup for the remote end of the proxy-IDs.
  2. The remote end of the interesting traffic has a route pointing out through the tunnel interface.
  3. Support routing over VPNs.
  4. Proxy-IDs are configured as part of the VPN setup.
  5. Firewalls that support route-based VPNs: Palo Alto Networks firewalls, Juniper SRX, Juniper Netscreen, and Checkpoint.

Palo Alto Networks firewalls do not support policy-based VPNs. Policy-based VPNs have specific security rules/policies or access-lists (source addresses, destination addresses, and ports) configured to permit the interesting traffic through IPSec tunnels. These rules are referenced during quick mode (IPSec phase 2) and are exchanged in the 1st or 2nd message as the proxy-IDs. If the Palo Alto Networks firewall is not configured with proxy-ID settings, the ikemgr daemon sets the proxy-ID to the default values of source IP 0.0.0.0/0, destination IP 0.0.0.0/0, and application any, and exchanges these with the peer during the 1st or 2nd message of quick mode. A successful phase 2 negotiation requires not only that the security proposals match, but also that the proxy-IDs on the two peers be mirror images of each other (the local selector on one side is the remote selector on the other).

So it is mandatory to configure the proxy-IDs whenever you establish a tunnel between a Palo Alto Networks firewall and a firewall configured for policy-based VPNs.
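To make the "mirror image" requirement concrete, the following is an added example (not code from the article or from Palo Alto Networks) that models each side's proxy-IDs and reports which ones have no mirrored counterpart on the peer. The sample selectors, the `ProxyID` class and the helper names are constructed for illustration; the only values taken from the article are the defaults that ikemgr offers when no proxy-ID is configured (0.0.0.0/0 to 0.0.0.0/0, application any). The port and protocol fields are an assumption about how a peer's access-list line would be represented; the checker treats "ip" as equivalent to "any".

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network


@dataclass(frozen=True, order=True)
class ProxyID:
    """One traffic selector as each side sees it: local <-> remote."""
    local: str             # local network in CIDR notation
    remote: str            # remote network in CIDR notation
    protocol: str = "any"  # "any" or an IP protocol name (assumed field)
    local_port: int = 0    # 0 means any port (assumed field)
    remote_port: int = 0


def normalize(pid: ProxyID) -> ProxyID:
    """Canonicalise CIDRs and protocol names so equal selectors compare equal."""
    proto = pid.protocol.lower()
    if proto in ("ip", "any", "0"):   # assumption: these all mean "any protocol"
        proto = "any"
    return replace(
        pid,
        local=str(ip_network(pid.local, strict=False)),
        remote=str(ip_network(pid.remote, strict=False)),
        protocol=proto,
    )


def mirror(pid: ProxyID) -> ProxyID:
    """Rewrite a peer's selector from our point of view (swap local and remote)."""
    return replace(pid, local=pid.remote, remote=pid.local,
                   local_port=pid.remote_port, remote_port=pid.local_port)


def unmatched_proxy_ids(our_ids, peer_ids):
    """Return (ours without a mirror on the peer, peer's without a mirror on ours).

    Each proxy-ID pair negotiates its own phase 2 SA, so any entry in either
    list is an SA that will not come up.
    """
    ours = {normalize(p) for p in our_ids}
    theirs_mirrored = {normalize(mirror(p)) for p in peer_ids}
    return sorted(ours - theirs_mirrored), sorted(theirs_mirrored - ours)


def selectors_mirror(our_ids, peer_ids) -> bool:
    """True when every proxy-ID on each side has its mirror image on the other."""
    missing_ours, missing_theirs = unmatched_proxy_ids(our_ids, peer_ids)
    return not missing_ours and not missing_theirs


# Constructed sample: Palo Alto Networks side with no proxy-ID configured, so
# ikemgr offers the article's defaults (0.0.0.0/0 <-> 0.0.0.0/0, application any).
PAN_DEFAULT = [ProxyID("0.0.0.0/0", "0.0.0.0/0")]

# Constructed sample: a policy-based peer's access-list, in the peer's own view
# (its local 10.2.0.0/24 talking to our 10.1.0.0/24 and 10.1.1.0/24).
PEER_ACL = [
    ProxyID("10.2.0.0/24", "10.1.0.0/24"),
    ProxyID("10.2.0.0/24", "10.1.1.0/24"),
]

# Constructed sample: proxy-IDs explicitly configured on the Palo Alto side,
# one per access-list line, with local and remote swapped relative to the peer.
PAN_CONFIGURED = [
    ProxyID("10.1.0.0/24", "10.2.0.0/24"),
    ProxyID("10.1.1.0/24", "10.2.0.0/24"),
]


def report(label, our_ids, peer_ids):
    """Print which selectors would leave a phase 2 SA un-negotiated."""
    missing_ours, missing_theirs = unmatched_proxy_ids(our_ids, peer_ids)
    print(f"{label}: {'OK' if selectors_mirror(our_ids, peer_ids) else 'MISMATCH'}")
    for p in missing_ours:
        print(f"  our proxy-ID {p.local} -> {p.remote} has no mirror on the peer")
    for p in missing_theirs:
        print(f"  peer expects {p.local} -> {p.remote} (our view) but we do not offer it")


if __name__ == "__main__":
    report("no proxy-ID configured", PAN_DEFAULT, PEER_ACL)
    report("proxy-IDs configured", PAN_CONFIGURED, PEER_ACL)
```

Run as-is, the first report shows the failure mode the article describes: the default 0.0.0.0/0 selector is not a mirror of the peer's access-list entries, so neither of the peer's two SAs can be negotiated. The second report shows that one proxy-ID per access-list line, with local and remote swapped, satisfies the check.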

owner: kprakash



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClW8CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail