How To Configure Tunnel Monitoring and PBF Monitoring for Symantec WSS Tunnel

Created On 04/18/19 04:45 AM - Last Modified 04/18/19 20:59 PM


Objective


Implement Symantec Web Security Service (WSS) in the cloud using the Firewall/VPN access method, and:
– Monitor the IPSec site-to-site VPN tunnel: mark the IPSec tunnel down if the monitored IP is unreachable
– Monitor the Policy Based Forwarding (PBF) rule: disable the PBF rule if the monitored IP is unreachable

Expected behavior
– When the IPSec tunnel is UP: the PBF rule is enabled and HTTP traffic is forwarded into the Symantec WSS tunnel.
– When the IPSec tunnel is DOWN: the PBF rule is disabled and HTTP traffic is routed according to the active routing table.


Environment


  • Palo Alto Networks firewall onsite
  • Symantec WSS in the cloud
  • Using the Trans-Proxy (Explicit Proxy over IPSec) design
  • IPSec site-to-site VPN tunnel configured on both the Palo Alto Networks firewall and the Symantec WSS Admin console
  • PBF rule configured on the Palo Alto Networks firewall to forward HTTP traffic into the Symantec WSS tunnel

 



Procedure


In this example, the following parameters are used:

Local site network (user subnet):
– 10.1.1.0/24 (firewall zone: trust)

Palo Alto Networks firewall:
– Tunnel interface: tunnel.1 with IP address 192.168.1.254/32 (firewall zone: WSS_tunnel)
– IKE gateway: WSS_IKE_Gateway_1 with Peer IP 199.19.248.164 (a Symantec datacenter IP)
– IPSec tunnel: WSS_Tunnel_1 with Local Proxy ID 10.1.1.0/24 (matching the local site network above)
– PBF rule: WSS_OverIPsec_1 with Egress Interface tunnel.1
– The security policy rule needed to allow HTTP traffic from the trust zone to the WSS_tunnel zone

Assuming that both the Palo Alto Networks firewall and the Symantec WSS Admin console are properly configured, the Tunnel Interface Status should show UP (green) under Network > IPSec Tunnels.

Tunnel Monitoring
To monitor the IPSec tunnel, enable the Tunnel Monitor properties in the IPSec tunnel configuration under Network > IPSec Tunnels > tunnel_name. The firewall sends the monitor keep-alive using the tunnel interface IP as the source address, so that probe must fall inside a Proxy ID of the tunnel; otherwise no IPSec SA carries it and Tunnel Monitoring cannot work.
The existing IPSec tunnel WSS_Tunnel_1 is configured with Local Proxy ID 10.1.1.0/24, which does not cover the tunnel.1 interface IP 192.168.1.254/32.
Referring to the Symantec WSS guide (p. 90), only one Proxy ID can be specified per WSS tunnel configuration, so a second Proxy ID for the monitor traffic cannot simply be added to WSS_Tunnel_1.

Solution
To properly monitor the IPSec tunnel, create a second IPSec tunnel on the same tunnel interface and IKE gateway with the following parameters:
– IPSec tunnel name: WSS_Tunnel_2
– Tunnel interface: tunnel.1
– Type: <follow WSS_Tunnel_1 settings>
– IKE gateway: WSS_IKE_Gateway_1
– IPSec Crypto profile: <follow WSS_Tunnel_1 settings>
– Select Tunnel Monitor
– Enter Destination IP 199.19.248.164 (the Symantec datacenter IP)
– Select a Monitor Profile
– Click the Proxy IDs tab > Add > name the entry WSS_Tunnel_2_proxy
– Local Proxy ID 192.168.1.254/32
– Remote Proxy ID 199.19.248.164/32
– Click OK to close all dialog windows, then Commit
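The reason WSS_Tunnel_2 is needed can be checked offline. The following is an added example written for this article, not code from the article or from Palo Alto Networks: it models IPSec proxy-ID matching for the monitor keep-alive (sourced from the tunnel interface IP) against the proxy IDs of WSS_Tunnel_1 and WSS_Tunnel_2. The addresses and proxy IDs are the article's own; the remote proxy ID 0.0.0.0/0 for WSS_Tunnel_1 and the function names are assumptions made for this example.

```python
"""Which IPSec proxy ID (if any) would carry the tunnel/PBF monitor probe?

Added example, not from the Palo Alto Networks article. A tunnel-monitor
or PBF keep-alive is sent from the tunnel interface IP to the monitor
destination; it only traverses the IPSec tunnel if some proxy ID covers
that source/destination pair.
"""
import ipaddress
from typing import Dict, Optional, Tuple

ProxyIds = Dict[str, Tuple[str, str]]   # name -> (local prefix, remote prefix)


def _covers(prefix: str, addr: str) -> bool:
    """True if addr is inside prefix (a /32 proxy ID is a single host)."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def matching_proxy_id(proxy_ids: ProxyIds, src: str, dst: str) -> Optional[str]:
    """Return the first proxy ID whose local prefix covers src and whose
    remote prefix covers dst, or None if no SA would carry the packet."""
    for name, (local, remote) in proxy_ids.items():
        if _covers(local, src) and _covers(remote, dst):
            return name
    return None


def monitor_probe_is_carried(proxy_ids: ProxyIds, tunnel_if_ip: str, monitor_dst: str) -> bool:
    """Monitor probes use the tunnel interface IP as source, so they are
    only carried if a proxy ID covers (tunnel_if_ip -> monitor_dst)."""
    return matching_proxy_id(proxy_ids, tunnel_if_ip, monitor_dst) is not None


# --- Parameters from the article -------------------------------------------
TUNNEL_IF_IP = "192.168.1.254"     # tunnel.1 interface IP
WSS_DC_IP = "199.19.248.164"       # Symantec datacenter IP / monitor destination

# WSS_Tunnel_1: one proxy ID for the user subnet. The article gives only the
# local side; the remote prefix 0.0.0.0/0 is an assumption for this example.
WSS_TUNNEL_1: ProxyIds = {"WSS_Tunnel_1_proxy": ("10.1.1.0/24", "0.0.0.0/0")}

# WSS_Tunnel_2: proxy ID added specifically for the monitor traffic.
WSS_TUNNEL_2: ProxyIds = {"WSS_Tunnel_2_proxy": ("192.168.1.254/32", "199.19.248.164/32")}

# Both tunnels terminate on tunnel.1 and share the IKE gateway, so the
# firewall effectively has both proxy IDs available on that interface.
ALL_PROXY_IDS: ProxyIds = {**WSS_TUNNEL_1, **WSS_TUNNEL_2}


if __name__ == "__main__":
    for name, pids in (("WSS_Tunnel_1 only", WSS_TUNNEL_1), ("with WSS_Tunnel_2", ALL_PROXY_IDS)):
        print(f"{name}: monitor probe {TUNNEL_IF_IP} -> {WSS_DC_IP} matched "
              f"{matching_proxy_id(pids, TUNNEL_IF_IP, WSS_DC_IP)}")
    # A user flow from the trust subnet is still carried by WSS_Tunnel_1's proxy ID.
    print("user flow 10.1.1.10 ->", WSS_DC_IP, "matched",
          matching_proxy_id(ALL_PROXY_IDS, "10.1.1.10", WSS_DC_IP))
```

With WSS_Tunnel_1 alone the probe matches nothing, which is why the tunnel monitor can never come up on that tunnel; with WSS_Tunnel_2 present the probe matches WSS_Tunnel_2_proxy while user traffic from 10.1.1.0/24 still matches WSS_Tunnel_1_proxy.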

After the commit, the new tunnel WSS_Tunnel_2 should also show interface status UP (green).
To check the Tunnel Monitoring status from the CLI, see the article How to Verify if IPSec Tunnel Monitoring is Working.

Ideally the output shows monitor: on and monitor status: up, with the corresponding monitor counters incrementing. This indicates Tunnel Monitoring is working.

PBF Monitoring
After Tunnel Monitoring is working, configure monitoring on the PBF rule under Policies > Policy Based Forwarding. The firewall sends the PBF keep-alive using the Egress Interface IP as the source address.

In this example, the PBF keep-alive is sent from the tunnel.1 interface (192.168.1.254) to destination 199.19.248.164. This traffic matches the Proxy ID of IPSec tunnel WSS_Tunnel_2 configured above, so it is carried inside the tunnel.

1) Select the existing PBF rule WSS_OverIPsec_1 and click the Forwarding tab.
2) Select the Monitor checkbox.
3) Select the same Monitor Profile used for IPSec tunnel WSS_Tunnel_2.
4) Select 'Disable this rule if nexthop/monitor ip is unreachable'.
5) Specify IP Address 199.19.248.164 (the Symantec datacenter IP).
6) Click OK to close all dialog windows, then Commit.

After the commit, check the PBF monitoring status from the CLI as described in the article Policy based forwarding rule is not applied when the monitoring host is unreachable.

Ideally the output shows NextHop Status: UP with the keep-alive counters KA sent: and KA got: both greater than 0 (zero). This indicates PBF Monitoring is working. If KA sent: increments but KA got: stays at 0, the probes are leaving the firewall but are not being answered, and the rule will be disabled once the Monitor Profile threshold is reached.

Testing
To test that Tunnel Monitoring and PBF Monitoring behave as expected, simulate a tunnel failure by changing the Tunnel Peer IP in the Symantec WSS Admin console. The tunnel monitor status should go down, the PBF rule should be disabled, and HTTP traffic from 10.1.1.0/24 should follow the active routing table instead of the tunnel. Restore the peer IP afterwards and confirm the monitor comes back up and the PBF rule is re-enabled.


Additional Information


About Trans-Proxy (Explicit Proxy over IPSec):
A trans-proxy deployment is one where the same web request is initiated by the browser as an explicit proxy connection but seen by the Symantec Web Security Service as a transparent request. This is achieved by PAC files installed on the browsers that route to the firewall device, which in turn provides the IPSec connection to the Web Security Service.

The initial IPSec VPN setup between the Palo Alto Networks firewall and Symantec WSS is described on pages 84-97 of Symantec Web Security Service: Firewall/VPN Access Method Guide (version 6.10.4.3, 29 Mar 2019).

For additional information, please review the following articles:
How to Configure IPSec VPN
How to Verify if IPSec Tunnel Monitoring is Working
Policy based forwarding rule is not applied when the monitoring host is unreachable
Understanding behavior of PBF and Tunnel monitoring probes

External links:
Symantec Web Security Service: Firewall/VPN Access Method Guide (version 6.10.4.3, 29 Mar 2019; Palo Alto Networks Firewall section on pages 84-97)
Data Center IP addresses for Symantec Web Security Service