Is it Required To Allow Tunnel Interface IP Addresses With A Security Policy On The Firewall?
Created On 09/15/22 03:21 AM - Last Modified 03/18/23 01:53 AM
Question
Is it Required To Allow Tunnel Interface IP Addresses With A Security Policy On The Firewall?
Environment
- Palo Alto Networks firewalls.
- Supported PAN-OS.
- IPSec Tunnels.
- Tunnel Monitoring.
Answer
- When a site-to-site tunnel is configured with static routing, the tunnel interface does not require an IP address. To enable tunnel monitoring, consider adding an IP address.
- If path monitoring is enabled on the static route for the VPN tunnel and is configured to monitor the VPN peer's tunnel interface IP address, then it is necessary to allow the tunnel interface IP addresses in a security policy to keep the tunnel up.
- When narrowing down the security policy to specific source and destination addresses, address objects or address groups, make sure that the tunnel interface IP addresses remain allowed in the security policy in the configuration scenario above.
- If the tunnel interface IP addresses are not allowed in a security rule, the path-monitor pings will fail and path monitoring will bring the tunnel down.
- Alternatively, path monitoring can be configured to monitor another IP address behind the VPN tunnel instead of the tunnel interface IP address. That configuration does not require the tunnel interface IP addresses to be allowed in a security policy.
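The following is an added example, not part of this article and not Palo Alto Networks code: a small offline audit script that walks a firewall configuration export, finds every static route whose path monitor targets a tunnel interface IP, and reports the probe flows that no security rule allows. The XML fragment is constructed and simplified (element paths are modelled on the PAN-OS layout but trimmed; names and addresses are illustrative), zones and the default intrazone/interzone rules are ignored, and both probe directions (local tunnel IP to monitored peer and peer to local tunnel IP) are checked so that a rule that covers only one direction is still flagged.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, simplified config fragment modelled on the PAN-OS XML layout.
# Element paths are trimmed and all names/addresses are illustrative.
SAMPLE_CONFIG = """<config>
  <network>
    <interface><tunnel><units>
      <entry name="tunnel.1"><ip><entry name="10.255.0.1/30"/></ip></entry>
      <entry name="tunnel.2"/>
    </units></tunnel></interface>
    <virtual-router><entry name="default"><routing-table><ip><static-route>
      <entry name="to-branch-A">
        <destination>192.168.10.0/24</destination>
        <interface>tunnel.1</interface>
        <path-monitor>
          <enable>yes</enable>
          <monitor-destinations>
            <entry name="peer-tunnel-ip"><destination>10.255.0.2</destination></entry>
          </monitor-destinations>
        </path-monitor>
      </entry>
    </static-route></ip></routing-table></entry></virtual-router>
  </network>
  <address>
    <entry name="branch-A-net"><ip-netmask>192.168.10.0/24</ip-netmask></entry>
    <entry name="hq-net"><ip-netmask>10.1.0.0/16</ip-netmask></entry>
  </address>
  <rulebase><security><rules>
    <entry name="hq-to-branch-A">
      <action>allow</action>
      <source><member>hq-net</member></source>
      <destination><member>branch-A-net</member></destination>
    </entry>
  </rules></security></rulebase>
</config>"""

# Hypothetical remediation: a rule that explicitly permits the tunnel endpoint pair.
REMEDIATION_RULE = """
    <entry name="allow-tunnel-monitor">
      <action>allow</action>
      <source><member>10.255.0.1</member><member>10.255.0.2</member></source>
      <destination><member>10.255.0.1</member><member>10.255.0.2</member></destination>
    </entry>"""
FIXED_CONFIG = SAMPLE_CONFIG.replace("<rules>", "<rules>" + REMEDIATION_RULE, 1)


def tunnel_interface_ips(root):
    """Map tunnel unit name -> its configured IP (units without an IP are skipped)."""
    ips = {}
    for unit in root.iterfind("./network/interface/tunnel/units/entry"):
        ip_entry = unit.find("./ip/entry")
        if ip_entry is not None:
            ips[unit.get("name")] = ipaddress.ip_interface(ip_entry.get("name")).ip
    return ips


def path_monitor_targets(root):
    """Yield (route name, egress interface, monitored IP) for enabled path monitors."""
    targets = []
    for route in root.iterfind(".//static-route/entry"):
        pm = route.find("path-monitor")
        if pm is None or pm.findtext("enable") != "yes":
            continue
        for dest in pm.iterfind("monitor-destinations/entry"):
            targets.append((route.get("name"), route.findtext("interface"),
                            ipaddress.ip_address(dest.findtext("destination"))))
    return targets


def address_objects(root):
    """Resolve ip-netmask address objects to networks (other object types ignored)."""
    objs = {}
    for entry in root.iterfind("./address/entry"):
        net = entry.findtext("ip-netmask")
        if net:
            objs[entry.get("name")] = ipaddress.ip_network(net, strict=False)
    return objs


def member_matches(member, ip, objs):
    """True if a rule member ('any', an address object, or a literal IP/CIDR) covers ip."""
    if member == "any":
        return True
    if member in objs:
        return ip in objs[member]
    try:
        return ip in ipaddress.ip_network(member, strict=False)
    except ValueError:
        return False  # unresolved object name or non-IP member such as an FQDN


def first_matching_action(root, src, dst, objs):
    """First-match evaluation on source/destination only; no match means deny."""
    for rule in root.iterfind("./rulebase/security/rules/entry"):
        if rule.findtext("disabled") == "yes":
            continue
        s_ok = any(member_matches(m.text, src, objs) for m in rule.iterfind("source/member"))
        d_ok = any(member_matches(m.text, dst, objs) for m in rule.iterfind("destination/member"))
        if s_ok and d_ok:
            return rule.findtext("action")
    return "deny"


def unprotected_monitors(xml_text):
    """Return (route, src, dst) triples for path-monitor probe flows no rule allows."""
    root = ET.fromstring(xml_text)
    objs = address_objects(root)
    local_ips = tunnel_interface_ips(root)
    problems = []
    for route, iface, target in path_monitor_targets(root):
        local = local_ips.get(iface)
        if local is None:
            continue  # tunnel has no IP, so no probe can be sourced from it
        for src, dst in ((local, target), (target, local)):
            if first_matching_action(root, src, dst, objs) != "allow":
                problems.append((route, str(src), str(dst)))
    return problems


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_CONFIG), ("after", FIXED_CONFIG)):
        print(label, unprotected_monitors(cfg))
```

Against the constructed config the narrowed rule `hq-to-branch-A` covers only the user subnets, so both probe flows between 10.255.0.1 and 10.255.0.2 are reported; after the hypothetical `allow-tunnel-monitor` rule is prepended nothing is flagged. On a real export the same walk would be run over the vsys rulebase and would additionally need zone matching, address groups and FQDN objects to be resolved before the result is trusted.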