Configuring a GRE tunnel between Palo Alto Networks Firewalls
Created On 06/30/22 13:17 PM - Last Modified 10/17/25 13:32 PM
Objective
- GRE tunnel configuration is explained in the Documentation
- This article provides additional help for configuring a GRE tunnel between two Palo Alto firewalls, with an example of reaching the server behind Firewall B over the GRE tunnel
Environment
- Palo Alto Firewall
- Supported PAN-OS.
- GRE tunnels
Procedure
Topology:
Ethernet1/2 on both firewalls is preconfigured with IP addresses as per the diagram.
Firewall A:
1. Log in to the GUI of Palo Alto firewall A and configure a tunnel interface
- Navigate to Network -> Interfaces -> Tunnel -> click "Add"
- Enter the interface number and select the Virtual Router and Zone under the "Config" tab
- Under the "IPv4" tab, enter the IP address
2. Configure the GRE tunnel
- Navigate to Network -> GRE tunnels -> click "Add"
- Enter the Interface, Local Address, Peer Address, and Tunnel Interface as shown in the picture
3. Configure a static route to reach the remote network via the GRE tunnel
- Navigate to Network -> Virtual Routers -> edit the virtual router -> Static -> Add under IPv4
- Configure the static route as shown in the picture
4. Configure a security policy to allow traffic over GRE. In this example, the GRE interface and the inside interface are part of the same zone, so the intrazone policy allows the traffic.
5. Commit
Firewall B:
1. Log in to the GUI of Palo Alto firewall B and configure a tunnel interface
- Navigate to Network -> Interfaces -> Tunnel -> click "Add"
- Enter the interface number and select the Virtual Router and Zone under the "Config" tab
- Under the "IPv4" tab, enter the IP address
2. Configure the GRE tunnel
- Navigate to Network -> GRE tunnels -> click "Add"
- Enter the Interface, Local Address, Peer Address, and Tunnel Interface as shown in the picture
3. Configure a security policy to allow traffic over GRE. In this example, the GRE interface and the inside interface are part of the same zone, so the intrazone policy allows the traffic.
4. Commit
Verification:
On Firewall A, log in to the CLI and ping the remote server 10.10.100.1:
admin@sanwall> ping source 192.168.1.1 host 10.10.100.1
PING 10.10.100.1 (10.10.100.1) from 192.168.1.1 : 56(84) bytes of data.
64 bytes from 10.10.100.1: icmp_seq=1 ttl=64 time=12.8 ms
64 bytes from 10.10.100.1: icmp_seq=2 ttl=64 time=12.0 ms
64 bytes from 10.10.100.1: icmp_seq=3 ttl=64 time=12.9 ms
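A consistency check for the values entered in the steps above, as an added example that is not part of the original article or of Palo Alto Networks tooling: it confirms that the local and peer addresses mirror each other, that the tunnel interface addresses share a subnet, and that both firewalls route the ping's source and destination through the tunnel. The dictionary layout and function names are hypothetical, the endpoint addresses and the /30 and /24 masks are constructed, and treating 192.168.1.1 as Firewall A's tunnel interface address is an assumption; only 192.168.1.1 and 10.10.100.1 come from the article.

```python
import ipaddress

# Constructed sample values: the article's real addresses are only in its screenshots.
# Assumption: 192.168.1.1 (the ping source) is Firewall A's tunnel interface address.
FW_A = {"local": "203.0.113.1", "peer": "203.0.113.2", "tunnel_if": "tunnel.1",
        "tunnel_ip": "192.168.1.1/30", "routes": {"10.10.100.0/24": "tunnel.1"}}
FW_B = {"local": "203.0.113.2", "peer": "203.0.113.1", "tunnel_if": "tunnel.1",
        "tunnel_ip": "192.168.1.2/30", "routes": {}}


def via_tunnel(fw, ip):
    """True if the longest-prefix match for ip leaves through fw's tunnel interface."""
    addr = ipaddress.ip_address(ip)
    # Connected tunnel subnet plus the configured static routes.
    table = {ipaddress.ip_interface(fw["tunnel_ip"]).network: fw["tunnel_if"]}
    table.update({ipaddress.ip_network(n): i for n, i in fw["routes"].items()})
    matches = [net for net in table if addr in net]
    if not matches:
        return False
    return table[max(matches, key=lambda net: net.prefixlen)] == fw["tunnel_if"]


def check_gre_pair(a, b, src, dst):
    """Return a list of findings; an empty list means the two sides are consistent."""
    findings = []
    # Each side's peer address must be the other side's local address.
    if a["local"] != b["peer"] or a["peer"] != b["local"]:
        findings.append("local/peer addresses are not mirrored")
    # Tunnel interfaces must be distinct hosts in one subnet.
    ia = ipaddress.ip_interface(a["tunnel_ip"])
    ib = ipaddress.ip_interface(b["tunnel_ip"])
    if ia.network != ib.network or ia.ip == ib.ip:
        findings.append("tunnel interface addresses must be distinct hosts in one subnet")
    # Forward path (static route on A) and return path (on B).
    if not via_tunnel(a, dst):
        findings.append(f"Firewall A has no route to {dst} via {a['tunnel_if']}")
    if not via_tunnel(b, src):
        findings.append(f"Firewall B has no return route to {src} via {b['tunnel_if']}")
    return findings


if __name__ == "__main__":
    for finding in check_gre_pair(FW_A, FW_B, "192.168.1.1", "10.10.100.1") or ["consistent"]:
        print(finding)
```

With these sample values, a ping sourced from an address outside the tunnel subnet is reported, because the sample Firewall B carries no static route back to it.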