Configurations on Palo Alto

Describes how to configure IPsec tunnels on a Palo Alto device using IKEv2.

Note: This document does not specify the security zones that the interfaces must be configured in. Depending on the network setup, admins must configure the zones appropriately and ensure that there are rules to allow traffic between the zones.

In the following example guide, ethernet1/1 is the internet-facing interface and ethernet1/2 is the internal client-facing interface.

The following are the high-level steps to configure the Palo Alto device:

Steps

  1. Configure two tunnel interfaces for primary and secondary connections.
  2. Configure an IKE crypto profile.
  3. Configure an IPsec crypto profile.
  4. Configure the primary and secondary IKE gateways to the Forcepoint ONE SSE cloud.
  5. Configure a profile for monitoring the tunnel.
  6. Configure IPsec tunnels and associate the IKE gateway and tunnel interface.
  7. Configure two policy-based forwarding rules to route traffic through the primary tunnel, and through the secondary tunnel when the primary is down.