Palo Alto Integration by Using IPsec Tunnels
Palo Alto networks deliver cloud-based security infrastructure for protecting remote networks. It provides security by allowing organizations to set up regional, cloud-based firewalls that protect the SD-WAN fabric.
The Citrix SD-WAN solution already provided the ability to break out Internet traffic from the branch. This is critical to delivering a more reliable, low-latency user experience, while avoiding the introduction of an expensive security stack at each branch. Citrix SD-WAN and Palo Alto Networks now offer distributed enterprises a more reliable and secure way to connect users in branches to applications in the cloud.
Citrix SD-WAN appliances can connect to the Palo Alto cloud service (GlobalProtect Cloud Service) network through IPsec tunnels at the customer’s site.
The key benefits include:
-
Next-generation security delivered globally.
-
Add and manage locations - users and policy deployment centrally.
-
Forward IPsec tunnel traffic to the Palo Alto network.
-
Have SD-WAN appliance configured in high availability mode - If an appliance fails, the IPsec tunnel is established through another appliance.
-
Virtual routing and forwarding deployments.
-
One WAN link as part of internet services.
Configure the following in Citrix SD-WAN GUI:
- Configure IPsec Tunnel.
- Configure IPsec Protected network with local LAN networks as Source subnet and Destination subnet as 0.0.0.0/0 (to send all internet traffic through tunnel).
Configure the following in Palo Alto:
- Configure all necessary IP tunnel details.
- Configure IPsec Peer with SD-WAN IPsec Tunnel Public source IP address.
Verify end-to-end traffic connection:
- From LAN subnet of branch, access internet resources.
- Verify that traffic goes through Citrix SD-WAN IPsec tunnel to Palo Alto global protect cloud service.
- Verify that Palo Alto security policy is applied on traffic.
- Verify response from internet to host in a branch comes through.
Use case 1: Branch-to-Internet
-
Establish IPsec tunnel from each branch to the Palo Alto GlobalProtect Cloud Service GPCS.
-
For branch-to-internet communication, configure protected networks with networks belonging to both the branches.
-
For direct Internet breakout through the GPCS, configure IPsec protected networks on SD-WAN with destination subnet as 0.0.0.0/0.
Use case 2: Active-Standby-Tunnels from SDWAN to internet via Palo Alto
For active/standby, two IPsec tunnels are established with same parameters and the same protected networks to the GPCS and only one tunnel will be active all the time and another one will be on standby mode. This will act as a single conversed unit. To all the protected networks you want to provide IPsec protection, has to be configured on both active and standby tunnel. So that if one tunnel goes down another tunnel comes up with all active networks. This allows tunnels to be available all the time for redirecting Internet traffic by configuring IPsec protected networks.
- Ability to have multiple IPsec tunnels created with Palo Alto from SD-WAN
- Active
- Standby
- SD-WAN is created with multiple IPsec tunnels using Intranet services and matching IKE/IPSec settings (One for Active and one for standby).
- Add all protected networks redundantly for all IPsec tunnel configurations.
- Palo Alto hosts the active and standby tunnel.
- SD-WAN will form tunnels with both and process traffic for the protected networks via the active IPsec tunnel first (if the primary tunnel is eligible)
-
If the primary tunnel goes down either at the SD-WAN end or at Palo Alto end, the traffic goes through the secondary tunnel (The same case for old and new traffic).
The IPsec Security Associations (SAs) are formed as part of the primary and secondary tunnel formation. Hence transition of traffic takes some time (3–5 seconds) to detect new secondary and process all traffic through the newly active IPsec tunnel. The primary tunnel detection to process traffic depends on the route eligibility and is turned to NO if the tunnel goes down and is made YES if it is up.
-
If the primary tunnel comes back up, then the traffic is sent via the primary tunnel again.
To configure IKE and IPsec Tunnel with Palo Alto SWG on SD-WAN:
-
Navigate to Connection > Site > IPsec Tunnels.
-
Configure IKE and IPsec parameters.
For more information about configuring IPsec tunnels, see configure IPsec tunnels between SD-WAN and third party cloud services/devices.
You can specify which traffic to be protected by IPsec using Protected Networks.
Monitoring IPsec tunnel to Palo Alto SWG on SD-WAN:
In the Citrix SD-WAN appliance GUI, go to Monitoring > Statistics. Select IPsec Tunnel from the dropdown list to check the statistics against the tunnel processing the traffic. Traffic that is sent over tunnel can be monitored in the sent and received columns.
Monitoring Route hits for traffic towards Palo Alto IPsec tunnel (to Intranet service as the IPsec tunnel is bound to Intranet service):
Routes indicate traffic that hits against the Intranet service which is currently processing the traffic. To see the route statistics, go to Monitoring > Statistics > Routes and check the statistics against the route processing the traffic.
Use case 3: Branch-to-Branch traffic via Palo Alto SWG
Helps to communicate between the branches and apply security policies on an SWG for branch to branch connection without going via the SD-WAN intermediate node.
For branch-to-branch communication, specify the IPsec policies go through the Palo Alto GlobalProtect Cloud Service (GPCS) first through an IPsec tunnel. GPCS determines if it’s getting traffic from branch 1, and then sends it to branch 2 via an IPsec tunnel by creating policies.
- Create separate tunnel endpoints at Palo Alto one for each branch.
- Each branch uniquely creates an IPsec tunnel with Palo Alto using Intranet services and matching IKE/IPSec Settings.
- Configuration of protected networks in Branch 1 to Palo Alto tunnel 1:
- Source as Branch 1 subnet to destination as Branch 2 subnet
- Mirror the Protected Network on the Palo Alto tunnel Proxy ID side
Follow the similar protected network using Branch 2 to Palo Alto tunnel 2
-
Traffic from Branch 1 to Branch 2 is carried out using Branch 1 to Palo Alto Tunnel 1 IPsec tunnel and then forwarded by Palo Alto into the new tunnel between Palo Alto tunnel 2 to Branch 2 IPsec tunnel. Same is the case for the return traffic.
NOTE:
This traffic is unique in a way that the MCN need not be WAN to WAN forwarding enabled.
- If the branches are NAT’d of the IPs then they would need to be enabled with WAN link NAT address (if static) on the WAN link settings where the intranet service would be enabled to use for IPsec tunnel. If the IP is dynamic, then the branches have to be enabled with Auto Detect Public IP knob.
-
If there is exclusive port NATting then the MCN needs to be enabled with UDP hole punching.
Configuration for Branch 1 SD-WAN to Palo Alto IPsec tunnel 1:
Configuration of Branch 2 SD-WAN to Palo Alto IPsec tunnel 2:
Monitoring IKE/IPsec SA’s for tunnel 1 between Branch 1 to Palo Alto:
Monitoring IKE/IPsec SA’s for tunnel 2 between Branch 1 to Palo Alto:
Monitoring Flows and Firewall for Branch 1 to Palo Alto tunnel 1):
The following screenshot provides the combined monitoring information on flow data and firewall statistics for Branch1 to Palo Alto tunnel 1.
Monitoring Flows and Firewall for Branch 2 to Palo Alto tunnel 2:
The following screenshot provides the combined monitoring information on flow data and firewall statistics for Branch 2 to Palo Alto tunnel 2.
IPsec tunnel statistics monitoring for Branch 1 to Palo Alto 1 tunnel:
IPsec tunnel statistics monitoring for Branch 2 to Palo Alto 2 tunnel:
Use case 4: SD-WAN edge device in high availability mode
-
Configure SD-WAN appliance in high availability mode.
-
Establish IPsec tunnel from each branch to GPCS.
-
Traffic redirection from SD-WAN to GPCS always occurs through the active appliance.
-
Upon a high availability event, secondary SD-WAN appliance takes over and starts sending traffic towards GPCS.
To configure IPsec Tunnel:
- Navigate to Connection > Site > IPsec Tunnels.
-
Configure IKE and IPsec parameters.
For more information about configuring IPsec tunnels, see configure IPsec tunnels between SD-WAN and third party cloud services/devices.
You can specify which traffic to be protected by IPsec using Protected Networks. You can configure maximum of eight protected networks per tunnel.
Monitor IPsec Tunnels:
In the Citrix SD-WAN appliance GUI, go to Monitoring > Statistics. Select IPsec Tunnel from the Show dropdown list. Traffic that is sent over tunnel can be monitored in the sent and received columns.
- Monitoring > IKE/IPsec - You can monitor all IKE and corresponding IPsec SAs.
Configure IPsec in Palo Alto Global Protect Cloud Service (GPCS):
- Log in to Palo Alto Panorama.
- Navigate to Network Profile -> IKE Crypto and configure the IKE crypto suite.
Configure IKE gateway:
- Add IKE Gateway.
- Configure IKE Version.
- Choose the Peer IP Address Type as IP.
- Enter the IKE Peer IP address. This is the Citrix SD-WAN Public IP.
- Configure Authentication type, Pre-Shared Key, Certificate.
-
Configure Pre-shared Key that you are going to use.
-
Click Enable NAT Traversal in the Advanced Options tab page.
Create IPsec Tunnel:
Add an IPsec Tunnel with already created IKE Gateway and IPsec Crypto Profile. Provide the protected network to allow traffic from SD-WAN through the tunnel.
Block applications:
You can block certain applications by configuring firewall rule as follows. This rule is bound to the tunnel created.
Verify end-to-end traffic:
From the branch host access internet and check for internet traffic to appear under the IPsec tunnel statistics in the SD-WAN GUI monitoring page. Check for any blocked sites in Palo Alto GPCS and ensure that the blocked sites are inaccessible from the branch network.