IPsec site-to-site VPN tunnel between Palo Alto Firewall & FortiGate Firewall

Setting up an IPsec S2S VPN tunnel
Palo Alto & FortiGate Firewall

We are going to walk through an IPsec VPN tunnel between a Palo Alto firewall and a Fortinet firewall, where one site is protected by a FortiGate while the other is protected by a Palo Alto firewall.

We configure the tunnel at each site, avoiding overlapping subnets, so that a secure tunnel can be formed with the required security profiles applied.

Fig 1.1- IPSec Site2Site Tunnel

IPsec Tunnel Palo Alto Firewall
For the VPN connections, we must first create zones.

Step 1: To create zones, navigate to Network > Zones.
Provide details such as Name, Log Setting and Type, and save.

Fig 1.2- Panorama Zones

Step 2: Create Address Objects for the LAN subnets behind the Palo Alto and Fortinet devices. To create an object, navigate to Objects > Addresses.
Provide details such as Name and Type, and save.

Fig 1.3- Panorama Objects

Step 3: Now that the objects are created, create the tunnel interface. Navigate to Network > Interfaces > Tunnel.
Provide details such as interface Name, Virtual Router and Security Zone, and save.

Fig 1.4- Panorama Tunnel Interface

Step 4: Now create the virtual router. Navigate to Network > Virtual Routers and click Add.

Fig 1.5- Panorama Virtual router

Within the virtual router, add a static route under Static Routes > IPv4.

Fig 1.6- Panorama Static Route IPv4

Step 5: Create the IKE Crypto profile (Phase 1) for the VPN connection.
Navigate to Network > IKE Crypto and click Add.

Fig 1.7- Panorama Crypto Profile

Step 6: Similarly, create the IPsec Crypto profile (Phase 2).
Navigate to Network > IPSec Crypto and click Add.

Step 7: Create the IKE Gateway.
Navigate to Network > IKE Gateways and click Add.

Fig 1.8- Panorama IKE Gateway

Step 8: Create the IPsec Tunnel.
Navigate to Network > IPSec Tunnels and click Add.
You can also add a Proxy ID with the Local and Remote network addresses.

Fig 1.9- Panorama IPSec Tunnel

Step 9: Create the security policy. Navigate to Policies > Security and click Add.
Configure the tabs here, such as General, Source, Destination and Action.

IPsec Tunnel FortiGate Firewall

Step 1: In the FortiOS GUI, navigate to VPN > IPsec > Auto Key (IKE) and select Create Phase 1.

Step 2: Name the tunnel, statically assign the IP address of the remote gateway, and set the Local Interface to wan1.

Fig 2.0- Fortigate Firewall

Step 3: Select Preshared Key as the Authentication method and enter the same pre-shared key you chose when configuring the Palo Alto IPsec VPN. Configure this phase to match the Phase 1 encryption settings configured on the Palo Alto device and click OK.

Step 4: Select Create Phase 2. Select the Phase 1 you just configured, and ensure that the encryption settings match the Phase 2 encryption settings configured on the Palo Alto device. Optionally, provide the Source address and Destination address of the networks at each end of the tunnel under Quick Mode Selector.

Fig 2.1- Fortigate Firewall

Configuring the FortiGate policies

Step 1: Navigate to Policy > Policy > Policy and create firewall policies that allow inbound and outbound traffic over the tunnel.

Step 2: In the first (outbound) policy, set the Incoming Interface to lan and set the source Address to all.

Step 3: Set the Outgoing Interface to the tunnel interface and set the Destination Address to all. Configure the Schedule and Service as desired.

Step 4: Create the second (inbound) policy to allow traffic to flow in the opposite direction, and configure the Schedule and Service as desired.

Fig 2.2- Fortigate Firewall

Configuring the static route in the FortiGate

Step 1: Navigate to Router > Static > Static Routes and select Create New.

Step 2: Create a static route with the Destination IP/Mask matching the address of the Palo Alto local network; for Device, select the site-to-site tunnel interface, and click OK. On the FortiGate side, the tunnel configuration is now finished.
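The steps above require that the Phase 1 and Phase 2 settings on both firewalls match, that the Palo Alto Proxy IDs mirror the FortiGate Quick Mode Selectors (local and remote swapped), and that the local and remote subnets do not overlap. The following pre-commit checker is an added example, not code from the article or from either vendor; the algorithm names, group numbers and subnets are constructed sample values, and the ALIASES table maps the two vendors' spellings of the same setting.

```python
import ipaddress

# Constructed sample settings (not from the article) for the two sides of the tunnel.
PALO_ALTO = {
    "ike": {"version": "ikev2", "encryption": "aes-256-cbc", "auth": "sha256", "dh_group": "group14"},
    "ipsec": {"encryption": "aes-256-cbc", "auth": "sha256", "pfs_group": "group14"},
    "proxy_ids": [("10.1.0.0/24", "10.2.0.0/24")],   # (local, remote) as seen from the Palo Alto
}
FORTIGATE = {
    "ike": {"version": "ikev2", "encryption": "aes256", "auth": "sha256", "dh_group": "14"},
    "ipsec": {"encryption": "aes256", "auth": "sha256", "pfs_group": "14"},
    "selectors": [("10.2.0.0/24", "10.1.0.0/24")],   # (src, dst) as seen from the FortiGate
}

# Vendor spellings of the same algorithm or DH group, normalised so they compare equal.
ALIASES = {"aes-256-cbc": "aes256", "aes-128-cbc": "aes128", "group14": "14", "group5": "5"}


def norm(value):
    return ALIASES.get(value, value)


def compare_proposals(pa, fg):
    """Return (phase, parameter, palo_alto_value, fortigate_value) for every mismatch."""
    issues = []
    for phase in ("ike", "ipsec"):
        for key, pa_value in pa[phase].items():
            fg_value = fg[phase].get(key)
            if norm(pa_value) != norm(fg_value):
                issues.append((phase, key, pa_value, fg_value))
    return issues


def compare_selectors(pa_proxy_ids, fg_selectors):
    """Each Palo Alto Proxy ID (local, remote) must appear mirrored as a FortiGate (src, dst).
    Returns the selectors present on only one side, as 'src->dst' strings."""
    mirrored = {(ipaddress.ip_network(r), ipaddress.ip_network(l)) for l, r in pa_proxy_ids}
    fortigate = {(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in fg_selectors}
    return sorted(f"{s}->{d}" for s, d in mirrored ^ fortigate)


def overlapping_subnets(pa_proxy_ids):
    """Local and remote networks of one Proxy ID must not overlap, or routing is ambiguous."""
    return [(l, r) for l, r in pa_proxy_ids
            if ipaddress.ip_network(l).overlaps(ipaddress.ip_network(r))]


if __name__ == "__main__":
    print("proposal mismatches:", compare_proposals(PALO_ALTO, FORTIGATE))
    print("selector mismatches:", compare_selectors(PALO_ALTO["proxy_ids"], FORTIGATE["selectors"]))
    print("overlapping subnets:", overlapping_subnets(PALO_ALTO["proxy_ids"]))
```

An empty list from all three functions means the two sides agree; any entry points at the exact parameter or selector to fix before the tunnel is brought up.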
