Palo Alto Networks : Policy based VPN vs Route based VPN
Policy-Based VPN (PBF) and Route-Based VPN (RBF) are two techniques for establishing Virtual Private Networks (VPNs): the first selects the tunnel through the security policy, the second through the routing table.
Fig 1.1 - Policy based VPN vs Route based VPN
Route-Based VPN
A route-based VPN is one in which the security policy does not name a specific VPN tunnel. Instead, the VPN tunnel is selected indirectly through a route that points to a particular tunnel interface. The tunnel interface can be bound to either a VPN tunnel or a tunnel zone.
Traffic is encrypted and decrypted as it passes through the tunnel interface. A tunnel interface must be bound to a VPN tunnel and placed in a security zone; this is required to set up a route-based VPN.
Tunnel interfaces can be either numbered or unnumbered. If the tunnel interface is unnumbered, it normally borrows its IP address from an interface in the security zone.
Reasons for Using a Route-Based VPN:
- Source or Destination NAT (NAT-Src, NAT-Dst) needs to be applied to traffic as it traverses the VPN
- Overlapping Subnets/IP Addresses between the two LANs
- Hub-and-spoke VPN topology
- Design requires Primary and Backup VPN
- A dynamic routing protocol (e.g. OSPF, RIP, BGP) is running across the VPN
- Need to access multiple subnets or networks at the remote site, across the VPN
Policy-based VPN
A policy-based VPN specifies the tunnel by using the action "IPSec" within the security policy itself, and only one policy is needed. A route-based VPN instead uses two policies, one for inbound and one for outbound traffic, both with the standard "Accept" action.
Reasons for Using a Policy-based VPN:
- The remote VPN device is different from the devices you administer
- Need to access only one subnet or one network at the remote site, across the VPN
Fig 1.2 - Palo Alto Networks : Policy based VPN vs Route based VPN
To summarize, the choice between PBF and RBF is determined by your networking and security needs. PBF provides granular control over which traffic enters the tunnel, making it well suited to selective VPN routing, whereas RBF simplifies VPN implementation by relying on routing decisions, which is advantageous in larger and more complex networks.