By Manny Fernandez
In this article, I am using "WAY OLD" PAN OS. Mostly because I no longer own an updated PAN box. I am going to be installing a VM in a couple of weeks and will be doing some compare and contrast articles and some PAN VM to Fortigate VMs performance comparison so stay tuned, this could get interesting.
In PAN, rather than creating a VPN in one section, as in the Fortigate, it is broken down into pieces similar to Cisco. Cisco creates separate phase I and phase II sections and then a crypto map and an access list, etc. In the case of PAN, you need to set up what I like to call "the ingredients" for the VPN and then create the VPN "dish" itself. If you understand IPSec it's not that bad.
The graphic above was part of a deliverable I created for a customer a while back when I was running service for a reseller and installing PAN, Fortigate and plenty of Cisco ASAs. It give you a good overview of what each "ingredient" does.
Most of these sections will be under Network and then on the left, you will see the options to configure the next few sections.
In this section, we will configure the Phase I proposals. As you can see below, we have the IKE Crypto Profile and within it, we can see that we are using AES256 as the encryption scheme, the hashing or Authentication is SHA256 with a Diffie-Hellman (DH) group of 5.
IKE Crypto Profile
In the IPSec Crypto Profile section, you will define your Phase II proposals. A you can see below, we are using:
IPSec Crypto Profile
Next we will create the gateway where we will define the remote peer IP, pre-shared key, and the IKE Crypto Profile.
Under the IKE Gateway configuration, we will define:
Again, you will need to go to Network then Zones then choose the add button.
If you want to allow ping as an example to the Palo Alto device, you will need to define it under the Interface Mgmt section which is under the Network tab.
Here you can choose what you want to allow in this profile.
We will need to create a Tunnel Interface
You will need to create a new Tunnel Interface
Click the Add button the bottom left of the screen.
You can add the Interface Mgmt profile we created before by clicking the Advanced button under the Tunnel Interface configuration.
Then choose OK
Finally we put the ingredients together to form the dish (VPN Tunnel).
In the screenshot above, you can see:
Next choose the Phase II selectors or the IP addresses you will be presenting in the VPN to the remote peers. This defines what is interesting traffic.
NOTE: For a true route-based VPN, you can leave this alone and it will default to 0.0.0.0/0/.
Now we will create a policy to permit traffic in and out of the tunnel.
You will need to go to Policies tab, then choose Security. Now click the Add button on the bottom left.
Choose a source zone and choose Source Address as needed.
Now choose the VPN zone we created earlier.
Choose the Application and Service / URL Category as needed. The Actions tab will tell you what to do with the matching traffic. In our case, we want to Allow . Additionally, you can send logs to an external syslog if desired.
Service / URL Category
Now that you have finished the configuration for the PAN side, you will need to commit the changes.
IMHO, the Fortigate is much easier to configure from a number of steps perspective. Lets get started.
Go to VPN and choose IPsec Tunnel then choose Create New
Give it a descriptive name as you will not be able to change after you create it, and choose Custom and Next
Unlike the PANOS where you need to create the Ingredients and then cook, the Fortigate is configured all from the same screen, save for Policies and Routes.
As you can see I have :
Again, Fortigate's Phase II is configured on the same screen as the previous screenshot.
In the ForiOS, the VPN process above will automatically create the tunnel interface for you
It will use the Interface you chose in the VPN first section to bind the tunnel interface to you.
Here we can define the "PAN Equivalent" of Interface Mgmt profile as well as the Tunnel interface with the tunnel IP.
We will need to define the policies to permit traffic in and out of the VPN Tunnel we just created.
Now you can create in reverse order simply by right-clicking the policy you just created and choose Clone in Reverse
Clone in Reverse
I have worked on PAN, Fortigate, Cisco, Checkpoint, Sidewinder, NetScreen, Watchguard and probably every single firewall that has ever been on the market….. yes including Border Manager from Novell (Don't laugh). IMHO, I think the PAN implementation can be simplified substantially. I am sure it gives a level of granularity although that is a matter of opinion either way.
Hope this helps