Palo Alto Site-to-Site VPN

🔐 What is a Palo Alto Site-to-Site VPN?

A Site-to-Site VPN securely connects two networks in different locations (for example: HQ ↔ Branch) over the internet using IPsec encryption.

With Palo Alto firewalls, this is one of the most common setups in production environments.


🧠 How it Works (Big Picture)


Office A (LAN) ── Palo Alto FW ── 🔐 Encrypted Tunnel 🔐 ── Palo Alto FW ── Office B (LAN)

  • Data between sites is encrypted
  • Users work as if both networks are one
  • Internet is used, but traffic is protected

🔑 Core Components in Palo Alto

A Site-to-Site VPN needs 5 main parts:

1️⃣ IKE Gateway (Phase 1)

  • Handles authentication & tunnel setup
  • Uses:
      • Pre-Shared Key (PSK) or Certificates
      • IKEv1 or IKEv2
  • Defines peer public IP

2️⃣ IPsec Crypto Profile (Phase 2)

  • Defines how data is encrypted
  • Examples:
      • AES-256
      • SHA-256
      • DH Group
  • Must match on both sides

3️⃣ IPsec Tunnel

  • Binds:
      • IKE Gateway
      • IPsec Crypto Profile
  • Creates the actual tunnel interface (e.g., tunnel.1)

4️⃣ Routing

  • Tells Palo Alto which traffic goes into the VPN
  • Can be:
      • Static routes
      • OSPF / BGP
  • Example:
      • 192.168.2.0/24 → tunnel.1

5️⃣ Security Policies

  • Explicitly allow traffic
  • Example:
      • Source: LAN-A
      • Destination: LAN-B
      • Application: any
      • Action: allow
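
An added example (not part of the original guide, and not Palo Alto code): a small Python pre-check that models both ends of the tunnel using the five components above and reports mismatched Phase 1/Phase 2 settings, a wrong peer IP, a missing route into the tunnel, or a missing allow policy. The dictionary field names and all addresses are constructed for illustration and are not PAN-OS configuration syntax.

```python
import ipaddress

# Constructed sample data: two sites described with hypothetical field names
# (not PAN-OS syntax). Site B deliberately has a different DH group and no policy.
SITE_A = {
    "public_ip": "203.0.113.10", "peer_ip": "198.51.100.20", "lan": "192.168.1.0/24",
    "ike": {"version": "ikev2", "auth": "psk"},
    "ipsec": {"encryption": "aes-256", "authentication": "sha-256", "dh_group": 14},
    "routes": {"192.168.2.0/24": "tunnel.1"},
    "policies": [{"src": "192.168.1.0/24", "dst": "192.168.2.0/24", "action": "allow"}],
}
SITE_B = {
    "public_ip": "198.51.100.20", "peer_ip": "203.0.113.10", "lan": "192.168.2.0/24",
    "ike": {"version": "ikev2", "auth": "psk"},
    "ipsec": {"encryption": "aes-256", "authentication": "sha-256", "dh_group": 19},
    "routes": {"192.168.1.0/24": "tunnel.1"},
    "policies": [],
}

def covers(outer, inner):
    """True if network `outer` contains all of network `inner`."""
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def check_side(name, local, remote):
    """Findings for one firewall, judged against what its peer expects."""
    out = []
    if local["peer_ip"] != remote["public_ip"]:
        out.append(f"{name}: IKE gateway peer IP is not the remote public IP")
    routed = [i for n, i in local["routes"].items() if covers(n, remote["lan"])]
    if not any(i.startswith("tunnel.") for i in routed):
        out.append(f"{name}: no route sends {remote['lan']} into a tunnel interface")
    if not any(p["action"] == "allow" and covers(p["src"], local["lan"])
               and covers(p["dst"], remote["lan"]) for p in local["policies"]):
        out.append(f"{name}: no policy allows {local['lan']} -> {remote['lan']}")
    return out

def audit(a, b):
    """Compare both ends of the tunnel and return a list of findings."""
    out = []
    for phase in ("ike", "ipsec"):
        for key, val in a[phase].items():
            if b[phase].get(key) != val:
                out.append(f"{phase} {key} mismatch: A={val} B={b[phase].get(key)}")
    if ipaddress.ip_network(a["lan"]).overlaps(ipaddress.ip_network(b["lan"])):
        out.append("LAN ranges overlap, so routing cannot tell the sites apart")
    return out + check_side("A", a, b) + check_side("B", b, a)

if __name__ == "__main__":
    print("\n".join(audit(SITE_A, SITE_B)))
```

An empty result from `audit` means the two modelled sides agree; it does not replace checking the tunnel status on the firewalls themselves.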


You will get a RAR (7MB) file
