Configure Secure Access with Palo Alto Firewall

Available Languages

Download Options

  • PDF     (2.7 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.8 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.9 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:January 31, 2024
Document ID:221589

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to configure Secure Access with Palo Alto Firewall.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Palo Alto 11.x Version Firewall
    • Secure Access
    • Cisco Secure Client - VPN
    • Cisco Secure Client - ZTNA
    • Clientless ZTNA

    Components Used

    The information in this document is based on: 

    • Palo Alto 11.x Version Firewall
    • Secure Access
    • Cisco Secure Client - VPN
    • Cisco Secure Client - ZTNA

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    Secure Access - Palo AltoSecure Access - Palo Alto

    Cisco has designed Secure Access to protect and provide access to private applications, both on-premise and cloud-based. It also safeguards the connection from the network to the internet. This is achieved through the implementation of multiple security methods and layers, all aimed at preserving the information as they access it via the cloud.

    Configure

    Configure the VPN on Secure Access

    Navigate to the admin panel of Secure Access.

    Secure Access - Main PageSecure Access - Main Page

    • Click on Connect > Network Connections

    Secure Access - Network ConnectionsSecure Access - Network Connections

    • Under Network Tunnel Groups click on + Add

    Secure Access - Network Tunnel GroupsSecure Access - Network Tunnel Groups

    • Configure Tunnel Group NameRegion and Device Type
    • Click Next

    Network Tunnel Group - General Settings

    note-icon

    Note: Choose the region nearest to the location of your firewall.

    • Configure the Tunnel ID Format and Passphrase
    • Click Next

    Network Tunnel Group - Tunnel ID Format

    • Configure the IP address ranges or hosts that you have configured on your network and want to pass the traffic through Secure Access
    • Click Save

    Secure Access - Tunnel Groups - Routing OptionsSecure Access - Tunnel Groups - Routing Options

    After you click on Save the information about the tunnel gets displayed, please save that information for the next step, Configure the tunnel on Palo Alto.

    Tunnel Data

    Secure Access - Data for Tunnel Setup

    Configure the tunnel on Palo Alto

    Configure the Tunnel Interface

    Navigate to the Palo Alto Dashboard.

    • Network > Interfaces > Tunnel
    • Click Add

    Palo Alto - Interface

    • Under Config menu, configure the Virtual Router, Security Zone, and assign aSuffix Number

    Palo Alto - Tunnel Interface

    • Under IPv4, configure a non-routable IP. For example, you can use 169.254.0.1/30
    • ClickOK

    Palo Alto - Tunnel Interface - IPV4

    After that, you can have something like this configured:

    Palo Alto - Tunnel Configured

    If you have it configured like this, you can click on Commit to save the configuration and continue with the next step, Configure IKE Crypto Profile.

    Configure IKE Crypto Profile

    To configure the crypto profile, navigate to: 

    • Network > Network Profile > IKE Crypto  
    • ClickAdd

    Palo Alto - IKE Crypto

    • Configure the next parameters:
      • Name:  Configure a name to identify the profile.
      • DH GROUP: group19
      • AUTHENTICATION: non-auth
      • ENCRYPTION: aes-256-gcm
      • Timers
        • Key Lifetime: 8 Hours
        • IKEv2 Authentication: 0
    • After you have everything configured, click OK

    Palo Alto - IKE Crypto Profile

    If you have it configured like this, you can click on Commit to save the configuration and continue with the next step, Configure IKE Gateways.

     Configure IKE Gateways

    To configure IKE Gateways

    • Network > Network Profile > IKE Gateways
    • ClickAdd

    Palo Alto - IKE Gateways

    • Configure the next parameters:
      • Name: Configure a name to identify the Ike Gateways.
      • Version : IKEv2 only mode
      • Address Type : IPv4
      • Interface : Select your Internet WAN interface.
      • Local IP Address: Select the IP of your Internet WAN Interface.
      • Peer IP Address Type : IP
      • Peer Address: Use the IP of Primary IP Datacenter IP Address,  given in the step Tunnel Data.
      • Authentication: Pre-Shared Key
      • Pre-shared Key : Use the passphrase given in the step Tunnel Data.
      • Confirm Pre-shared Key : Use the passphrase given in the step Tunnel Data.
      • Local Identification : Choose User FQDN (Email address) and use the Primary Tunnel ID given in the step, Tunnel Data.
      • Peer Identification : ChooseIP Addressand use the Primary IP Datacenter IP Address.

    Palo Alto - IKE Gateways - General

    • ClickAdvanced Options
      • Enable NAT Traversal
      • Select the IKE Crypto Profile created on the step, Configure IKE Crypto Profile
      • Mark the checkbox for Liveness Check
      • Click OK

    Palo Alto - IKE Gateways - Advanced Options

    If you have it configured like this, you can click on Commit to save the configuration and continue with the next step, Configure IPSEC Crypto.

    Configure IPSEC Crypto Profile

    To configure IKE Gateways, Navigate to Network > Network Profile > IPSEC Crypto

    • ClickAdd

    Palo Alto - IPsec Crypto

    • Configure the next parameters: 
      • Name: Use a name to identify the Secure Access IPsec Profile
      • IPSec Protocol: ESP
      • ENCRYPTION: aes-256-gcm
      • DH Group: no-pfs, 1 Hour
    • Click OK

    Palo Alto - IPsec Crypto Profile

    If you have it configured like this, you can click on Commit to save the configuration and continue with the next step, Configure IPSec Tunnels.

    Configure IPSec Tunnels

    To configure IPSec Tunnels, navigate to Network > IPSec Tunnels.

    • Click Add

    Palo Alto - IPsec Tunnels

    • Configure the next parameters:
      • Name: Use a name to identify the Secure Access tunnel
      • Tunnel Interface: Choose the tunnel interface configured on the step, Configure the tunnel interface.
      • Type: Auto Key
      • Address Type: IPv4
      • IKE Gateways: Choose the IKE Gateways configured on the step, Configure IKE Gateways.
      • IPsec Crypto Profile:  Choose the IKE Gateways configured on the step, Configure IPSEC Crypto Profile
      • Mark the checkbox for Advanced Options
        • IPSec Mode Tunnel: Choose Tunnel.
    • Click OK

    Palo Alto - IPsec Tunnels - Configuration

    Now your VPN is successfully created, you can proceed with the step, Configure Policy Based Forwarding.

    Configure Policy Based Forwarding

    To configure Policy Based Forwarding, navigate to Policies > Policy Based Forwarding.

    • Click Add

    Palo Alto - Policy Based Forwarding

    • Configure the next parameters:
      • General 
        • Name: Use a name to identify the Secure Access, Policy Base Forwarding (Routing by origin)
      • Source 
        • Zone: Select the Zones from where you have plans to route the traffic based on the origin
        • Source Address: Configure the host or networks that you want to use as a source.
        • Source Users: Configure the users that you want to route the traffic (Only if applicable)
      • Destination/Application/Service 
        • Destination Address: You can leave it as Any, or you can specify the ranges of addresses of Secure Access (100.64.0.0/10)
      • Forwarding 
    • ClickOK and Commit

    Palo Alto - Policy Based Forwarding - General

    Palo Alto - Policy Based Forwarding - Source

    Palo Alto - Policy Based Forwarding - Destination

    Palo Alto - Policy Based Forwarding - Routing

    Now you have everything configured on Palo Alto; after you configure the route, the tunnel can be established, and you need to continue configuring the RA-VPN, Browser-Based ZTA, or Client Base ZTA on Secure Access Dashboard.

    Revision History

    Revision Publish Date Comments
    1.0
    31-Jan-2024
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Jairo Moreno
      TAC

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products