GRE tunnel from Palo Alto Firewall

Hi,

Is there any document available for creating a GRE tunnel from a Palo Alto firewall to Zscaler?


Hi @ramesh.yadav - @aperrego, one of Zscaler’s awesome SEs, made a GRE config guide for PAN. This will likely be turned into an official Zscaler help doc at some point, but for now it should serve as a good reference.


Zscaler Traffic Forwarding

GRE Configuration

Palo Alto Networks

The purpose of this document is to serve as a reference for a working GRE configuration from a Palo Alto Networks PA-220 running 9.0.0. This covers the basic configuration of GRE, ACLs and the appropriate policy-based routing parameters. The network IPs and routing in this configuration should be changed to match your environment. Additionally, ACLs can be defined for specific ports; however, for the purpose of this document they represent all ports and all protocols.


Contents

Create the PAN Tunnels (Network —> Interfaces —> Tunnel)

Create the Tunnels (Network —> GRE Tunnels)

Network Address Translations (Policies —> NAT)

Verify Connectivity


Create the PAN Tunnels (Network —> Interfaces —> Tunnel)


Enter the tunnel Interface Name followed by a period and a number in the range 1 to 9,999 (for example, tunnel.200), and assign the tunnel interface to a Security Zone.


Assign an IP address to the tunnel interface.


Repeat the process for the secondary tunnel (for example, tunnel.201).


Create the Tunnels (Network —> GRE Tunnels)

Select the Interface to use as the local GRE tunnel endpoint (source interface), which is an Ethernet interface or subinterface, AE, loopback, or VLAN interface.

Select the Local IP Address of that interface.

Enter the Peer Address, which is the IP address of the opposite endpoint of the GRE tunnel.

Select the Tunnel Interface that you created in the previous step.


Repeat the procedure for the secondary tunnel and commit the changes.


Network Address Translations (Policies —> NAT)

Now create the NAT exclusion statements that will preserve the source IPs as the tunnel passes the traffic to Zscaler.

Repeat for the secondary tunnel.


Create a Policy Based Route to Zscaler (Policies —> Policy Based Forwarding)


Repeat for the secondary tunnel.

Commit Changes :wink:


Verify Connectivity

Go to ip.zscaler.com and verify that you are traversing the Zscaler cloud.


Validate via CLI

```
show interface tunnel.200
--------------------------------------------------------------------------------
Name: tunnel.200, ID: 257
Operation mode: layer3
Virtual router default
Interface MTU 1436
Interface IP address: 172.19.104.153/30
Interface management profile: N/A
Service configured:
Zone: untrust, virtual system: vsys1
Adjust TCP MSS: no
Policing: no
--------------------------------------------------------------------------------
GRE tunnel name: GRE-TUNNEL-ATL
tunnel interface state: Up
disabled: False
copy-tos: False
keep alive enabled: True
local-ip: 174.108.198.69
peer-ip: 104.129.204.34
stats:
  ka-id: 16  ka-send: 16  ka-recv: 16
  ka-curr-retry: 0  ka-last-timestamp: 329669
  ka-recv-map: 0  ka-owner: 0
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                        931744
bytes transmitted                     339864
packets received                        1801
packets transmitted                     2425
receive errors                             0
packets dropped                            0
packets dropped by flow state check        0
forwarding errors                          0
no route                                   0
arp not found                              0
neighbor not found                         0
neighbor info pending                      0
mac not found                              0
packets routed to different zone           0
land attacks                               0
ping-of-death attacks                      0
teardrop attacks                           0
ip spoof attacks                           0
mac spoof attacks                          0
ICMP fragment                              0
layer2 encapsulated packets                0
layer2 decapsulated packets                0
tcp cps                                    0
udp cps                                    0
sctp cps                                   0
other cps                                  0
```

```
show interface tunnel.201
--------------------------------------------------------------------------------
Name: tunnel.201, ID: 258
Operation mode: layer3
Virtual router default
Interface MTU 1436
Interface IP address: 172.19.104.157/30
Interface management profile: N/A
Service configured:
Zone: untrust, virtual system: vsys1
Adjust TCP MSS: no
Policing: no
--------------------------------------------------------------------------------
GRE tunnel name: GRE-TUNNEL-WASDC
tunnel interface state: Up
disabled: False
copy-tos: False
keep alive enabled: True
local-ip: 174.108.198.69
peer-ip: 104.129.194.34
stats:
  ka-id: 29  ka-send: 29  ka-recv: 29
  ka-curr-retry: 0  ka-last-timestamp: 329812
  ka-recv-map: 0  ka-owner: 0
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                          8918
bytes transmitted                      14300
packets received                          91
packets transmitted                      208
receive errors                             0
packets dropped                            0
packets dropped by flow state check        0
forwarding errors                          0
no route                                   0
arp not found                              0
neighbor not found                         0
neighbor info pending                      0
mac not found                              0
packets routed to different zone           0
land attacks                               0
ping-of-death attacks                      0
teardrop attacks                           0
ip spoof attacks                           0
mac spoof attacks                          0
ICMP fragment                              0
layer2 encapsulated packets                0
layer2 decapsulated packets                0
tcp cps                                    0
udp cps                                    0
sctp cps                                   0
other cps                                  0
--------------------------------------------------------------------------------
```
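As an added example (not from the thread, Zscaler or Palo Alto Networks), a small Python check that parses the `show interface tunnel.N` output shown above and flags a tunnel that is down, whose GRE keepalives go unanswered, or whose peer is not one of the expected Zscaler endpoints. The two samples are constructed: one trimmed from the tunnel.200 output in the thread, the other an invented failure case.

```python
import re

# Constructed samples: HEALTHY is trimmed from the thread's `show interface tunnel.200`
# output; DEGRADED is a made-up failure (down, keepalives unanswered, unexpected peer).
HEALTHY = """\
Name: tunnel.200, ID: 257
GRE tunnel name: GRE-TUNNEL-ATL
tunnel interface state: Up disabled: False copy-tos: False keep alive enabled: True local-ip: 174.108.198.69 peer-ip: 104.129.204.34 stats:
ka-id: 16 ka-send: 16 ka-recv: 16
ka-curr-retry: 0 ka-last-timestamp: 329669
"""
DEGRADED = """\
Name: tunnel.201, ID: 258
GRE tunnel name: GRE-TUNNEL-WASDC tunnel interface state: Down disabled: False copy-tos: False keep alive enabled: True local-ip: 174.108.198.69 peer-ip: 192.0.2.10 stats:
ka-id: 40 ka-send: 40 ka-recv: 12 ka-curr-retry: 3 ka-last-timestamp: 329812 ka-recv-map: 0 ka-owner: 0
"""
# The two GRE peers shown in the thread's verification output.
ZSCALER_PEERS = {"104.129.204.34", "104.129.194.34"}
# PAN-OS runs several "key: value" pairs on one line, so match by key, not by
# line. "ka-recv" cannot match "ka-recv-map": a ':' or space must follow the key.
FIELD_RE = re.compile(
    r"(tunnel interface state|keep alive enabled|peer-ip"
    r"|ka-send|ka-recv|ka-curr-retry):?\s+(\S+)"
)

def parse_tunnel(output):
    """Reduce one `show interface tunnel.N` output to the fields worth alerting on."""
    f = dict(FIELD_RE.findall(output))
    name = re.search(r"Name:\s+(\S+),", output)
    return {
        "interface": name.group(1) if name else None,
        "state": f.get("tunnel interface state"),
        "keepalive": f.get("keep alive enabled") == "True",
        "peer": f.get("peer-ip"),
        "ka_send": int(f.get("ka-send", 0)),
        "ka_recv": int(f.get("ka-recv", 0)),
        "ka_retry": int(f.get("ka-curr-retry", 0)),
    }

def check_tunnel(info, expected_peers=ZSCALER_PEERS):
    """Return findings for one tunnel; an empty list means it looks healthy."""
    i, findings = info["interface"], []
    if info["state"] != "Up":
        findings.append(f"{i}: tunnel state is {info['state']}")
    if not info["keepalive"] or info["ka_retry"] > 0 or info["ka_send"] != info["ka_recv"]:
        findings.append(f"{i}: keepalive disabled or unanswered (sent {info['ka_send']}, "
                        f"received {info['ka_recv']}, retries {info['ka_retry']})")
    if info["peer"] not in expected_peers:
        findings.append(f"{i}: peer {info['peer']} is not an expected Zscaler endpoint")
    return findings
```

Run it over the output of both tunnel.200 and tunnel.201 on a schedule so that a failure of the primary tunnel is noticed while the secondary is still carrying traffic.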

Thank you so much, Scott.