SSL VPN Configuration in Palo Alto – Detailed Explanation
Overview
In our previous article, we studied IPSec VPN setup. In this article we will run through the CLI commands and GUI steps to configure an IPSec VPN, including the tunnel and route configuration, on a Palo Alto Networks firewall. Let's discuss VPN configuration in Palo Alto in detail.
SSL VPN Configuration : Palo Alto
Configuring the GRE Tunnel on Palo Alto Firewall:
Step 1. Creating a Zone for Tunnel Interface.
Define a network zone for the GRE tunnel. Click on Network >> Zones and click on Add. Next, enter a name and select Type as Layer3.
Step 2. Creating a Tunnel Interface.
Configure the tunnel interface. Click on Network >> Interfaces >> Tunnel and click Add. Configure an IP address for the tunnel interface.
Step 3. Creating a GRE Tunnel.
Configure the GRE tunnel on the Palo Alto firewall. Click on Network >> GRE Tunnel and click Add. Define a name for this GRE tunnel and select the interface that carries your public IP. Configure the Local Address and Peer Address.
Step 4. Creating the default route for the destination network.
To configure a default route, click on Network >> Virtual Routers >> Default >> Static Route and click on Add. Define the destination network for the peer end.
Step 5. Configuring Security Policy for GRE Tunnel.
Configure the security policies on the Palo Alto firewall for LAN to GRE and GRE to LAN traffic. Click on Policies >> Security and click on Add.
Step 6. Commit the Configuration.
Step 7. Verify the configuration of GRE Tunnel.
Example –
Test-LAB> show interface tunnel.(VPN Name)
IPSec Tunnel creation commands should be executed in the order listed below:
> configure
# set network interface tunnel units tunnel (number) ipv6 enabled no
# set network interface tunnel units tunnel (number) ipv6 interface-id EUI-64
# set network interface tunnel units tunnel (number) comment “(name) VPN”
# set zone vpn network layer3 tunnel(number)
# set network virtual-router (virtual router number) interface (name)
# set network ike gateway (VPN Name) VPN protocol ikev1 dpd enable no
# set network ike gateway (VPN Name) VPN protocol ikev1 dpd interval 5
# set network ike gateway (VPN Name) VPN protocol ikev1 dpd retry
# set network ike gateway (VPN Name) VPN protocol ikev1 ike-crypto-profile IKE_Profile
# set network ike gateway (VPN Name) VPN protocol ikev1 exchange-mode auto
# set network ike gateway (VPN Name) VPN authentication pre-shared-key key paloalto
# set network ike gateway (VPN Name) VPN protocol-common nat-traversal enable no
# set network ike gateway (VPN Name) VPN protocol-common passive-mode no
# set network ike gateway (VPN Name) VPN peer-address ip X.X.X.X
# set network ike gateway (VPN Name) VPN local-address interface Ethernet (number)
# set network tunnel ipsec (VPN Name) VPN auto-key ike-gateway (VPN Name) VPN
# set network tunnel ipsec (VPN Name) VPN auto-key ipsec-crypto-profile IPsec_Profile
# set network tunnel ipsec (VPN Name) VPN tunnel-monitor enable no
# set network tunnel ipsec (VPN Name) VPN anti-replay yes
# set network tunnel ipsec (VPN Name) VPN copy-tos no
# set network tunnel ipsec (VPN Name) VPN tunnel-interface tunnel (number)
# set network virtual-router “Virtual Router (any number)” routing-table ip static-route Route_to_(VPN Name) interface tunnel (number)
# set network virtual-router “Virtual Router (any number)” routing-table ip static-route Route_to_(VPN Name) metric 10
# set network virtual-router “Virtual Router (any number)” routing-table ip static-route Route_to_(VPN Name) destination (Subnet)
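As an added example (not part of the original article), the following Python script renders the IPSec command sequence above from a small set of parameters and refuses to emit it when the peer address or subnet is malformed or the pre-shared key is short or a well-known default such as the placeholder key used above. The VPN name, tunnel number, peer IP, subnet and key in EXAMPLE are constructed values; the `_VPN` name suffix, `IKE_Profile` and `IPsec_Profile` follow the article's naming.

```python
import ipaddress
import re

# Constructed example values, not from the original article; substitute
# your own VPN name, tunnel number, peer address, subnet and key.
EXAMPLE = {"vpn_name": "BranchA", "tunnel_no": 1, "vrouter": "default",
           "peer_ip": "203.0.113.10", "local_if": "ethernet1/1",
           "subnet": "10.20.0.0/24", "psk": "Cx7!vQ2#pL9wRt4zMn8bKd"}

def validate(p):
    """Refuse values that would commit a broken or weak tunnel."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,31}", p["vpn_name"]):
        raise ValueError("vpn_name must be 1-31 chars of [A-Za-z0-9_-]")
    ipaddress.ip_address(p["peer_ip"])                 # raises on a bad IP
    ipaddress.ip_network(p["subnet"], strict=True)     # host bits must be zero
    # 20 chars is this script's own minimum, not a PAN-OS limit
    if len(p["psk"]) < 20 or p["psk"].lower() in {"paloalto", "password"}:
        raise ValueError("pre-shared key is too short or a well-known default")
    return True

def render_ipsec_config(p):
    """Emit the PAN-OS 'set' commands in the order the article lists them."""
    validate(p)
    n, t, vr = p["vpn_name"], p["tunnel_no"], p["vrouter"]
    gw = f"set network ike gateway {n}_VPN"
    tun = f"set network tunnel ipsec {n}_VPN"
    rt = f"set network virtual-router {vr} routing-table ip static-route Route_to_{n}"
    return [
        f"set network interface tunnel units tunnel.{t} ipv6 enabled no",
        f'set network interface tunnel units tunnel.{t} comment "{n} VPN"',
        f"set zone vpn network layer3 tunnel.{t}",
        f"set network virtual-router {vr} interface tunnel.{t}",
        f"{gw} protocol ikev1 dpd enable no",
        f"{gw} protocol ikev1 ike-crypto-profile IKE_Profile",
        f"{gw} protocol ikev1 exchange-mode auto",
        f"{gw} authentication pre-shared-key key {p['psk']}",
        f"{gw} protocol-common nat-traversal enable no",
        f"{gw} protocol-common passive-mode no",
        f"{gw} peer-address ip {p['peer_ip']}",
        f"{gw} local-address interface {p['local_if']}",
        f"{tun} auto-key ike-gateway {n}_VPN",
        f"{tun} auto-key ipsec-crypto-profile IPsec_Profile",
        f"{tun} tunnel-monitor enable no",
        f"{tun} anti-replay yes",
        f"{tun} tunnel-interface tunnel.{t}",
        f"{rt} interface tunnel.{t}",
        f"{rt} metric 10",
        f"{rt} destination {p['subnet']}",
    ]
```

Printing `"\n".join(render_ipsec_config(EXAMPLE))` gives the block to paste into `configure` mode, one command per line, before `commit`.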
Verification commands to validate IPSEC Tunnel configuration:
# show network ike
# show network tunnel ipsec
SSL Decryption with Certificate in Palo Alto:
Step 1. Generating a Self-Signed Certificate for GlobalProtect.
Click on Device >> Certificate Management >> Certificates >> Device Certificates >> Generate. Fill in the certificate fields as instructed on screen.
Step 2. Creating an SSL/TLS Service Profile.
Click on Device >> Certificate Management >> SSL/TLS Service Profile >> Add. Select the certificate to use for TLS.
Step 3. Creating Local Users for GlobalProtect VPN Authentication.
Click on Device >> Local User Database >> Users and click on Add.
Step 4. Creating Authentication Profile for GlobalProtect VPN.
Click on Device >> Authentication Profile and click on Add. Open the Advanced tab and add users to Allow List.
Step 5. Creating a zone for GlobalProtect VPN Traffic.
To create a Security Zone, click on Network >> Zones >> Add.
Step 6. Creating a tunnel interface for GlobalProtect.
Click on Network >> Interfaces >> Tunnel >> Add, to create a tunnel interface.
Step 7. Portal Configuration for GlobalProtect.
Click on Network >> GlobalProtect >> Portals >> Add. Open the General tab and provide a name for the GlobalProtect Portal configuration. Open the Authentication tab and select the SSL/TLS service profile you created in Step 2. Under Client Authentication, click on Add. Now open the Agent tab, select the Trusted Root CA (created in Step 1) and check the option “Install in Local Root Certificate Store”. Open the User/User Group tab and choose the OS and User/User Group present in your environment. Open the External tab and add an External Gateway. Enter a name for the External Gateway, provide the IP, Source Region and Priority details, and click OK.
Step 8. Gateway Configuration for GlobalProtect.
Open Network >> GlobalProtect >> Gateways and click on Add. Give the GlobalProtect Gateway a name. Select the Authentication tab, select the SSL/TLS service profile, and click on Add to add a client authentication profile. Select the OS name and the Authentication profile. Select the Agent tab, enable tunnel mode, and select the tunnel interface created in the earlier step. Select the Client Settings tab and click on Add. Give this entry a user-friendly name. Now open IP Pools and assign an IP subnet or IP range from which addresses are handed out once a client successfully completes GlobalProtect authentication.
Step 9. Security policy for GlobalProtect.
To configure a security policy, open Policies >> Security and click on Add.
Step 10. NAT Policy for GlobalProtect clients.
To configure a NAT rule, open Policies >> NAT and click on Add.
Conclusion
In this article, we configured GRE, IPSec and SSL/TLS VPNs, including defining a certificate, the GlobalProtect Portal and GlobalProtect Gateway, and the security policies that permit traffic received on the GlobalProtect tunnel interface.