Step-by-step: Configure a Palo Alto (v5.x) to connect to the Cloud.


Article ID: 166943




CDP Integration Server


How do I configure a Palo Alto firewall (v5.x) to send IPsec traffic to the Cloud?




The prerequisite for this guide is a working Palo Alto firewall running PAN-OS 5.x.

All screens and settings below are taken from PAN-OS v5.x.




GOTO: Network – Interfaces – Tunnel tab


Click “add” and create a new Tunnel Interface using your default virtual router. If you have multiple virtual routers, place the tunnel interface in the virtual router where your internet traffic is egressing.



You will need to set an IP address on the tunnel interface. This address will NOT actually be used; it is required only because of a limitation in PAN-OS, where Policy Based Forwarding cannot forward traffic to an object that has no IP address.


In this example, the IP address used belongs to the Trust zone, but it does not seem to matter which IP address you use (as long as it is a /32 masked address).




GOTO: Network – Zones


Create a new Zone called Cloud (this zone is used to create the “no NAT” rule later on).


Add the Tunnel Interface you created to this zone.




GOTO: Network – Network Profiles – IKE Crypto


Click on “add” and create a new IKE Crypto Profile like this:




GOTO: Network – Network Profiles – IPSec Crypto


Click on “add” and create a new IPSec Crypto Profile like this: 




GOTO: Network – Network Profiles – IKE Gateway


Click on “add” and create a new IKE Gateway like this: 


  • Interface is the internet facing interface


  • Peer IP Address is the IP address of the Cloud data center you want to send traffic to, taken from: 000014776


  • Pre-shared Key (PSK): this value should match the PSK value you've configured in your "Location" in your Customer Portal


  • Exchange Mode: set to "main" (Cloud does NOT support "aggressive" mode)


  • IKE Crypto Profile: select the IKE Crypto Profile created in the previous step


  • Enable NAT Traversal: make sure that NAT-T is DISABLED




GOTO: Network – IPSec Tunnels


Click “add” and set up a new IPSec Tunnel like this: 


Use the Tunnel Interface, the IKE Gateway, and the IPSec Crypto Profile created previously.




GOTO: The "Proxy IDs" tab in the IPsec Tunnel object


Click “add” to add the Local network that will access the Cloud: 


*** In a normal site-to-site (non-Cloud) VPN, you would create one Proxy ID for *each* subnet or service that needs to use the VPN. To work with the Cloud service, however, create only one (1) Proxy ID. Make sure that this single Proxy ID covers all subnets you want to send to the Cloud, or create multiple VPN tunnels.
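The IKE Gateway settings above and the single-Proxy-ID rule are easy to get wrong before a commit. The following is an added example, not part of this guide or of PAN-OS, that checks a planned tunnel against those requirements and computes the smallest single prefix that covers all client subnets (the dict field names are hypothetical and mirror the GUI fields, not any PAN-OS API).

```python
import ipaddress

# Added example: pre-commit checker for the Cloud tunnel constraints in this
# guide. The "plan" dict layout is made up for illustration.

def covering_prefix(subnets):
    """Smallest single prefix containing every subnet in `subnets`.
    Only one Proxy ID is allowed per Cloud tunnel, so every client subnet
    routed through it must fit inside one local network."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    cover = nets[0]
    for net in nets[1:]:
        while not cover.supernet_of(net):   # widen one bit at a time
            cover = cover.supernet()
    return cover

def check_ike_gateway(gw):
    """Problems with a planned IKE Gateway, per the guide's requirements."""
    problems = []
    if gw.get("exchange_mode") != "main":
        problems.append("exchange mode must be 'main' (Cloud does not support aggressive)")
    if gw.get("nat_traversal"):
        problems.append("NAT Traversal must be disabled")
    if not gw.get("psk"):
        problems.append("pre-shared key missing; must match the Location PSK in the Customer Portal")
    return problems

def check_tunnel_plan(plan):
    """Check the whole plan; an empty list means it follows the guide."""
    problems = check_ike_gateway(plan["ike_gateway"])
    if ipaddress.ip_interface(plan["tunnel_ip"]).network.prefixlen != 32:
        problems.append("tunnel interface address must use a /32 mask")
    if len(plan["proxy_ids"]) != 1:
        problems.append("create exactly one Proxy ID per Cloud tunnel")
    else:
        local = ipaddress.ip_network(plan["proxy_ids"][0], strict=False)
        uncovered = [s for s in plan["client_subnets"]
                     if not local.supernet_of(ipaddress.ip_network(s, strict=False))]
        if uncovered:
            problems.append(f"Proxy ID {local} does not cover {uncovered}; use "
                            f"{covering_prefix(plan['client_subnets'])} or add another tunnel")
    for name in ("security_rule", "pbr_rule"):
        if set(plan[name]["services"]) != {"http", "https"}:
            problems.append(f"{name} must carry BOTH http and https")
    return problems

# Constructed sample plan for one Cloud tunnel (all values are made up).
SAMPLE_PLAN = {
    "tunnel_ip": "10.0.0.254/32",
    "ike_gateway": {"exchange_mode": "main", "nat_traversal": False, "psk": "<psk from portal>"},
    "proxy_ids": ["10.1.0.0/22"],
    "client_subnets": ["10.1.0.0/24", "10.1.3.0/24"],
    "security_rule": {"services": ["http", "https"]},
    "pbr_rule": {"services": ["http", "https"]},
}
```

Running `check_tunnel_plan(SAMPLE_PLAN)` returns an empty list; changing the exchange mode to aggressive or shrinking the Proxy ID to 10.1.0.0/24 produces the corresponding findings.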


At this stage, the VPN tunnel should go up when you commit the changes.


Now we need to create the rules.




GOTO: Policies – Security


Create a rule that allows traffic from the zone where your clients reside to the Cloud zone, and that contains BOTH the http and https services: 




GOTO: Policies – NAT


Create a rule that will disable NAT for traffic sent to the Cloud zone (IPsec traffic to Cloud should NOT be NAT'd): 




GOTO: Policies – Policy Based Forwarding


Create a rule that will forward BOTH http and https to your tunnel interface: 





When all of this is committed, you should see under Network – IPSec Tunnels that the tunnel is established: 





You can also issue the CLI command "show vpn flow" to see that the tunnel is up and active: