search cancel

Web Security Service Legacy IPSEC Connectivity Instructions - Palo Alto

book

Article ID: 174445

calendar_today

Updated On:

Products

Web Security Service - WSS

Issue/Introduction

Symantec tested and validated that Palo Alto® firewall devices are able to forward web traffic to the Web Security Service for policy checks and malware scanning. The following procedure demonstrates the pre-shared secret method, which requires a unique gateway IP address (no NAT-T).

Version Demonstrated:

  • Palo Alto 200
  • Version 5.0.6 is the required minimum.

This procedure provides a guideline configuration that you can apply to the above model or other Palo Alto models. It is likely that you have an existing Palo Alto device configured in your network; therefore, slight alterations to the existing deployment may be required.

Environment

Deployment Notes

  • The most basic concept for this method is configure the router with a site-to-site VPN connection and configure the device policy rules to send web-based traffic to the Web Security Service and ignore everything else. Depending on your geographical location, you must create at least two VPN gateways.
  • The device must have an external routable IP address.
  • Do not send Auth Connector traffic to the Web Security Service. 
  • You can create a designated host or subnet that tests the IPsec connectivity to the Web Security Service without interrupting the production traffic. After successful testing, you then add production subnets.
  • The best practice is to set the rekey at the specified lifetime interval instead of for lifebytes.

Note: Symantec has seen outages occur if the Phase 2 Timeout value is set to longer than four (4) hours. If the current setting is less than four hours, you can leave that value. Otherwise, adjust the time. The screenshots in the following procedure might not reflect this advisory.

Resolution

 

Prerequisite—Verify that the Device is Ready for configuration.

This procedure assumes that the Palo Alto device is already configured with the inside interface or group object with multiple inside interfaces and an outside interface that will communicate with the Web Security Service.

STEP 1—Create a Tunnel Interface

  1. Select Network > Interfaces > Tunnel.
  2. Create a tunnel interface on the default virtual router that egresses Internet traffic.
    Click Add. The device displays the Tunnel Interface dialog.
    1. Name the interface. Enter an Interface Name and a subsequent number. For example, if you enter tunnel
      and 1, the Interface name becomes tunnel.1.
    2. Select IPv4.
    3. Click Add; enter an internal IP address that the Palo Alto device uses to monitor policy-based routing rules that send network traffic over tunnels.
    4. Click OK.
  3. (Optional) For failover, repeat sub-steps 1 and 2 to add a second address.

​STEP 2—Create a Zone for Tunneled Traffic

  1. Select Network > Zones.
  2. Click New.
    The device displays the Zone dialog.
    1. Name the Zone. For example, WSS_Zone.
    2. Select Layer 3 as the Type.
    3. Add the tunnel(s) that you created in Step 1.
    4. Click OK.

STEP 3—Create an IKE Crypto Profile

The Web Security Service supports many combination. See Reference: IKE Encryption and Authentication Algorithms.

  1. Select Network > Network Profiles > IKE Crypto.
  2. Click New.
    The device displays the Zone dialog.
    1. Name the Profile. For example, WSS_IKE_Crypto.
    2. Add the DH Group.
      Symantec recommends group 5.
    3. Add the Encryption algorithm.
      Symantec recommends aes128.
    4. Add the Authentication algorithm.
      Symantec recommends md5.
    5. Add the Lifetime value.
      Symantec recommends 86400 seconds (24 hours).
    6. Click OK.

STEP 4—Create an IPSec Crypto Profile

  1. Select Network > Network Profiles > IPSec Crypto.
  2. Click New.
    The device displays the Zone dialog.
    1. Name the Profile.
      For example, WSS_IPSec_Crypto.
    2. From the IPSec Protocol drop-down, select ESP.
      This option ensures privacy (encryption), content integrity (authentication), and source authentication.
    3. Add the DH Group.
      Symantec recommends group 5.
    4. Add the Encryption algorithm.
      Symantec recommends 3des-cbc.
    5. Add the Auhentication algorithm.
      Symantec recommends sha1.
    6. Add the Lifetime value.
      Symantec recommends 14400 seconds (four hours).
    7. Add the Lifesize value. Symantec recommends 1000 MB.
    8. Click OK.

STEP 5—Create an IKE Gateway

  1. Select Network > Network Profiles > IKE Gateway.
  2. Click Add.
    The device displays the IKE Gateway dialog.
    1. Name the Gateway.
      For example, WSS_IKE_Gateway_1.
    2. Select the gateway-facing Interface.
    3. Enter the outgoing Local IP Address (or you can leave this field blank if only one exists).
    4. Enter the first Web Security ServiceIP Address.
      Refer to this KB Article for WSS Data Center IP addresses.
    5. Enter the Pre-shared Key, which is the string used to secure the encrypted tunnel between the router and
      the Web Security Service (eight-character minimum).
      Tip: The PSK must be at least eight characters and cannot use special characters.
    6. From the Peer Identification drop-down, select IP Address and enter the gateway IP address.
    7. From the Local Identification drop-down, select IP Address and enter the same Peer IP Address that you
      entered in step d.
    8. Remain in this dialog and proceed to the sub-step 3.
  3. Select Show Advanced Phase 1 Options.
    1. From the Exchange Mode drop-down, select main.
    2. Select the IKE Crypto Profile that you defined in Step 3.
    3. Verify that Enable Passive Mode option is clear.
    4. Verify that the Enable NAT Traversal option is clear.
    5. Select Dead Peer Detection.
    6. Click OK.
  4. (Optional but recommended) For failover, repeat sub-steps 2 and 3 and configure a second IKE Gateway set to another Symantec
    datacenter.

STEP 6—Create an IPSec Tunnel

  1. Select Network > IPSec Tunnels.
  2. Click Add. The device displays the IPSec Tunnel dialog.
    1. Name the Tunnel.
      For example, WSS_Tunnel_1.
    2. Select the Tunnel Interface that you created in Step 1.
    3. Select the IKE Gateway that you created in Step 5.
    4. Select the IPSec Crypto Profile that you created in Step 4.
    5. For failover, select Show Advanced Options.
    6. Select a failover profile.
      1. Select Tunnel Monitor.
      2. Enter the Destination IP, which is the Symantec datacenter IP.
      3. Select the monitor Profile that contains the failover option: Wait Recover or Fail Over to the secondary location.
        Note: If the device does not yet have such a profile, go to Network > Network Profiles > Monitor.
  3. Create a Proxy ID for the tunnel.
    In a normal site-to-site (non-cloud) VPN, you likely create one ProxyID for each subnet or service that requires access the VPN. However, you can only create only one ProxyID for the Web Security Service configuration. Therefore, ensure that this ProxyID includes all subnets to be routed to the Web Security Service. Alternatively, you can create multiple VPN tunnels.
    1. Click the Proxy IDs tab.
    2. Click Add.
      The device displays the Proxy ID dialog.
    3. Name the Proxy ID.
      For example, WSS_Tunnel_1_proxy.
    4. Enter the Local subnet that will send traffic in the tunnel to the Web Security Service.
    5. Click OK.
  4. Click OK.

STEP 7—Define a Security Rule to Send Traffic to the Web Security Service

  1. Select Policies > Security.
  2. Click Add.
    The device displays the Security Policy Rule dialog.
  3. On the General tab, Name the rule.
  4. Add the source zone.
    1. Click the Source tab.
    2. Click Add and select the trust zone.
  5. Add the destination zone.
    1. Click the Destination tab.
    2. Click Add and select the zone that you created in Step 2.
  6. Add the allowed services.
    1. Click the Service/URL Category tab.
    2. Add services.
      • For stand-alone IPSec deployments, click Add and select service-http and service-https; if you plan to configure the Web Security Service to perform SAML authentication over IPSec tunnels, select service-saml.
        Note: If the service-saml object is not present, you must create the object. Add a new service that sends TCP traffic destined to port 8443 over the tunnel.
  7. Click OK.

STEP 8—Create a Rule to Disable NAT for Traffic Routing to the Web Security Service

  1. Select Policies > NAT.
  2. Click Add.
    The device displays the Security Policy Rule dialog
  3. On the General tab, Name the rule.
    For example, no_nat.
  4. Add the source zone.
    1. Click the Original Packet tab.
    2. Add the Source Zone (the trust zone).
    3. For the Destination Zone, select the zone you created in Step 2.
  5. Disable NAT-T.
    1. Click the Translated Packet tab.
    2. From the Translation Type drop-down, select None.
  6. Click OK.

STEP 9—Create Policy-Based Forwarding Rules to Route Traffic Over the IPSec Tunnel

  1. Select Policies > Policy Based Forwarding.
  2. Click Add.
    The device displays the Security Policy Rule dialog
  3. On the General tab, Name the rule.
    For example, WSS_OverIPsec_1.
  4. Add the source zone.
    1. Click the Source tab.
    2. Add the Source Zone (the trust zone).
  5. Add the destination services.
    1. Click the Destination/Application/Service tab.
    2. Add services.
      • For stand-alone IPSec deployments, click Add and select service-http and service-https; if you plan to configure the Web Security Service to perform SAML authentication over IPSec tunnels, also select service-saml.
  6. Configure the forwarding rule that sends traffic over the designated tunnel interface.
    1. Click the Forwarding tab.
    2. From the Action drop-down, select Forward.
    3. From the Egress Interface drop-down, select the tunnel created in Step 1.
    4. Assign the Monitor.
      1. Select Monitor.
      2. Select the monitor profile created in Step 6.2.h.
      3. Select Disable this rule if nexthop/monitor IP is unreachable. For more information about this option, see https://live.paloaltonetworks.com/docs/DOC-5952. 
      4. Enter the IKE Gateway IP Address (the Symantec datacenter IP).
  7. Click OK.
  8. For failover, clone this rule and configure it to forward traffic to the backup tunnel (if you created one in Step 1). Ensure that you change the monitor IP to the appropriate IKE Gateway IP address. 

STEP 10—Create a Failover Rule to Discard Traffic when Both Tunnels are Down

For the final failover component, create a rule that discards traffic bound for the Web Security Service should both of the IKE Gateway IP tunnels go down. Add this rule after that the rules that forward traffic to the service. 

The final rules should look similar to the following.

 

Attachments