Symantec tested and validated that Palo Alto® firewall devices are able to forward web traffic to the Web Security Service for policy checks and malware scanning. The following procedure demonstrates the pre-shared secret method, which requires a unique gateway IP address (no NAT-T).
This procedure provides a guideline configuration that you can apply to the above model or other Palo Alto models. It is likely that you have an existing Palo Alto device configured in your network; therefore, slight alterations to the existing deployment may be required.
Note: Symantec has seen outages occur when the Phase 2 Timeout value is set to longer than four (4) hours. In PAN-OS this value is the lifetime of the IPsec Crypto Profile used by the tunnel. If the current setting is less than four hours, you can leave that value; otherwise, reduce it. The screenshots in the following procedure might not reflect this advisory.
This procedure assumes that the Palo Alto device is already configured with the inside interface or group object with multiple inside interfaces and an outside interface that will communicate with the Web Security Service.
The Web Security Service supports many combinations of IKE encryption and authentication algorithms. See Reference: IKE Encryption and Authentication Algorithms.
For the final failover component, create a rule that discards traffic bound for the Web Security Service if both of the IKE Gateway IP tunnels go down. Add this rule after the rules that forward traffic to the service, so it only matches traffic that neither forwarding rule could send into a tunnel.
The final rules should look similar to the following.
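The two configuration pitfalls called out above (a Phase 2 lifetime longer than four hours, and a discard rule that is missing or placed before the forwarding rules) are easy to miss in a large policy. The following Python script is an added example, not part of the original Symantec procedure or of any Palo Alto tooling. It audits a PAN-OS XML configuration export for both conditions. The element layout it expects (`ipsec-crypto-profiles/entry/lifetime/<unit>` for the IPsec Crypto Profile and `rulebase/pbf/rules/entry/action/<forward|discard>` for policy-based forwarding) follows the usual PAN-OS schema but is an assumption here, and the embedded configuration, profile names and rule names are constructed for the example.

```python
"""Audit a PAN-OS XML config export for WSS tunnel pitfalls (added example)."""
import xml.etree.ElementTree as ET

MAX_PHASE2_HOURS = 4  # Symantec advisory: Phase 2 lifetime must not exceed 4 h

# Constructed sample of a PAN-OS configuration export. The element layout is an
# assumption about the PAN-OS schema; all profile and rule names are made up.
SAMPLE_CONFIG = """
<config>
  <devices><entry name="localhost.localdomain">
    <network><ike><crypto-profiles>
      <ipsec-crypto-profiles>
        <entry name="WSS-IPSec-OK"><lifetime><hours>1</hours></lifetime></entry>
        <entry name="WSS-IPSec-Bad"><lifetime><hours>8</hours></lifetime></entry>
        <entry name="Legacy-Days"><lifetime><days>1</days></lifetime></entry>
      </ipsec-crypto-profiles>
    </crypto-profiles></ike></network>
    <vsys><entry name="vsys1"><rulebase><pbf><rules>
      <entry name="WSS-Primary">
        <action><forward><egress-interface>tunnel.1</egress-interface></forward></action>
      </entry>
      <entry name="WSS-Secondary">
        <action><forward><egress-interface>tunnel.2</egress-interface></forward></action>
      </entry>
      <entry name="WSS-Discard"><action><discard/></action></entry>
    </rules></pbf></rulebase></entry></vsys>
  </entry></devices>
</config>
"""

# PAN-OS expresses the lifetime with exactly one unit child element.
_UNIT_TO_HOURS = {"seconds": 1 / 3600, "minutes": 1 / 60, "hours": 1, "days": 24}


def lifetime_hours(lifetime_el):
    """Convert a <lifetime> element (one child: seconds|minutes|hours|days) to hours."""
    for unit, factor in _UNIT_TO_HOURS.items():
        child = lifetime_el.find(unit)
        if child is not None and child.text:
            return float(child.text) * factor
    raise ValueError("lifetime element has no recognised unit child")


def check_phase2_lifetimes(xml_text, max_hours=MAX_PHASE2_HOURS):
    """Return {profile_name: (hours, compliant)} for every IPsec Crypto Profile."""
    root = ET.fromstring(xml_text)
    results = {}
    for profiles in root.iter("ipsec-crypto-profiles"):
        for prof in profiles.findall("entry"):
            lifetime = prof.find("lifetime")
            if lifetime is None:
                continue  # profile without an explicit lifetime: nothing to judge
            hours = lifetime_hours(lifetime)
            results[prof.get("name")] = (hours, hours <= max_hours)
    return results


def check_pbf_discard_order(xml_text):
    """Verify the failover discard rule exists and sits after every forwarding rule.

    Returns a dict with the ordered rule names, the discard rule names, and a
    boolean 'discard_after_forwards' that is False when the discard rule is
    missing or when any forwarding rule is ordered below it.
    """
    root = ET.fromstring(xml_text)
    ordered = []  # (rule name, kind) in rulebase order
    for pbf in root.iter("pbf"):
        for rule in pbf.findall("rules/entry"):
            action = rule.find("action")
            is_discard = action is not None and action.find("discard") is not None
            ordered.append((rule.get("name"), "discard" if is_discard else "forward"))
    discard_idx = [i for i, (_, kind) in enumerate(ordered) if kind == "discard"]
    forward_idx = [i for i, (_, kind) in enumerate(ordered) if kind == "forward"]
    ok = bool(discard_idx) and all(d > f for d in discard_idx for f in forward_idx)
    return {
        "rules": [name for name, _ in ordered],
        "discard_rules": [ordered[i][0] for i in discard_idx],
        "discard_after_forwards": ok,
    }


if __name__ == "__main__":
    for name, (hours, ok) in check_phase2_lifetimes(SAMPLE_CONFIG).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: Phase 2 lifetime {hours:g} h")
    order = check_pbf_discard_order(SAMPLE_CONFIG)
    print("PBF order:", " -> ".join(order["rules"]))
    print("Discard rule last:", order["discard_after_forwards"])
```

Run it against `show config running` exported as XML (or the saved configuration snapshot) to confirm that every IPsec Crypto Profile used by a WSS tunnel is at or below the four-hour limit and that the discard rule is the last PBF rule for Web Security Service traffic. A `days` lifetime is deliberately converted too, since a profile left at a one-day default is the most common way to exceed the limit without noticing.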