CPUG: The Check Point User Group


Thread: IPsec VPN with Palo Alto Firewall

  1. #1 | Join Date: 2007-07-18 | Posts: 14 | Rep Power: 0

    IPsec VPN with Palo Alto Firewall

    Has anyone created a site-to-site VPN tunnel with a Palo Alto Firewall (PAN)? I have the tunnel up and able to ping from the PAN to the network behind Checkpoint, but not vice versa. Key Install messages show Main Mode completion.

    Keep getting drops on Checkpoint site when sending traffic over the tunnel - Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information.

  2. #2 | Join Date: 2007-03-30 | Location: DFW, TX | Posts: 86 | Rep Power: 11

    Re: IPsec VPN with Palo Alto Firewall

    Quote Originally Posted by Raj909:
    > Has anyone created a site-to-site VPN tunnel with a Palo Alto Firewall (PAN)? I have the tunnel up and able to ping from the PAN to the network behind Checkpoint, but not vice versa. Key Install messages show Main Mode completion.
    >
    > Keep getting drops on Checkpoint site when sending traffic over the tunnel - Packet is dropped because there is no valid SA - please refer to solution sk19423 in SecureKnowledge Database for more information.

    Are you doing IKEv1 or IKEv2?

    Have you ever run an IKE debug on Check Point? Check out sk30994 for a download link for IKEView, a tool to interpret the IKE debug files.
    Zimmie

  3. #3 | Join Date: 2009-04-30 | Location: Colorado, USA | Posts: 2,082 | Rep Power: 12

    Re: IPsec VPN with Palo Alto Firewall

    What are the Proxy-IDs configured under "IPSec Tunnel" on the Palo Alto end? If there aren't any I think it will try to do a universal tunnel (0.0.0.0/0).

    Pretty sure the Palo Alto handles Phase 2 subnet/Proxy-IDs the same as Juniper (not exactly a shock given their history) and will silently discard Phase 2 proposals that do not exactly match what it has. Therefore you need to make the user.def modifications specified in Scenario 1 in sk108600 to ensure that the Phase 2 proposals sent by the Check Point exactly match those Proxy-ID settings on the Palo Alto side.
    --
    My book "Max Power: Check Point Firewall Performance Optimization"
    now available via http://maxpowerfirewalls.com.

  4. #4 | Join Date: 2007-07-18 | Posts: 14 | Rep Power: 0

    Re: IPsec VPN with Palo Alto Firewall

    Bob, I am using IKEv1 and ran an IKE debug. It appears that P2 is failing.

    Shadowpeak, I currently have 0.0.0.0/0 for the local and remote side on the PAN firewall. I have also tried with the actual networks on both sides, and I can still only connect from the PAN side to the CP side, not vice versa. I will look into the user.def modifications.

    Thanks

  5. #5 | Join Date: 2007-03-30 | Location: DFW, TX | Posts: 86 | Rep Power: 11

    Re: IPsec VPN with Palo Alto Firewall

    Quote Originally Posted by Raj909:
    > Bob, I am using IKEv1 and ran an IKE debug. It appears that P2 is failing.
    >
    > Shadowpeak, I currently have 0.0.0.0/0 for the local and remote side on the PAN firewall. I have also tried with the actual networks on both sides, and I can still only connect from the PAN side to the CP side, not vice versa. I will look into the user.def modifications.
    >
    > Thanks

    If you're okay with a universal tunnel, switching the Check Point side to match that is loads easier than setting up all the user.def stuff. Just go into your VPN community and set "One VPN tunnel per Gateway pair", then push policy.

    The tradeoff here is related to key segmentation. With a separate phase 2 per network pair or per pair of hosts, an attacker breaking one key only gets access to the traffic between that pair of networks or hosts. With a universal tunnel, they get access to all traffic within the tunnel until the key is renegotiated.

    I don't personally think the threat is serious in most situations. There are better-than-brute-force attacks against AES-128 (brute-force would literally require more energy than the sun will ever emit), but they are still wildly infeasible and are likely to remain so for longer than a median human lifespan. If you're using PFS, cracking a key would only get the attacker access to the traffic sent during that key's lifetime (one hour by default). It would take an earth-shattering level of effort and yield an hour of traffic. It is unlikely to ever be worthwhile for an attacker.
    Zimmie

  6. #6 | Join Date: 2007-07-18 | Posts: 14 | Rep Power: 0

    Re: IPsec VPN with Palo Alto Firewall

    Hey Zimmie,

    I switched to "One VPN tunnel per Gateway pair" and everything is good. No need to mess with the user.def file. This is for a lab environment and evaluation of VPN tunnels so the main objective was a working solution. Really appreciate it!

    Thanks

  7. #7 | Join Date: 2007-03-30 | Location: DFW, TX | Posts: 86 | Rep Power: 11

    Re: IPsec VPN with Palo Alto Firewall

    Quote Originally Posted by Raj909:
    > Hey Zimmie,
    >
    > I switched to "One VPN tunnel per Gateway pair" and everything is good. No need to mess with the user.def file. This is for a lab environment and evaluation of VPN tunnels so the main objective was a working solution. Really appreciate it!
    >
    > Thanks

    Oh, excellent. If you have time, you should definitely experiment with getting the firewalls to talk with network-to-network tunnels. It's not typically difficult, but it can be a little weird sometimes.

    Rather than the user.def modifications, I prefer to change ike_use_largest_possible_subnets to false and to control my side of the negotiations with the encryption domain. It can be a little fiddly at times, but I find the user.def changes to be brittle. It's yet one more file to remember you modified. The user.def changes certainly allow you to be more precise, though.
    Zimmie
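To make the Phase 2 mismatch discussed in posts #3, #5 and #7 concrete, here is an added Python model (written for this page; not code from CPUG, Check Point or Palo Alto) of the traffic selectors the Check Point side offers under "One VPN tunnel per Gateway pair" versus per-subnet-pair with ike_use_largest_possible_subnets on or off, checked against Palo Alto Proxy-IDs that must match exactly. The encryption domains and Proxy-IDs are constructed samples, and the supernetting rule is a simplified assumption, not the gateway's real algorithm.

```python
from ipaddress import IPv4Network
from itertools import product

# Constructed sample encryption domains, as seen from the Check Point gateway.
CP_LOCAL = [IPv4Network("10.1.0.0/24"), IPv4Network("10.1.1.0/24")]
CP_REMOTE = [IPv4Network("192.168.50.0/24")]
ANY = IPv4Network("0.0.0.0/0")
# Constructed Proxy-IDs on the Palo Alto side, as (pan_local, pan_remote) pairs.
PAN_PROXY_IDS = [(IPv4Network("192.168.50.0/24"), IPv4Network("10.1.0.0/24")),
                 (IPv4Network("192.168.50.0/24"), IPv4Network("10.1.1.0/24"))]
PAN_UNIVERSAL = [(ANY, ANY)]   # the 0.0.0.0/0 <-> 0.0.0.0/0 setup from the thread

def supernet(nets):
    """Simplified model of ike_use_largest_possible_subnets=true (assumption):
    replace the subnets with the smallest single prefix covering all of them."""
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    for prefix in range(32, -1, -1):
        cand = IPv4Network((lo, prefix), strict=False)
        if hi in cand:
            return [cand]

def phase2_proposals(mode, largest_possible, local=CP_LOCAL, remote=CP_REMOTE):
    """Traffic selectors the Check Point side offers in Quick Mode (simplified)."""
    if mode == "per_gateway_pair":        # "One VPN tunnel per Gateway pair"
        return [(ANY, ANY)]
    if largest_possible:
        local, remote = supernet(local), supernet(remote)
    return list(product(local, remote))   # one SA per subnet pair

def pan_accepts(proposal, proxy_ids):
    """Behaviour described in the thread: a proposal is accepted only if it equals
    a configured Proxy-ID (directions swapped); otherwise it is silently dropped."""
    cp_local, cp_remote = proposal
    return any(cp_local == pan_remote and cp_remote == pan_local
               for pan_local, pan_remote in proxy_ids)

def negotiate(mode, largest_possible, proxy_ids):
    """Return {(cp_local, cp_remote): accepted} for each proposal the CP would send."""
    return {(str(l), str(r)): pan_accepts((l, r), proxy_ids)
            for l, r in phase2_proposals(mode, largest_possible)}

if __name__ == "__main__":
    for mode, largest, ids, label in [
            ("per_subnet_pair", True, PAN_PROXY_IDS, "subnet pairs, supernetting on"),
            ("per_subnet_pair", False, PAN_PROXY_IDS, "subnet pairs, supernetting off"),
            ("per_subnet_pair", False, PAN_UNIVERSAL, "subnet pairs vs PAN 0.0.0.0/0"),
            ("per_gateway_pair", True, PAN_UNIVERSAL, "gateway pair vs PAN 0.0.0.0/0")]:
        print(f"{label}: {negotiate(mode, largest, ids)}")
```

The first and third cases reproduce the "no valid SA" symptom from post #1: the supernetted /23 and the per-subnet selectors never equal what the PAN has configured, while matching the tunnel-sharing mode on both ends (fourth case) or disabling supernetting against exact Proxy-IDs (second case) gets every proposal accepted.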
