Best practice for IPSEC site to site VPN security

Hi PA Geniuses,

I am trying to learn IPSEC S2S and I am kinda confused about a thing for the security policy.

For now I am allowing everything to establish the tunnel

Source: trust, untrust, VPN
Destination: trust, untrust, VPN
Source and Destination Address: Any

There should be a more granular criteria for this VPN setup. Should I put untrust-to-vpn and vpn-to-untrust instead?

Thank you guys in advance!

Your traffic will be between trust and vpn. Keepalive will keep the tunnel up.

You can always look at the logs and analyze the traffic going over the tunnel and start weeding out traffic that you know you don’t want, or look for traffic that you do want. Pretty vague, but it’s a start.

Would also recommend adding an allow untrust-to-untrust rule that lists the specific apps you want to allow (like ike and ipsec, etc.), which also filters that traffic through your threat prevention rules, and then a rule below that which drops all other untrust-to-untrust traffic. It is the threat prevention rules that will save you from zero-day vulnerabilities, which are fairly common, and they serve as the first line of defense before Palo Alto releases a patch. This has saved us several times from serious vulnerabilities.

The VPN traffic itself (IPSEC & ISAKMP udp/500) should be permitted on your untrusted zone. All other traffic should be going through a tunnel interface in some other zone that isn’t “untrusted” nor “trusted” (unless you are 100% sure you trust the remote site’s security posture).

Here is what I do:

  1. Deny everything to your peer and implement geoblock rules

  2. Write 2 rules - one for inbound ipsec and one for outbound ipsec

  3. Create a group for the remote peer addresses, add this group to the 2 rules you created in #2

  4. Each tunnel gets its own tunnel interface

  5. Each tunnel gets its own zone (no common vpn zones)

  6. Separate ike/ipsec/gateway/tunnel configs. This makes configuration/troubleshooting easier down the road

  7. If this is for a 3rd party vendor, your security policy should be app-default. Exceptions go below in a Layer 4 (service based) rule.

For me, our VPN Palo’s are just that. I permit everything from the tunnels. Traffic is then routed to our 7050s (DMZ if you will) where there is a much more granular policy to only permit traffic to specific hosts, services, apps.

Thanks! That means I should create the security policies below:
Trust-to-VPN ; Allow
VPN-to-trust ; Allow

I am thinking of adding one more allow policy:
Outside to Outside (intrazone) for my peer IP address communication, then add ike and ipsec-esp as the applications.

A very good tip on optimizing my setup! Thank you very much!! :blush:

I will take note of this one. Thank you for sharing your personal experience! :blush:

Thank you! Definitely will try this :blush:

This step-by-step methodology will definitely be one of my guides. Thank you big time!

Yes, if the goal is to allow all traffic. Also be aware of application-default vs any. App-default will allow https on 443 but not 8443, so if you have any nonstandard applications it may break things.
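To show how the rulebase sketched in this thread behaves under first-match evaluation (the peer-only untrust-to-untrust allow with a drop below it, the per-tunnel zone, and the app-default vs any point above), here is an added Python model; it is not from the thread or from Palo Alto. The zone names, peer addresses and the per-app default ports are constructed assumptions, and it ignores user-ID, URL categories and the other rule fields.

```python
from collections import namedtuple

# Default ports per App-ID, a constructed subset for this example.
APP_DEFAULT_PORTS = {
    "ike": {("udp", 500), ("udp", 4500)},
    "ipsec-esp": {("esp", 0)},   # ESP is IP protocol 50, no port, modelled as 0
    "ssl": {("tcp", 443)},
}

# src/dst/apps are {"any"} or a set of members (an address group or App-IDs);
# service is "application-default" or "any"; action is "allow" or "deny".
Rule = namedtuple("Rule", "name from_zone to_zone src dst apps service action")
Flow = namedtuple("Flow", "from_zone to_zone src dst app proto port")

def _member(allowed, value):
    return "any" in allowed or value in allowed

def matches(rule, f):
    if (rule.from_zone, rule.to_zone) != (f.from_zone, f.to_zone):
        return False
    if not (_member(rule.src, f.src) and _member(rule.dst, f.dst)
            and _member(rule.apps, f.app)):
        return False
    # application-default only matches an app on its standard port(s)
    if rule.service == "application-default":
        return (f.proto, f.port) in APP_DEFAULT_PORTS.get(f.app, set())
    return True

def evaluate(rules, f):
    """First-match rulebase lookup, then the PAN-OS implicit defaults."""
    for r in rules:
        if matches(r, f):
            return r.name, r.action
    if f.from_zone == f.to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

# Constructed addresses (RFC 5737 ranges): this firewall and the remote peer.
OUR_IP, PEER_IP = "203.0.113.5", "198.51.100.10"
RULEBASE = [
    Rule("ipsec-inbound", "untrust", "untrust", {PEER_IP}, {OUR_IP},
         {"ike", "ipsec-esp"}, "application-default", "allow"),
    Rule("ipsec-outbound", "untrust", "untrust", {OUR_IP}, {PEER_IP},
         {"ike", "ipsec-esp"}, "application-default", "allow"),
    Rule("untrust-untrust-drop", "untrust", "untrust", {"any"}, {"any"},
         {"any"}, "any", "deny"),
    Rule("trust-to-vpn-siteA", "trust", "vpn-siteA", {"any"}, {"any"},
         {"any"}, "application-default", "allow"),
    Rule("vpn-siteA-to-trust", "vpn-siteA", "trust", {"any"}, {"any"},
         {"any"}, "application-default", "allow"),
]
```

Running `evaluate(RULEBASE, Flow("trust", "vpn-siteA", "10.0.0.5", "10.1.0.5", "ssl", "tcp", 8443))` falls through every rule to the interzone default and is denied, which is the "may break things" case from the reply above.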

Intrazone allow is a default policy unless you’ve changed it.

My very sincere big thank you for this one! :blush: