Palo Alto GRE Tunnel

Since PAN-OS version 9.0 you can configure GRE tunnels on a Palo Alto Networks firewall. Greetings from the clouds. As always, this is done solely through the GUI while you can use some CLI commands to test the tunnel. This time Palo put a little stumbling block in there as you have to allow a GRE connection with a certain zone/IP reference. I will show how to set up such a GRE tunnel between a Palo and a Cisco router. Here we go:

I am using a PA-220 with PAN-OS 9.1.3. This is my addressing scheme:

GRE on the Palo

Configuring a GRE tunnel involves the following steps (refer to the official PAN documentation: GRE Tunnel Overview):

  1. tunnel interface with IP address
  2. GRE tunnel itself
  3. static route (or routing protocol) to the remote network
  4. security policies allowing the internal-to-remote traffic and vice versa
  5. AND: a security policy allowing the incoming GRE tunnel! <- this one is really special as it is from source zone “untrust” with the public IP address of the remote GRE tunnel endpoint to destination zone from the tunnel interface (in my case its called “s2s-gre”) but with the public IP address of the Palo (which resides on the “untrust” zone). RTFM: “Likewise, if the zone of the tunnel interface associated with the GRE tunnel (for example, tunnel.1) is a different zone from that of the ingress interface, you must configure a Security policy rule to allow the GRE traffic.”

Here are some screenshots of my setup:

GRE at Cisco Router

On a Cisco router, the appropriate configuration looks as follows. No security policies here – everything is allowed because it’s a router. The keepalive settings are the defaults. Using only the configuration command keepalive defaults to keepalive 10 3, which are the same values as on the Palo. (It’s rather likely that PAN took the defaults from Cisco. ;))

 

Stats ‘n Troubleshooting

Keep in mind that GRE is *not* a TCP/UDP protocol, but an own IP protocol with number 47. If you have some intermediary firewalls you have to allow this IP protocol. Likewise, the GRE session on the Palo is listed with proto = 47.

Palo Alto

This screenshot shows the traffic log BEFORE I allowed the GRE policy. Of course, they are allowed now. The application is “gre” and the IP protocol is “gre” as well:

GRE sessions are normally quite long-living in the session browser:

The system log, filtered for “subtype eq gre”, shows the tunnel status. For whatever reason I have some more downs than ups:

From the CLI you can ping the other end of the tunnel, sourcing from the own tunnel interface:

And verify the tunnel interface status which shows the GRE stats of the keepalives as well as sent/received bytes/packets:

Cisco Router

Pinging the other tunnel interface:

Tunnel interface status:

 

(Sorry for being legacy-IP-only this time…)

Photo by Sharosh Rajasekher on Unsplash.

Leave a Reply

Your email address will not be published. Required fields are marked *