Palo Alto GRE Tunnel

Since PAN-OS version 9.0 you can configure GRE tunnels on a Palo Alto Networks firewall. Greetings from the clouds. As always, this is done solely through the GUI while you can use some CLI commands to test the tunnel. This time Palo put a little stumbling block in there as you have to allow a GRE connection with a certain zone/IP reference. I will show how to set up such a GRE tunnel between a Palo and a Cisco router. Here we go:

I am using a PA-220 with PAN-OS 9.1.3. This is my addressing scheme:

GRE on the Palo

Configuring a GRE tunnel involves the following steps (refer to the official PAN documentation: GRE Tunnel Overview):

  1. tunnel interface with IP address
  2. GRE tunnel itself
  3. static route (or routing protocol) to the remote network
  4. security policies allowing the internal-to-remote traffic and vice versa
  5. AND: a security policy allowing the incoming GRE tunnel! <- this one is really special as it is from source zone “untrust” with the public IP address of the remote GRE tunnel endpoint to destination zone from the tunnel interface (in my case its called “s2s-gre”) but with the public IP address of the Palo (which resides on the “untrust” zone). RTFM: “Likewise, if the zone of the tunnel interface associated with the GRE tunnel (for example, tunnel.1) is a different zone from that of the ingress interface, you must configure a Security policy rule to allow the GRE traffic.”

Here are some screenshots of my setup:

GRE at Cisco Router

On a Cisco router, the appropriate configuration looks as follows. No security policies here – everything is allowed because it’s a router. The keepalive settings are the defaults. Using only the configuration command keepalive defaults to keepalive 10 3, which are the same values as on the Palo. (It’s rather likely that PAN took the defaults from Cisco. ;))

Stats ‘n Troubleshooting

Keep in mind that GRE is *not* a TCP/UDP protocol, but an own IP protocol with number 47. If you have some intermediary firewalls you have to allow this IP protocol. Likewise, the GRE session on the Palo is listed with proto = 47.

Palo Alto

This screenshot shows the traffic log BEFORE I allowed the GRE policy. Of course, they are allowed now. The application is “gre” and the IP protocol is “gre” as well:

GRE sessions are normally quite long-living in the session browser:

The system log, filtered for “subtype eq gre”, shows the tunnel status. For whatever reason I have some more downs than ups:

From the CLI you can ping the other end of the tunnel, sourcing from the own tunnel interface:

And verify the tunnel interface status which shows the GRE stats of the keepalives as well as sent/received bytes/packets:

Cisco Router

Pinging the other tunnel interface:

Tunnel interface status:

(Sorry for being legacy-IP-only this time…)

Photo by Sharosh Rajasekher on Unsplash.

5 thoughts on “Palo Alto GRE Tunnel

  1. Thanks bro, you helped me to build a Tunnel from Vyos to PA. The tricky was the Sec policy for incoming GRE traffic and the intrazone ping. :)

  2. I’m doing this over an LTE router. Other end is usually a Cisco. From Cisco to Cisco it works. Using ospf and a higher metric we failover if we kill the metro Ethernet. Now I’m trying to converge a Cisco 2901 to a PAN firewall. Can get the tunnels ip, can ping and traceroute over them. Ospf appears to fail over property and traceroute looks as I expect if I kill the wan. But I can’t connect to anything at the remote site. RDP for instance days internal error. HTTPS to ESXi server at the other end, page cannot be displayed. So weird that all pings and traces look good but yet I can’t access anything at the other end. I put the Cisco router back in the network and we’re fine now. I was just looking to save an outlet and 1U of rack space of our 3220’s could handle it.

    1. Hey Kjstech. Were you able to solve this issue in the meantime? Are you sure that you have proper security policies in place? NAT issues? MTU issues? Have you used tcpdump/Wireshark on both sides to compare incoming/outgoing packets?

      1. I can get it to work from pfSense running an the FRR OSPF plugin and doing a ipsec vpn.

        Just have not had time to mess with a working Cisco setup right now to diagnose. But I believe it could be MTU-related.

        On our cisco tunnel interfaces, I do see we have these two statements
        ip mtu 1400
        ip tcp adjust-mss 1360

        That’s obviously specified and not the norm, so I just have to translate that to Palo Alto when I get a chance and off hours disable a primary connection at HQ core switch to initiate a failover and see if the traffic re-routes that path.

  3. Fantastic tuto !!
    i was tryind during half day to mount GRE tunnels between my Paloalto and Zscaler cloud Proxy until i found your now yet so obvious policy for GRE in same zone :)

    Thanks you very much !

Leave a Reply to Johannes Weber Cancel reply

Your email address will not be published. Required fields are marked *