Create IPSec Site to Site VPN Between Palo Alto and Fortigate Firewalls - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Tuesday, May 24, 2022

Create IPSec Site to Site VPN Between Palo Alto and Fortigate Firewalls

This post is to record all steps to configure a ipsec site to site IPSec VPN tunnel between Palo Alto Firewall and Fortigate Firewall,


 Online Updated Diagram:

PNG image for the diagram:

Configure Basic settings of Palo Alto Firewall 

More details can be found from following posts: 

1 Download Palo Alto Image

2 Import Image and Configure VM

3 Connect to Mgmt Interface

4 Configure Internal/Internet interfaces.

5  Configure Security Zone and Virtual Router

6  Configure Security policy and NAT

7  Test

Configure Basic settings of Fortigate Firewall 

More details can be found from this post:

1 Download VM image

2 Import into VMWare Workstation lab environment

3 Configure static ip and http access for mgmt interface and using HTTP to connect to mgmt interface

4 Config LAN/WAN/DMZ interfaces

5 Config basic security policy and nat

6 Test

Configure VPN tunnel in Palo Alto Firewall 


1 Create IKE Crypto Profile

2 Create IPSec Crypto Profile

3 Create IKE Gateway

Assign your IKE Crypto profile to your IKE Gateway

4 Create tunnel interface

You do not have to assign an ip address for your tunnel interface. But if assigned, it can be used to monitor tunnel. 

5 Create IPSec Tunnel

6 Virtual Router Static Route configuration

Depends on how you routing your traffic, after you add your tunnel interface into your virtual router, you might need to create a couple static routes.

7 Create security policy rule to allow VPN networks to access each other.

Configure VPN tunnel in Fortigate Firewall 


1 Go to VPN section, choose IPsec Tunnels and click Create New IPsec Tunnel

2 Start VPN setup. Put name, choose template type, if need NAT, and select remote device type

3 Configure Authentication method and remote gateway information

4 Choose local ip segment and configure remote ip segment. This traffic will be your interest traffic which will be sent to VPN tunnel.

5 Review and create tunnel configuration

VPN Template Details for phase 1 and phase 2

You can edit VPN tunnel details to change phase 1 and phase 2 encryption and authentication information.
Note: Trial license only has DES for encryption, not 3DES and AES. 

6 Fortigate VPN Wizard will auto-generate tunnel interface, static route to tunnel, and policy rule to allow traffic between vpn networks.



On Fortigate, 

check IPsec Tunnel status:

Check Log & Report - Events - VPN Events

On Palo Alto:


Part 1 - Basic Settings:

IPSec VPN Tunnel Setup:

No comments:

Post a Comment