How to configure Palo Alto Firewall site-to-site VPN connecting to Azure

1. Log in to the PA firewall WebGUI.

2. Go to Network > Interfaces > Tunnel and click Add. In the Tunnel Interface dialog, choose the Interface Name, the Virtual Router (default in our example) and the Security Zone (you can use a preset zone, or an IP on the same subnet as the Azure Gateway for dynamic routing).

3. To configure the IKE Gateway, go to Network > Network Profiles > IKE Gateway and click Add. The following values are to be configured:

1) Choose the following values.
Version: Set to ‘IKEv2 Only mode’ or ‘IKEv2 preferred mode’.
Interface: Set to the public (internet-facing) interface of the firewall used to connect to Azure, ethernet1/1 in our example.
Local IP Address: The IP address of the external interface of the firewall. If the firewall is not behind a NAT device, this will be the VPN Gateway Address as configured in Azure.
Peer IP Address: The IP address of the Azure VPN Gateway. This can be obtained from the Azure Virtual Network dashboard. Note: Make sure you use the NAT-ed IP on Azure to define the peer IP.
Pre-shared Key: Azure uses a pre-shared key (PSK or Pre-Shared Secret) for authentication. The key must be configured with the same value in the Azure VPN settings and on the Palo Alto Networks firewall.

2) On the Advanced Options tab, leave Enable Passive Mode (Set as responder) unchecked, and in the IKEv2 section leave Liveness Check enabled. Note: Enable NAT Traversal if the firewall is behind a NAT device.

4. To configure the IKE Crypto Profile, go to Network > Network Profiles > IKE Crypto. These are the PA default settings:
DH Group: group2
Encryption: aes-256-cbc, 3des
Authentication: sha1, sha256
Note: Set lifespans longer than the Azure settings to ensure that Azure renews the keys during re-keying. Set the phase 1 lifetime to 28800 seconds.

It is better to configure a new crypto profile that matches the IKE crypto settings of the Azure VPN. This is our working configuration.

5. Configure a new IPSec Tunnel by going to Network > IPSec Tunnels. The following values are to be configured: Tunnel Interface: Select the Tunnel Interface configured in Step 2 above.
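The same steps expressed as PAN-OS CLI set commands, as an added example that is not part of the original post. The object names (tunnel.1, zone vpn, Azure-IKE, Azure-IPSec, Azure-GW, Azure-Tunnel), the local address 203.0.113.10/24, the peer address 198.51.100.20 and the single-proposal phase 1/phase 2 profiles are placeholders to be replaced with the values shown in your Azure portal; the command paths follow the PAN-OS configuration tree from memory and should be confirmed with ? completion on your PAN-OS version.

```text
# Enter configuration mode on the PAN-OS CLI (admin@PA> configure)
configure

# Step 2: tunnel interface, attached to the virtual router and a security zone
set network interface tunnel units tunnel.1 comment "Azure S2S"
set network virtual-router default interface tunnel.1
set zone vpn network layer3 tunnel.1

# Step 4: a dedicated IKE (phase 1) crypto profile instead of the PA default,
# with one proposal matched to the Azure policy and the 28800 s lifetime the post recommends
set network ike crypto-profiles ike-crypto-profiles Azure-IKE dh-group group2
set network ike crypto-profiles ike-crypto-profiles Azure-IKE encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles Azure-IKE hash sha256
set network ike crypto-profiles ike-crypto-profiles Azure-IKE lifetime seconds 28800

# IPsec (phase 2) crypto profile used by the tunnel in step 5 (placeholder values)
set network ike crypto-profiles ipsec-crypto-profiles Azure-IPSec esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles Azure-IPSec esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles Azure-IPSec dh-group no-pfs
set network ike crypto-profiles ipsec-crypto-profiles Azure-IPSec lifetime hours 1

# Step 3: IKE gateway, IKEv2 only, PSK authentication, liveness check on, passive mode off
set network ike gateway Azure-GW protocol version ikev2
set network ike gateway Azure-GW protocol ikev2 ike-crypto-profile Azure-IKE
set network ike gateway Azure-GW protocol ikev2 dpd enable yes
set network ike gateway Azure-GW local-address interface ethernet1/1
set network ike gateway Azure-GW local-address ip 203.0.113.10/24
set network ike gateway Azure-GW peer-address ip 198.51.100.20
set network ike gateway Azure-GW authentication pre-shared-key key REPLACE-WITH-YOUR-PSK
set network ike gateway Azure-GW protocol-common passive-mode no
# Only when the firewall sits behind a NAT device:
set network ike gateway Azure-GW protocol-common nat-traversal enable yes

# Step 5: IPsec tunnel binding the tunnel interface, the gateway and the phase 2 profile
set network tunnel ipsec Azure-Tunnel tunnel-interface tunnel.1
set network tunnel ipsec Azure-Tunnel auto-key ike-gateway Azure-GW
set network tunnel ipsec Azure-Tunnel auto-key ipsec-crypto-profile Azure-IPSec

commit
```

After the commit, the tunnel still needs a route for the Azure address space over tunnel.1 and a security policy between the vpn zone and the internal zone before traffic can flow.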

Published by

Bob Lin

Bob Lin, Chicagotech-MVP, MCSE & CNE Data recovery, Windows OS Recovery, Networking, and Computer Troubleshooting on http://www.ChicagoTech.net How to Install and Configure Windows, VMware, Virtualization and Cisco on http://www.HowToNetworking.com