Skip to content
Cloudflare Docs

Palo Alto Networks NGFW

This tutorial includes the steps required to configure IPsec tunnels to connect a Palo Alto Networks Next-Generation Firewall (NGFW) to Cloudflare Magic WAN through a Layer 3 deployment.

Software version tested

  • PAN-OS 9.1.14-h4

Use Cases

  • Magic WAN: Connecting two or more locations with RFC-1918 private non-routable address space.
  • Magic WAN with Cloudflare Zero Trust (Gateway egress): Same as Magic WAN, with the addition of outbound Internet access from Magic WAN protected sites egressing the Cloudflare edge network.

Prerequisites

This tutorial assumes you have a standalone NGFW with two network interfaces:

  • One in a trust security zone (Trust_L3_Zone) with an RFC-1918 non-Internet routable IP address (internal network);
  • And the other in an untrust security zone (Untrust_L3_Zone) with a legally routable IP address (Internet facing).

Additionally, there must be a default gateway set on the Virtual Router (default) pointing to the router of your Internet service provider(s).

Environment

The following IP addresses are used throughout this tutorial. Any legally routable IP addresses have been replaced with IPv4 Address Blocks Reserved for Documentation (RFC5737) addresses within the 203.0.113.0/24 subnet.

DescriptionAddressAddress
NGFW external interface203.0.113.254/24
NGFW internal interface10.1.100.254/24
Local trust subnet (LAN)10.1.100.0/24
NGFW tunnel interface 0110.252.2.26/31 (Cloudflare side)10.252.2.27/31 (NGFW side)
NGFW tunnel interface 0210.252.2.28/31 (Cloudflare side)10.252.2.29/31 (NGFW side)
Magic WAN anycast IP162.159.66.164172.64.242.164
Magic WAN health check anycast IP172.64.240.253172.64.240.254
VLAN0010 - remote Magic WAN site10.1.10.0/24
VLAN0020 - remote Magic WAN site10.1.20.0/24

Cloudflare Magic WAN

Magic IPsec Tunnels

Use the Cloudflare dashboard or API to configure two IPsec Tunnels. The settings mentioned in Add IPsec tunnels below are used for the IPsec tunnels referenced throughout the remainder of this guide.

These are the target IP addresses for bidirectional tunnel health checks:

  • 172.64.240.253: Use with the primary IPsec tunnel.
  • 172.64.240.254: Use with the secondary IPsec tunnel.

Add IPsec tunnels

  1. Follow the Add tunnels instructions to create the required IPsec tunnels with the following options:

    • Tunnel name: SFO_IPSEC_TUN01
    • Interface address: 10.252.2.96/31
    • Customer endpoint: 203.0.113.254
    • Cloudflare endpoint: 162.159.66.164
    • Health check rate: Low (default value is Medium)
    • Health check type: Reply
    • Health check target: Custom (default is Default)
    • Target address: 172.64.240.253

  2. Select Add pre-shared key later > Add tunnels.

  3. Repeat the process to create a second IPsec tunnel with the following options:

    • Tunnel name: SFO_IPSEC_TUN02
    • Interface address: 10.252.2.98/31
    • Customer endpoint: 203.0.113.254
    • Cloudflare endpoint: 172.64.242.164
    • Health check rate: Low (default value is Medium)
    • Health check type: Reply
    • Health check target: Custom (default is Default)
    • Target address: 172.64.240.254

Generate Pre-shared keys

When you create IPsec tunnels with the option Add pre-shared key later, the Cloudflare dashboard will show you a warning indicator:

Magic IPsec Tunnels - No PSK
  1. Select Edit to edit the properties of each tunnel.
  2. Select Generate a new pre-shared key > Update and generate pre-shared key. Generatre a new pre-shared key for each of your IPsec tunnels
  3. Copy the pre-shared key value for each of your IPsec tunnels, and save these values somewhere safe. Then, select Done. Take note of your pre-shared key, and keep it in a safe place

IPsec identifier - FQDN (Fully Qualified Domain Name)

After creating your IPsec tunnels, the Cloudflare dashboard will list them under the Tunnels tab. Select the arrow (>) on each of your IPsec tunnel to collect the FQDN ID value from each of them. The FQDN ID value will be required when configuring IKE Phase 1 on the Palo Alto Networks Next-Generation Firewall.

Take note of the FQDN ID value for each of your IPsec tunnels

Magic Static Routes

If you refer to the Environment section, you will notice there is one subnet within Trust_L3_Zone: 10.1.100.0/24.

Create a static route for each of the two IPsec tunnels configured in the previous section, with the following settings (settings not mentioned here can be left with their default settings):

Tunnel 01

  • Description: SFO_VLAN100_01
  • Prefix: 10.1.100.0/24
  • Tunnel/Next hop: SFO_IPSEC_TUN01

Tunnel 02

  • Description: SFO_VLAN100_02
  • Prefix: 10.1.100.0/24
  • Tunnel/Next hop: SFO_IPSEC_TUN02
Add static routes for each of the IPsec tunnels you created in the previous step

Palo Alto Networks Next-Generation Firewall

Tags

While Tags are optional, they can greatly improve object and policy visibility. The following color scheme was implemented in this configuration:

TagColor
Trust_L3_ZoneGreen
Untrust_L3_ZoneRed
Cloudflare_L3_ZoneOrange

Use the Palo Alto Networks Next-Generation Firewall command-Line to set the tags:

Terminal window
set tag Trust_L3_Zone color color2
set tag Untrust_L3_Zone color color1
set tag Cloudflare_L3_Zone color color6

Objects

The use of Address and Address Group objects wherever possible is strongly encouraged. These objects ensure that configuration elements that reference them are defined accurately and consistently.

Any configuration changes should be applied to the objects and will automatically be applied throughout the remainder of the configuration.

Address Objects

NameTypeAddressTags
CF_Health_Check_Anycast_01IP Netmask172.64.240.253Cloudflare_L3_Zone
CF_Health_Check_Anycast_02IP Netmask172.64.240.254Cloudflare_L3_Zone
CF_Magic_WAN_Anycast_01IP Netmask162.159.66.164Cloudflare_L3_Zone
CF_Magic_WAN_Anycast_02IP Netmask172.64.242.164Cloudflare_L3_Zone
CF_MWAN_IPsec_VTI_01_LocalIP Netmask10.252.2.27/31Cloudflare_L3_Zone
CF_MWAN_IPsec_VTI_01_RemoteIP Netmask10.252.2.26Cloudflare_L3_Zone
CF_MWAN_IPsec_VTI_02_LocalIP Netmask10.252.2.29/31Cloudflare_L3_Zone
CF_MWAN_IPsec_VTI_02_RemoteIP Netmask10.252.2.28Cloudflare_L3_Zone
CF_WARP_Client_PrefixIP Netmask100.96.0.0/12Cloudflare_L3_Zone
Cloudflare_IPv4_01IP Netmask173.245.48.0/20Cloudflare_L3_Zone
Cloudflare_IPv4_02IP Netmask103.21.244.0/22Cloudflare_L3_Zone
Cloudflare_IPv4_03IP Netmask103.22.200.0/22Cloudflare_L3_Zone
Cloudflare_IPv4_04IP Netmask103.31.4.0/22Cloudflare_L3_Zone
Cloudflare_IPv4_05IP Netmask141.101.64.0/18Cloudflare_L3_Zone
Cloudflare_IPv4_06IP Netmask108.162.192.0/18Cloudflare_L3_Zone
Cloudflare_IPv4_07IP Netmask190.93.240.0/20Cloudflare_L3_Zone
Cloudflare_IPv4_08IP Netmask188.114.96.0/20Cloudflare_L3_Zone
Cloudflare_IPv4_09IP Netmask197.234.240.0/22Cloudflare_L3_Zone
Cloudflare_IPv4_10IP Netmask198.41.128.0/17Cloudflare_L3_Zone
Cloudflare_IPv4_11IP Netmask162.158.0.0/15Cloudflare_L3_Zone
Cloudflare_IPv4_12IP Netmask104.16.0.0/13Cloudflare_L3_Zone
Cloudflare_IPv4_13IP Netmask104.24.0.0/14Cloudflare_L3_Zone
Cloudflare_IPv4_14IP Netmask172.64.0.0/13Cloudflare_L3_Zone
Cloudflare_IPv4_15IP Netmask131.0.72.0/22Cloudflare_L3_Zone
Internet_L3_203-0-113-254--24IP Netmask203.0.113.254/24Untrust_L3_Zone
VLAN0010_10-1-10-0--24IP Netmask10.1.10.0/24Cloudflare_L3_Zone
VLAN0020_10-1-20-0--24IP Netmask10.1.20.0/24Cloudflare_L3_Zone
VLAN0100_10-1-100-0--24IP Netmask10.1.100.0/24Trust_L3_Zone
VLAN0100_L3_10-1-100-254--24IP Netmask10.1.10.254/24Trust_L3_Zone

Use the Palo Alto Networks Next-Generation Firewall command-Line to set the objects:

Terminal window
set address CF_Health_Check_Anycast_01 ip-netmask 172.64.240.253
set address CF_Health_Check_Anycast_01 tag Cloudflare_L3_Zone
set address CF_Health_Check_Anycast_02 ip-netmask 172.64.240.254
set address CF_Health_Check_Anycast_02 tag Cloudflare_L3_Zone
set address CF_Magic_WAN_Anycast_01 ip-netmask 162.159.66.164
set address CF_Magic_WAN_Anycast_01 tag Cloudflare_L3_Zone
set address CF_Magic_WAN_Anycast_02 ip-netmask 172.64.242.164
set address CF_Magic_WAN_Anycast_02 tag Cloudflare_L3_Zone
set address CF_MWAN_IPsec_VTI_01_Local ip-netmask 10.252.2.27/31
set address CF_MWAN_IPsec_VTI_01_Local tag Cloudflare_L3_Zone
set address CF_MWAN_IPsec_VTI_02_Local ip-netmask 10.252.2.29/31
set address CF_MWAN_IPsec_VTI_02_Local tag Cloudflare_L3_Zone
set address CF_MWAN_IPsec_VTI_01_Remote ip-netmask 10.252.2.26
set address CF_MWAN_IPsec_VTI_01_Remote tag Cloudflare_L3_Zone
set address CF_MWAN_IPsec_VTI_02_Remote ip-netmask 10.252.2.28
set address CF_MWAN_IPsec_VTI_02_Remote tag Cloudflare_L3_Zone
set address CF_WARP_Client_Prefix ip-netmask 100.96.0.0/12
set address CF_WARP_Client_Prefix tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_01 ip-netmask 173.245.48.0/20
set address Cloudflare_IPv4_01 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_02 ip-netmask 103.21.244.0/22
set address Cloudflare_IPv4_02 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_03 ip-netmask 103.22.200.0/22
set address Cloudflare_IPv4_03 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_04 ip-netmask 103.31.4.0/22
set address Cloudflare_IPv4_04 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_05 ip-netmask 141.101.64.0/18
set address Cloudflare_IPv4_05 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_06 ip-netmask 108.162.192.0/18
set address Cloudflare_IPv4_06 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_07 ip-netmask 190.93.240.0/20
set address Cloudflare_IPv4_07 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_08 ip-netmask 188.114.96.0/20
set address Cloudflare_IPv4_08 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_09 ip-netmask 197.234.240.0/22
set address Cloudflare_IPv4_09 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_10 ip-netmask 198.41.128.0/17
set address Cloudflare_IPv4_10 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_11 ip-netmask 162.158.0.0/15
set address Cloudflare_IPv4_11 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_12 ip-netmask 104.16.0.0/13
set address Cloudflare_IPv4_12 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_13 ip-netmask 104.24.0.0/14
set address Cloudflare_IPv4_13 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_14 ip-netmask 172.64.0.0/13
set address Cloudflare_IPv4_14 tag Cloudflare_L3_Zone
set address Cloudflare_IPv4_15 ip-netmask 131.0.72.0/22
set address Cloudflare_IPv4_15 tag Cloudflare_L3_Zone
set address Internet_L3_203-0-113-254--24 ip-netmask 203.0.113.254/24
set address Internet_L3_203-0-113-254--24 tag Untrust_L3_Zone
set address VLAN0010_10-1-10-0--24 ip-netmask 10.1.10.0/24
set address VLAN0010_10-1-10-0--24 tag Trust_L3_Zone
set address VLAN0020_10-1-20-0--24 ip-netmask 10.1.20.0/24
set address VLAN0020_10-1-20-0--24 tag Trust_L3_Zone
set address VLAN0100_10-1-100-0--24 ip-netmask 10.1.100.0/24
set address VLAN0100_10-1-100-0--24 tag Trust_L3_Zone
set address VLAN0100_L3_10-1-100-254--24 ip-netmask 10.1.100.254/24
set address VLAN0100_L3_10-1-100-254--24 tag Trust_L3_Zone

Address Group object

The Address Group object used in this configuration provides a single object representation of the entire Cloudflare IPv4 public address space.

NameTypeAddressesTags
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_01Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_02Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_03Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_04Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_05Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_06Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_07Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_08Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_09Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_10Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_11Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_12Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_13Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_14Cloudflare_L3_Zone
Cloudflare_IPv4_Static_GrpStaticCloudflare_IPv4_15Cloudflare_L3_Zone

Use the Palo Alto Networks Next-Generation Firewall command-Line to set the address group object:

Terminal window
set address-group Cloudflare_IPv4_Static_Grp static [ Cloudflare_IPv4_01 Cloudflare_IPv4_02 Cloudflare_IPv4_03 Cloudflare_IPv4_04 Cloudflare_IPv4_05 Cloudflare_IPv4_06 Cloudflare_IPv4_07 Cloudflare_IPv4_08 Cloudflare_IPv4_09 Cloudflare_IPv4_10 Cloudflare_IPv4_11 Cloudflare_IPv4_12 Cloudflare_IPv4_13 Cloudflare_IPv4_14 Cloudflare_IPv4_15 ]
set address-group Cloudflare_IPv4_Static_Grp tag Cloudflare_L3_Zone

Interface Mgmt - Network Profiles

Interface Mgmt profiles control what traffic is allowed to the firewall, as opposed to through the firewall.

Adding an Interface Mgmt profile to the tunnel interfaces will provide the ability to ping the Virtual Tunnel Interface on your firewall(s).

Set up via dashboard

You can define an Interface Management Profile to allow ping from the dashboard:

  1. Go to Network Profiles > Interface Mgmt.
  2. In the Network tab select Add.
  3. Create profiles to allow Ping, and in the Network Services group select Ping.
Interface Mgmt Profile Interface Mgmt Profile

Set up via command line

You can also use the command line to allow ping:

Terminal window
set network profiles interface-management-profile Allow_Ping userid-service no
set network profiles interface-management-profile Allow_Ping ping yes

Network Interfaces

Palo Alto Networks Next-Generation Firewall (NGFW) is configured with two Ethernet interfaces:

InterfaceInterface TypeIP AddressVirtual Router
ethernet1/1Layer310.1.100.254/24default
ethernet1/2Layer3203.0.113.254/24default

Set up via dashboard

Follow the guidance on the images below to set up the Ethernet interfaces through the dashboard.

ethernet1/1: Trust_L3_Zone
NameOptionValue
ethernet1/1Interface TypeLayer3
Netflow ProfileNone
Config tabVirtual Routerdefault
Security ZoneTrust_L3_Zone
IPv4 tabTypeStatic
IPVLAN0100_L3_10-1-100-254--24
address object
Advanced tabManagement ProfileMgmt_Services
Set up ethernet1/1 on the dashboardSet up ethernet1/1 on the dashboardSet up ethernet1/1 on the dashboard
ethernet1/2: Untrust_L3_Zone
NameOptionValue
ethernet1/2Interface TypeLayer3
Netflow ProfileNone
Config tabVirtual Routerdefault
Security ZoneUntrust_L3_Zone
IPv4 tabTypeStatic
IPInternet_L3_203-0-113-254--24
address object
Advanced tabManagement ProfileAllow_Ping
MTU576 - 1500
Adjust TCP MSSEnable
IPv4 MSS Adjustment64
Set up ethernet1/2 on the dashboardSet up ethernet1/2 on the dashboardSet up ethernet1/2 on the dashboard

After setting up your Ethernet interfaces, they should show up on the overview page:

Ethernet Interfaces - Overview

Set up via command line

You can also use the command line to set up the Ethernet interfaces.

Terminal window
set network interface ethernet ethernet1/1 layer3 ndp-proxy enabled no
set network interface ethernet ethernet1/1 layer3 lldp enable no
set network interface ethernet ethernet1/1 layer3 ip VLAN0100_L3_10-1-100-254--24
set network interface ethernet ethernet1/1 layer3 interface-management-profile Mgmt_Services
set network interface ethernet ethernet1/2 layer3 ndp-proxy enabled no
set network interface ethernet ethernet1/2 layer3 lldp enable no
set network interface ethernet ethernet1/2 layer3 ip Internet_L3_203-0-113-254--24
set network interface ethernet ethernet1/2 layer3 interface-management-profile Allow_Ping
set network interface ethernet ethernet1/2 layer3 adjust-tcp-mss enable yes
set network interface ethernet ethernet1/2 layer3 adjust-tcp-mss ipv4-mss-adjustment 64

Tunnel interfaces

Establishing IPsec Tunnels to Cloudflare Magic WAN requires two tunnel interfaces - one to each of the two Cloudflare anycast IP addresses. You also have to ensure that Allow_Ping is bound to both tunnel adapters in Advanced > Managementt Profile.

Review the images below for more information.

Set up via dashboard

tunnel.1 - Cloudflare_L3_Zone
NameOptionValue
tunnel.1Netflow ProfileNone
Config tabVirtual Routerdefault
Security ZoneCloudflare_L3_Zone
IPv4 tabIPCF_MWAN_IPsec_VTI_01_Local
address object
Advanced tabManagement ProfileAllow_Ping
MTU1450
Set up tunnel 1Set up tunnel 1Set up tunnel 1
tunnel.2 - Cloudflare_L3_Zone
NameOptionValue
tunnel.2Netflow ProfileNone
Config tabVirtual Routerdefault
Security ZoneCloudflare_L3_Zone
IPv4 tabIPCF_MWAN_IPsec_VTI_02_Local
address object
Advanced tabManagement ProfileAllow_Ping
MTU1450
Set up tunnel 2Set up tunnel 2Set up tunnel 2

After setting up your Tunnel interfaces, they should show up on the overview page:

Tunnel Interfaces - Overview

Set up via command line

You can also set up your tunnels in the command line:

Terminal window
set network interface tunnel units tunnel.1 ip CF_MWAN_IPsec_VTI_01_Local
set network interface tunnel units tunnel.1 mtu 1450
set network interface tunnel units tunnel.1 interface-management-profile Allow_Ping
set network interface tunnel units tunnel.2 ip CF_MWAN_IPsec_VTI_02_Local
set network interface tunnel units tunnel.2 mtu 1450
set network interface tunnel units tunnel.2 interface-management-profile Allow_Ping

Zones

The Palo Alto Networks Next-Generation Firewall (NGFW) used to create this tutorial includes the following zones and corresponding network interfaces:

ZoneInterfaceInterface
Trust_L3_Zoneethernet1/1
Untrust_L3_Zoneethernet1/2
Cloudflare_L3_Zonetunnel.1tunnel.2

The tunnel interfaces are placed in a separate zone to facilitate the configuration of more granular security policies. The use of any other zone for the tunnel interfaces will require adapting the configuration accordingly.

Set up via dashboard

Trust_L3_zone
NameOptionValue
Trust_L3_zoneLog settingNone
TypeLayer3
Interfacesethernet1/1
Zone Protection ProfileNone
The Palo Alto interface showing the Trust_L3_Zone
Untrust_L3_zone
NameOptionValue
Untrust_L3_zoneLog settingNone
TypeLayer3
Interfacesethernet1/2
Zone Protection ProfileUntrust_Zone_Prof
The Palo Alto interface showing the Untrust_L3_Zone
Cloudflare_L3_zone
NameOptionValue
Cloudflare_L3_zoneLog settingNone
TypeLayer3
Interfacestunnel.1
tunnel.2
Zone Protection ProfileNone
The Palo Alto interface showing the Cloudflare_L3_ZoneThe Palo Alto interface showing the Tunnel Interfaces overview section

Set up via command line

You can also use the command line to associate zones and interfaces:

Terminal window
set zone Trust_L3_Zone network layer3 ethernet1/1
set zone Untrust_L3_Zone network layer3 ethernet1/2
set zone Cloudflare_L3_Zone network layer3 [ tunnel.1 tunnel.2 ]

Apply Changes

This would be a good time to save and commit the configuration changes made so far. Once complete, make sure you test basic connectivity to and from the firewall.

IKE crypto profile Phase 1

Add a new IKE crypto profile to support the required parameters for Phase 1.

Multiple DH groups and authentication settings are defined in the desired order. Palo Alto Networks Next-Generation Firewall (NGFW) will automatically negotiate the optimal settings based on specified values.

Set up via dashboard

NameOptionValue
CF_IKE_Crypto_CBCDH Groupgroup20
Authenticationsha512
sha384
sha256
Encryptionaes-256-cbc
Key Lifetime24 hours
IKEv2 Authentication Multiple0

Set up via command line