---
title: "Palo Alto Single Tunnel"
slug: "configuring-a-site-to-site-ipsec-tunnel-to-palo-alto-firewall"
updated: 2026-04-07T08:59:07Z
published: 2026-04-07T08:59:07Z
canonical: "support.perimeter81.com/configuring-a-site-to-site-ipsec-tunnel-to-palo-alto-firewall"
stale: true
---


# Palo Alto Single Tunnel

## Introduction

This guide will provide you with a step-by-step walkthrough for establishing a Site-to-Site VPN tunnel between your Check Point SASE network and the Palo Alto Firewall environment.

**Breakdown of topics**

1. Pre-requisites
2. Configuration Steps
3. Verifying the Setup
4. Troubleshooting
5. Support Contacts

## Pre-requisites

To successfully follow this guide, ensure that you:

1. Hold an active Check Point SASE account and a functioning network.
2. Have the Check Point SASE application installed across your devices.
3. Have an active Palo Alto Firewall account with the necessary administrative permissions.

## Configuration Steps

1. Open the Palo Alto WebGUI, and select the **Network** tab.
2. Select Interfaces and open the **Tunnel** tab.  
![3600072804191.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3600072804191.png)
3. Click **Add**.  
![3600072553002.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3600072553002.png)
4. Assign the parameters with the following information:
  - **Virtual Router:** Select the virtual router you would like your tunnel interface to reside in.
  - **Security Zone:** Configure a new zone for the tunnel interface for more granular control of traffic ingress/egressing the tunnel. If the tunnel interface is in a zone different from the zone where the traffic will originate or depart, then a policy is required to allow the traffic to flow from the source zone to the zone containing the tunnel interface.  
![3600072807993.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/3600072807993.png)

1. Open the **Network** tab.
2. Select **Network Profiles** and go to **IKE Crypto**.  
![360007260460ScreenShot2019-12-17at105626.jpg](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360007260460ScreenShot2019-12-17at105626.jpg)
3. Click **Add** (at the bottom of the page) and define the IKE Crypto profile (IKEv1 Phase-1) parameters.  
![36000726054001.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/36000726054001.png)
  - **Name:** A name of your own choice.
  - **DH Group:** 14
  - **Encryption:** aes-256-cbc
  - **Authentication:** sha256
  - **Key Lifetime:** 8 Hours
  - **IKEv2 Authentication Multiple:** 0
4. Open the **Network** tab. Select **Network Profiles** and go to **IKE Gateway**.
5. Select **Add** and fill in the following information:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/palo.PNG)
  - **Name:** A name of your own choice
  - **Version:** IKEv2 if Firewall version supports it, IKEv1 otherwise.
  - **Address Type:** IPv4
  - **Interface:** The external interface connected to the internet
  - **Local IP Address:** Choose the external IP address
  - **Peer IP Address Type:** IP
  - **Peer Address:** Enter your Check Point SASE gateway IP
  - **Authentication:** Pre-Shared Key
  - **Pre-Shared Key:** Enter a string of your own choice containing lower-case characters, upper-case characters, and a number. Please write down this value as you will use it to configure the tunnel and the Check Point SASE management console as well.
  - **Local Identification:** None (the gateway will use the local IP as the local identification value)
  - **Peer Identification:** None (the gateway will use the peer IP as the peer identification value)
6. Open the **Network** tab. Select **Network Profiles** and go to **IPSec Crypto**.
7. Select **Add** and fill in the following information:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1623927001490.png)
  - **Name:** P81-Phase2
  - **IPSec Protocol:** ESP
  - **DH Group:** 14
  - **Encryption:** aes-256-cbc
  - **Lifetime:** 1 hour
  - **Authentication:** sha256
8. Open the **Network** tab. Select **IPSec Tunnels,** then **Add** and fill in the following information:  
![360009477759ScreenShot2020-03-01at115445.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360009477759ScreenShot2020-03-01at115445.png)
  - **Name:** A name of your own choice
  - **Tunnel Interface:** Choose the appropriate interface
  - **Type:** Auto Key
  - **Address Type:** IPv4
  - **IKE Gateway:** Choose the gateway that was defined earlier
  - **IPSec Crypto Profile**: Choose the profile that was defined earlier
9. Open the **Network** tab.
10. Select **Virtual Routers,** then select **Static Routes** and click **Add**. Fill in the following information:  
![360007295599002.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360007295599002.png)
  - **Name:** A name of your own choice
  - **Destination:** Your Check Point SASE Subnet (if such an object does not exist yet make sure to define it)
  - **Interface:** Choose the appropriate interface
  - **Next Hop:** None
  - **Metric:** 10
  - **Route Table:** Unicast
  - **BFD Profile:** Disable BFD
11. Open the **Policies** tab and select **Security**.  
![360007374739ScreenShot2019-12-19at155833.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360007374739ScreenShot2019-12-19at155833.png)  
By default, IKE negotiation and IPSec/ESP packets are allowed.  
![360007374899ScreenShot2019-12-19at155709.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360007374899ScreenShot2019-12-19at155709.png)
12. If your default rules look different, or if you want more granular traffic control, select **Add** and create an appropriate rule.

## Configuring the tunnel in the Management Platform

1. Go to the Gateway in your network from which you want to create the tunnel to the Palo Alto Firewall.
2. Select the three-dotted menu (...) and select **Add Tunnel**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-06-02_at_5_53_13_PM.png)
3. Select **IPSec Site-2-Site Tunnel** and select **Continue**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.56.11%20PM.png)
4. Select **Single Tunnel**, and click **Continue**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.57.33%20PM.png)
5. In the **General Settings** section, specify these:
  - **Name** - Set the name for the Tunnel.
  - **Shared Secret** - Enter the same *Pre-Shared Key* that you entered in Palo Alto WebGUI.
  - **Public IP:** Enter the firewall's external interface IP. This can be found in the Palo Alto WebGUI under **Network** / **Interfaces** / **Ethernet**.  
![360007354800ScreenShot2019-12-19at161307.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360007354800ScreenShot2019-12-19at161307.png)
  - **Public ID:** Enter the same value as for **Public IP**. If the firewall is behind NAT, enter the internal LAN IP of the Palo Alto device (for example, 192.168.1.1).
  - **Check Point SASE Gateway Proposal Subnets:** Leave **Any (0.0.0.0/0)** selected here.
  - **Remote Gateway Proposal Subnets:** Leave **Any (0.0.0.0/0)** selected here.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/GeneralSet_KeyExchange_Any_Any(2).PNG)
6. In the **Advanced Settings** section, specify these:
  - **IKE Version:** V2 (if the Firewall version supports it, V1 otherwise.)
  - **IKE Lifetime:** 8h
  - **Tunnel Lifetime:** 1h
  - **Dead Peer Detection Delay:** 10s
  - **Dead Peer Detection Timeout:** 30s
  - **Phase 1**:
    - **Encryption (Phase 1):** aes256
    - **Integrity (Phase 1):** sha256
    - **Key Exchange Method:** modp2048
  - **Phase 2**:
    - **Encryption (Phase 2):** aes256
    - **Integrity (Phase 2):** sha256
    - **Key Exchange Method:** modp2048  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Zyxel_V2_256_2048(2).PNG)
7. Click **Add Tunnel**.
8. On your network, select the three dots and click **Routes Table**:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Pasted_Image_6_6_22__4_18_PM.png)
9. Click the **Add Route** button on the top right, then fill out the popup accordingly (**Tunnel** will match the name above, and **Subnets** will be the subnets you want to reach on the Palo Alto side of the tunnel) and click the **Add Route** button:  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1655905978348.png)
10. Be sure to click **Apply Configuration** when done.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-06-06_at_4_20_58_PM.png)

## Verifying the Setup

After following the above steps, your tunnel should be active. To verify, go to your Check Point SASE dashboard, locate the tunnel you just created, and check the tunnel status. It should indicate that the tunnel is "Up", signifying a successful connection. Next, connect to your network using the Check Point SASE agent and attempt to access one of the resources in your environment.

## Troubleshooting

If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.
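The most common reason a tunnel stays down after following the steps above is a Phase 1 or Phase 2 proposal that differs between the two sides, which is hard to spot by eye because each vendor spells the same setting differently (Palo Alto's DH group 14 is the console's modp2048, aes-256-cbc is aes256, "8 Hours" is 8h). The script below is an added example and is not part of the original guide or of either vendor's tooling: it records the values entered in both consoles in two plain dictionaries (the field names are this example's own, the IP addresses are RFC 5737 documentation addresses and the pre-shared key is constructed), normalizes the vendor-specific spellings, and reports every parameter on which the two sides disagree, including the pre-shared key rule from the IKE Gateway step.

```python
import re

# Palo Alto DH group numbers mapped to the MODP/ECP names the Check Point SASE
# console uses (standard IKE group assignments from RFC 3526 and RFC 5903).
DH_GROUPS = {
    "1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048",
    "19": "ecp256", "20": "ecp384", "21": "ecp521",
}

UNIT_SECONDS = {
    "s": 1, "sec": 1, "second": 1, "seconds": 1,
    "m": 60, "min": 60, "minute": 60, "minutes": 60,
    "h": 3600, "hr": 3600, "hour": 3600, "hours": 3600,
    "d": 86400, "day": 86400, "days": 86400,
}

# Constructed sample values mirroring the guide's settings. Field names are this
# example's own; IPs are RFC 5737 documentation addresses and the PSK is made up.
PALO_ALTO = {
    "ike": {"version": "IKEv2", "dh_group": "14", "encryption": "aes-256-cbc",
            "authentication": "sha256", "lifetime": "8 Hours"},
    "ipsec": {"dh_group": "14", "encryption": "aes-256-cbc",
              "authentication": "sha256", "lifetime": "1 hour"},
    "gateway": {"local_ip": "198.51.100.10", "peer_address": "203.0.113.5",
                "pre_shared_key": "Example-Psk-2024"},
}
SASE = {
    "ike_version": "V2", "ike_lifetime": "8h", "tunnel_lifetime": "1h",
    "phase1": {"encryption": "aes256", "integrity": "sha256", "key_exchange": "modp2048"},
    "phase2": {"encryption": "aes256", "integrity": "sha256", "key_exchange": "modp2048"},
    "shared_secret": "Example-Psk-2024",
    "public_ip": "198.51.100.10",   # the firewall's external interface IP
    "gateway_ip": "203.0.113.5",    # the SASE gateway IP entered as Peer Address
}


def norm_dh(value):
    """'14', 'group14' or 'modp2048' -> 'modp2048'."""
    v = str(value).strip().lower().replace("group", "").replace(" ", "")
    return DH_GROUPS.get(v, v)


def norm_cipher(value):
    """'aes-256-cbc' or 'AES256' -> 'aes256' (CBC is the only mode the guide uses)."""
    v = str(value).strip().lower().replace("-", "").replace("_", "")
    return v[:-3] if v.endswith("cbc") else v


def norm_hash(value):
    """'sha256', 'SHA-256' or 'hmac-sha256' -> 'sha256'."""
    v = str(value).strip().lower().replace("-", "").replace("_", "")
    return v[4:] if v.startswith("hmac") else v


def lifetime_seconds(value):
    """'8 Hours', '8h', '1 hour' or '3600s' -> number of seconds."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", str(value))
    if not m or m.group(2).lower() not in UNIT_SECONDS:
        raise ValueError(f"unparseable lifetime: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2).lower()]


def norm_ike_version(value):
    """'IKEv2', 'V2' or 2 -> 2."""
    return int(re.sub(r"\D", "", str(value)))


def psk_meets_policy(psk):
    """The guide's rule: lower-case, upper-case and at least one digit."""
    return (any(c.islower() for c in psk) and any(c.isupper() for c in psk)
            and any(c.isdigit() for c in psk))


def compare_tunnel(palo, sase):
    """Return a list of mismatches between the two sides; an empty list means they agree."""
    problems = []

    def check(label, left, right):
        if left != right:
            problems.append(f"{label}: Palo Alto={left!r} vs SASE={right!r}")

    ike, ipsec, gw = palo["ike"], palo["ipsec"], palo["gateway"]
    check("ike version", norm_ike_version(ike["version"]), norm_ike_version(sase["ike_version"]))
    check("phase1 dh", norm_dh(ike["dh_group"]), norm_dh(sase["phase1"]["key_exchange"]))
    check("phase1 encryption", norm_cipher(ike["encryption"]), norm_cipher(sase["phase1"]["encryption"]))
    check("phase1 integrity", norm_hash(ike["authentication"]), norm_hash(sase["phase1"]["integrity"]))
    check("phase1 lifetime", lifetime_seconds(ike["lifetime"]), lifetime_seconds(sase["ike_lifetime"]))
    check("phase2 dh", norm_dh(ipsec["dh_group"]), norm_dh(sase["phase2"]["key_exchange"]))
    check("phase2 encryption", norm_cipher(ipsec["encryption"]), norm_cipher(sase["phase2"]["encryption"]))
    check("phase2 integrity", norm_hash(ipsec["authentication"]), norm_hash(sase["phase2"]["integrity"]))
    check("phase2 lifetime", lifetime_seconds(ipsec["lifetime"]), lifetime_seconds(sase["tunnel_lifetime"]))
    check("pre-shared key", gw["pre_shared_key"], sase["shared_secret"])
    if not psk_meets_policy(sase["shared_secret"]):
        problems.append("pre-shared key: must contain lower-case, upper-case and a digit")
    check("public ip", gw["local_ip"], sase["public_ip"])
    check("peer address", gw["peer_address"], sase["gateway_ip"])
    return problems
```

Run `compare_tunnel(PALO_ALTO, SASE)` after replacing the constructed values with what was actually typed into each console; an empty list means the proposals, lifetimes, key and addresses line up, and each returned string names the first thing to correct. Lifetimes are compared in seconds so that "8 Hours" on the firewall and "8h" in the console count as equal; a Phase 2 lifetime that differs between the sides is reported just like a cipher mismatch, since the peers will disagree on when to rekey.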

## Support Contacts

If you have any difficulties or questions, don't hesitate to contact Check Point SASE's support team. We offer 24/7 chat support on our website at [sase.checkpoint.com](https://www.sase.checkpoint.com/), or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.
