---
title: "Palo Alto Redundant Tunnel"
slug: "palo-alto-redundant-tunnel"
updated: 2026-04-07T09:05:19Z
published: 2026-04-07T09:05:19Z
canonical: "support.perimeter81.com/palo-alto-redundant-tunnel"
stale: true
---

# Palo Alto Redundant Tunnel

This guide explains how to configure a Site-to-Site High Availability (HA) redundant VPN tunnel between your Check Point SASE network and a Palo Alto Firewall, including both Firewall and Check Point SASE console configuration.

## Pre-requisites

Before you begin, ensure that you have:

- An active Check Point SASE account and a functioning network.
- The Check Point SASE application installed on your devices.
- An active Palo Alto Firewall account with administrative permissions.

## Configuration in Palo Alto WebGUI

### Step 1: Configure Tunnel Interfaces

1. Open the **Palo Alto WebGUI** and go to **Network**.
2. Select **Interfaces** and go to **Tunnel**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-XNN9UNOF.png)
3. Click **Add**.
4. Configure these parameters:
  - **Virtual Router**: Select the virtual router for the tunnel interface.
  - **Security Zone**: Create a dedicated zone for tunnel traffic. If the tunnel interface is in a different zone than the source or destination, create a security policy to allow the traffic.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-SU71LPNF.png)
5. Click the **IPv4** tab and click **Add**. Enter the internal address for the first tunnel (use the 169.254.x.x range).

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-X2V4TABB.png)
6. Click **OK**.
7. Repeat the steps to create the second tunnel interface.

### Step 2: Configure IKE Crypto Profile

1. Go to **Network Profiles** > **IKE Crypto**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-IBN7DMIX.png)
2. Click **Add** and define the IKE Crypto profile (IKEv1 Phase 1) parameters:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-2HQDKIXL.png)
  - **Name**: Enter a descriptive name.
  - **DH Group**: 14
  - **Encryption**: aes-256-cbc
  - **Authentication**: sha256
  - **Key Lifetime**: 8 hours
  - **IKEv2 Authentication Multiple**: 0

### Step 3: Configure IKE Gateway

1. Go to **Network Profiles** > **IKE Gateway**.
2. Click **Add** and fill these details:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-HIPOO4B8.png)
  - **Name**: Enter a descriptive name.
  - **Version**: Select IKEv2 (or IKEv1 if unsupported).
  - **Address Type**: IPv4
  - **Interface**: External interface connected to the internet
  - **Local IP Address**: External IP address
  - **Peer IP Address Type**: IP
  - **Peer Address**: Check Point SASE gateway IP
  - **Authentication**: Pre-Shared Key
  - **Pre-Shared Key**: Enter a strong key (mix of uppercase, lowercase, and numbers).

> **Note:** Record this value for configuring the tunnel in the Check Point SASE management console.
  - **Local Identification**: None (Gateway uses the local IP as the local identification value)
  - **Peer Identification**: None (Gateway uses the peer IP as the peer identification value)
3. Repeat the steps for the second Check Point SASE gateway.

### Step 4: Configure IPSec Crypto Profile

1. Go to **Network Profiles** > **IPSec Crypto**.
2. Click **Add** and enter these details:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-E3R5E9GK.png)
  - **Name**: P81-Phase2
  - **IPSec Protocol**: ESP
  - **DH Group**: 14
  - **Encryption**: aes-256-cbc
  - **Lifetime**: 1 hour
  - **Authentication**: sha256

### Step 5: Configure IPSec Tunnels

1. Go to **Network Profiles** > **IPSec Tunnels**.
2. Click **Add** and enter these details:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-6HJZP7KS.png)
  - **Name**: Enter a descriptive name.
  - **Tunnel Interface**: Select the appropriate interface.
  - **Type**: Auto Key
  - **Address Type**: IPv4
  - **IKE Gateway**: Select the previously defined gateway.
  - **IPSec Crypto Profile**: Select the previously defined profile.
3. Repeat the steps for the second IPSec tunnel.

### Step 6: Configure BGP

1. Go to **Network Profile** > **Virtual Routers**.
2. Click **BGP** and enter these details:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-AX76052M.png)
  - **Router ID**: Internal address for the first tunnel (from [Step 1](/v1/docs/palo-alto-redundant-tunnel#step-1-configure-tunnel-interfaces)).
  - **AS Number**: AS number for the Palo Alto Firewall.

#### Add BGP Peer Group and Peers (for redundancy)

1. Under **Peer Group**, click **Add** and enter a name for the Peer Group.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-ZB3VUTR7.png)
2. Under **Peer**, click **Add**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-ZWIBGXYV.png)

In the Peer window, configure these details:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-UG6FN1NI.png)
  - **Name**: Enter a descriptive name.
  - **Peer AS**: Check Point SASE AS number (default: 65000).
  - **Local Address**:
    - **Interface**: Select the first tunnel interface created in [Step 1](/v1/docs/palo-alto-redundant-tunnel#step-1-configure-tunnel-interfaces).
    - **IP**: Select the internal address assigned to the first tunnel.
  - **Peer Address**: Internal (BGP) address for the first Check Point SASE gateway.
3. Go to **Connection Options**, set **Multi Hop** to **3**.
4. Repeat for the second tunnel interface.

The Peer Group configuration should resemble the example shown below.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-YZBOCWEO.png)

### Step 7: Configure Redistribution Profile and BGP Import Rules

#### Redistribution Profile

1. Go to **Virtual Router** > **Redistribution Profile** > **Add**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-AC152CEF.png)
2. Configure:
  - **Name** and **Priority**
  - Enable **Redist**
  - Under **General Filter**, check **Static**
3. Click **OK**.

#### BGP Import Rules

1. Go to **BGP** > **Import** > **Add**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-6P1SAJ3L.png)
2. Enter a **Name** for the rule.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-GOXM9I44.png)
3. Click **Add** and select the created peer group.
4. Under **Match**, configure:
  - **AS Path Regular Expression**: `_<SASE AS>$` (replace `<SASE AS>` with the actual SASE AS number)
  - **FROM PEER**: Select the two tunnel interfaces created previously.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-J686DJ3J.png)
5. Under **Action**, choose **Allow**.
6. Under **Redist Rules**, click **Add** and select the redistribution profile created earlier.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-JZOBZTQO.png)

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-4OJRBN26.png)
7. Click **OK**.
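The import rule above is what keeps the firewall from accepting arbitrary prefixes over the tunnels: the match `_<SASE AS>$` selects only AS paths that end in the SASE AS, that is, routes the SASE network itself originates (prepended paths included), and not routes it merely relays. The following Python snippet is an added illustration, not part of this article or of PAN-OS; it assumes PAN-OS interprets `_` the way Cisco-style AS-path regexes do (an AS-number boundary) and uses 65000, the default SASE AS named in Step 6, together with constructed sample advertisements.

```python
import re

# Cisco-style AS-path regex (assumed to be what PAN-OS uses): "_" is an AS
# boundary, i.e. start of path, end of path, or the separator between ASNs.
AS_BOUNDARY = r"(?:^|$|[\s,])"

def as_path_regex_to_python(expr: str) -> "re.Pattern[str]":
    """Translate a PAN-OS/Cisco-style AS-path expression into a Python regex."""
    return re.compile(expr.replace("_", AS_BOUNDARY))

def as_path_matches(expr: str, as_path: str) -> bool:
    """True if the space-separated AS path matches the expression."""
    return as_path_regex_to_python(expr).search(as_path) is not None

def import_filter(sase_as: int) -> str:
    """The article's import match, '_<SASE AS>$', with the ASN filled in."""
    return f"_{sase_as}$"

def import_decision(routes, sase_as: int) -> dict:
    """Evaluate the import rule's match condition over (prefix, as_path) pairs.
    Returns prefix -> True (matched by the Allow rule) / False (not matched)."""
    expr = import_filter(sase_as)
    return {prefix: as_path_matches(expr, path) for prefix, path in routes}

# Constructed sample advertisements, as they might arrive from the two SASE
# peers over the two tunnel interfaces. 65000 is the article's default SASE AS.
SAMPLE_ROUTES = [
    ("10.20.0.0/16", "65000"),           # originated by the SASE AS: matched
    ("10.30.0.0/16", "65000 65000"),     # prepended, still SASE-originated: matched
    ("192.168.50.0/24", "65000 64999"),  # relayed by SASE, originated elsewhere: not matched
    ("0.0.0.0/0", "65000 650001"),       # last AS is 650001, not 65000: not matched
    ("172.16.0.0/12", "165000"),         # "165000" is not AS 65000 at a boundary: not matched
]

if __name__ == "__main__":
    for prefix, matched in import_decision(SAMPLE_ROUTES, 65000).items():
        print(f"{prefix:18} {'MATCH' if matched else 'NO MATCH'}")
```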

### Step 8: Configure Security Policies

1. Open the **Policies** tab and select **Security**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-2IMMPZ8Q.png)

By default, IKE negotiation and IPSec/ESP packets are permitted.
2. If the behavior differs, or if you require more granular traffic control, click **Add** and create an appropriate Security policy rule.
3. Click **Commit** to apply the configuration changes.

## Configuring the tunnel in the Management Platform

### **Step 1: Configuring Tunnel and Routes Table**

1. Access the Check Point SASE Administrator Portal and click **Networks**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202021-02-17%20at%2019.31.14(2).png)
2. Select the network.
3. Click ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207416268.png).
4. Select **Add Tunnel** for the gateway from which you want to add the IPSec Site-to-Site VPN tunnel.
  1. Click **IPSec Site-2-Site Tunnel** and click **Continue**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.56.11%20PM.png)
  2. Click **Redundant Tunnels** and click **Continue**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202022-06-02%20at%205.57.33%20PM.png)
  3. In the **Tunnel name** field, enter a logical name.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/RedundantIPSecTunnels.png)
  4. Expand **Tunnel 1** and specify these:
    - **Shared Secret** - The value previously set on the first IKE Gateway.
    - **Check Point SASE Gateway Internal IP** - The SASE internal IP address as you configured in the first **PEER Group**.
    - **Remote Public IP** - Enter the FW's external Interface IP. This can be found in Palo Alto WebGUI under Network /Interfaces /Ethernet.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-UENY6FAT.png)
    - **Remote Gateway Internal IP** - The FW internal IP address as you configured in the first **PEER Group**.
    - **Remote Gateways ASN** - The ASN of the Palo Alto Firewall.
    - **Remote ID** - Enter the same value as **Remote Public IP**. If the firewall is behind NAT, enter the internal LAN IP of the Palo Alto device (for example 192.168.1.1).

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/CPHQ01.png)
  5. Expand **Tunnel 2** and specify these:
    - **Gateway** - Select the second Check Point SASE Gateway for the tunnel.
    - **Shared Secret** - The value previously set on the second IKE Gateway.
    - **Check Point SASE Gateway Internal IP** - The SASE internal IP address as you configured in the second **PEER Group**.
    - **Remote Public IP** - Enter the FW's external Interface IP.
    - **Remote Gateway Internal IP** - The FW internal IP address as you configured in the second **PEER Group**.
    - **Remote Gateways ASN** - The ASN of the Palo Alto Firewall.
    - **Remote ID** - Enter the same value as **Remote Public IP**. If the firewall is behind NAT, enter the internal LAN IP of the Palo Alto device (for example 192.168.1.1).

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/CPHQ02.png)
  6. Expand **Shared Settings** and specify these:
    - **Check Point SASE Gateway Proposal Subnets** - Leave **Any (0.0.0.0/0)** selected.
    - **Remote Gateway Proposal Subnets** - Leave **Any (0.0.0.0/0)** selected.
    - **Autonomous System Number (ASN)** - The default value is **64512**; if it is not set, enter the AS number for the Check Point SASE network.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/SharedSetting_Any_Any.PNG)
  7. In the **Advanced Settings** section, specify these:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Zyxel_V2_256_2048.PNG)
    - **IKE Version:** V2
    - **IKE Lifetime:** 8h
    - **Tunnel Lifetime:** 1h
    - **Dead Peer Detection Delay:** 10s
    - **Dead Peer Detection Timeout:** 30s
    - **Phase 1**:
      - **Encryption(Phase 1):** aes256
      - **Integrity (Phase 1):** sha256
      - **Key Exchange Method:** modp2048
    - **Phase 2**:
      - **Encryption(Phase 2):** aes256
      - **Integrity (Phase 2):** sha256
      - **Key Exchange Method:** modp2048
  8. Click **Add Tunnel**.
5. Select **Routes Table**:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Pasted_Image_6_6_22__4_18_PM.png)
  1. Click **Add Route**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1719207709320.png)

The **Add Route** window appears.
  2. Enter all the subnets on the remote side of the tunnel and then click **Add Route**.

> Note: Make sure that in the Tunnel list, you have selected the previously entered Tunnel name.
6. Click **Apply Configuration**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-06-06_at_4_20_58_PM.png)

### **Step 2: Verifying the Setup**

Once you complete the above steps, the tunnel becomes active.

1. Verify the setup in the Check Point SASE Administrator Portal:
  1. Click **Networks**.
  2. Locate the tunnel you created, and check the tunnel status. It should indicate that the tunnel is **Up**, signifying a successful connection.
2. Verify the setup in the Check Point SASE Agent:
  1. Connect to your network using the Check Point SASE Agent.
  2. Access one of the resources in your environment.

## **Troubleshooting**

If you encounter issues during or after the setup, review your settings to ensure everything matches the instructions. Check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

## **Support Contacts**

If you have any difficulties or questions, contact Check Point SASE's support team. We offer 24/7 chat support on our website at [sase.checkpoint.com](https://www.sase.checkpoint.com/), or you can email us at sase-support@checkpoint.com.
