When to Use Proxy IDs in Palo Alto IPSec VPNs

1. Understanding Proxy IDs

In Palo Alto Networks firewalls, a Proxy ID defines the local and remote subnets that are allowed to communicate over an IPSec VPN tunnel. They are crucial during the IKE Phase 2 negotiation to establish Security Associations (SAs) for specific traffic flows.

2. Scenarios Requiring Proxy IDs

Interoperability with Policy-Based VPN Peers: When connecting to devices that use policy-based VPNs (e.g., Cisco ASA), Proxy IDs must be configured to match the peer's defined policies.
Multiple Tunnels Between the Same Peers: If multiple IPSec tunnels exist between the same pair of devices, Proxy IDs help distinguish the traffic for each tunnel.
Granular Traffic Control: Defining specific Proxy IDs allows for precise control over which subnets or hosts can communicate over the VPN.

3. When Proxy IDs Are Not Required

Palo Alto to Palo Alto VPNs: When both peers are Palo Alto firewalls using route-based VPNs, Proxy IDs are optional. The firewalls default to using 0.0.0.0/0 for both local and remote subnets, allowing all traffic.

4. Configuring Proxy IDs

To configure Proxy IDs on a Palo Alto firewall:

Navigate to Network > IPSec Tunnels and select the desired tunnel.
Click on the Proxy IDs tab.
Click Add and enter:
- Name: A unique identifier for the Proxy ID.
- Local: The local subnet (e.g., 192.168.1.0/24).
- Remote: The remote subnet (e.g., 10.0.0.0/24).
- Protocol: Specify if needed; otherwise, leave as any .
Click OK to save the configuration.

Ensure that the Proxy IDs match exactly on both VPN peers to establish a successful tunnel.

5. Considerations