ZIA VPN from Azure with Palo Alto?

Has anyone built a VPN from a Palo Alto firewall, in Azure, to a Zscaler edge?

This is a common configuration we have with our physical Palo Alto firewalls in our datacenters and it works well. We use PBF to redirect traffic through a VPN tunnel to Zscaler (and back). No issues.

I’m attempting an identical configuration in our new Azure environment and it’s not working correctly. The VPN works for phase I and II, partially, but continues to bounce up and down. The primary difference between this firewall and our physical ones is the external interface is a private IP, which gets NAT’ed upstream by Azure. It’s a public IP prefix so it’s static to us, but that is a difference.

Anyone ever get this to work before?

Edit: I got it working. Turns out zone protection was stopping it from working and dropping the packets.

No help, sorry… In Azure w/o Palo we just tunnel to ZIA natively from Azure…

But a question out of curiosity; what factored into the overall decision of tunneling to ZIA rather than just inspecting on the Palos which the traffic is already passing through?

Have you tried lowering the MTU on the VPN? The default of 1500 may not be cutting it through Azure networking and the virtual firewall.

I’d take a pcap on the Palo and see why the tunnel is flapping. Customers have done this with Palos, Checkpoints, Cisco, et cetera, so it’s possible.

There isn’t much config on the ZIA side, other than the GRE/IPSEC you self-provision, so the Palo may have more insight.

I had this with a FortiGate - f’er wouldn’t connect no matter what I threw at it and none of it made sense since it was just calling out to ZIA behind an Azure NAT gateway. Turned out to need the NAT gateway IP as the local ID (in FortiGate speak). Let me find the context and post.

Infosec department. It wasn’t my choice.

Yeah it’s at 1400. I’ve done all that I could, since it works literally everywhere else except my Azure Palo firewalls, so I was hoping somebody had some special insight.

Essentially the below. I’m not sure what the Palo equivalent is but should be in phase 1 somewhere.

Maybe take a look at your licensing and see if a cloud connector might be better for what you are trying to achieve.

https://help.zscaler.com/cloud-branch-connector/what-zscaler-cloud-connector

I might be using the wrong “public” IP. I’ll try this first thing in the morning. Thanks!

It looks like I already had that set. VPN does come up on phase I and II, but then immediately goes down. I’m working with support.

Did this ever work out? VPN coming up and then going down sounds like no traffic getting to it (but I wouldn’t think it’d go down immediately though)

Yes, I fixed it today. Zone protection “IP spoof detection” was the culprit.