<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Guide to configuring a Site-to-Site IPSec VPN between 2 Palo Alto devices with static WAN IPs &#8211; Thegioifirewall</title>
	<atom:link href="https://thegioifirewall.com/tag/huong-dan-cau-hinh-ipsec-vpn-site-to-site-giua-2-thiet-bi-palo-alto-voi-ip-wan-la-ip-tinh/feed/" rel="self" type="application/rss+xml" />
	<link>https://thegioifirewall.com</link>
	<description>Firewalls that protect businesses, information center and pricing</description>
	<lastBuildDate>Wed, 15 Sep 2021 03:32:57 +0000</lastBuildDate>
	<language>vi</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://thegioifirewall.com/wp-content/uploads/vacif_icon-150x150.png</url>
	<title>Guide to configuring a Site-to-Site IPSec VPN between 2 Palo Alto devices with static WAN IPs &#8211; Thegioifirewall</title>
	<link>https://thegioifirewall.com</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Guide to configuring a Site-to-Site IPSec VPN between 2 Palo Alto devices with static WAN IPs</title>
		<link>https://thegioifirewall.com/huong-dan-cau-hinh-ipsec-vpn-site-to-site-giua-2-thiet-bi-palo-alto-voi-ip-wan-la-ip-tinh/</link>
					<comments>https://thegioifirewall.com/huong-dan-cau-hinh-ipsec-vpn-site-to-site-giua-2-thiet-bi-palo-alto-voi-ip-wan-la-ip-tinh/#respond</comments>
		
		<dc:creator><![CDATA[TrungNghia]]></dc:creator>
		<pubDate>Tue, 14 Sep 2021 03:08:00 +0000</pubDate>
				<category><![CDATA[Palo Alto Firewall configuration guides]]></category>
		<category><![CDATA[Guide to configuring a Site-to-Site IPSec VPN between 2 Palo Alto devices with static WAN IPs]]></category>
		<guid isPermaLink="false">https://www.thegioifirewall.com/?p=12117</guid>

					<description><![CDATA[1. Purpose of the article In this article thegioifirewall will show how to configure a Site-to-Site IPSec VPN between two Palo Alto devices where the WAN IP on both devices is static. 2. Diagram Network diagram details: Head Office: The internet connection is configured on port ethernet1/1 with [&#8230;]]]></description>
										<content:encoded><![CDATA[
<h2 class="wp-block-heading"><strong>1.Mục đích bài viết</strong></h2>



<p class="wp-block-paragraph">Trong bài viết này thegioifirewall sẽ hướng dẫn cách cấu hình IPSec VPN Site to Site giữa hai thiết bị Palo Alto với IP WAN trên cả hai thiết bị là IP tĩnh.</p>



<h2 class="wp-block-heading"><strong>2.Diagram</strong></h2>



<figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="1024" height="472" src="https://thegioifirewall.com/wp-content/uploads/Diagram-6-1024x472.png" alt="" class="wp-image-12118" srcset="https://thegioifirewall.com/wp-content/uploads/Diagram-6-1024x472.png 1024w, https://thegioifirewall.com/wp-content/uploads/Diagram-6-300x138.png 300w, https://thegioifirewall.com/wp-content/uploads/Diagram-6-768x354.png 768w, https://thegioifirewall.com/wp-content/uploads/Diagram-6-1536x708.png 1536w, https://thegioifirewall.com/wp-content/uploads/Diagram-6-2048x944.png 2048w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph"><strong>Chi tiết sơ đồ mạng:</strong></p>



<p class="wp-block-paragraph"><strong>Head Office:</strong></p>



<ul class="wp-block-list"><li>Kết nối internet được cấu hình tại cổng ethernet1/1 với IP tĩnh là 172.16.31.254.</li><li>Mạng LAN được cấu hình tại cổng ethernet1/2 với IP 10.145.41.1/24 và đã được cấu hình DHCP để cấp phát IP cho các thiết bị kết nối vào.</li></ul>



<p class="wp-block-paragraph"><strong>Branch Office:</strong></p>



<ul class="wp-block-list"><li>Kết nối internet được cấu hình tại cổng ethernet1/1 với IP tĩnh là 172.16.31.253.</li><li>Mạng LAN được cấu hình tai cổng ethernet1/2 với IP 192.168.10.1/24 và đã được cấu hình DHCP để cấp phát IP cho các thiết bị kết nối vào.</li></ul>



<h2 class="wp-block-heading"><strong>3.Tình huống cấu hình</strong></h2>



<p class="wp-block-paragraph">Chúng ta sẽ thực cấu hình IPSec VPN Site-to-Site giữa hai thiết bị Palo Alto Firewall 1 và Palo Alto Firewall 2 để lớp mạng LAN của cả hai site là 10.145.41.0/24 và 192.168.10.0/24 có thể kết nối được với nhau.</p>



<h2 class="wp-block-heading"><strong>4.Các bước cấu hình</strong></h2>



<p class="wp-block-paragraph"><strong>Palo Alto Firewall 1:</strong></p>



<ul class="wp-block-list"><li>Tạo VPN zone.</li><li>Tạo Address Object.</li><li>Tạo tunnel interface.</li><li>Tạo Virtual Routers.</li><li>Tạo IKE Crypto.</li><li>Tạo IPSec Crypto.</li><li>Tạo IKE Gateways.</li><li>Tạo IPSec Tunnels.</li><li>Tạo policy.</li></ul>



<p class="wp-block-paragraph"><strong>Palo Alto Firewall 2:</strong></p>



<ul class="wp-block-list"><li>Tạo VPN zone.</li><li>Tạo Address Object.</li><li>Tạo tunnel interface.</li><li>Tạo Virtual Routers.</li><li>Tạo IKE Crypto.</li><li>Tạo IPSec Crypto.</li><li>Tạo IKE Gateways.</li><li>Tạo IPSec Tunnels.</li><li>Tạo policy.</li></ul>



<p class="wp-block-paragraph"><strong>Kiểm tra kết quả</strong></p>



<h2 class="wp-block-heading"><strong>5.Hướng dẫn cấu hình</strong></h2>



<h3 class="wp-block-heading"><strong>5.1. Palo Alto Firewall 1</strong></h3>



<h4 class="wp-block-heading"><strong>5.1.1.Tạo Zone</strong></h4>



<p class="wp-block-paragraph">Chúng ta cần tạo zone cho các kết nối VPN.</p>



<p class="wp-block-paragraph">Để tạo vào Network &gt; Zones.</p>



<p class="wp-block-paragraph">Nhấn Add và tạo theo các thông tin sau:</p>



<ul class="wp-block-list"><li>Name: VPN</li><li>Type: Layer3</li><li>Nhấn OK để lưu.</li></ul>



<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="762" src="https://thegioifirewall.com/wp-content/uploads/1-42-1024x762.png" alt="" class="wp-image-12119" srcset="https://thegioifirewall.com/wp-content/uploads/1-42-1024x762.png 1024w, https://thegioifirewall.com/wp-content/uploads/1-42-300x223.png 300w, https://thegioifirewall.com/wp-content/uploads/1-42-768x572.png 768w, https://thegioifirewall.com/wp-content/uploads/1-42-1536x1144.png 1536w, https://thegioifirewall.com/wp-content/uploads/1-42.png 1750w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Nhấn Commit và OK để lưu các thay đổi cấu hình.</p>



<h4 class="wp-block-heading"><strong>5.1.2.Tạo Address Object</strong></h4>



<p class="wp-block-paragraph">Chúng ta sẽ tạo Address Object cho 2 lớp mạng LAN của thiết bị Palo Alto và Sophos.</p>



<p class="wp-block-paragraph">Để tạo vào Object &gt; Addresses.</p>



<p class="wp-block-paragraph">Nhấn Add và tạo theo các thông số như sau.</p>



<p class="wp-block-paragraph">Palo Alto Firewall 1 LAN:</p>



<ul class="wp-block-list"><li>Name: PA1_LAN</li><li>Type: IP Netmask – 10.145.41.0/24</li><li>Nhấn OK để lưu.</li></ul>



<figure class="wp-block-image size-large"><img decoding="async" width="1024" height="305" src="https://thegioifirewall.com/wp-content/uploads/2-38-1024x305.png" alt="" class="wp-image-12120" srcset="https://thegioifirewall.com/wp-content/uploads/2-38-1024x305.png 1024w, https://thegioifirewall.com/wp-content/uploads/2-38-300x89.png 300w, https://thegioifirewall.com/wp-content/uploads/2-38-768x229.png 768w, https://thegioifirewall.com/wp-content/uploads/2-38-1536x457.png 1536w, https://thegioifirewall.com/wp-content/uploads/2-38.png 1999w" sizes="(max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Palo Alto Firewall 2 LAN:</p>



<ul class="wp-block-list"><li>Name: PA2_LAN</li><li>Type: IP Netmask – 192.168.10.0/24</li><li>Nhấn OK để lưu</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="308" src="https://thegioifirewall.com/wp-content/uploads/3-42-1024x308.png" alt="" class="wp-image-12121" srcset="https://thegioifirewall.com/wp-content/uploads/3-42-1024x308.png 1024w, https://thegioifirewall.com/wp-content/uploads/3-42-300x90.png 300w, https://thegioifirewall.com/wp-content/uploads/3-42-768x231.png 768w, https://thegioifirewall.com/wp-content/uploads/3-42-1536x462.png 1536w, https://thegioifirewall.com/wp-content/uploads/3-42.png 1991w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Nhấn Commit và OK để lưu các thay đổi cấu hình.</p>



<h4 class="wp-block-heading"><strong>5.1.3.Tạo Interface Tunnel</strong></h4>



<p class="wp-block-paragraph">Để tạo vào Network &gt; Interface &gt; Tunnel.</p>



<p class="wp-block-paragraph">Nhấn Add và tạo theo các thông tin như sau:</p>



<ul class="wp-block-list"><li>Interface Name: tunnel.1</li><li>Virtual Router: None</li><li>Security Zone: VPN</li><li>Nhấn OK để lưu.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="437" src="https://thegioifirewall.com/wp-content/uploads/4-43-1024x437.png" alt="" class="wp-image-12122" srcset="https://thegioifirewall.com/wp-content/uploads/4-43-1024x437.png 1024w, https://thegioifirewall.com/wp-content/uploads/4-43-300x128.png 300w, https://thegioifirewall.com/wp-content/uploads/4-43-768x328.png 768w, https://thegioifirewall.com/wp-content/uploads/4-43-1536x656.png 1536w, https://thegioifirewall.com/wp-content/uploads/4-43.png 1737w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Nhấn Commit để lưu các thay đổi cấu hình.</p>



<h4 class="wp-block-heading"><strong>5.1.4.Tạo Virtual Routers</strong></h4>



<p class="wp-block-paragraph">Để tạo Virtual Routers vào Network &gt; Virtual Routers &gt; nhấn Add và cấu hình theo các thông tin sau.</p>



<p class="wp-block-paragraph">Tab Router Settings:</p>



<ul class="wp-block-list"><li>Name: VR1</li><li>Tab General: nhấn Add và chọn các cổng ethernet1/2 (cổng LAN), ethernet1/1(cổng internet) và tunnel.1(là tunnel dùng để kết nối VPN).</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="640" src="https://thegioifirewall.com/wp-content/uploads/5-40-1024x640.png" alt="" class="wp-image-12123" srcset="https://thegioifirewall.com/wp-content/uploads/5-40-1024x640.png 1024w, https://thegioifirewall.com/wp-content/uploads/5-40-300x188.png 300w, https://thegioifirewall.com/wp-content/uploads/5-40-768x480.png 768w, https://thegioifirewall.com/wp-content/uploads/5-40-1536x960.png 1536w, https://thegioifirewall.com/wp-content/uploads/5-40.png 1999w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Tab Static Routes &gt; IPv4:</p>



<p class="wp-block-paragraph">Nhấn Add để thêm static routes và điền vào các thông tin sau:</p>



<ul class="wp-block-list"><li>Name: Route-2</li><li>Destination: chọn address objects PA2_LAN</li><li>Interface: tunnel.1</li><li>Next Hop: None</li><li>Nhấn OK 2 lần để lưu.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="861" src="https://thegioifirewall.com/wp-content/uploads/6-40-1024x861.png" alt="" class="wp-image-12124" srcset="https://thegioifirewall.com/wp-content/uploads/6-40-1024x861.png 1024w, https://thegioifirewall.com/wp-content/uploads/6-40-300x252.png 300w, https://thegioifirewall.com/wp-content/uploads/6-40-768x646.png 768w, https://thegioifirewall.com/wp-content/uploads/6-40.png 1498w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Nhấn Commit và OK để lưu các thay đổi cấu hình.</p>



<h4 class="wp-block-heading"><strong>5.1.5.Tạo IKE Crypto</strong></h4>



<p class="wp-block-paragraph">Chúng ta sẽ tạo IKE Crypto tức Phrase 1 cho kết nối VPN.</p>



<p class="wp-block-paragraph">Để tạo vào Network &gt; IKE Crypto nhấn Add và tạo theo các thông tin sau:</p>



<ul class="wp-block-list"><li>Name: Phrase1</li><li>DH Group: group2</li><li>Encryption: aes-256-cbc</li><li>Authentication: sha256</li><li>Key Lifetime: Seconds – 5400</li><li>Nhấn OK Để lưu</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="511" src="https://thegioifirewall.com/wp-content/uploads/7-34-1024x511.png" alt="" class="wp-image-12125" srcset="https://thegioifirewall.com/wp-content/uploads/7-34-1024x511.png 1024w, https://thegioifirewall.com/wp-content/uploads/7-34-300x150.png 300w, https://thegioifirewall.com/wp-content/uploads/7-34-768x383.png 768w, https://thegioifirewall.com/wp-content/uploads/7-34-1536x767.png 1536w, https://thegioifirewall.com/wp-content/uploads/7-34.png 1997w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Nhấn Commit và OK để lưu các thay đổi cấu hình.</p>



<h4 class="wp-block-heading"><strong>5.1.6.Tạo IPSec Crypto</strong></h4>



<p class="wp-block-paragraph">Để tạo IPSec Crypto vào Network &gt; IPSec Crypto và nhấn Add.</p>



<p class="wp-block-paragraph">Cấu hình theo các thông số sau:</p>



<ul class="wp-block-list"><li>Name: Phrase2</li><li>IPSec Protocol: ESP</li><li>Encryption: aes-128-cbc</li><li>Authentication: sha256</li><li>DH Group: no-pfs</li><li>Lifetime: Seconds – 3600</li><li>Nhấn OK để lưu.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="544" src="https://thegioifirewall.com/wp-content/uploads/8-34-1024x544.png" alt="" class="wp-image-12126" srcset="https://thegioifirewall.com/wp-content/uploads/8-34-1024x544.png 1024w, https://thegioifirewall.com/wp-content/uploads/8-34-300x159.png 300w, https://thegioifirewall.com/wp-content/uploads/8-34-768x408.png 768w, https://thegioifirewall.com/wp-content/uploads/8-34-1536x816.png 1536w, https://thegioifirewall.com/wp-content/uploads/8-34.png 1996w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Nhấn Commit và OK để lưu các thay đổi cấu hình.</p>



<h4 class="wp-block-heading"><strong>5.1.7.Tạo IKE Gateways</strong></h4>



<p class="wp-block-paragraph">Để tao vào Network &gt; IKE Gateways và nhấn Add.</p>



<p class="wp-block-paragraph">Cấu hình theo các thông số sau</p>



<p class="wp-block-paragraph">Bảng General:</p>



<ul class="wp-block-list"><li>Name: IKE</li><li>Version: IKEv1 only mode</li><li>Address Type: IPv4</li><li>Interface: ethernet1/1 (cổng WAN của Palo Alto Firewall 1)</li><li>Local IP Address: 172.16.31.254/24</li><li>Peer Address: Nhập IP WAN của Palo Alto Firewall 2 là 172.16.31.253</li><li>Authentication: Pre-shared Key</li><li>Pre-shared key: nhập mật khẩu kết nối (mật khẩu này phải giống với mật khẩu đã đặt trên Palo Alto Firewall 2)</li><li>Confirm Pre-shared key: nhập lại mật khẩu kết nối.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="782" src="https://thegioifirewall.com/wp-content/uploads/9-36-1024x782.png" alt="" class="wp-image-12127" srcset="https://thegioifirewall.com/wp-content/uploads/9-36-1024x782.png 1024w, https://thegioifirewall.com/wp-content/uploads/9-36-300x229.png 300w, https://thegioifirewall.com/wp-content/uploads/9-36-768x587.png 768w, https://thegioifirewall.com/wp-content/uploads/9-36.png 1496w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Bảng Advanced Options:</p>



<ul class="wp-block-list"><li>Exchange mode: chọn main.</li><li>IKE Crypto Profile: chọn Phrase1.</li><li>Nhấn OK để lưu.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="730" src="https://thegioifirewall.com/wp-content/uploads/10-31-1024x730.png" alt="" class="wp-image-12128" srcset="https://thegioifirewall.com/wp-content/uploads/10-31-1024x730.png 1024w, https://thegioifirewall.com/wp-content/uploads/10-31-300x214.png 300w, https://thegioifirewall.com/wp-content/uploads/10-31-768x547.png 768w, https://thegioifirewall.com/wp-content/uploads/10-31.png 1497w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Nhấn Commit và OK để lưu các thay đổi cấu hình.</p>



<h4 class="wp-block-heading"><strong>5.1.8.Tạo IPSec Tunnels</strong></h4>



<p class="wp-block-paragraph">Giờ chúng ta sẽ bắt đầu tạo kết nối VPN với thiết bị Sophos Firewall.</p>



<p class="wp-block-paragraph">Để tạo vào Network &gt; IPSec Tunnels và nhấn Add.</p>



<p class="wp-block-paragraph">Tạo với các thông tin như sau.</p>



<p class="wp-block-paragraph">Tab General:</p>



<ul class="wp-block-list"><li>Name: VPN_PA1_TO_PA2</li><li>Tunnel Interface: tunnel.1</li><li>Type: Auto Key</li><li>Address Type: IPv4</li><li>IKE Gateways: IKE</li><li>IPSec Crypto Profile: Phrase2</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="411" src="https://thegioifirewall.com/wp-content/uploads/11-32-1024x411.png" alt="" class="wp-image-12129" srcset="https://thegioifirewall.com/wp-content/uploads/11-32-1024x411.png 1024w, https://thegioifirewall.com/wp-content/uploads/11-32-300x121.png 300w, https://thegioifirewall.com/wp-content/uploads/11-32-768x309.png 768w, https://thegioifirewall.com/wp-content/uploads/11-32-1536x617.png 1536w, https://thegioifirewall.com/wp-content/uploads/11-32.png 1994w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Tab Proxy IDs:</p>



<p class="wp-block-paragraph">Nhấn Add và cấu hình các thông tin sau:</p>



<ul class="wp-block-list"><li>Proxy ID: Peer-1</li><li>Local: 10.145.41.0/24</li><li>Remote: 192.168.10.0/24</li><li>Protocol: Any</li><li>Nhấn OK 2 lần để lưu.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="454" src="https://thegioifirewall.com/wp-content/uploads/12-30-1024x454.png" alt="" class="wp-image-12130" srcset="https://thegioifirewall.com/wp-content/uploads/12-30-1024x454.png 1024w, https://thegioifirewall.com/wp-content/uploads/12-30-300x133.png 300w, https://thegioifirewall.com/wp-content/uploads/12-30-768x340.png 768w, https://thegioifirewall.com/wp-content/uploads/12-30.png 1198w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="593" src="https://thegioifirewall.com/wp-content/uploads/13-26-1024x593.png" alt="" class="wp-image-12131" srcset="https://thegioifirewall.com/wp-content/uploads/13-26-1024x593.png 1024w, https://thegioifirewall.com/wp-content/uploads/13-26-300x174.png 300w, https://thegioifirewall.com/wp-content/uploads/13-26-768x445.png 768w, https://thegioifirewall.com/wp-content/uploads/13-26-1536x890.png 1536w, https://thegioifirewall.com/wp-content/uploads/13-26.png 1997w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Nhấn Commit và OK để lưu các thay đổi cấu hình.</p>



<h4 class="wp-block-heading"><strong>5.1.9.Tạo Policy</strong></h4>



<p class="wp-block-paragraph">Chúng ta cần tạo policy cho phép các traffic từ lớp mạng LAN của Palo Alto Firewall 1 đi qua lớp mạng LAN của Palo Alto Firewall 2 và ngược lại.</p>



<p class="wp-block-paragraph">Để tạo policy vào Policies &gt; Security và nhấn Add.</p>



<p class="wp-block-paragraph">Tạo policy cho phép traffic từ lớp mạng LAN của Palo Alto Firewall 1 đi qua lớp mạng LAN của Palo Alto Firewall 2 với các thông tin như sau:</p>



<p class="wp-block-paragraph">Tab General:</p>



<ul class="wp-block-list"><li>Name: LAN_TO_VPN</li><li>Rule Type: universal (default)</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="564" src="https://thegioifirewall.com/wp-content/uploads/14-25-1024x564.png" alt="" class="wp-image-12132" srcset="https://thegioifirewall.com/wp-content/uploads/14-25-1024x564.png 1024w, https://thegioifirewall.com/wp-content/uploads/14-25-300x165.png 300w, https://thegioifirewall.com/wp-content/uploads/14-25-768x423.png 768w, https://thegioifirewall.com/wp-content/uploads/14-25-1536x846.png 1536w, https://thegioifirewall.com/wp-content/uploads/14-25.png 1746w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Tab Source:</p>



<ul class="wp-block-list"><li>Source Zone: nhấn Add và chọn LAN zone</li><li>Source Address: nhấn Add và chọn PA1_LAN (PA1_LAN là Address Object mà chúng ta đã tạo trước đó)</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="600" src="https://thegioifirewall.com/wp-content/uploads/15-24-1024x600.png" alt="" class="wp-image-12133" srcset="https://thegioifirewall.com/wp-content/uploads/15-24-1024x600.png 1024w, https://thegioifirewall.com/wp-content/uploads/15-24-300x176.png 300w, https://thegioifirewall.com/wp-content/uploads/15-24-768x450.png 768w, https://thegioifirewall.com/wp-content/uploads/15-24-1536x901.png 1536w, https://thegioifirewall.com/wp-content/uploads/15-24.png 1748w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Tab Destination:</p>



<ul class="wp-block-list"><li>Destination Zone: VPN</li><li>Destination Address: PA2_LAN (đây là Address Object đã tạo lúc đầu)</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="599" src="https://thegioifirewall.com/wp-content/uploads/16-24-1024x599.png" alt="" class="wp-image-12134" srcset="https://thegioifirewall.com/wp-content/uploads/16-24-1024x599.png 1024w, https://thegioifirewall.com/wp-content/uploads/16-24-300x175.png 300w, https://thegioifirewall.com/wp-content/uploads/16-24-768x449.png 768w, https://thegioifirewall.com/wp-content/uploads/16-24-1536x898.png 1536w, https://thegioifirewall.com/wp-content/uploads/16-24.png 1748w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Tab Action:</p>



<ul class="wp-block-list"><li>Action: chọn Allow để cho phép.</li><li>Nhấn OK để lưu.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="529" src="https://thegioifirewall.com/wp-content/uploads/17-22-1024x529.png" alt="" class="wp-image-12135" srcset="https://thegioifirewall.com/wp-content/uploads/17-22-1024x529.png 1024w, https://thegioifirewall.com/wp-content/uploads/17-22-300x155.png 300w, https://thegioifirewall.com/wp-content/uploads/17-22-768x397.png 768w, https://thegioifirewall.com/wp-content/uploads/17-22-1536x793.png 1536w, https://thegioifirewall.com/wp-content/uploads/17-22.png 1747w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Tiếp theo chúng ta sẽ nhấn Add và tạo policy cho phép các traffic đi từ lớp mạng LAN của Palo Alto Firewall 2 sang lớp mạng LAN của Palo Alto Firewall 1 với các thông tin sau:</p>



<p class="wp-block-paragraph">Tab General:</p>



<ul class="wp-block-list"><li>Name: VPN_TO_LAN</li><li>Rule Type: universal (default)</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="563" src="https://thegioifirewall.com/wp-content/uploads/18-21-1024x563.png" alt="" class="wp-image-12136" srcset="https://thegioifirewall.com/wp-content/uploads/18-21-1024x563.png 1024w, https://thegioifirewall.com/wp-content/uploads/18-21-300x165.png 300w, https://thegioifirewall.com/wp-content/uploads/18-21-768x422.png 768w, https://thegioifirewall.com/wp-content/uploads/18-21-1536x844.png 1536w, https://thegioifirewall.com/wp-content/uploads/18-21.png 1747w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Tab Source:</p>



<ul class="wp-block-list"><li>Source Zone: nhấn Add và chọn VPN</li><li>Source Address: nhấn Add và chọn PA2_LAN (PA2_LAN là Address Object mà chúng ta đã tạo trước đó)</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="598" src="https://thegioifirewall.com/wp-content/uploads/19-20-1024x598.png" alt="" class="wp-image-12137" srcset="https://thegioifirewall.com/wp-content/uploads/19-20-1024x598.png 1024w, https://thegioifirewall.com/wp-content/uploads/19-20-300x175.png 300w, https://thegioifirewall.com/wp-content/uploads/19-20-768x448.png 768w, https://thegioifirewall.com/wp-content/uploads/19-20-1536x897.png 1536w, https://thegioifirewall.com/wp-content/uploads/19-20.png 1733w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Tab Destination:</p>



<ul class="wp-block-list"><li>Destination Zone: LAN</li><li>Destination Address: PA1-LAN (đây là Address Object đã tạo lúc đầu)</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="603" src="https://thegioifirewall.com/wp-content/uploads/20-16-1024x603.png" alt="" class="wp-image-12138" srcset="https://thegioifirewall.com/wp-content/uploads/20-16-1024x603.png 1024w, https://thegioifirewall.com/wp-content/uploads/20-16-300x177.png 300w, https://thegioifirewall.com/wp-content/uploads/20-16-768x452.png 768w, https://thegioifirewall.com/wp-content/uploads/20-16-1536x904.png 1536w, https://thegioifirewall.com/wp-content/uploads/20-16.png 1741w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Tab Action:</p>



<ul class="wp-block-list"><li>Action: chọn Allow để cho phép.</li><li>Nhấn OK để lưu.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="529" src="https://thegioifirewall.com/wp-content/uploads/21-15-1024x529.png" alt="" class="wp-image-12139" srcset="https://thegioifirewall.com/wp-content/uploads/21-15-1024x529.png 1024w, https://thegioifirewall.com/wp-content/uploads/21-15-300x155.png 300w, https://thegioifirewall.com/wp-content/uploads/21-15-768x397.png 768w, https://thegioifirewall.com/wp-content/uploads/21-15-1536x793.png 1536w, https://thegioifirewall.com/wp-content/uploads/21-15.png 1743w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<h3 class="wp-block-heading"><strong>5.2. Palo Alto Firewall 2</strong></h3>



<h4 class="wp-block-heading"><strong>5.2.1.Tạo Zone</strong></h4>



<p class="wp-block-paragraph">Chúng ta cần tạo zone cho các kết nối VPN.</p>



<p class="wp-block-paragraph">Để tạo vào Network &gt; Zones.</p>



<p class="wp-block-paragraph">Nhấn Add và tạo theo các thông tin sau:</p>



<ul class="wp-block-list"><li>Name: VPN</li><li>Type: Layer3</li><li>Nhấn OK để lưu.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="763" src="https://thegioifirewall.com/wp-content/uploads/22-12-1024x763.png" alt="" class="wp-image-12140" srcset="https://thegioifirewall.com/wp-content/uploads/22-12-1024x763.png 1024w, https://thegioifirewall.com/wp-content/uploads/22-12-300x225.png 300w, https://thegioifirewall.com/wp-content/uploads/22-12-768x572.png 768w, https://thegioifirewall.com/wp-content/uploads/22-12-1536x1145.png 1536w, https://thegioifirewall.com/wp-content/uploads/22-12.png 1750w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Nhấn Commit và OK để lưu các thay đổi cấu hình.</p>



<h4 class="wp-block-heading"><strong>5.2.2.Tạo Address Object</strong></h4>



<p class="wp-block-paragraph">Chúng ta sẽ tạo Address Object cho 2 lớp mạng LAN của thiết bị Palo Alto và Sophos.</p>



<p class="wp-block-paragraph">Để tạo vào Object &gt; Addresses.</p>



<p class="wp-block-paragraph">Nhấn Add và tạo theo các thông số như sau.</p>



<p class="wp-block-paragraph">Palo Alto Firewall 1 LAN:</p>



<ul class="wp-block-list"><li>Name: PA1_LAN</li><li>Type: IP Netmask – 10.145.41.0/24</li><li>Nhấn OK để lưu.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="302" src="https://thegioifirewall.com/wp-content/uploads/23-12-1024x302.png" alt="" class="wp-image-12141" srcset="https://thegioifirewall.com/wp-content/uploads/23-12-1024x302.png 1024w, https://thegioifirewall.com/wp-content/uploads/23-12-300x88.png 300w, https://thegioifirewall.com/wp-content/uploads/23-12-768x227.png 768w, https://thegioifirewall.com/wp-content/uploads/23-12-1536x453.png 1536w, https://thegioifirewall.com/wp-content/uploads/23-12.png 1997w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Palo Alto Firewall 2 LAN:</p>



<ul class="wp-block-list"><li>Name: PA2_LAN</li><li>Type: IP Netmask – 192.168.10.0/24</li><li>Nhấn OK để lưu</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="305" src="https://thegioifirewall.com/wp-content/uploads/24-15-1024x305.png" alt="" class="wp-image-12142" srcset="https://thegioifirewall.com/wp-content/uploads/24-15-1024x305.png 1024w, https://thegioifirewall.com/wp-content/uploads/24-15-300x89.png 300w, https://thegioifirewall.com/wp-content/uploads/24-15-768x229.png 768w, https://thegioifirewall.com/wp-content/uploads/24-15-1536x458.png 1536w, https://thegioifirewall.com/wp-content/uploads/24-15.png 1998w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Nhấn Commit và OK để lưu các thay đổi cấu hình.</p>



<h4 class="wp-block-heading"><strong>5.2.3.Tạo Interface Tunnel</strong></h4>



<p class="wp-block-paragraph">Để tạo vào Network &gt; Interface &gt; Tunnel.</p>



<p class="wp-block-paragraph">Nhấn Add và tạo theo các thông tin như sau:</p>



<ul class="wp-block-list"><li>Interface Name: tunnel.1</li><li>Virtual Router: None</li><li>Security Zone: VPN</li><li>Nhấn OK để lưu.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="437" src="https://thegioifirewall.com/wp-content/uploads/25-14-1024x437.png" alt="" class="wp-image-12143" srcset="https://thegioifirewall.com/wp-content/uploads/25-14-1024x437.png 1024w, https://thegioifirewall.com/wp-content/uploads/25-14-300x128.png 300w, https://thegioifirewall.com/wp-content/uploads/25-14-768x328.png 768w, https://thegioifirewall.com/wp-content/uploads/25-14-1536x656.png 1536w, https://thegioifirewall.com/wp-content/uploads/25-14.png 1749w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Nhấn Commit để lưu các thay đổi cấu hình.</p>



<h4 class="wp-block-heading"><strong>5.2.4.Tạo Virtual Routers</strong></h4>



<p class="wp-block-paragraph">Để tạo Virtual Routers vào Network &gt; Virtual Routers &gt; nhấn Add và cấu hình theo các thông tin sau.</p>



<p class="wp-block-paragraph">Tab Router Settings:</p>



<ul class="wp-block-list"><li>Name: VR1</li><li>Tab General: nhấn Add và chọn các cổng ethernet1/2 (cổng LAN), ethernet1/1(cổng internet) và tunnel.1(là tunnel dùng để kết nối VPN).</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="641" src="https://thegioifirewall.com/wp-content/uploads/26-13-1024x641.png" alt="" class="wp-image-12144" srcset="https://thegioifirewall.com/wp-content/uploads/26-13-1024x641.png 1024w, https://thegioifirewall.com/wp-content/uploads/26-13-300x188.png 300w, https://thegioifirewall.com/wp-content/uploads/26-13-768x481.png 768w, https://thegioifirewall.com/wp-content/uploads/26-13-1536x962.png 1536w, https://thegioifirewall.com/wp-content/uploads/26-13.png 1994w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Tab Static Routes &gt; IPv4:</p>



<p class="wp-block-paragraph">Click Add to add a static route and fill in the following information:</p>



<ul class="wp-block-list"><li>Name: Route-2</li><li>Destination: select the address object PA1_LAN</li><li>Interface: tunnel.1</li><li>Next Hop: None</li><li>Click OK twice to save.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="864" src="https://thegioifirewall.com/wp-content/uploads/27-13-1024x864.png" alt="" class="wp-image-12145" srcset="https://thegioifirewall.com/wp-content/uploads/27-13-1024x864.png 1024w, https://thegioifirewall.com/wp-content/uploads/27-13-300x253.png 300w, https://thegioifirewall.com/wp-content/uploads/27-13-768x648.png 768w, https://thegioifirewall.com/wp-content/uploads/27-13.png 1496w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Click Commit and OK to save the configuration changes.</p>



<h4 class="wp-block-heading"><strong>5.2.5. Create IKE Crypto</strong></h4>



<p class="wp-block-paragraph">We will create the IKE Crypto profile, i.e. Phase 1, for the VPN connection.</p>



<p class="wp-block-paragraph">To create it, go to Network &gt; IKE Crypto, click Add and create it with the following information:</p>



<ul class="wp-block-list"><li>Name: Phrase1</li><li>DH Group: group2</li><li>Encryption: aes-256-cbc</li><li>Authentication: sha256</li><li>Key Lifetime: Seconds – 5400</li><li>Click OK to save.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="512" src="https://thegioifirewall.com/wp-content/uploads/28-14-1024x512.png" alt="" class="wp-image-12146" srcset="https://thegioifirewall.com/wp-content/uploads/28-14-1024x512.png 1024w, https://thegioifirewall.com/wp-content/uploads/28-14-300x150.png 300w, https://thegioifirewall.com/wp-content/uploads/28-14-768x384.png 768w, https://thegioifirewall.com/wp-content/uploads/28-14-1536x768.png 1536w, https://thegioifirewall.com/wp-content/uploads/28-14.png 1997w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Click Commit and OK to save the configuration changes.</p>



<h4 class="wp-block-heading"><strong>5.2.6. Create IPSec Crypto</strong></h4>



<p class="wp-block-paragraph">To create the IPSec Crypto profile, go to Network &gt; IPSec Crypto and click Add.</p>



<p class="wp-block-paragraph">Configure it with the following parameters:</p>



<ul class="wp-block-list"><li>Name: Phrase2</li><li>IPSec Protocol: ESP</li><li>Encryption: aes-128-cbc</li><li>Authentication: sha256</li><li>DH Group: no-pfs</li><li>Lifetime: Seconds – 3600</li><li>Click OK to save.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="544" src="https://thegioifirewall.com/wp-content/uploads/29-11-1024x544.png" alt="" class="wp-image-12147" srcset="https://thegioifirewall.com/wp-content/uploads/29-11-1024x544.png 1024w, https://thegioifirewall.com/wp-content/uploads/29-11-300x159.png 300w, https://thegioifirewall.com/wp-content/uploads/29-11-768x408.png 768w, https://thegioifirewall.com/wp-content/uploads/29-11-1536x816.png 1536w, https://thegioifirewall.com/wp-content/uploads/29-11.png 1997w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Click Commit and OK to save the configuration changes.</p>



<h4 class="wp-block-heading"><strong>5.2.7. Create IKE Gateways</strong></h4>



<p class="wp-block-paragraph">To create one, go to Network &gt; IKE Gateways and click Add.</p>



<p class="wp-block-paragraph">Configure it with the following parameters:</p>



<p class="wp-block-paragraph">General tab:</p>



<ul class="wp-block-list"><li>Name: IKE</li><li>Version: IKEv1 only mode</li><li>Address Type: IPv4</li><li>Interface: ethernet1/1 (the WAN port of Palo Alto Firewall 2)</li><li>Local IP Address: 172.16.31.253/24</li><li>Peer Address: enter the WAN IP of Palo Alto Firewall 1, which is 172.16.31.254</li><li>Authentication: Pre-shared Key</li><li>Pre-shared key: enter the connection password (this password must be identical to the one set on Palo Alto Firewall 1)</li><li>Confirm Pre-shared key: re-enter the connection password.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="780" src="https://thegioifirewall.com/wp-content/uploads/30-11-1024x780.png" alt="" class="wp-image-12148" srcset="https://thegioifirewall.com/wp-content/uploads/30-11-1024x780.png 1024w, https://thegioifirewall.com/wp-content/uploads/30-11-300x229.png 300w, https://thegioifirewall.com/wp-content/uploads/30-11-768x585.png 768w, https://thegioifirewall.com/wp-content/uploads/30-11.png 1499w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Advanced Options tab:</p>



<ul class="wp-block-list"><li>Exchange mode: select main.</li><li>IKE Crypto Profile: select Phrase1.</li><li>Click OK to save.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="731" src="https://thegioifirewall.com/wp-content/uploads/31-12-1024x731.png" alt="" class="wp-image-12149" srcset="https://thegioifirewall.com/wp-content/uploads/31-12-1024x731.png 1024w, https://thegioifirewall.com/wp-content/uploads/31-12-300x214.png 300w, https://thegioifirewall.com/wp-content/uploads/31-12-768x548.png 768w, https://thegioifirewall.com/wp-content/uploads/31-12.png 1497w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Click Commit and OK to save the configuration changes.</p>



<h4 class="wp-block-heading"><strong>5.2.8. Create IPSec Tunnels</strong></h4>



<p class="wp-block-paragraph">Now we will start creating the VPN connection to the Sophos Firewall device.</p>



<p class="wp-block-paragraph">To create it, go to Network &gt; IPSec Tunnels and click Add.</p>



<p class="wp-block-paragraph">Create it with the following information.</p>



<p class="wp-block-paragraph">General tab:</p>



<ul class="wp-block-list"><li>Name: VPN_PA2_TO_PA1</li><li>Tunnel Interface: tunnel.1</li><li>Type: Auto Key</li><li>Address Type: IPv4</li><li>IKE Gateways: IKE</li><li>IPSec Crypto Profile: Phrase2</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="410" src="https://thegioifirewall.com/wp-content/uploads/32-8-1024x410.png" alt="" class="wp-image-12150" srcset="https://thegioifirewall.com/wp-content/uploads/32-8-1024x410.png 1024w, https://thegioifirewall.com/wp-content/uploads/32-8-300x120.png 300w, https://thegioifirewall.com/wp-content/uploads/32-8-768x308.png 768w, https://thegioifirewall.com/wp-content/uploads/32-8-1536x615.png 1536w, https://thegioifirewall.com/wp-content/uploads/32-8.png 1982w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Proxy IDs tab:</p>



<p class="wp-block-paragraph">Click Add and configure the following information:</p>



<ul class="wp-block-list"><li>Proxy ID: Peer-1</li><li>Local: 192.168.10.0/24</li><li>Remote: 10.145.41.0/24</li><li>Protocol: Any</li><li>Click OK twice to save.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="458" src="https://thegioifirewall.com/wp-content/uploads/33-8-1024x458.png" alt="" class="wp-image-12151" srcset="https://thegioifirewall.com/wp-content/uploads/33-8-1024x458.png 1024w, https://thegioifirewall.com/wp-content/uploads/33-8-300x134.png 300w, https://thegioifirewall.com/wp-content/uploads/33-8-768x343.png 768w, https://thegioifirewall.com/wp-content/uploads/33-8.png 1188w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="596" src="https://thegioifirewall.com/wp-content/uploads/34-6-1024x596.png" alt="" class="wp-image-12152" srcset="https://thegioifirewall.com/wp-content/uploads/34-6-1024x596.png 1024w, https://thegioifirewall.com/wp-content/uploads/34-6-300x175.png 300w, https://thegioifirewall.com/wp-content/uploads/34-6-768x447.png 768w, https://thegioifirewall.com/wp-content/uploads/34-6-1536x894.png 1536w, https://thegioifirewall.com/wp-content/uploads/34-6.png 1992w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Click Commit and OK to save the configuration changes.</p>



<h4 class="wp-block-heading"><strong>5.2.9. Create Policies</strong></h4>



<p class="wp-block-paragraph">We need to create policies that allow traffic from the LAN network of Palo Alto Firewall 1 to the LAN network of Palo Alto Firewall 2 and vice versa.</p>



<p class="wp-block-paragraph">To create a policy, go to Policies &gt; Security and click Add.</p>



<p class="wp-block-paragraph">Create the policy that allows traffic from the LAN network of Palo Alto Firewall 1 to the LAN network of Palo Alto Firewall 2 with the following information:</p>



<p class="wp-block-paragraph">General tab:</p>



<ul class="wp-block-list"><li>Name: LAN_TO_VPN</li><li>Rule Type: universal (default)</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="564" src="https://thegioifirewall.com/wp-content/uploads/35-6-1024x564.png" alt="" class="wp-image-12153" srcset="https://thegioifirewall.com/wp-content/uploads/35-6-1024x564.png 1024w, https://thegioifirewall.com/wp-content/uploads/35-6-300x165.png 300w, https://thegioifirewall.com/wp-content/uploads/35-6-768x423.png 768w, https://thegioifirewall.com/wp-content/uploads/35-6-1536x846.png 1536w, https://thegioifirewall.com/wp-content/uploads/35-6.png 1744w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Source tab:</p>



<ul class="wp-block-list"><li>Source Zone: click Add and select the LAN zone</li><li>Source Address: click Add and select PA2_LAN (PA2_LAN is the Address Object we created earlier)</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="602" src="https://thegioifirewall.com/wp-content/uploads/36-4-1024x602.png" alt="" class="wp-image-12154" srcset="https://thegioifirewall.com/wp-content/uploads/36-4-1024x602.png 1024w, https://thegioifirewall.com/wp-content/uploads/36-4-300x176.png 300w, https://thegioifirewall.com/wp-content/uploads/36-4-768x452.png 768w, https://thegioifirewall.com/wp-content/uploads/36-4-1536x903.png 1536w, https://thegioifirewall.com/wp-content/uploads/36-4.png 1745w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Destination tab:</p>



<ul class="wp-block-list"><li>Destination Zone: VPN</li><li>Destination Address: PA1_LAN (this is the Address Object created at the beginning)</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="607" src="https://thegioifirewall.com/wp-content/uploads/37-4-1024x607.png" alt="" class="wp-image-12155" srcset="https://thegioifirewall.com/wp-content/uploads/37-4-1024x607.png 1024w, https://thegioifirewall.com/wp-content/uploads/37-4-300x178.png 300w, https://thegioifirewall.com/wp-content/uploads/37-4-768x456.png 768w, https://thegioifirewall.com/wp-content/uploads/37-4-1536x911.png 1536w, https://thegioifirewall.com/wp-content/uploads/37-4.png 1740w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Action tab:</p>



<ul class="wp-block-list"><li>Action: select Allow to permit the traffic.</li><li>Click OK to save.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="529" src="https://thegioifirewall.com/wp-content/uploads/38-4-1024x529.png" alt="" class="wp-image-12156" srcset="https://thegioifirewall.com/wp-content/uploads/38-4-1024x529.png 1024w, https://thegioifirewall.com/wp-content/uploads/38-4-300x155.png 300w, https://thegioifirewall.com/wp-content/uploads/38-4-768x397.png 768w, https://thegioifirewall.com/wp-content/uploads/38-4-1536x794.png 1536w, https://thegioifirewall.com/wp-content/uploads/38-4.png 1747w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Next, click Add and create the policy that allows traffic from the LAN network of Palo Alto Firewall 1 to the LAN network of Palo Alto Firewall 2 with the following information:</p>



<p class="wp-block-paragraph">General tab:</p>



<ul class="wp-block-list"><li>Name: VPN_TO_LAN</li><li>Rule Type: universal (default)</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="567" src="https://thegioifirewall.com/wp-content/uploads/39-4-1024x567.png" alt="" class="wp-image-12157" srcset="https://thegioifirewall.com/wp-content/uploads/39-4-1024x567.png 1024w, https://thegioifirewall.com/wp-content/uploads/39-4-300x166.png 300w, https://thegioifirewall.com/wp-content/uploads/39-4-768x425.png 768w, https://thegioifirewall.com/wp-content/uploads/39-4-1536x851.png 1536w, https://thegioifirewall.com/wp-content/uploads/39-4.png 1744w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Source tab:</p>



<ul class="wp-block-list"><li>Source Zone: click Add and select the VPN zone</li><li>Source Address: click Add and select PA1_LAN (PA1_LAN is the Address Object we created earlier)</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="599" src="https://thegioifirewall.com/wp-content/uploads/40-5-1024x599.png" alt="" class="wp-image-12158" srcset="https://thegioifirewall.com/wp-content/uploads/40-5-1024x599.png 1024w, https://thegioifirewall.com/wp-content/uploads/40-5-300x175.png 300w, https://thegioifirewall.com/wp-content/uploads/40-5-768x449.png 768w, https://thegioifirewall.com/wp-content/uploads/40-5-1536x898.png 1536w, https://thegioifirewall.com/wp-content/uploads/40-5.png 1749w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Destination tab:</p>



<ul class="wp-block-list"><li>Destination Zone: LAN</li><li>Destination Address: PA2_LAN (this is the Address Object created at the beginning)</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="601" src="https://thegioifirewall.com/wp-content/uploads/41-5-1024x601.png" alt="" class="wp-image-12159" srcset="https://thegioifirewall.com/wp-content/uploads/41-5-1024x601.png 1024w, https://thegioifirewall.com/wp-content/uploads/41-5-300x176.png 300w, https://thegioifirewall.com/wp-content/uploads/41-5-768x451.png 768w, https://thegioifirewall.com/wp-content/uploads/41-5-1536x901.png 1536w, https://thegioifirewall.com/wp-content/uploads/41-5.png 1735w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Action tab:</p>



<ul class="wp-block-list"><li>Action: select Allow to permit the traffic.</li><li>Click OK to save.</li></ul>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="539" src="https://thegioifirewall.com/wp-content/uploads/42-4-1024x539.png" alt="" class="wp-image-12160" srcset="https://thegioifirewall.com/wp-content/uploads/42-4-1024x539.png 1024w, https://thegioifirewall.com/wp-content/uploads/42-4-300x158.png 300w, https://thegioifirewall.com/wp-content/uploads/42-4-768x405.png 768w, https://thegioifirewall.com/wp-content/uploads/42-4-1536x809.png 1536w, https://thegioifirewall.com/wp-content/uploads/42-4.png 1739w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>
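<p class="wp-block-paragraph">The following is an added example, not part of the original article and not Palo Alto's own tooling: a small Python check that models the IKE Gateway, IKE Crypto (Phase 1), IPSec Crypto (Phase 2), Proxy ID and static-route settings entered on both firewalls and reports the mismatches that most commonly leave the IKE Info and Tunnel Info indicators red after a Commit. The PA1 values (mirror of PA2), the /24 on PA1's WAN address, PA1_LAN being 10.145.41.0/24 and the pre-shared key placeholder are assumptions.</p>

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_interface, ip_network


@dataclass
class Site:
    """What one firewall holds for the tunnel, as entered in the GUI."""
    name: str
    local_wan: str          # IKE Gateway > Local IP Address (with prefix)
    peer_wan: str           # IKE Gateway > Peer Address
    psk: str                # Pre-shared key
    ike_version: str        # IKE Gateway > Version
    exchange_mode: str      # Advanced Options > Exchange mode
    ike_crypto: dict        # IKE Crypto profile (Phase 1)
    ipsec_crypto: dict      # IPSec Crypto profile (Phase 2)
    proxy_local: str        # Proxy ID > Local
    proxy_remote: str       # Proxy ID > Remote
    route_destination: str  # static route whose interface is tunnel.1


def check_pair(a: Site, b: Site) -> list:
    """Return human-readable mismatches; an empty list means both sides agree."""
    problems = []
    # Phase 1 cannot start unless each Peer Address is the other side's WAN IP.
    for x, y in ((a, b), (b, a)):
        if ip_address(x.peer_wan) != ip_interface(y.local_wan).ip:
            problems.append(f"{x.name}: peer {x.peer_wan} is not {y.name}'s WAN {y.local_wan}")
    # A different PSK, IKE version or exchange mode also fails Phase 1.
    if a.psk != b.psk:
        problems.append("pre-shared keys differ")
    for attr in ("ike_version", "exchange_mode"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{attr} differs: {getattr(a, attr)!r} vs {getattr(b, attr)!r}")
    # Every proposal parameter, lifetime included, must match on both profiles.
    for label, pa, pb in (("IKE Crypto", a.ike_crypto, b.ike_crypto),
                          ("IPSec Crypto", a.ipsec_crypto, b.ipsec_crypto)):
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                problems.append(f"{label} {key} differs: {pa.get(key)!r} vs {pb.get(key)!r}")
    # With IKEv1 the Proxy IDs are compared as exact mirrors: my local is your remote.
    for x, y in ((a, b), (b, a)):
        if ip_network(x.proxy_local) != ip_network(y.proxy_remote):
            problems.append(f"proxy ID not mirrored: {x.name} local {x.proxy_local} "
                            f"vs {y.name} remote {y.proxy_remote}")
        # The route into tunnel.1 must be the subnet the Proxy ID calls remote,
        # otherwise traffic enters the tunnel but matches no SA.
        if ip_network(x.route_destination) != ip_network(x.proxy_remote):
            problems.append(f"{x.name}: route {x.route_destination} "
                            f"!= proxy ID remote {x.proxy_remote}")
    return problems


def variant(site: Site, **changes) -> Site:
    """Copy a Site with some fields changed, for what-if checks."""
    return replace(site, **changes)


# Constructed sample: PA2 as the article configures it, PA1 as its mirror image.
# The /24 on PA1's WAN address, PA1_LAN = 10.145.41.0/24 and the PSK are assumptions.
PHASE1 = {"dh-group": "group2", "encryption": "aes-256-cbc",
          "authentication": "sha256", "lifetime-seconds": 5400}
PHASE2 = {"protocol": "esp", "encryption": "aes-128-cbc", "authentication": "sha256",
          "dh-group": "no-pfs", "lifetime-seconds": 3600}
PA2 = Site("PA2", "172.16.31.253/24", "172.16.31.254", "PSK_PLACEHOLDER", "IKEv1 only mode",
           "main", PHASE1, PHASE2, "192.168.10.0/24", "10.145.41.0/24", "10.145.41.0/24")
PA1 = Site("PA1", "172.16.31.254/24", "172.16.31.253", "PSK_PLACEHOLDER", "IKEv1 only mode",
           "main", PHASE1, PHASE2, "10.145.41.0/24", "192.168.10.0/24", "192.168.10.0/24")

if __name__ == "__main__":
    for line in check_pair(PA1, PA2) or ["consistent: no mismatches found"]:
        print(line)
```

Run it once with the values typed into each GUI before the Commit; any line it prints points at the tab to correct on one side.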



<h3 class="wp-block-heading"><strong>5.3. Checking the result</strong></h3>



<p class="wp-block-paragraph">After configuring the IPSec VPN Site to Site on both devices, the VPN connections are displayed as follows.</p>



<p class="wp-block-paragraph">On Palo Alto Firewall 1, you can see that the network-interface icon in the Status column is green, meaning that this IPSec tunnel is enabled.</p>



<p class="wp-block-paragraph">However, the connection to Palo Alto Firewall 2 has not yet been established, which is shown by the two circular icons under Tunnel Info and IKE Info still being red.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="128" src="https://thegioifirewall.com/wp-content/uploads/43-4-1024x128.png" alt="" class="wp-image-12161" srcset="https://thegioifirewall.com/wp-content/uploads/43-4-1024x128.png 1024w, https://thegioifirewall.com/wp-content/uploads/43-4-300x38.png 300w, https://thegioifirewall.com/wp-content/uploads/43-4-768x96.png 768w, https://thegioifirewall.com/wp-content/uploads/43-4-1536x192.png 1536w, https://thegioifirewall.com/wp-content/uploads/43-4-2048x256.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Palo Alto Firewall 2 shows the same state as Palo Alto Firewall 1.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="99" src="https://thegioifirewall.com/wp-content/uploads/44-4-1024x99.png" alt="" class="wp-image-12162" srcset="https://thegioifirewall.com/wp-content/uploads/44-4-1024x99.png 1024w, https://thegioifirewall.com/wp-content/uploads/44-4-300x29.png 300w, https://thegioifirewall.com/wp-content/uploads/44-4-768x74.png 768w, https://thegioifirewall.com/wp-content/uploads/44-4-1536x148.png 1536w, https://thegioifirewall.com/wp-content/uploads/44-4-2048x198.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Normally the connections on Palo Alto devices are established automatically; however, if the two sides do not establish the connection with each other automatically, we need to do the following.</p>



<p class="wp-block-paragraph">Access the command line interface of both Palo Alto Firewall 1 and Palo Alto Firewall 2 and enter the following two commands:</p>



<ul class="wp-block-list"><li>test vpn ike-sa</li><li>test vpn ipsec-sa</li></ul>



<p class="wp-block-paragraph">Run the two commands on Palo Alto Firewall 1.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="561" src="https://thegioifirewall.com/wp-content/uploads/45-4-1024x561.png" alt="" class="wp-image-12163" srcset="https://thegioifirewall.com/wp-content/uploads/45-4-1024x561.png 1024w, https://thegioifirewall.com/wp-content/uploads/45-4-300x164.png 300w, https://thegioifirewall.com/wp-content/uploads/45-4-768x420.png 768w, https://thegioifirewall.com/wp-content/uploads/45-4-1536x841.png 1536w, https://thegioifirewall.com/wp-content/uploads/45-4-2048x1121.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Run the two commands on Palo Alto Firewall 2.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="561" src="https://thegioifirewall.com/wp-content/uploads/46-3-1024x561.png" alt="" class="wp-image-12164" srcset="https://thegioifirewall.com/wp-content/uploads/46-3-1024x561.png 1024w, https://thegioifirewall.com/wp-content/uploads/46-3-300x164.png 300w, https://thegioifirewall.com/wp-content/uploads/46-3-768x420.png 768w, https://thegioifirewall.com/wp-content/uploads/46-3-1536x841.png 1536w, https://thegioifirewall.com/wp-content/uploads/46-3-2048x1121.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">After running the two commands above, we can see that the IPSec VPN connection between the two devices has been established.</p>



<p class="wp-block-paragraph">On Palo Alto Firewall 1 we can see that the two circular icons under Tunnel Info and IKE Info have turned green.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="131" src="https://thegioifirewall.com/wp-content/uploads/47-2-1024x131.png" alt="" class="wp-image-12165" srcset="https://thegioifirewall.com/wp-content/uploads/47-2-1024x131.png 1024w, https://thegioifirewall.com/wp-content/uploads/47-2-300x38.png 300w, https://thegioifirewall.com/wp-content/uploads/47-2-768x98.png 768w, https://thegioifirewall.com/wp-content/uploads/47-2-1536x196.png 1536w, https://thegioifirewall.com/wp-content/uploads/47-2-2048x262.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">The same happens on Palo Alto Firewall 2.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="99" src="https://thegioifirewall.com/wp-content/uploads/48-3-1024x99.png" alt="" class="wp-image-12167" srcset="https://thegioifirewall.com/wp-content/uploads/48-3-1024x99.png 1024w, https://thegioifirewall.com/wp-content/uploads/48-3-300x29.png 300w, https://thegioifirewall.com/wp-content/uploads/48-3-768x74.png 768w, https://thegioifirewall.com/wp-content/uploads/48-3-1536x148.png 1536w, https://thegioifirewall.com/wp-content/uploads/48-3-2048x197.png 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">After the connection is established successfully, thegioifirewall prepares two Windows 10 computers, one at each site, to test communication over the VPN connection.</p>



<p class="wp-block-paragraph">At the Head Office site, the Windows 10 machine has IP 10.145.41.100/24.</p>



<p class="wp-block-paragraph">At the Branch Office site, the Windows machine has IP 192.168.10.100/24.</p>



<p class="wp-block-paragraph">The ping from the Windows 10 machine with IP 10.145.41.100/24 at the Head Office to the Windows 10 machine with IP 192.168.10.100/24 at the Branch Office succeeds.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="535" src="https://thegioifirewall.com/wp-content/uploads/49-3-1024x535.png" alt="" class="wp-image-12168" srcset="https://thegioifirewall.com/wp-content/uploads/49-3-1024x535.png 1024w, https://thegioifirewall.com/wp-content/uploads/49-3-300x157.png 300w, https://thegioifirewall.com/wp-content/uploads/49-3-768x401.png 768w, https://thegioifirewall.com/wp-content/uploads/49-3-1536x802.png 1536w, https://thegioifirewall.com/wp-content/uploads/49-3.png 1975w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Similarly, the ping from the Windows 10 machine with IP 192.168.10.100/24 at the Branch Office to the Windows 10 machine with IP 10.145.41.100/24 at the Head Office succeeds.</p>



<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="535" src="https://thegioifirewall.com/wp-content/uploads/50-2-1024x535.png" alt="" class="wp-image-12169" srcset="https://thegioifirewall.com/wp-content/uploads/50-2-1024x535.png 1024w, https://thegioifirewall.com/wp-content/uploads/50-2-300x157.png 300w, https://thegioifirewall.com/wp-content/uploads/50-2-768x401.png 768w, https://thegioifirewall.com/wp-content/uploads/50-2-1536x802.png 1536w, https://thegioifirewall.com/wp-content/uploads/50-2.png 1973w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>
]]></content:encoded>
					
					<wfw:commentRss>https://thegioifirewall.com/huong-dan-cau-hinh-ipsec-vpn-site-to-site-giua-2-thiet-bi-palo-alto-voi-ip-wan-la-ip-tinh/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
