Athena NGFW (Next-Generation Firewall)

Athena NGFW (previously known as Network Secure) provides comprehensive protection for every network perimeter, ensuring the safety of your valuable assets, data, and users from emerging threats.
{{ $t('productDocDetail.guideClickSwitch') }}
{{ $t('productDocDetail.know') }}
{{ $t('productDocDetail.dontRemind') }}
8.0.107
Athena NGFW (Next-Generation Firewall) {{ breadTitle }} User Manual Network Sangfor/IPSec VPN IPsec VPN Tunnel Between Athena NGFW and Palo Alto Procedures Configure the Palo Alto Firewall
{{sendMatomoQuery("Athena NGFW (Next-Generation Firewall)","Configure the Palo Alto Firewall")}}

Configure the Palo Alto Firewall

{{ $t('productDocDetail.updateTime') }}: 2026-04-29

Steps

Step 1.Configure the interface IP addresses.

Step 2.Configure a default route to connect to the Internet.

Make sure that the route belongs to the same virtual router as the Internet-facing interface, internal-facing interface, and tunnel interface.

Step 3.Configure a security policy to allow business traffic from zones associated with the Internet-facing interface, internal-facing interface, and tunnel interface.

To facilitate testing, traffic from all zones is allowed. In actual scenarios, you need to allow traffic only from the zones associated with the foregoing interfaces.

Step 4.Configure IPsec and IKE cryptographic profiles.

Step 5.Configure an IKE gateway.

If there is a NAT between the Athena NGFW firewall and the Palo Alto firewall, you need to configure the local identification and peer identification.

Step 6.Create an IPsec VPN tunnel.

By default, the Palo Alto firewall establishes a route-based IPsec VPN tunnel. If the addresses associated with the proxy ID are not all-0 addresses, the established IPsec VPN tunnel is equivalent to a policy-based one.

Step 7.Configure a route to route traffic to the tunnel interface.

Step 8.Save all the settings.

Make sure that all configurations are saved. Otherwise, the configurations do not take effect.