IPsec Site-to-Site VPN Palo Alto <-> FortiGate

This is a small tutorial for configuring a site-to-site IPsec VPN between a Palo Alto and a FortiGate firewall. I am publishing step-by-step screenshots for both firewalls as well as a few troubleshooting CLI commands.

This is one of many VPN tutorials on my blog. –> Have a look at this full list. <–


This is my basic laboratory for this VPN connection. I am using a Palo Alto PA-200 with PAN-OS 6.1.1 while the FortiWiFi 90D has v5.2.2 installed.

S2S VPN Palo Alto - FortiGate Laboratory

Palo Alto

The Palo Alto is configured in the following way. Please refer to the descriptions under the images for detailed information.

(And do not forget the “untrust-untrust” policy that allows ipsec!)


And this is the way for the FortiGate firewall:


Following are a few screenshots and listings from both firewalls concerning the VPN:

Palo Alto CLI:


FortiGate CLI:


6 thoughts on “IPsec Site-to-Site VPN Palo Alto <-> FortiGate

  1. We followed step by step for this lab set up and the tunnel isn’t even coming up. Do you have any suggestions that might be the reason for this?

    1. ;) You should at least tell me a bit more about your error logs, etc. Simply saying “it is not working – can you tell me the issue” is like “let me look into my crystal ball”…

      Please have a look at the log entries on both firewalls and try to find the issue then.

  2. The above steps are incomplete as you need to define the proxy ID’s, the peer and local id’s on the ike gateway and double check your IKE gateway on both sides, Fortigate does not like to negotiate child SA’s cleanly.

    Takes a while for the Fortigate to play nicely.

    Other than that, the article is a great step-by-step guide

    1. please could you explain more detail. i’m using fortigate. and other site is using paloalto. how can i define the proxy id, peer, local id

      1. ??? What do you mean with more detail? Absolutely everything is explained in the screenshots above. ;)
        You MUST NOT define any proxy IDs. Everything is done with the routing!
        You also MUST NOT define the local id, if the VPN is between static IP addresses.

  3. Hi Johannes,

    were there any IPv4 policies created for the Fortigate firewall in your Site-to-Site setup?

Leave a Reply

Your email address will not be published. Required fields are marked *