This is a diagram that I have used for the lab.
![](https://tungle.ca/wp-content/uploads/2022/04/image-879.png)
Create a new VPC network on GCP.
![](https://tungle.ca/wp-content/uploads/2022/04/image-828.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-829.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-831.png)
Search for the keyword "VPN" using the console search function.
Click “Create VPN connection”.
![](https://tungle.ca/wp-content/uploads/2022/04/image-833-1024x338.png)
Select Classic VPN.
![](https://tungle.ca/wp-content/uploads/2022/04/image-834.png)
Select tung-vpc in the Network setting.
Create a new static IP address for your VPC.
![](https://tungle.ca/wp-content/uploads/2022/04/image-837.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-838.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-839.png)
Delete tunnel 2 because I only use tunnel 1 in this lab. Then click Create.
![](https://tungle.ca/wp-content/uploads/2022/04/image-841.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-842-1024x401.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-843-1024x782.png)
Click gpc-pa-tunnel-1.
![](https://tungle.ca/wp-content/uploads/2022/04/image-844.png)
Edit the Routes to allow traffic from my tung-vpc network to the Internet via the Default Internet gateway.
![](https://tungle.ca/wp-content/uploads/2022/04/image-846.png)
We can see that the static route from privatesubnet on GCP to the LAN subnets on Palo Alto has been created in the Routes section.
![](https://tungle.ca/wp-content/uploads/2022/04/image-878-1024x679.png)
Check the Firewall and allow SSH from the Internet to the Linux instance on the “privatesubnet”.
![](https://tungle.ca/wp-content/uploads/2022/04/image-847.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-848.png)
I have used “Allow all” to allow SSH from the Internet to the Linux instance. The rule can be changed to allow only the SSH protocol (port 22). Click Create.
![](https://tungle.ca/wp-content/uploads/2022/04/image-876-1024x567.png)
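The “Allow all” rule above opens every protocol to the Internet, not just SSH. As an added example (not part of the original post), this Python check reads rules in the JSON shape produced by `gcloud compute firewall-rules list --format=json` and flags Internet-facing ingress rules on tung-vpc that allow more than tcp/22. The rule names, project name and LAN range in the sample are constructed for illustration.

```python
import json

INTERNET = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`.
# Rule names, project and the LAN range are assumptions; tung-vpc is the lab's network.
SAMPLE = json.loads("""
[
  {"name": "allow-all-lab", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/tung-vpc",
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "allow-ssh-only", "direction": "INGRESS", "sourceRanges": ["0.0.0.0/0"],
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/tung-vpc",
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "allow-vpn-lan", "direction": "INGRESS", "sourceRanges": ["10.10.10.0/24"],
   "network": "https://www.googleapis.com/compute/v1/projects/example-project/global/networks/tung-vpc",
   "allowed": [{"IPProtocol": "all"}]}
]
""")


def ssh_only(entry):
    """True if one `allowed` entry permits nothing beyond tcp/22."""
    if entry.get("IPProtocol", "").lower() not in ("tcp", "6"):
        return False
    ports = entry.get("ports")
    if not ports:                      # no ports listed means every port
        return False
    for p in ports:
        lo, _, hi = p.partition("-")   # "22" or a range such as "20-25"
        if int(lo) != 22 or int(hi or lo) != 22:
            return False
    return True


def overly_open(rules, network="tung-vpc"):
    """Names of enabled ingress rules on `network` exposing more than SSH to the Internet."""
    findings = []
    for r in rules:
        in_scope = (not r.get("disabled")
                    and r.get("direction", "INGRESS") == "INGRESS"
                    and r.get("network", "").rsplit("/", 1)[-1] == network
                    and INTERNET & set(r.get("sourceRanges", [])))
        if in_scope and not all(ssh_only(a) for a in r.get("allowed", [])):
            findings.append(r["name"])
    return findings


if __name__ == "__main__":
    print(overly_open(SAMPLE))
```

Rules whose source is limited to the remote LAN range are not flagged, since they are reachable only through the tunnel.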
Search for “compute engine” and click Create an instance.
![](https://tungle.ca/wp-content/uploads/2022/04/image-852.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-855.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-854.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-856.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-857.png)
Under Network interfaces:
![](https://tungle.ca/wp-content/uploads/2022/04/image-853.png)
Click create.
![](https://tungle.ca/wp-content/uploads/2022/04/image-858.png)
Open SSH in a browser window to the Linux instance.
![](https://tungle.ca/wp-content/uploads/2022/04/image-869-1024x446.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-870.png)
Go to FortiGate.
![](https://tungle.ca/wp-content/uploads/2022/04/image-880.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-881.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-882.png)
Create IP tunnel.
![](https://tungle.ca/wp-content/uploads/2022/04/image-883.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-884.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-885.png)
Phase 1.
![](https://tungle.ca/wp-content/uploads/2022/04/image-886.png)
Phase 2.
![](https://tungle.ca/wp-content/uploads/2022/04/image-888.png)
Create a static route to allow traffic from FortiGate LAN subnet to GCP privatesubnet.
![](https://tungle.ca/wp-content/uploads/2022/04/image-889.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-890.png)
Create both the FG-LAN and GCP-LAN subnets.
![](https://tungle.ca/wp-content/uploads/2022/04/image-893.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-892.png)
Create both access rules to allow traffic from the FortiGate LAN subnet to the GCP private subnet and vice versa.
![](https://tungle.ca/wp-content/uploads/2022/04/image-894.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-895.png)
Ping from the Kali machine to the Linux instance on GCP.
![](https://tungle.ca/wp-content/uploads/2022/04/image-896.png)
The tunnel is up on FortiGate.
![](https://tungle.ca/wp-content/uploads/2022/04/image-897.png)
![](https://tungle.ca/wp-content/uploads/2022/04/image-898.png)
Ping from the Linux instance on GCP to the Kali machine on the FortiGate LAN subnet.
![](https://tungle.ca/wp-content/uploads/2022/04/image-899.png)
The tunnel is up on GCP as well.
![](https://tungle.ca/wp-content/uploads/2022/04/image-901-1024x301.png)