This is the diagram I used for this lab.
![](https://tungle.ca/wp-content/uploads/2022/08/131.png)
An understanding of how to deploy a Palo Alto instance in AWS is necessary for this lab (https://tungle.ca/?p=3979).
On PA, configure a tunnel.
![](https://tungle.ca/wp-content/uploads/2022/08/132.png)
![](https://tungle.ca/wp-content/uploads/2022/08/133.png)
Add a new static route to the PA Virtual Router to allow traffic from the private subnet to a LAN subnet on the FortiGate.
![](https://tungle.ca/wp-content/uploads/2022/08/134.png)
![](https://tungle.ca/wp-content/uploads/2022/08/135.png)
![](https://tungle.ca/wp-content/uploads/2022/08/136.png)
![](https://tungle.ca/wp-content/uploads/2022/08/139.png)
![](https://tungle.ca/wp-content/uploads/2022/08/138.png)
Create an IPSEC tunnel.
![](https://tungle.ca/wp-content/uploads/2022/08/140.png)
![](https://tungle.ca/wp-content/uploads/2022/08/141.png)
![](https://tungle.ca/wp-content/uploads/2022/08/142.png)
![](https://tungle.ca/wp-content/uploads/2022/08/143.png)
![](https://tungle.ca/wp-content/uploads/2022/08/144-1024x284.png)
![](https://tungle.ca/wp-content/uploads/2022/08/145.png)
Add 192.168.10.0/24 to the routes and select “Private Interface” as the target.
![](https://tungle.ca/wp-content/uploads/2022/08/146-1024x377.png)
![](https://tungle.ca/wp-content/uploads/2022/08/147-1024x380.png)
![](https://tungle.ca/wp-content/uploads/2022/08/148.png)
Configure interfaces.
![](https://tungle.ca/wp-content/uploads/2022/08/149.png)
Configure default routes on FG.
![](https://tungle.ca/wp-content/uploads/2022/08/150.png)
Configure IPSEC VPN on FG.
![](https://tungle.ca/wp-content/uploads/2022/08/151.png)
![](https://tungle.ca/wp-content/uploads/2022/08/152.png)
![](https://tungle.ca/wp-content/uploads/2022/08/153.png)
![](https://tungle.ca/wp-content/uploads/2022/08/154.png)
![](https://tungle.ca/wp-content/uploads/2022/08/155.png)
![](https://tungle.ca/wp-content/uploads/2022/08/156.png)
![](https://tungle.ca/wp-content/uploads/2022/08/157.png)
![](https://tungle.ca/wp-content/uploads/2022/08/158.png)
![](https://tungle.ca/wp-content/uploads/2022/08/159.png)
![](https://tungle.ca/wp-content/uploads/2022/08/160.png)
![](https://tungle.ca/wp-content/uploads/2022/08/161.png)
Ping from the Kali machine to the Windows instance (10.0.3.134).
![](https://tungle.ca/wp-content/uploads/2022/08/162.png)
Ping from the Windows instance to the Kali machine (192.168.10.2).
![](https://tungle.ca/wp-content/uploads/2022/08/163.png)
![](https://tungle.ca/wp-content/uploads/2022/08/164-1024x249.png)
![](https://tungle.ca/wp-content/uploads/2022/08/165-1024x191.png)
![](https://tungle.ca/wp-content/uploads/2022/08/166.png)
Back to Palo Alto in AWS. We can see the traffic from PA-LAN to FG-LAN and vice versa.
![](https://tungle.ca/wp-content/uploads/2022/08/167.png)
The Palo Alto IPSEC tunnel is UP.
![](https://tungle.ca/wp-content/uploads/2022/08/168-1024x373.png)
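As an added example (not part of the original lab), the Python sketch below models the three route tables this walkthrough touches and checks that traffic between 10.0.3.134 and 192.168.10.2 is steered into the tunnel in both directions. Only those two addresses and 192.168.10.0/24 come from the lab; the 10.0.3.0/24 prefix, the PA default route and every next-hop label are assumptions.

```python
import ipaddress

# Constructed route tables. Prefix 10.0.3.0/24, the PA default route and all
# next-hop labels are assumed for illustration; they are not taken from the lab.
ROUTES = {
    "aws-private-rt": [("10.0.3.0/24", "local"),
                       ("192.168.10.0/24", "pa-private-eni")],
    "pa-virtual-router": [("10.0.3.0/24", "pa-private-if"),
                          ("192.168.10.0/24", "tunnel-to-fg"),
                          ("0.0.0.0/0", "pa-public-if")],
    "fg-static": [("192.168.10.0/24", "fg-lan"),
                  ("10.0.3.0/24", "tunnel-to-pa"),
                  ("0.0.0.0/0", "fg-wan")],
}

def next_hop(table, dst):
    """Longest-prefix match of dst against one route table; None if no route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def check_tunnel_paths(routes, aws_host, fg_host):
    """List every hop that would not send lab traffic toward the tunnel."""
    expected = [
        ("aws-private-rt", fg_host, "pa-private-eni"),    # AWS subnet -> PA
        ("pa-virtual-router", fg_host, "tunnel-to-fg"),   # PA -> IPsec tunnel
        ("fg-static", aws_host, "tunnel-to-pa"),          # FG -> IPsec tunnel
        ("pa-virtual-router", aws_host, "pa-private-if"), # PA -> private subnet
    ]
    problems = []
    for table, dst, want in expected:
        got = next_hop(routes[table], dst)
        if got != want:
            problems.append(f"{table}: {dst} -> {got}, expected {want}")
    return problems

if __name__ == "__main__":
    issues = check_tunnel_paths(ROUTES, "10.0.3.134", "192.168.10.2")
    print("routing OK" if not issues else "\n".join(issues))
```

If the static route for 192.168.10.0/24 is missing on either firewall, the longest-prefix match falls through to the default route and the check reports traffic leaving via the public/WAN interface instead of the tunnel.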