shauls
Participant

IPSec VPN between CheckPoint and Prisma Access

Hey guys,

I was asked to make a test in which I will route all internet traffic from a specific subnet (for example 10.10.10.0/24) to Prisma Access.

I configured the necessary part in Prisma Access Remote Networks IPSec VPN, but what are my options in order to do this in Check Point?

I was thinking of making a VPN community in which the VPN Domain will be 0.0.0.0/0, excluding RFC1918 addresses and the CGNAT address range.

Is it even possible? Are there other options?

0 Kudos
1 Solution

Accepted Solutions
the_rock
Legend

Does not really matter, as long as it's not used on their end.

Andy


18 Replies
shauls
Participant

I am thinking that maybe Route Based VPN with PBR would be a more appropriate solution, but I am not sure how to implement it.

In VTI configuration, what do I configure as remote peer ip address and local ip address? I only have Prisma Access Public IP.

0 Kudos
the_rock
Legend

See if the post below, which I made about a year ago, helps. I know it's Azure, but it would be very similar. I know Prisma is Palo Alto, if I'm not mistaken. I have only seen it once myself, apologies, but I'm not familiar with it at all. But, to answer your question about route based, yes, you can follow the documents I have in the link, hope it makes sense.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-tunnel-to-Azure/m-p/206179/emc...

shauls
Participant

I understand that I could just "gibberish" the VTI numbered addresses. Is this correct?

0 Kudos
the_rock
Legend

That's right. See below, an example I gave in another post a while back. Message me directly if you need further explanation.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Route-based-VPN-failover-issue/m-p/155553#M265...

the_rock
Legend

Hey @shauls , were you able to figure this out?

Andy

0 Kudos
shauls
Participant

I am still not sure about the "Numbered Remote Address" field. I understand that I could come up with any unique IP address for the numbered local address, but what about the remote address? I don't have such an address provided to me by Prisma, unlike the AWS example.

0 Kudos
the_rock
Legend

Does not really matter, as long as it's not used on their end.

Andy

shauls
Participant

IT IS working. I used your text guide along with the AWS guide. I also configured PBR instead of static route.

There is only one thing that is very strange: in Tunnel Monitoring I see that the tunnel is down, but on the Prisma side it is up and everything is working as expected.

shauls
Participant

Never mind, I see that I configured the "permanent tunnels" option, but it should only work between Check Point gateways. I disabled it and now I see that the tunnel is up. Thanks for the help!

0 Kudos
the_rock
Legend

I always rely more on vpn tu or vpn tu tlist.

Andy

0 Kudos
koendsp
Participant

Hey @shauls, I have the same issue. We are setting up a VPN tunnel with Palo Alto Prisma Access on VSX level. The only limitation on VSX is that we have to use a numbered VPN, since unnumbered is not supported.

What did you configure as LOCAL and REMOTE IP?
Can the local be whatever you choose? Does it need to be an L3 interface on the FW? Or can it?

For the remote IP, does it need to come from the same subnet?
I see that @the_rock tells us that it doesn't matter? If we route for example 10.1.1.0/24 behind this VPN, the remote IP can't be from this range, right?

I also see that Palo Alto can't specify a local and remote address. So at PA side, it's not used?

the_rock
Legend

That's right @koendsp

0 Kudos
koendsp
Participant

Thanks @the_rock 

If you please allow me to summarize/question so I get it 100% correct:

- The Local IP can be an L3 interface on the VSX Virtual FW. Yes, but not needed, you can choose another as long as it's routed / No, it can't be a layer 3 interface.
- The local IP cannot be the PUBLIC IP that I use to set up my PHASE 1. YES/NO
- The Remote IP at the Palo Alto side can be whatever, as long as it's not in the VPN domain at the PA side. For example, if we want to reach 10.1.1.0/24 at PA, we can't have a remote IP in this range? YES/NO

Thanks a lot!
Koen

0 Kudos
the_rock
Legend

Yes to all but the last one; it would supernet, so they had better be different, otherwise certain modifications are needed, or NAT.

Andy

0 Kudos
koendsp
Participant

Thanks for the help! Very much appreciated! 🙂

0 Kudos
the_rock
Legend

No problem. FYI, if supernetting happens, make sure the values below in GuiDBedit are set to FALSE.

Andy

ike_enable_supernet

ike_p2_enable_supernet_from_R80.20

ike_use_largest_possible_subnets

koendsp
Participant

Thanks. We have a /22 routed/used at the Palo Alto side.
Could this be the reason that we have Phase 1 up but Phase 2 is having issues?

In SmartView Monitor we see the state as 'Up'.
In the 'FW monitor' on VSX we can see that we have Outgoing Encrypted packets, but we don't see them arriving at the Palo Alto side.

I'm also wondering what we have to set for VPN Tunnel Sharing.
One tunnel per each pair of hosts, subnet or gateway pair?

0 Kudos
the_rock
Legend

Definitely could be. That's why I would make sure those GuiDBedit values are set to FALSE.

Btw, you set it per gateway if it's a route-based tunnel or if the VPN domain is a combo of hosts/subnets.

Andy

0 Kudos
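As an added example (not code from any poster, from Check Point or from Palo Alto), a small Python checker for the two questions discussed above: whether a chosen numbered VTI local/remote pair is safe (one small shared subnet, not inside any prefix routed over the tunnel), and whether the Phase 2 selectors the two sides would propose overlap without matching exactly, which is the supernet situation the GuiDBedit properties above relate to. All addresses in it are constructed.

```python
"""Sanity checks for a numbered route-based VPN (VTI) between a Check Point
gateway and a Prisma Access peer, written for the questions in this thread.
Added example, not Check Point or Palo Alto code; all addresses are constructed."""
import ipaddress
from typing import List, Tuple


def check_vti_addresses(local: str, remote: str, routed_prefixes: List[str]) -> List[str]:
    """Return problems with a numbered VTI local/remote pair (given with prefix
    length, e.g. '169.254.10.1/30'). The pair is only a link address between the
    two tunnel ends, so it must be one small subnet shared by both sides and must
    not sit inside any prefix that is routed over the tunnel."""
    problems = []
    loc = ipaddress.ip_interface(local)
    rem = ipaddress.ip_interface(remote)
    if loc.ip == rem.ip:
        problems.append("local and remote VTI addresses are identical")
    if loc.network != rem.network:
        problems.append(f"{local} and {remote} are not in the same subnet")
    for prefix in routed_prefixes:
        net = ipaddress.ip_network(prefix, strict=False)
        for side, addr in (("local", loc.ip), ("remote", rem.ip)):
            if addr in net:
                problems.append(f"{side} VTI address {addr} lies inside routed prefix {net}")
    return problems


def phase2_selector_mismatches(cp_selectors: List[str],
                               peer_selectors: List[str]) -> List[Tuple[str, str, str]]:
    """Compare the Phase 2 traffic selectors (proxy-IDs) each side would propose.
    Phase 2 needs an exact match; a pair that overlaps without being identical
    (for example one side proposing a /22 that covers a /24 the other side
    configured) is the supernet case the ike_*supernet* properties control.
    Returns (cp_prefix, peer_prefix, wider_side) for each such pair."""
    mismatches = []
    for cp in cp_selectors:
        cp_net = ipaddress.ip_network(cp, strict=False)
        for peer in peer_selectors:
            peer_net = ipaddress.ip_network(peer, strict=False)
            if cp_net == peer_net or not cp_net.overlaps(peer_net):
                continue  # exact match is fine; disjoint prefixes never compete
            wider = "check_point" if cp_net.prefixlen < peer_net.prefixlen else "peer"
            mismatches.append((str(cp_net), str(peer_net), wider))
    return mismatches


if __name__ == "__main__":
    # Constructed sample: a link pair inside the peer's /22, and a /22 vs /24 selector clash.
    print(check_vti_addresses("10.1.1.1/30", "10.1.1.2/30", ["10.10.10.0/24", "10.1.0.0/22"]))
    print(phase2_selector_mismatches(["10.1.0.0/22"], ["10.1.1.0/24", "192.168.5.0/24"]))
```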
