Network Security
Prisma Access (Cloud Management)
Table of Contents
Expand All
|
Collapse All
Network Security Docs
Prisma Access
(Cloud Management)
Prisma Access
(Cloud Management)
Based on the IPSec device type you selected,
Prisma Access
provides a recommended
set of ciphers and a key lifetime for the IKE Phase 1 key exchange process between: - the private apps at your data center or headquarters location andPrisma Access—for a service connection
- the remote network site device andPrisma Access—for a remote network site
You can use the recommended settings, or customize the settings as needed for your
environment.
- Select anIKE Protocol Versionfor your IPSec device andPrisma Accessto use for IKE negotiation.If you selectIKEv1 Only Mode,Prisma Accesscan use only the IKEv1 protocol for the negotiation. If you selectIKEv2 Only Mode,Prisma Accesscan use only the IKEv2 protocol for the negotiation.If you selectIKEv2 Preferred Mode,Prisma Accessuses the IKEv2 protocol only if your IPSec device(for service connection)/branch IPSec device(for remote network site) also supports IKEv2. If your IPSec device does not support IKEv2,Prisma Accessfalls back to using the IKEv1 protocol.
- Add anIKEv1 Crypto Profileto customize the IKE crypto settings that define the encryption and authentication algorithms used for the key exchange process in IKE Phase 1.Prisma Accessautomatically uses a default IKE crypto profile based on theBranch Device Typethat’s being used to establish this tunnel.
- Encryption—Specify the encryption algorithm used in the IKE SA negotiation.Prisma Accesssupports the following encryption algorithms: 3des (168 bits), aes-128-cbc (128 bits), aes-192-cbc (192 bits), aes-256-cbc (256 bits), and des (56 bits). You can also select null (no encryption).
- Authentication—Specify the authentication algorithm used in the IKE SA negotiation.Prisma Accesssupports the following authentication algorithms: sha1 (160 bits), sha256 (256 bits), sha384 (384 bits), sha512 (512 bits), and md5 (128 bits). You can also select null (no authentication).
- DH Group—Specify the Diffie-Hellman (DH) groups used to generate symmetrical keys for IKE in the IKE SA negotiation. The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret, which is an encrypted key that both VPN tunnel peers share.Prisma Accesssupports the following DH groups: Group 1 (768 bits), Group 2 (1024 bits—default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group). For the strongest security, select the group with the highest number.
- Lifetime—Specify the unit and amount of time for which the IKE Phase 1 key is valid (default is 8 hours). For IKEv1, the security association (SA) is not actively re-keyed before the key lifetime expires. The IKEv1 Phase 1 re-key triggers only when the SA expires. For IKEv2, the SA must be re-keyed before the key lifetime expires. If the SA is not re-keyed upon expiration, the SA must begin a new Phase 1 key.
- IKEv2 Authentication Multiple—Specify the value that is multiplied by the key lifetime to determine the authentication count (range is 0 to 50; default is 0). The authentication count is the number of times that the security processing node can perform IKEv2 IKE SA re-key before it must start over with IKEv2 re-authentication. The default value of 0 disables the re-authentication feature.
- EnableIKE Passive Modeso thatPrisma Accessonly response to IKE connections and does not initiate them.
- IKE NAT Traversalis turned on by default.This means that UDP encapsulation is used on IKE and UDP protocols, enabling them to pass through network address translation (NAT) devices that are between the IPSec VPN tunnel endpoints.