Network Security
Prisma Access (Cloud Management)
Table of Contents
Expand All
|
Collapse All
Network Security Docs
Prisma Access
(Cloud Management)
Prisma Access
(Cloud Management)
Based on the
IPSec device type you selected,
Prisma Access
provides a
recommended set of IPSec protocol and key lifetime settings to secure data within
the IPSec tunnel between
your:- the private apps at your data center or headquarters location andPrisma Accessin IKE Phase 2 for the Security Association (SA)—for a service connection
- branch device andPrisma Accessin IKE Phase 2 for the Security Association (SA)—for a remote network site
You can use the recommended settings, or customize the settings as
needed for your environment.
- Customize theIPSec Crypto Profileto define how data is secured within the tunnel when Auto Key IKE automatically generates keys for the IKE SAs during IKE Phase 2.Prisma Accessautomatically configures a default IPSec crypto profile based on theBranch Device Typevendor. You can either use the default profile or create a custom profile.
- IPSec Protocol—Secure the data that traverses the VPN tunnel. The Encapsulating Security Payload (ESP) protocol encrypts the data, authenticates the source, and verifies the data integrity. The Authentication Header (AH) protocol authenticates the source and verifies the data integrity.If you useESPas the IPSec protocol, also specify theEncryptionalgorithm used in the IPSec SA negotiation.Prisma Accesssupports the following encryption algorithms: aes-256-gcm (256 bits), aes-256-cbc (256 bits), aes-192-cbc (192 bits), aes-128-gcm (128 bits), aes-128-cbc (128 bits), 3des (168 bits), and des (56 bits). You can also select null (no encryption).
- Authentication—Specify the authentication algorithm used in the IPSec SA negotiation.Prisma Accesssupports the following authentication algorithms: sha1 (160 bits), sha256 (256 bits), sha384 (384 bits), sha512 (512 bits), and md5 (128 bits). If you set the IPSec Protocol to ESP, you can also select none (no authentication).
- DH Group—Specify the Diffie-Hellman (DH) groups for IKE in the IPSec security association (SA) negotiation.Prisma Accesssupports the following DH groups: Group 1 (768 bits), Group 2 (1024 bits—default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group). For the strongest security, select the group with the highest number. If you don’t want to renew the key thatPrisma Accesscreates during IKE phase 1, selectno-pfs(no perfect forward secrecy). If you select this option,Prisma Accessreuses the current key for the IPSec SA negotiation.
- Lifetime—Specify the unit and amount of time during which the negotiated key is valid (default is one hour).
- Lifesize—Specify the unit and amount of data that the key can use for encryption.