Prisma Access (Cloud Management)

Set up a Cloud Managed Prisma Access IPSec tunnel for your service connection or a remote network site.
Use the following steps to set up an IPSec tunnel for your service connection or a remote network site.
The first tunnel you create is the primary tunnel for the service connection or a remote network site. You can then repeat this workflow to optionally set up a secondary tunnel. When both tunnels are up, the primary tunnel takes priority over the secondary tunnel. If the primary tunnel for a service connection or a remote network site goes down, the connection falls back to the secondary tunnel until the primary tunnel comes back up.
Based on the IPSec device you use to establish the tunnel for your service connection or a remote network site, Prisma Access provides built-in, recommended IKE and IPSec security settings. You can use the recommended settings to get started quickly, or customize them as needed for your environment.

Add Primary and Secondary IPSec VPN Tunnels

  1. For a service connection, go to Settings > Prisma Access Setup > Service Connections and Set Up the primary tunnel. For a remote network site, go to Settings > Prisma Access Setup > Remote Networks and Set Up the primary tunnel. If you’ve already set up a primary tunnel, you can continue here to also add a secondary tunnel.
    1. Give the tunnel a descriptive Name.
    2. Select the Branch Device Type for the IPSec device at the HQ/DC (for a service connection) or at the remote network site that you’re using to establish the tunnel with Prisma Access.
    3. For the Branch Device IP Address, choose to use either a Static IP address that identifies the tunnel endpoint or a Dynamic IP address.
      (For a service connection) If you set the Branch Device IP Address to Dynamic, you must also add the IKE ID for the HQ/DC (IKE Local Identification) or for Prisma Access (IKE Peer Identification) to enable the IPSec peers to authenticate.
      Because you do not have the values to use for the Prisma Access IKE ID (IKE Peer Identification) until the service connection is fully deployed, you would typically want to set the IKE ID for the HQ/DC (IKE Local Identification) rather than the Prisma Access IKE ID.
      (For a remote network site) If you set the Branch Device IP Address to Dynamic, you must also add the IKE ID for the remote network site (IKE Local Identification) or for Prisma Access (IKE Peer Identification) to enable the IPSec peers to authenticate.
      Because you do not have the values to use for the Prisma Access IKE ID (IKE Peer Identification) until the remote network is fully deployed, you would typically want to set the IKE ID for the remote network site (IKE Local Identification) rather than the Prisma Access IKE ID.
  2. Turn on Tunnel Monitoring.
    Enter a Tunnel Monitoring Destination IP address on the HQ/DC network for Prisma Access to use to determine whether the tunnel is up and, if your IPSec device uses policy-based VPN, enter the associated Proxy ID.
    The tunnel monitoring IP address you enter is automatically added to the list of branch subnetworks.
  3. Save the tunnel settings.
    To continue:

