Set Up an IPSec Tunnel (Tunnel Mode) (Strata Cloud Manager)
Set up a Strata Cloud Manager Managed Prisma Access IPSec tunnel for your service connection or a remote network site.

Use the following steps to set up an IPSec tunnel for your service connection or a remote network site.

The first tunnel you create is the primary tunnel for the service connection or a remote network site. You can then repeat this workflow to optionally set up a secondary tunnel. When both tunnels are up, the primary tunnel takes priority over the secondary tunnel. If the primary tunnel for a service connection or a remote network site goes down, the connection falls back to the secondary tunnel until the primary tunnel comes back up.

Based on the IPSec device you use to establish the tunnel for your service connection or a remote network site, Prisma Access provides built-in, recommended IKE and IPSec security settings. You can use the recommended settings to get started quickly, or customize them as needed for your environment.
Add Primary and Secondary IPSec VPN Tunnels
- For a service connection, go to Settings > Prisma Access Setup > Service Connections and Set Up the primary tunnel. For a remote network site, go to Settings > Prisma Access Setup > Remote Networks and Set Up the primary tunnel. If you’ve already set up a primary tunnel, you can continue here to also add a secondary tunnel.
- Give the tunnel a descriptive Name.
- Select the Branch Device Type for the IPSec device at the HQ/DC (for a service connection) or at the remote network site that you’re using to establish the tunnel with Prisma Access.
- For the Branch Device IP Address, choose to use either a Static IP address that identifies the tunnel endpoint or a Dynamic IP address.
  - For a service connection: If you set the Branch Device IP Address to Dynamic, you must also add the IKE ID for the HQ/DC (IKE Local Identification) or for Prisma Access (IKE Peer Identification) to enable the IPSec peers to authenticate. Because you do not have the values to use for the Prisma Access IKE ID (IKE Peer Identification) until the service connection is fully deployed, you would typically want to set the IKE ID for the HQ/DC (IKE Local Identification) rather than the Prisma Access IKE ID.
  - For a remote network site: If you set the Branch Device IP Address to Dynamic, you must also add the IKE ID for the remote network site (IKE Local Identification) or for Prisma Access (IKE Peer Identification) to enable the IPSec peers to authenticate. Because you do not have the values to use for the Prisma Access IKE ID (IKE Peer Identification) until the remote network is fully deployed, you would typically want to set the IKE ID for the remote network site (IKE Local Identification) rather than the Prisma Access IKE ID.
- Turn on Tunnel Monitoring. Enter a Tunnel Monitoring Destination IP address on the HQ/DC network for Prisma Access to use to determine whether the tunnel is up and, if your IPSec device uses policy-based VPN, enter the associated Proxy ID. The tunnel monitoring IP address you enter is automatically added to the list of branch subnetworks.
- Save the tunnel settings.

To continue:

- Set up and customize advanced crypto settings for IKE and IPSec. See More IKE Options and More IPSec Options.
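The rules stated in the procedure above, written out as a pre-deployment consistency check so that a tunnel definition can be reviewed before it is committed. This is an added example and not Palo Alto Networks code: the `TunnelConfig` field names (`branch_ip_mode`, `ike_local_id`, `ike_peer_id`, `monitor_dest_ip`, `policy_based_vpn`) are assumptions that mirror the setting names in the steps, not Strata Cloud Manager API attributes, and the branch values in the sample are constructed. It checks that a Dynamic branch address is paired with an IKE ID, that tunnel monitoring has a valid destination (and a Proxy ID for a policy-based device), models the automatic addition of the monitoring address to the branch subnets, and shows the primary/secondary selection over a series of monitoring samples.

```python
"""Pre-deployment consistency checks for a Prisma Access IPSec tunnel pair.

Added example, not Palo Alto Networks code. Field names are assumptions that
mirror the settings named in the procedure; they are not Strata Cloud Manager
API attributes.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class TunnelConfig:
    name: str
    branch_device_type: str
    branch_ip_mode: str                    # "static" or "dynamic" (Branch Device IP Address)
    branch_ip: Optional[str] = None        # required only in static mode
    ike_local_id: Optional[str] = None     # IKE Local Identification (HQ/DC or branch side)
    ike_peer_id: Optional[str] = None      # IKE Peer Identification (Prisma Access side)
    tunnel_monitoring: bool = False
    monitor_dest_ip: Optional[str] = None  # Tunnel Monitoring Destination IP
    policy_based_vpn: bool = False         # branch device uses policy-based VPN
    proxy_id: Optional[str] = None
    branch_subnets: List[str] = field(default_factory=list)


def _valid_ip(text: str) -> bool:
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def validate_tunnel(cfg: TunnelConfig) -> List[str]:
    """Return the problems that would keep the tunnel from coming up; [] means consistent."""
    problems: List[str] = []
    if not cfg.name.strip():
        problems.append("tunnel needs a descriptive Name")

    if cfg.branch_ip_mode == "static":
        if cfg.branch_ip is None or not _valid_ip(cfg.branch_ip):
            problems.append("static mode needs a valid Branch Device IP Address")
    elif cfg.branch_ip_mode == "dynamic":
        # With no fixed peer address to match on, an IKE ID on at least one side is
        # what lets the peers authenticate. The Prisma Access peer ID is not known
        # until deployment, so the local ID is the usual choice.
        if not (cfg.ike_local_id or cfg.ike_peer_id):
            problems.append("dynamic mode needs IKE Local Identification or IKE Peer Identification")
    else:
        problems.append(f"unknown Branch Device IP Address mode: {cfg.branch_ip_mode!r}")

    if cfg.tunnel_monitoring:
        if cfg.monitor_dest_ip is None or not _valid_ip(cfg.monitor_dest_ip):
            problems.append("tunnel monitoring needs a valid Tunnel Monitoring Destination IP")
        if cfg.policy_based_vpn and not cfg.proxy_id:
            problems.append("policy-based VPN device: tunnel monitoring needs the associated Proxy ID")
    return problems


def effective_branch_subnets(cfg: TunnelConfig) -> List[str]:
    """Branch subnets plus the monitoring destination, which is added automatically
    as a host route unless a listed subnet already covers it."""
    nets = [ip_network(n, strict=False) for n in cfg.branch_subnets]
    result = [str(n) for n in nets]
    if cfg.tunnel_monitoring and cfg.monitor_dest_ip and _valid_ip(cfg.monitor_dest_ip):
        dest = ip_address(cfg.monitor_dest_ip)
        if not any(dest in n for n in nets):
            result.append(f"{dest}/{dest.max_prefixlen}")
    return result


def failover_timeline(samples: List[tuple]) -> List[Optional[str]]:
    """For each (primary_up, secondary_up) monitoring sample, name the tunnel that
    carries traffic: primary whenever it is up, secondary only while primary is down."""
    active: List[Optional[str]] = []
    for primary_up, secondary_up in samples:
        if primary_up:
            active.append("primary")
        elif secondary_up:
            active.append("secondary")
        else:
            active.append(None)
    return active


if __name__ == "__main__":
    # Constructed sample: a branch with a dynamic WAN address and monitoring enabled.
    branch = TunnelConfig(
        name="branch-sjc-primary", branch_device_type="generic-ipsec",
        branch_ip_mode="dynamic", ike_local_id="branch-sjc.example.com",
        tunnel_monitoring=True, monitor_dest_ip="10.20.0.5",
        branch_subnets=["10.20.1.0/24"],
    )
    print(validate_tunnel(branch))
    print(effective_branch_subnets(branch))
    print(failover_timeline([(True, True), (False, True), (False, False), (True, False)]))
```

Run the checks on the primary and the secondary definition separately; the failover helper only models which tunnel carries traffic, it does not replace tunnel monitoring itself.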