Configure Prisma Access Colo-Connect
Configure a Colo-Connect deployment in Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • A Prisma Access (Managed by Panorama) deployment running a minimum Cloud Services plugin version of 4.1 and a minimum dataplane version of 10.2.4
  • A Colo-Connect add-on license
Prisma Access Colo-Connect consists of the following components:
  • Colo—The colocation facility that provides rack space, power, and connectivity to host networking, private, and public cloud infrastructure, such as Equinix.
  • Dedicated Interconnect—The dedicated Layer 2 or Layer 3 physical connection between your router and a GCP edge router in a given GCP compute region. A dedicated Interconnect provides a direct physical connection between your on-premises network and the Google network. Interconnects are called Links in the Prisma Access UI.
  • GCP VLAN Attachment—The logical Layer 2 connection over the link that separates traffic from any other logical connections sharing the same link. VLAN attachments are called Connections in the Prisma Access UI.
  • Partner Interconnect—The Layer 3 physical connection between a service provider owned router and a GCP edge router in a given GCP compute region. A partner Interconnect provides connectivity between your on-premises and VPC networks through a supported service provider. Colo-Connect supports both Dedicated and Partner interconnects.
  • Colo (Customer) Router—The routing device in the Colo facility that establishes eBGP with the GCP cloud router over the interconnect in the Colo facility, as well as eBGP with the Colo-Connect service connection over the GRE tunnel. It is a customer router for a dedicated interconnect, or if the service provider has Layer 2 connectivity with GCP over the partner interconnect. The service provider owns the Colo router when it has Layer 3 connectivity with the GCP cloud router.
  • GCP Edge Router—GCP's network edge equipment that provides physical connectivity between GCP and the customer/partner network via the Colo.
  • Cloud Router—The GCP software construct in the cloud that establishes BGP sessions with the networking device (for example, a router or Layer 3 firewall) in the Colo and routes traffic between Prisma Access and your network. You are not required to configure this component; Prisma Access sets it up automatically.
To configure Colo-Connect, you must first gather information about your existing network environment and make sure that you have all required network components in place. Ensure you have all prerequisites; then, deploy Colo-Connect in your organization's network using either a partner or a dedicated interconnect.

Configure Prisma Access Colo-Connect (Strata Cloud Manager)

Configure a Colo-Connect deployment in Prisma Access.
To configure Colo-Connect, you must first gather information about your existing network environment and make sure that you have all the required network components in place. Ensure you have all prerequisites; then deploy Colo-Connect in your organization's network using either a partner or a dedicated interconnect.

Configure Prisma Access Colo-Connect—Deployments Using Partner Interconnects

To configure Prisma Access Colo-Connect using a partner interconnect, complete these steps.
  1. Create subnets for your Colo-Connect connections.
    You use the subnets you create here in the connections and service connections that you create in later steps.
    1. From Strata Cloud Manager, go to Workflows > Prisma Access Setup > Colo-Connect.
    2. Add Prefix and add a Colo-Connect subnet and a Prisma Access location for it.
      See the list of supported Colo-Connect locations here. Enter a minimum subnet of /28.
    3. (Optional) If you plan on creating Colo-Connect instances for more than one location, add more subnets on a per-location basis.
      You can configure one subnet per location.
  2. Add a new Colo-Connect link (also known as the interconnect).
    1. Go to Workflows > Prisma Access Setup > Colo-Connect and Add Link.
    2. Give the link a unique Link Name.
    3. Select Partner interconnect as the Link Type.
    4. Specify the remaining Colo-Connect link parameters.
      • Select either 10Gbps or 20Gbps for the Bandwidth.
      • Select either Zone1 or Zone2 for the Edge Availability Domain. Take this value from the GCP zone used for your edge availability domain.
      • Enter the Organization Name to use for this link.
      • Enter the Email to use for this link. Any email address is acceptable.
    5. Repeat steps 2.a to 2.d and create another link with a different Edge Availability Domain.
  3. Create the connections (also known as the VLAN attachments) for Colo-Connect.
    1. Go to Workflows > Prisma Access Setup > Colo-Connect and Add Connection.
    2. Configure the connection settings.
      • Enter a unique Connection Name.
      • Select a Link Name from the links you configured in a previous step.
      • (Optional) Enter a VLAN ID for the connection.
        VLAN IDs are generated by the interconnect vendor (GCP) if you don't manually enter a value.
      • Select a Bandwidth for the connection.
        You can select between 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, or 20 Gbps.
        If you configure multiple connections for an interconnect, make sure that the total bandwidth of the connections does not exceed the bandwidth of the interconnect. For example, given a partner interconnect of 10 Gbps, you can configure 10 connections of 1 Gbps each, but don't exceed 10 Gbps in total for all connections.
        If your deployment requires more than 16 connections, reach out to your Palo Alto Networks account team, who will open an SRE case to accommodate the request.
      • Enter a BGP Peer ASN.
        Enter the Autonomous System (AS) number for the customer on-premises router in the Colo. The range is between 1 and 4294967295.
      • Select the Location from the connection names you created in a previous step.
        You must have already added a subnet for any location you specify.
      • (Optional) Enter the BGP MD5 Secret.
    3. Continue to create connections until complete.
      Create two connections. Both connections must be in the same region and one connection each must be in a separate zone. You use these connections in service connections you create in a later step.
  4. Push Config.
    Refresh the browser after the commit job is complete to view the pairing keys under Connections.
  5. Retrieve the Pairing Key and complete your partner interconnect configuration in GCP.
    You use this pairing key when you set up the partner interconnect in the Colo.
    When you first onboard a new connection, the Status in the Connections area shows a Status of PENDING_PARTNER and a BGP Status of DOWN. To bring the connection status to ACTIVE, retrieve the pairing key and input it in the connection at the Colo.
    1. Go to Workflows > Prisma Access Setup > Colo-Connect > Connections and copy the Pairing Key.
    2. Create a new VLAN connection in the Colo.
    3. Paste the Pairing Key in the Colo VLAN.
      GCP detects when the pairing key is consumed, brings the VLAN status to ACTIVE, and generates the BGP IP addresses for you to configure on your on-premises router in the Colo. Prisma Access uses these IPs to initiate eBGP adjacency over each associated VLAN between the Colo router and the GCP cloud router.
  6. Create eBGP routing on the Customer (Colo) router for the Colo-Connect connection.
    You need to set up BGP peering to ensure connectivity between the customer router and the cloud router.
  7. Set up the service connections to use with Colo-Connect.
  8. Push Config.
  9. Check the status of the Colo-Connect connections.
    1. To check the status of a service connection used by a Colo-Connect connection, go to Workflows > Prisma Access Setup > Service Connection.
    2. Select Manage > Configuration > NGFW and Prisma Access. Set the Configuration Scope to Prisma Access. Select the In Sync status of the Service Connections under the Prisma Access sync status. Select the region that has a Colo-Connect connection deployed.
      • If the Colo-Connect connection and the BGP routing are both up, the Status displays OK.
      • If the Colo-Connect connection is up but BGP routing isn't up, the Status displays Warning.
      • If the Colo-Connect connection and BGP routing are both down, the Status displays Down.
      • If the Colo-Connect connection is down but BGP routing is up, the Status displays Error.
    3. For more information, click the region box and view the information in the Status tab.
  10. Check the connection details, including the Pairing Key, of the Colo-Connect connections by going to Workflows > Prisma Access Setup > Colo Connect.

Configure Prisma Access Colo-Connect—Deployments Using Dedicated Interconnects

To configure Prisma Access Colo-Connect using a dedicated interconnect, complete these steps.
  1. Create subnets for your Colo-Connect connections.
    You use the subnets you create here in the connections and service connections that you create in later steps.
    1. From Strata Cloud Manager, go to Workflows > Prisma Access Setup > Colo-Connect and click the gear icon to edit the settings.
    2. Add Prefix for Colo-Connect Subnet and select a Prisma Access location (PA Location) for it.
      Enter a minimum subnet of /28.
    3. (Optional) If you plan on creating Colo-Connect instances for more than one location, add more subnets on a per-location basis.
      You can configure only one subnet per location.
  2. Add a new Colo-Connect link (also known as the interconnect).
    1. Go to Workflows > Prisma Access Setup > Colo-Connect and Add Link.
    2. Give the link a unique Link Name.
    3. Select a Dedicated interconnect as the Link Type.
    4. Specify the remaining Colo-Connect link parameters.
      • Select either 10Gbps or 20Gbps for the Bandwidth.
        If you select 20 Gbps, you must aggregate the Dedicated Interconnect link into two 10 Gbps links using LACP.
        You can't change the bandwidth of a dedicated interconnect link after you specify it and commit and push your changes.
      • Select a Colo-Connect Location from the drop-down list.
        Make sure that you select the same location that you used for the dedicated interconnect.
      • Select either Zone1 or Zone2 for the Edge Availability Domain. Take this value from the GCP zone used for your edge availability domain.
      • Enter the Organization Name to use for this link.
      • Enter the Email where you want to receive the LOA-CFA details from the cloud provider.
  3. After the dedicated connection is created, the Colo facility tests your connections and informs you that they have been tested and are ready to use.
    No Prisma Access configuration is required for this step. Don't create the Colo-Connect connections in Prisma Access until the Colo facility lets you know that they have been tested.
  4. Create the connections (also known as the VLAN attachments) for Colo-Connect.
    1. Make sure that the dedicated link status is Active by going to Workflows > Prisma Access Setup > Colo-Connect > Colo Connect Links.
      Until the Dedicated link status is Active, you can't create Colo-Connect links.
    2. Go to Workflows > Prisma Access Setup > Colo-Connect and Add Connection.
    3. Configure the connection settings.
      • Enter a unique Name for the connection.
      • Select a Link Name from the links you configured in a previous step.
      • (Optional) Enter a VLAN ID for the connection.
        VLAN IDs are generated by the interconnect vendor (GCP) if you don't manually enter a value.
      • Select a Bandwidth for the connection.
        You can select between 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, or 20 Gbps.
        If you configure multiple connections for an interconnect, make sure that the total bandwidth of the connections does not exceed the bandwidth of the interconnect. For example, given a dedicated interconnect of 20 Gbps, you can configure 10 connections of 2 Gbps each, but don't exceed 20 Gbps in total for all connections.
      • Enter a BGP Peer ASN.
        Enter the Autonomous System (AS) number for the customer on-premises router in the Colo. The range is between 1 and 4294967295.
      • Select the Location from the connection names you created in a previous step.
        You must have already added a subnet for any location you specify.
      • (Optional) Enter the BGP MD5 Secret.
    4. Continue to create connections until complete.
      Create two connections. Both connections must be in the same region and one connection each must be in a separate zone. You use these connections in service connections you create in a later step.
  5. Push Config.
  6. Configure eBGP routing on the customer router.
    You need to set up BGP peering to ensure connectivity between the customer router and the cloud router.
  7. Set up the service connections to use with Colo-Connect.
  8. Commit and Push your configuration changes, making sure that Colo-Connect is selected in the Push Scope.
  9. Check the status of the Colo-Connect connections.
    1. To check the status of a service connection used by a Colo-Connect connection, go to Manage > Configuration > NGFW and Prisma Access. Set the Configuration Scope to Prisma Access.
    2. Hover over a region that has a Colo-Connect connection deployed.
      • If the Colo-Connect connection and the BGP routing are both up, the Status displays OK.
      • If the Colo-Connect connection is up but BGP routing isn't up, the Status displays Warning.
      • If the Colo-Connect connection and BGP routing are both down, the Status displays Down.
      • If the Colo-Connect connection is down but BGP routing is up, the Status displays Error.
    3. For more information, click the region box and view the information in the Status tab.
  10. Check the network details of the Colo-Connect connections by going to Workflows > Prisma Access Setup > Colo-Connect > Connections and viewing the details.
    For dedicated links, the Pairing Key displays as N/A.

Configure VLAN eBGP Routing on the Customer Router

GCP creates IP addresses for the customer (Colo) router and the cloud router during these stages of your deployment:
  • For partner interconnects, GCP creates the IP addresses after the pairing key is consumed by your Colo (for example, Equinix).
  • For dedicated interconnects, GCP creates the IP addresses after you onboard your Colo-Connect connections (VLAN attachments) and commit and push your changes.
To ensure correct routing, you must:
  • Configure the Colo router IP address (the Colo CPE IP in Prisma Access) as the local eBGP IP address.
  • Configure the cloud router IP address (Cloud Router IP) as the eBGP peer address on your Colo router.
When complete, eBGP is configured for the connection (VLAN attachment) between the Colo router and the cloud router.
Creating this routing is the first step in setting up GRE tunnel routing. You complete the GRE tunnel routing when you set up GRE tunnels during service connection configuration.
Use the following steps to configure routing between the Colo and the cloud router.
  1. From Strata Cloud Manager, create the subnets, links, and connections and Push Config.
    Use the workflow specific to your interconnect type (either Partner or Dedicated). For Partner interconnects, be sure that you pasted the Pairing Key into the Colo VLAN.
  2. Go to Workflows > Prisma Access Setup > Colo-Connect > Connections.
  3. Make a note of the following connection elements:
    • Colo CPE IP
    • Cloud Router IP
    • Cloud Router BGP ASN
    In the following example:
    • For the vlan-central-1 connection, the Colo CPE IP is 169.254.24.170/29, the Cloud Router IP is 169.254.24.169/29, and the Cloud Router BGP ASN is 16550.
    • For the vlan-central-2 connection, the Colo CPE IP is 169.254.120.74/29, the Cloud Router IP is 169.254.120.73/29, and the Cloud Router BGP ASN is 16550.
  4. Determine the IP addresses you will use for the local GRE IP addresses when you set up the Colo-Connect service connections.
    You configure these when you set up a Colo-Connect service connection (Workflows > Prisma Access Setup > Service Connections), in the Peer IP 1 and, if required, Peer IP 2 areas.
    If you're configuring a service connection to support up to 10 Gbps of throughput, put one tunnel each in Connection 1 and Connection 2, for a total of two tunnels in each service connection.
    If you're configuring a service connection to support more than 10 Gbps of throughput (up to 20 Gbps), put two tunnels each in Connection 1 and Connection 2, for a total of four tunnels in each service connection.
    The following examples show a tunnel being configured for more than 10 Gbps throughput, so two tunnels per connection are used, and they use the following peer IP addresses:
    • 172.120.1.1 for Connection 1
    • 172.130.1.1 for Connection 1
    • 172.121.1.1 for Connection 2
    • 172.131.1.1 for Connection 2
  5. Log in to the Colo router.
    The following configuration screenshots use a Palo Alto Networks Next-Generation Firewall as the Colo router.
  6. Add a VLAN interface, specifying the Colo CPE IP address as the IP address.
    If you're using a next-generation firewall as the Colo router, go to Network > Interfaces > VLAN and Add the VLAN interface, specifying the Virtual Router name, and
  7. Configure the Colo router IP address (Colo CPE IP) as the local eBGP IP address and configure the cloud router IP address (Cloud Router IP) as the eBGP peer address on your Colo router.
    If you're using a next-generation firewall as the Colo router, go to Network > Virtual Routers, Add a virtual router, go to BGP > Peer Group, and enter the Colo CPE IP as the Peer Address and the Cloud Router IP as the Local Address.
  8. Configure the Cloud Router BGP ASN as the eBGP peer Autonomous System Number (ASN).
    If you're using a next-generation firewall as the Colo router, go to Network > Virtual Routers, Add a virtual router, go to BGP > Peer Group, Add a peer group, and select a Peer AS of 16500.
  9. Create a BGP export policy that allows only the local GRE IP address to be advertised to the cloud router peer IP address.
    Because cloud routers can receive only a limited number of routes, you need to create policies so that only the routing between the IP addresses for the service connection GRE tunnels is sent to the cloud router.
    If you're using a next-generation firewall as the Colo router, go to Network > Virtual Routers, Add a virtual router, go to BGP > Export, Add an export rule, Match the IP addresses used as the peer IP address, and create an Action of Allow.
  10. Create the Colo-Connect service connections.

Create Colo-Connect Service Connections

Colo-Connect uses service connections, but they differ from standard Prisma Access service connections in that they use GRE tunnels instead of IPSec tunnels and always use BGP for routing. To configure Colo-Connect service connections, complete the following steps.
  1. Make sure that Prisma Access withdraws static routes by going to Workflows > Prisma Access Setup > Service Connections > Advanced Settings, and selecting Withdraw Static Routes if Service Connection or Remote Network IPSec tunnel is down.
    Selecting this choice ensures that, if the GRE tunnel is down, the static route used by the GRE tunnel is withdrawn.
  2. Go to the Workflows > Prisma Access Setup > Colo-Connect > Connections tab and make sure that the connections are in an Active state by checking their Status.
    Until the Status of the connection is Active, you can't configure service connections.
  3. Go to Manage > Configuration > NGFW and Prisma Access and set the configuration scope to Prisma Access.
  4. Refresh the Prisma Access Sync Status so that the Colo-Connect configuration is provisioned in the service connections area.
  5. Go to Workflows > Prisma Access Setup > Service Connection > Add Service Connection, give it a unique Name, and select a Transport Type of Colo-Connect.
  6. Select two connections to use with the service connection (Connection 1 and Connection 2).
    These connections must be in two different zones.
  7. Select Active or Backup for Connection 1 and Connection 2.
    Use these guidelines when setting up service connections:
    • You can configure connections in these modes:
      • Active/Active
      • Active/Backup
      • Backup/Active
      Configuring both connections in Backup/Backup mode is invalid and not supported.
    • The bandwidth of the connections must be the same for all modes.
    • The connections must be in different zones.
    • The maximum bandwidth you can specify for a service connection is 20 Gbps. If you specify a Bandwidth of 20 Gbps for a connection, you can't use that connection in an Active/Active configuration (it must be set as Active/Backup).
    • Don't mix dedicated and partner interconnects in the same service connection, and make sure that the service connections use different zones. This table shows the allowed and disallowed configurations for service connections, assuming that zones, locations, bandwidth, and roles follow the service connection guidelines and requirements:
      Connection 1 Belongs To | Connection 2 Belongs To | Valid Colo-Connect Service Connection Configuration?
      Partner Connect 1 | Partner Connect 2 | Yes
      Dedicated Connect 1 | Dedicated Connect 2 | Yes
      Partner Connect 1 | Partner Connect 1 | No
      Dedicated Connect 1 | Dedicated Connect 1 | No
      Partner Connect | Dedicated Connect | No
  8. (Optional and for hot potato routing deployments only) Select a service connection to use as the preferred backup, which is the Backup SC, in the hot potato routing configuration.
    You can only select a service connection that has been configured as a Colo-Connect service connection. Prisma Access uses the Backup SC you select as the preferred service connection in the event of a connection failure. Selecting a backup service connection can prevent asymmetric routing issues if you have created more than two service connections.
  9. (Optional) Enable Source NAT for Mobile Users—GlobalProtect IP pool addresses, IP addresses in the Infrastructure subnet, or both.
    You can specify a subnet at one or more service connections that is used to NAT traffic between Prisma Access GlobalProtect mobile users and private applications and resources at a data center.
    • Enable Data Traffic Source NAT—Performs NAT on Mobile User IP address pool addresses so that they are not advertised to the data center, and only the subnets you specify at the service connections are advertised and routed in the data center.
    • Enable Infrastructure Traffic Source NAT—Performs NAT on addresses from the Infrastructure subnet so that they are not advertised to the data center, and only those subnets you specify at the service connections are advertised and routed in the data center.
    • IP Pool—Specify the IP address pool used to perform NAT on the mobile user IP address pool, Infrastructure subnet, or both. Use a private IP (RFC 1918) subnet or a suitable subnet that's routable in your routing domain, and does not overlap with the Mobile Users—GlobalProtect IP address pool or the Infrastructure subnet. Enter a subnet between /25 and /32.
  10. In the GRE and BGP area, configure the GRE tunnel and BGP settings for the service connection.
    BGP is always set to Enable.
    1. (Optional) Select from the following choices:
      • To add a no-export community for Corporate Access Nodes (Service Connections) to the outbound prefixes from the eBGP peers at the customer premises equipment (CPE), set Add no-export community to Enabled Out. This capability is Disabled by default.
        Don't use this capability in hot potato routing mode.
      • To reduce the number of mobile user IP subnet advertisements over BGP to your customer premises equipment (CPE), select Summarize Mobile User Routes before advertising.
        By default, Prisma Access advertises the mobile users IP address pools in blocks of /24 subnets; if you summarize them, Prisma Access advertises the pool based on the subnet you specified. For example, Prisma Access advertises a public user mobile IP pool of 10.8.0.0/20 using the /20 subnet, rather than dividing the pool into subnets of 10.8.1.0/24, 10.8.2.0/24, 10.8.3.0/24, and so on, before advertising them. Summarizing these advertisements can reduce the number of routes stored in CPE routing tables. For example, you can use IP pool summarization with cloud VPN gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) that can accept a limited number of routes.
        If you have hot potato routing enabled and you enable route summarization, Prisma Access no longer prepends AS-PATHs, which might cause asymmetric routing. Be sure that your return traffic from the data center or headquarters location has guaranteed symmetric return before you enable route summarization with hot potato routing.
      • To prevent the Prisma Access BGP peer from forwarding routes into your organization's network, select Don't Advertise Prisma Access Routes.
        By default, Prisma Access advertises all BGP routing information, including local routes and all prefixes it receives from other service connections, remote networks, and mobile user subnets. Select this check box to prevent Prisma Access from sending any BGP advertisements, but still use the BGP information it receives to learn routes from other BGP neighbors.
        Since Prisma Access does not send BGP advertisements if you select this option, you must configure static routes on the on-premises equipment to establish routes back to Prisma Access.
    2. From Strata Cloud Manager, return to Workflows > Prisma Access Setup > Service Connection and create a GRE tunnel for Connection 1 by entering a GRE Tunnel Name 1 and a Peer IP 1 for Connection 1 and, if more than 10 Gbps of bandwidth is required, entering GRE Tunnel Name 2 and Peer IP 2 for the second tunnel for Connection 1; then, create a GRE tunnel for Connection 2 by repeating these same steps.
      Each pair of GRE tunnels in a connection supports a maximum of 10 Gbps of bandwidth. If you require more than 10 Gbps of bandwidth, configure two tunnels per connection.
      For the Peer IP, enter the GRE IP address of the on-premises router in the Colo.
      Use IPv4 addresses for the BGP values; IPv6 isn't supported.
    3. Enter the Peer Address and the Local Address for BGP Peer 1 and, if a second is required for Connection 1, BGP Peer 2.
      For Peer Address, enter the BGP Peer IP address of the Colo router; for Local Address, enter the address that will be used for BGP network establishment over the GRE tunnel.
    4. (Optional) To configure a BGP secret, enter the Secret and Confirm Secret values.
  11. Commit and Push your configuration changes, making sure that Colo-Connect is selected in the Push Scope.
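The guidelines from steps 6 and 7 above, together with the link and connection bandwidth limits and the Source NAT pool limits stated earlier on this page, collected into one pre-commit checker. This is an added example, not Prisma Access or Palo Alto Networks code; the Link, Connection and ServiceConnection records and every sample name, ASN and address in it are constructed for the example.

```python
"""Sanity checks for a planned Colo-Connect deployment.

Added example, not Prisma Access or Palo Alto Networks code. It encodes the
sizing and pairing rules stated on this page (link and connection bandwidths,
the BGP ASN range, the /28 subnet minimum, the service connection role modes,
the zone and interconnect-type pairing table, and the Source NAT pool limits).
"""
import ipaddress
from dataclasses import dataclass

LINK_BANDWIDTHS = {10, 20}                 # Gbps choices for a link
CONNECTION_BANDWIDTHS = {1, 2, 5, 10, 20}  # Gbps choices for a connection
MAX_ASN = 4294967295
MAX_CONNECTIONS_PER_LINK = 16              # beyond this the page says to open an SRE case


@dataclass(frozen=True)
class Link:
    name: str
    link_type: str   # "Partner" or "Dedicated"
    bandwidth: int   # Gbps
    zone: str        # Edge Availability Domain: "Zone1" or "Zone2"


@dataclass(frozen=True)
class Connection:
    name: str
    link: Link
    bandwidth: int   # Gbps
    bgp_peer_asn: int
    location: str    # Prisma Access location; it needs a Colo-Connect subnet


@dataclass(frozen=True)
class ServiceConnection:
    name: str
    conn1: Connection
    conn2: Connection
    role1: str       # "Active" or "Backup"
    role2: str


def check_subnet(prefix: str) -> list:
    """A Colo-Connect subnet must be /28 or larger."""
    net = ipaddress.ip_network(prefix, strict=False)
    return [] if net.prefixlen <= 28 else [f"{prefix}: smaller than the /28 minimum"]


def check_link(link: Link, connections: list) -> list:
    """The connections attached to one link must fit in the link bandwidth."""
    errors = []
    if link.bandwidth not in LINK_BANDWIDTHS:
        errors.append(f"{link.name}: link bandwidth must be 10 or 20 Gbps")
    attached = [c for c in connections if c.link == link]
    total = sum(c.bandwidth for c in attached)
    if total > link.bandwidth:
        errors.append(f"{link.name}: connections total {total} Gbps on a {link.bandwidth} Gbps link")
    if len(attached) > MAX_CONNECTIONS_PER_LINK:
        errors.append(f"{link.name}: more than {MAX_CONNECTIONS_PER_LINK} connections need an SRE case")
    return errors


def check_connection(conn: Connection, subnet_locations: set) -> list:
    """Per-connection settings: bandwidth choice, ASN range, subnet for its location."""
    errors = []
    if conn.bandwidth not in CONNECTION_BANDWIDTHS:
        errors.append(f"{conn.name}: bandwidth must be 1, 2, 5, 10 or 20 Gbps")
    if not 1 <= conn.bgp_peer_asn <= MAX_ASN:
        errors.append(f"{conn.name}: BGP Peer ASN must be between 1 and {MAX_ASN}")
    if conn.location not in subnet_locations:
        errors.append(f"{conn.name}: no Colo-Connect subnet added for {conn.location}")
    return errors


def check_service_connection(sc: ServiceConnection) -> list:
    """Pairing rules for Connection 1 and Connection 2 of one service connection."""
    errors = []
    c1, c2 = sc.conn1, sc.conn2
    if c1.link.link_type != c2.link.link_type:
        errors.append(f"{sc.name}: mixes partner and dedicated interconnects")
    if c1.link == c2.link:
        errors.append(f"{sc.name}: both connections belong to the same link")
    if c1.link.zone == c2.link.zone:
        errors.append(f"{sc.name}: connections must be in different zones")
    if c1.bandwidth != c2.bandwidth:
        errors.append(f"{sc.name}: connection bandwidths differ")
    roles = (sc.role1, sc.role2)
    if roles == ("Backup", "Backup"):
        errors.append(f"{sc.name}: Backup/Backup is not supported")
    if c1.bandwidth == 20 and roles == ("Active", "Active"):
        errors.append(f"{sc.name}: 20 Gbps connections must be Active/Backup")
    return errors


def tunnels_per_connection(bandwidth: int) -> int:
    """Up to 10 Gbps needs one GRE tunnel per connection; above that, two."""
    return 1 if bandwidth <= 10 else 2


def check_nat_pool(pool: str, mobile_user_pool: str, infrastructure_subnet: str) -> list:
    """Source NAT pool: between /25 and /32, and no overlap with the pools it hides."""
    net = ipaddress.ip_network(pool, strict=False)
    errors = []
    if not 25 <= net.prefixlen <= 32:
        errors.append(f"{pool}: NAT pool must be between /25 and /32")
    for other in (mobile_user_pool, infrastructure_subnet):
        if net.overlaps(ipaddress.ip_network(other, strict=False)):
            errors.append(f"{pool}: overlaps {other}")
    return errors
```

Run the checks over every link, connection and service connection before Commit and Push; an empty list from each function means the planned configuration satisfies the rules on this page.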

Set Up Routing for the Service Connection Using GRE Tunnels

The Colo router advertises its GRE tunnel peer IP address to the cloud router, and learns the subnet for the GRE tunnel from the cloud router. When you first configured the eBGP routing over the VLAN on the customer router, you advertised local reachability for the GRE tunnels. After the cloud router and the Colo router advertise and learn the routes for the Colo subnet and the local GRE IP addresses from each other, the GRE tunnels used by the service connection become active (up).
To set up routing and add GRE tunnels to the service connections, complete the following steps.
  1. Make a note of the IP addresses you will use for the
    Peer Address
    and the
    Local Address
    for the BGP Peer 1 and, if a second is required for Connection 1, BGP Peer 2.
    The following examples use the following peer and local addresses:
    • Peer Address
      —10.10.120.0 and 10.10.130.1 for Connection 1, 10.10.120.2 and 10.10.130.2 for Connection 2
    • Local Address
      —10.10.120.2 and 10.10.130.2 for Connection 1, 10.10.121.2 and 10.10.131.2 for Connection 2
  2. Make a note of the IP addresses you will use for the
    Peer IP 1
    and, if required,
    Peer IP 2
    address in the service connections.
    You use these IP addresses to create a Deny policy that prevents the local GRE IP address to be advertised to the Colo-Connect service connection.
    All examples in this document use these IP addresses:
    • 172.120.1.1 for Connection 1
    • 172.121.1.1 for Connection 2
  3. Configure Peer groups for the peer and local IP addresses.
    If you're using a next-generation firewall as the Colo router, go to
    Network
    Virtual Routers
    ,
    Add
    a virtual router, go to
    BGP
    Peer Group
    , and enter the Peer Address as the
    Peer Address
    and the
    Local Address
    as the
    Local Address
    .
  4. Create a BGP export policy to deny the peer IP addresses you configured (172.120.1.1, 172.130.1.1, 172.121.1.1, and 172.131.1.1) and apply it to the peer groups you created.
    This export policy places a DENY rule on the local GRE tunnel peer IP addresses and allows all other routes to be advertised to the service connection.
    If you're using a next-generation firewall as the Colo router, go to
    Network
    Virtual Routers
    ,
    Add
    a virtual router, go to
    BGP
    Export
    ,
    Add
    an export rule,
    Match
    the IP addresses used as the peer IP address, and create an
    Action
    of
    Deny
    .

Increase or Decrease the Bandwidth of a Colo-Connect Service Connection

When you configure service connections, you configure bandwidth based on the connections (VLAN attachments) you associate with it. You allocate two connections per service connection, and then allocate either one or two GRE tunnels per connection.
While each Colo-Connect service connection supports a maximum of 20 Gbps, each GRE tunnel in the service connection supports 10 Gbps. For this reason, you might have to add or delete GRE tunnels in the Colo-Connect service connection when you change the total bandwidth of a link and that change causes the service connection bandwidth to go above or below 10 Gbps.

Increase the Bandwidth of a Colo-Connect Service Connection

To increase the bandwidth of an existing service connection above 10 Gbps, complete the following steps:
  1. Go to
    Workflows
    Prisma Access Setup
    Colo-Connect
    .
  2. Select the
    Link Name
    associated with the service connection.
  3. Increase the
    Bandwidth
    of the link (interconnect).
  4. Push Config
    .
  5. Go to
    Workflows
    Prisma Access Setup
    Service Connection
    .
  6. Add the extra GRE tunnel to the Colo-Connect service connection.
  7. Push Config
    .
  8. Add the GRE local (peer) IP addresses to your export policies for the VLAN eBGP routing and service connection routing for the GRE tunnels.

Decrease the Bandwidth of a Colo-Connect Service Connection

To decrease the bandwidth of an existing service connection that is currently above 10 Gbps, complete the following steps:
  1. Go to
    Workflows
    Prisma Access Setup
    Colo-Connect
    .
  2. Select the
    Link Name
    associated with the service connection.
  3. Decrease the
    Bandwidth
    of the link (interconnect).
  4. Push Config
    .
    You don't have to reconfigure the service connection to remove the extra GRE tunnel;
    Prisma Access
    detects the lowered bandwidth of the link and removes the extra tunnel when you commit and push your changes in the service connection push scope.

Delete a Colo-Connect Connection

To delete a Colo-Connect connection, follow the reverse order of configuring it by completing the following steps:
  1. Delete the service connections associated with the connection by going to
    Workflows
    Prisma Access Setup
    Service Connections
    , selecting the service connection, and
    Delete
    it.
  2. Push Config
    .
  3. Delete the Colo-Connect connections associated with the connection by going to
    Workflows
    Prisma Access Setup
    Colo-Connect
    , selecting the
    Connection Name
    in the
    Onboarding
    section, and
    Delete
    it.
  4. Delete the Colo-Connect link by selecting the
    Link Name
    and
    Delete
    it.
  5. Delete the GRE local (peer) IP addresses from your export policies for the VLAN eBGP routing and service connection routing for the GRE tunnels.

Configure
Prisma Access
Colo-Connect (
Panorama
)

Configure a Colo-Connect deployment in
Prisma Access
.

Configure
Prisma Access
Colo-Connect—Deployments Using Partner Interconnects

To configure
Prisma Access
Colo-Connect using a partner interconnect, complete these steps.
  1. Create subnets for your Colo-Connect connections.
    You use the subnets you create here in the connections and service connections that you create in later steps.
    1. Go to
      Panorama
      Cloud Services
      Configuration
      Colo-Connect
      and click the gear icon to edit the settings.
    2. Add
      a
      Colo-Connect Subnet
      and select a
      Prisma Access
      location (
      PA Location
      ) for it.
      Enter a minimum subnet of /28.
    3. (
      Optional
      ) If you plan on creating Colo-Connect instances for more than one location, Add more subnets on a per-location basis.
      You can configure one subnet per location.
    4. Select
      Create new templates and device-group for Prisma Access Colo-Connect
      .
      The first time you configure a Colo-Connect deployment, select this check box so that templates and device groups (Colo_Connect_Template and Colo_Connect_Device_Group, respectively) are created for Colo-Connect. After you create these templates and device groups, this check box is grayed out.
  2. Add a new Colo-Connect link (also known as the
    interconnect
    ).
    1. Go to
      Panorama
      Cloud Services
      Configuration
      Colo-Connect
      Colo Connect Link
      and
      Add
      a Colo-Connect link.
    2. Give the link a unique
      Link Name
      .
    3. Select a
      Partner
      interconnect.
      You do not need to enter a
      VLAN ID
      ; your Colo provides one when it uses the pairing key to complete the configuration of your VLAN attachment.
    4. Specify the remaining Colo-Connect link parameters.
      • Select either
        10Gbps
        or
        20Gbps
        for the
        Bandwidth
        .
        You cannot change the bandwidth of a dedicated interconnect link after you specify it and commit and push your changes.
      • Select either
        Zone1
        or
        Zone2
        for the
        Edge Availability Domain
        . Take this value from the GCP zone used for your edge availability domain.
      • Enter the
        Organization Name
        to use for this link.
      • Enter the
        Email
        to use for this link. Any email address is acceptable.
  3. Create the connections (also known as the
    VLAN attachments
    ) for Colo-Connect.
    1. Go to
      Panorama
      Cloud Services
      Configuration
      Colo-Connect
      Onboarding
      and
      Add
      a new connection.
    2. Configure the connection settings.
      • Enter a unique
        Name
        for the connection.
      • Select a
        Link Name
        from the links you configured in a previous step.
      • Select a
        Bandwidth
        for the connection.
        You can select between
        1 Gbps
        ,
        2 Gbps
        ,
        5 Gbps
        ,
        10 Gbps
        , or
        20 Gbps
        .
        If you configure multiple connections for an interconnect, make sure that the total bandwidth of the connections does not exceed the bandwidth of the interconnect. For example, given a partner interconnect of 10 Gbps, you can configure 10 connections of 1 Gbps each, but do not exceed 10 Gbps in total for all connections.
        If your deployment requires more than 16 connections, reach out to your Palo Alto Networks account team, who will open an SRE case to accommodate the request.
      • Enter a
        BGP Peer ASN
        .
        Enter the Autonomous System (AS) number for the customer on-premises router in the Colo. The range is between 1 and 4294967295.
      • Select the
        Location
        from the connection names you created in a previous step.
        You must have already added a subnet for any location you specify.
      • (
        Optional
        ) Enter the BGP
        MD5 Secret
        .
        Disregard the
        BGP BFD
        field; it is reserved for a future Colo-Connect release.
    3. Continue to create connections until complete.
      You must create two connections. Both connections must be in the same region, and each connection must be in a separate zone. You use these connections in service connections you create in a later step.
  4. Commit and push your changes.
    1. Go to
      Commit
      Commit and Push
      .
    2. Edit Selections
      and make sure that Colo-Connect is selected in the push scope.
    3. Click
      OK
      to save your changes to the Push Scope.
    4. Commit and Push
      your changes.
  5. Retrieve the
    Pairing Key
    and complete your partner interconnect configuration in GCP.
    You use this pairing key when you set up the partner interconnect in the Colo.
    When you first onboard a new connection, the Status in the Colo-Connect Onboarding area shows a
    Status
    of
    PENDING_PARTNER
    and a
    BGP Status
    of
    DOWN
    . To bring the connection status to
    ACTIVE
    , retrieve the Pairing Key and input it in the connection at the Colo.
    1. Go to
      Panorama
      Cloud Services
      Status
      Network Details
      Colo Connect
      and copy the
      Pairing Key
      .
    2. Create a new VLAN connection in the Colo (for example, Equinix).
    3. Paste the Pairing Key in the Colo VLAN.
      GCP detects when the pairing key is consumed, brings the VLAN status to
      ACTIVE
      , and generates the BGP IP address for you to configure on your on-premises router in the Colo. These actions initiate eBGP routing over the VLAN between the Colo router and the GCP cloud router.
  6. Create eBGP routing on the Customer (Colo) router for the Colo-Connect connection.
    You need to set up BGP peering to ensure connectivity between the customer router and the cloud router.
  7. Set up the service connections to use with Colo-Connect.
  8. Commit and Push
    your configuration changes, making sure that
    Colo-Connect
    is selected in the
    Push Scope
    .
  9. Check the status of the Colo-Connect connections.
    1. To check the status of a service connection used by a Colo-Connect connection, go to
      Panorama
      Cloud Services
      Status
      Colo Connect
      Monitor
      .
    2. Hover over a region that has a Colo-Connect connection deployed.
      • If the Colo-Connect connection and the BGP routing are both up, the Status displays
        OK
        .
      • If the Colo-Connect connection is up but BGP routing is not up, the Status displays
        Warning
        .
      • If the Colo-Connect connection and BGP routing are down, the Status displays
        Down
        .
      • If the Colo-Connect connection is down but BGP routing is up, the Status displays
        Error
        .
    3. For more information, click the region box and view the information in the
      Status
      tab.
  10. Check the network details, including the Pairing Key, of the Colo-Connect connections by going to
    Panorama
    Cloud Services
    Status
    Network Details
    Colo Connect
    and viewing the information in the following fields.

Configure
Prisma Access
Colo-Connect—Deployments Using Dedicated Interconnects

To configure
Prisma Access
Colo-Connect using a dedicated interconnect, complete these steps.
  1. Create subnets for your Colo-Connect connections.
    You use the subnets you create here in the connections and service connections that you create in later steps.
    1. From the Panorama that manages
      Prisma Access
      , go to
      Panorama
      Cloud Services
      Configuration
      Colo-Connect
      and click the gear icon to edit the settings.
    2. Add
      a
      Colo-Connect Subnet
      and select a
      Prisma Access
      location (
      PA Location
      ) for it.
      Enter a minimum subnet of /28.
    3. (
      Optional
      ) If you plan on creating Colo-Connect instances for more than one location, Add more subnets on a per-location basis.
      You can configure only one subnet per location.
    4. Select
      Create new templates and device-group for Prisma Access Colo-Connect
      .
      The first time you configure a Colo-Connect deployment, select this check box so that templates and device groups (Colo_Connect_Template and Colo_Connect_Device_Group, respectively) are created for Colo-Connect. After you create these templates and device groups, this check box is grayed out.
  2. Add a new Colo-Connect link (also known as the
    interconnect
    ).
    1. Go to
      Panorama
      Cloud Services
      Configuration
      Colo-Connect
      Colo Connect Link
      and
      Add
      a Colo-Connect link.
    2. Give the link a unique
      Link Name
      .
    3. Select a
      Dedicated
      interconnect.
    4. Specify the remaining Colo-Connect link parameters.
      • Select either
        10Gbps
        or
        20Gbps
        for the
        Bandwidth
        .
        If you select 20 Gbps, you must aggregate the Dedicated Interconnect link into two 10 Gbps links using LACP.
        You cannot change the bandwidth of a dedicated interconnect link after you specify it and commit and push your changes.
      • Select a
        Colo-Connect Location
        from the drop-down list.
        Make sure that you select the same location that you used for the dedicated interconnect.
      • Select either
        Zone1
        or
        Zone2
        for the
        Edge Availability Domain
        . Take this value from the GCP zone used for your edge availability domain.
      • Enter the
        Organization Name
        to use for this link.
      • Enter the
        Email
        where you want to receive the LOA-CFA details from the cloud provider.
  3. After the dedicated connection is created, the Colo facility tests your connections and informs you that they have been tested and are ready to use.
    No
    Prisma Access
    configuration is required for this step. Do not create the Colo-Connect connections in
    Prisma Access
    until the Colo facility lets you know that they have been tested.
  4. Create the connections (also known as the
    VLAN attachments
    ) for Colo-Connect.
    1. Make sure that the dedicated link status is Active by going to
      Panorama
      Cloud Services
      Configuration
      Colo-Connect
      Colo Connect Link
      .
      Until the Dedicated link status is Active, you cannot create Colo-Connect connections.
    2. Go to
      Panorama
      Cloud Services
      Configuration
      Colo-Connect
      Onboarding
      and
      Add
      a new connection.
    3. Configure the connection settings.
      • Enter a unique
        Name
        for the connection.
      • Select a
        Link Name
        from the links you configured in a previous step.
      • (
        Optional
        ) Enter a
        VLAN ID
        for the connection.
        VLAN IDs are generated by the interconnect vendor (GCP) if you do not manually enter a value.
      • Select a
        Bandwidth
        for the connection.
        You can select between
        1 Gbps
        ,
        2 Gbps
        ,
        5 Gbps
        ,
        10 Gbps
        , or
        20 Gbps
        .
        If you configure multiple connections for an interconnect, make sure that the total bandwidth of the connections does not exceed the bandwidth of the interconnect. For example, given a dedicated interconnect of 20 Gbps, you can configure 10 connections of 2 Gbps each, but do not exceed 20 Gbps in total for all connections.
      • Enter a
        BGP Peer ASN
        .
        Enter the Autonomous System (AS) number for the customer on-premises router in the Colo. The range is between 1 and 4294967295.
      • Select the
        Location
        from the connection names you created in a previous step.
        You must have already added a subnet for any location you specify.
      • (
        Optional
        ) Enter the BGP
        MD5 Secret
        .
    4. Continue to create connections until complete.
      You must create two connections. Both connections must be in the same region, and each connection must be in a separate zone. You use these connections in service connections you create in a later step.
  5. Commit and push your changes.
    1. Go to
      Commit
      Commit and Push
      .
    2. Edit Selections
      and make sure that Colo-Connect is selected in the push scope.
    3. Click
      OK
      to save your changes to the Push Scope.
    4. Commit and Push
      your changes.
  6. Create eBGP routing on the Customer (Colo) router for the Colo-Connect connection.
    You need to set up BGP peering to ensure connectivity between the customer router and the cloud router.
  7. Set up the service connections to use with Colo-Connect.
  8. Commit and Push
    your configuration changes, making sure that
    Colo-Connect
    is selected in the
    Push Scope
    .
  9. Check the status of the Colo-Connect connections.
    1. To check the status of a service connection used by a Colo-Connect connection, go to
      Panorama
      Cloud Services
      Status
      Colo Connect
      Monitor
      .
    2. Hover over a region that has a Colo-Connect connection deployed.
      • If the Colo-Connect connection and the BGP routing are both up, the Status displays
        OK
        .
      • If the Colo-Connect connection is up but BGP routing is not up, the Status displays
        Warning
        .
      • If the Colo-Connect connection and BGP routing are down, the Status displays
        Down
        .
      • If the Colo-Connect connection is down but BGP routing is up, the Status displays
        Error
        .
    3. For more information, click the region box and view the information in the
      Status
      tab.
  10. Check the network details of the Colo-Connect connections by going to
    Panorama
    Cloud Services
    Status
    Network Details
    Colo Connect
    and viewing the details.
    For dedicated links, the
    Pairing Key
    displays as
    N/A
    .

Configure VLAN eBGP Routing On the Customer Router

GCP creates IP addresses for the customer (Colo) router and the cloud router during these stages of your deployment:
  • For partner interconnects, GCP creates the IP addresses after the pairing key is consumed by your Colo (for example, Equinix).
  • For dedicated interconnects, GCP creates the IP addresses after you onboard your Colo-Connect connections (VLAN attachments) and commit and push your changes.
To ensure correct routing, you must:
  • Configure the Colo router IP address (the
    Colo CPE IP
    in the
    Prisma Access
    UI) as the local VLAN IP address and the local eBGP IP address
  • Configure the cloud router IP address (
    Cloud Router IP
    ) as the eBGP peer address on your Colo router.
When complete, eBGP is configured for the connection (VLAN attachment) between the Colo router and the cloud router.
Creating this routing is the first step in setting up GRE tunnel routing. You complete the GRE tunnel routing when you set up GRE tunnels during service connection configuration.
Use the following steps to configure routing between the Colo and the cloud router.
  1. From the Panorama that manages
    Prisma Access
    , create the subnets, links, and connections and
    Commit and Push
    your changes.
    Use the workflow specific to your interconnect type (either Partner or Dedicated). For Partner interconnects, be sure that you pasted the Pairing Key into the Colo VLAN.
  2. Go to
    Panorama
    Cloud Services
    Status
    Network Details
    Colo Connect
    .
  3. Make a note of the following connection elements:
    • Colo CPE IP
    • Cloud Router IP
    • Cloud Router BGP ASN
    In the following example:
    • For the vlan-central-1 connection, the
      Colo CPE IP
      is 169.254.24.170/29, the
      Cloud Router IP
      is 169.254.24.169/29, and the
      Cloud Router BGP ASN
      is 16550
    • For the vlan-central-2 connection, the
      Colo CPE IP
      is 169.254.120.74/29, the
      Cloud Router IP
      is 169.254.120.73/29, and the
      Cloud Router BGP ASN
      is 16550.
  4. Determine the IP addresses you will use for the local GRE IP addresses when you set up the Colo-Connect service connections.
    You configure these when you set up a Colo-Connect service connection (
    Panorama
    Cloud Services
    Configuration
    Service Connection
    ), in the
    Peer IP 1
    and
    Peer IP 2
    areas.
    If you are configuring a service connection to support up to 10 Gbps of throughput, put one tunnel each in
    Connection 1
    and
    Connection 2
    , for a total of two tunnels in each service connection.
    If you are configuring a service connection to support more than 10 Gbps of throughput (up to 20 Gbps), put two tunnels each in
    Connection 1
    and
    Connection 2
    , for a total of four tunnels in each service connection.
    The following examples show a service connection being configured for more than 10 Gbps of throughput, so two tunnels per connection are used, and they use the following peer IP addresses:
    • 172.120.1.1 for Connection 1
    • 172.130.1.1 for Connection 1
    • 172.121.1.1 for Connection 2
    • 172.131.1.1 for Connection 2
  5. Log in to the Colo router.
    The following configuration screenshots use a Palo Alto Networks next-generation firewall as the Colo router.
  6. Add a VLAN interface, specifying the
    Colo CPE IP
    address as the IP address.
    If you are using a next-generation firewall as the Colo router, go to
    Network
    Interfaces
    VLAN
    and
    Add
    the VLAN interface, specifying the
    Virtual Router
    name, and
  7. Configure the Colo router IP address (
    Colo CPE IP
    ) as the local eBGP IP address and configure the cloud router IP address (
    Cloud Router IP
    ) as the eBGP peer address on your Colo router.
    If you are using a next-generation firewall as the Colo router, go to
    Network
    Virtual Routers
    ,
    Add
    a virtual router, go to
    BGP
    Peer Group
    , and enter the
    Cloud Router IP
    as the
    Peer Address
    and the
    Colo CPE IP
    as the
    Local Address
    .
  8. Configure the
    Cloud Router BGP ASN
    as the eBGP peer Autonomous System Number (ASN).
    If you are using a next-generation firewall as the Colo router, go to
    Network
    Virtual Routers
    ,
    Add
    a virtual router, go to
    BGP
    Peer Group
    ,
    Add
    a peer group, and select a
    Peer AS
    of
    16550
    .
  9. Create a BGP export policy that allows only the local GRE IP address to be advertised to the cloud router peer IP address.
    Because cloud routers can receive only a limited number of routes, you need to create policies so that only the routing between the IP addresses for the service connection GRE tunnels are sent to the cloud router.
    If you are using a next-generation firewall as the Colo router, go to
    Network
    Virtual Routers
    ,
    Add
    a virtual router, go to
    BGP
    Export
    ,
    Add
    an export rule,
    Match
    the IP addresses used as the peer IP address, and create an
    Action
    of
    Allow
    .
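The two export policies on this page are mirror images of each other: toward the cloud router over the VLAN attachment (step 9 above) only the GRE tunnel endpoint addresses may be advertised, while toward the service connection over the GRE tunnels (see Set Up Routing for the Service Connection Using GRE Tunnels) exactly those addresses must be denied and everything else allowed. Getting either one backwards either floods the cloud router past its route limit or advertises the tunnel endpoints through the tunnel itself. The following Python is an added example, not Palo Alto Networks or Prisma Access code: it models both policies as first-match rule lists, applies them to a constructed routing table that uses the GRE peer addresses from this page, and reports any prefix that would reach the wrong peer. The default actions of the two policies, the `ExportRule`/`ExportPolicy` names and the data-centre prefixes 10.50.0.0/16 and 10.60.0.0/16 are assumptions made for illustration.

```python
"""BGP export-policy model for the Colo router (added example, not PAN code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ExportRule:
    name: str
    prefixes: tuple    # exact-match prefixes, as ipaddress network objects
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class ExportPolicy:
    """Ordered export rules evaluated first-match; default_action applies when none match."""
    rules: tuple
    default_action: str

    def decide(self, prefix):
        for rule in self.rules:
            if prefix in rule.prefixes:
                return rule.action
        return self.default_action

    def advertised(self, rib):
        """Prefixes from rib that this policy lets the peer receive, as sorted strings."""
        return sorted(str(p) for p in rib if self.decide(p) == "allow")


# GRE peer IP addresses used in the examples on this page (two tunnels per connection).
GRE_PEER_IPS = ("172.120.1.1", "172.130.1.1",   # Connection 1
                "172.121.1.1", "172.131.1.1")   # Connection 2
GRE_HOST_ROUTES = tuple(ipaddress.ip_network(f"{ip}/32") for ip in GRE_PEER_IPS)

# Policy toward the GCP cloud router over the VLAN attachment: allow only the GRE
# host routes. Default deny is assumed here, because the procedure says the cloud
# router must receive nothing else (it accepts only a limited number of routes).
CLOUD_ROUTER_EXPORT = ExportPolicy(
    rules=(ExportRule("allow-gre-peers", GRE_HOST_ROUTES, "allow"),),
    default_action="deny",
)

# Policy toward the Colo-Connect service connection over the GRE tunnels: deny the
# GRE host routes and allow every other route, as the routing procedure describes.
SERVICE_CONNECTION_EXPORT = ExportPolicy(
    rules=(ExportRule("deny-gre-peers", GRE_HOST_ROUTES, "deny"),),
    default_action="allow",
)

# A router with no export filtering at all, kept for comparison.
UNFILTERED_EXPORT = ExportPolicy(rules=(), default_action="allow")

# Constructed routing table for the Colo router.
SAMPLE_RIB = tuple(ipaddress.ip_network(p) for p in (
    "169.254.24.168/29",    # VLAN attachment 1 (connected; cloud router 169.254.24.169)
    "169.254.120.72/29",    # VLAN attachment 2 (connected; cloud router 169.254.120.73)
    "172.120.1.1/32", "172.130.1.1/32",   # GRE tunnel endpoints, Connection 1
    "172.121.1.1/32", "172.131.1.1/32",   # GRE tunnel endpoints, Connection 2
    "10.50.0.0/16",         # constructed: data-centre prefix behind the Colo router
    "10.60.0.0/16",         # constructed: second data-centre prefix
))


def advertisements(rib=SAMPLE_RIB, cloud_policy=CLOUD_ROUTER_EXPORT,
                   sc_policy=SERVICE_CONNECTION_EXPORT):
    """What each eBGP peer of the Colo router would receive under the given policies."""
    return {"cloud_router": cloud_policy.advertised(rib),
            "service_connection": sc_policy.advertised(rib)}


def policy_violations(rib=SAMPLE_RIB, cloud_policy=CLOUD_ROUTER_EXPORT,
                      sc_policy=SERVICE_CONNECTION_EXPORT):
    """Prefixes that would reach the wrong peer: anything but a GRE host route at the
    cloud router, or a GRE host route advertised into the service connection."""
    adv = advertisements(rib, cloud_policy, sc_policy)
    gre = {str(p) for p in GRE_HOST_ROUTES}
    problems = [f"{p} leaked to cloud router"
                for p in adv["cloud_router"] if p not in gre]
    problems += [f"{p} advertised into service connection"
                 for p in adv["service_connection"] if p in gre]
    return problems


if __name__ == "__main__":
    for peer, prefixes in advertisements().items():
        print(f"{peer}: {', '.join(prefixes)}")
    print("violations with the documented policies:", policy_violations())
    print("violations with an unfiltered cloud-router policy:",
          policy_violations(cloud_policy=UNFILTERED_EXPORT))
```

Running the module prints the per-peer advertisement sets and shows that the documented pair of policies yields no violations, while the unfiltered cloud-router policy leaks the connected VLAN subnets and both data-centre prefixes to the cloud router. To check your own design, replace `SAMPLE_RIB` with the prefixes your Colo router actually holds and `GRE_PEER_IPS` with the Peer IP values from your service connections.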

Create Colo-Connect Service Connections

Colo-Connect uses service connections, but they differ from
Prisma Access
service connections in that they use GRE tunnels instead of IPSec tunnels and always use BGP for routing. To configure Colo-Connect service connections, complete the following steps.
  1. From the Panorama that manages
    Prisma Access
    , make sure that
    Prisma Access
    withdraws static routes by going to
    Panorama
    Cloud Services
    Configuration
    Service Setup
    , clicking the gear icon to edit the
    Settings
    , and selecting
    Withdraw Static Routes if Service Connection or Remote Network IPSec tunnel is down
    .
    Selecting this choice ensures that, if a GRE tunnel is down, the static route used by the GRE tunnel is withdrawn.
  2. Go to the
    Colo-Connect
    tab and make sure that the connections are in an
    Active
    state by checking the
    Status
    field in the Onboarding area.
    Until the
    Status
    of the connection is
    Active
    , you cannot configure service connections.
  3. Go to
    Panorama
    Cloud Services
    Configuration
    Service Connection
    .
  4. Click
    Refresh
    on the top right of the Panorama UI so that the Colo-Connect configuration is provisioned in the service connections area.
  5. Add
    a service connection, give it a unique
    Name
    , and select a
    Transport Type
    of
    Colo-Connect
    .
  6. Select two connections to use with the service connections (
    Connection 1
    and
    Connection 2
    ).
    These connections must be in two different zones.
  7. Select
    Active
    or
    Backup
    for
    Connection 1
    and
    Connection 2
    .
    Use these guidelines when setting up service connections:
    • You can configure connections in these modes:
      • Active
        /
        Active
      • Active
        /
        Backup
      • Backup
        /
        Active
      Configuring both connections in
      Backup
      /
      Backup
      mode is invalid and not supported.
    • The bandwidth of the connections must be the same for all modes.
    • The connections must be in different zones.
    • The maximum bandwidth you can specify for a service connection is 20 Gbps. If you specify a
      Bandwidth
      of
      20 Gbps
      for a connection, you cannot use that connection in an
      Active
      /
      Active
      configuration (it must be set as
      Active
      /
      Backup
      ).
    • Do not mix dedicated and partner interconnects in the same service connection, and make sure that the service connections use different zones. This table shows the allowed and disallowed configurations for service connections, assuming that zones, locations, bandwidth, and roles follow the service connection guidelines and requirements:
      Connection 1 Belongs To | Connection 2 Belongs To | Valid Colo-Connect Service Connection Configuration?
      Partner Connect 1       | Partner Connect 2       | Yes
      Dedicated Connect 1     | Dedicated Connect 2     | Yes
      Partner Connect 1       | Partner Connect 1       | No
      Dedicated Connect 1     | Dedicated Connect 1     | No
      Partner Connect         | Dedicated Connect       | No
  8. (
    Optional, Hot Potato Routing Deployments Only
    ) Select a service connection to use as the preferred backup (Backup SC).
    You can only select a service connection that has been configured as Colo-Connect service connection.
    Prisma Access
    uses the Backup SC you select as the preferred service connection in the event of a connection failure. Selecting a backup service connection can prevent asymmetric routing issues if you have created more than two service connections.
  9. (
    Optional
    ) Enable Source NAT for Mobile Users—GlobalProtect IP pool addresses, IP addresses in the Infrastructure Subnet, or both.
    You can specify a subnet at one or more service connections that are used to NAT traffic between
    Prisma Access
    GlobalProtect mobile users and private applications and resources at a data center.
    • Enable Data Traffic Source NAT
      —Performs NAT on Mobile User IP address pool addresses so that they are not advertised to the data center, and only the subnets you specify at the service connections are advertised and routed in the data center.
    • Enable Infrastructure Traffic Source NAT
      —Performs NAT on addresses from the Infrastructure Subnet so that they are not advertised to the data center, and only those subnets you specify at the service connections are advertised and routed in the data center.
    • IP Pool
      —Specify the IP address pool used to perform NAT on the mobile user IP address pool, Infrastructure Subnet, or both. Use a private IP (RFC 1918) subnet or a suitable subnet that is routable in your routing domain, and does not overlap with the Mobile Users—GlobalProtect IP address pool or the Infrastructure Subnet. Enter a subnet between /25 and /32.
  10. In the
    GRE and BGP
    area, configure the GRE tunnel and BGP settings for the service connection.
    BGP is always set to
    Enable
    .
    1. (
      Optional
      ) Select from the following choices:
      • To add a
        no-export
        community for Corporate Access Nodes (Service Connections) to the outbound prefixes from the eBGP peers at the customer premises equipment (CPE), set
        Add no-export community
        to
        Enabled Out
        . This capability is
        Disabled
        by default.
        Do not use this capability in hot potato routing mode.
      • To prevent the
        Prisma Access
        BGP peer from forwarding routes into your organization’s network, select
        Don’t Advertise Prisma Access Routes
        .
        By default,
        Prisma Access
        advertises all BGP routing information, including local routes and all prefixes it receives from other service connections, remote networks, and mobile user subnets. Select this check box to prevent
        Prisma Access
        from sending any BGP advertisements, but still use the BGP information it receives to learn routes from other BGP neighbors.
        Since
        Prisma Access
        does not send BGP advertisements if you select this option, you must configure static routes on the on-premises equipment to establish routes back to
        Prisma Access
        .
      • To reduce the number of mobile user IP subnet advertisements over BGP to your customer premises equipment (CPE), select
        Summarize Mobile User Routes before advertising
        .
        By default,
        Prisma Access
        advertises the mobile users IP address pools in blocks of /24 subnets; if you summarize them, Prisma Access advertises the pool based on the subnet you specified. For example,
        Prisma Access
        advertises a public user mobile IP pool of 10.8.0.0/20 using the /20 subnet, rather than dividing the pool into subnets of 10.8.1.0/24, 10.8.2.0/24, 10.8.3.0/24, and so on before advertising them. Summarizing these advertisements can reduce the number of routes stored in CPE routing tables. For example, you can use IP pool summarization with cloud VPN gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) that can accept a limited number of routes.
        If you have hot potato routing enabled and you enable route summarization,
        Prisma Access
        no longer prepends AS-PATHs, which might cause asymmetric routing. Be sure that your return traffic from the data center or headquarters location has guaranteed symmetric return before you enable route summarization with hot potato routing.
    2. From the Panorama that manages
      Prisma Access
      , return to
      Panorama
      Cloud Service
      Configuration
      Service Connection
      and create a GRE tunnel for
      Connection 1
      by entering a
      GRE Tunnel Name 1
      and a
      Peer IP 1
      for
      Connection 1
      and, if more than 10 Gbps of bandwidth is required, entering
      GRE Tunnel Name 2
      and
      Peer IP 2
      for the second tunnel for Connection 1; then, create a GRE tunnel for
      Connection 2
      by repeating these same steps.
      Each pair of GRE tunnels in a connection supports a maximum of 10 Gbps of bandwidth. If you require more than 10 Gbps of bandwidth, configure two tunnels per connection. For example:
      For the Peer IP, enter the GRE IP address of the on-premises router in the Colo.
      Use IPv4 addresses for the BGP values; IPv6 is not supported.
    3. Enter the Peer Address and the Local Address for BGP Peer 1 and, if a second tunnel was required for Connection 1, for BGP Peer 2.
      For Peer Address, enter the BGP peer IP address of the Colo router; for Local Address, enter the address that Prisma Access uses to establish the BGP session over the GRE tunnel.
    4. (Optional) To configure a BGP secret, enter the Secret and Confirm Secret values.
      The secret authenticates the BGP session over the GRE tunnel; configure the same secret on the matching BGP peer of the Colo router, or the session will not establish.
  11. Commit and Push your configuration changes, making sure that Colo-Connect is selected in the Push Scope.

Set Up Routing for the Service Connection Using GRE Tunnels

The Colo router advertises its GRE tunnel peer IP address to the cloud router, and learns the subnet for the GRE tunnel from the cloud router. When you first configured the eBGP routing over the VLAN on the customer router, you advertised local reachability for the GRE tunnels. After the cloud router and the Colo router advertise and learn the routes for the Colo subnet and the local GRE IP addresses from each other, the GRE tunnels used by the service connection become active (up).
To set up routing and add GRE tunnels to the service connections, complete the following steps.
  1. Make a note of the IP addresses you will use for the Peer Address and the Local Address for BGP Peer 1 and, if a second tunnel was required for Connection 1, BGP Peer 2.
    The following examples use these peer and local addresses:
    • Peer Address—10.10.120.0 and 10.10.130.1 for Connection 1, 10.10.120.2 and 10.10.130.2 for Connection 2
    • Local Address—10.10.120.2 and 10.10.130.2 for Connection 1, 10.10.121.2 and 10.10.131.2 for Connection 2
  2. Make a note of the IP addresses you will use for the Peer IP 1 and, if required, Peer IP 2 address in the service connections.
    You use these IP addresses to create a Deny policy that prevents the local GRE IP addresses from being advertised to the Colo-Connect service connection.
    All examples in this document use these IP addresses:
    • 172.120.1.1 for Connection 1
    • 172.130.1.1 for Connection 1
    • 172.121.1.1 for Connection 2
    • 172.131.1.1 for Connection 2
  3. Configure peer groups for the peer and local IP addresses.
    If you are using a next-generation firewall as the Colo router, go to Network > Virtual Routers, Add a virtual router, go to BGP > Peer Group, and enter the peer address you noted as the Peer Address and the local address you noted as the Local Address.
  4. Create a BGP export policy that denies the peer IP addresses you configured (172.120.1.1, 172.130.1.1, 172.121.1.1, and 172.131.1.1) and apply it to the peer groups you created.
    This export policy places a Deny rule on the local GRE tunnel peer IP addresses and allows all other routes to be advertised to the service connection.
    If you are using a next-generation firewall as the Colo router, go to Network > Virtual Routers, Add a virtual router, go to BGP > Export, Add an export rule, Match the IP addresses used as the peer IP addresses, and set the Action to Deny.
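The following Python model shows what this export policy must achieve and a check worth running before trusting it. It is an added example, not PAN-OS or Prisma Access code, and it talks to no device: the sample RIB, the GRE endpoint addresses (taken from this document's examples) and the rule semantics (a route matches a rule when it is the rule prefix or a more-specific prefix inside it, first match wins) are constructed assumptions. The reason the Deny rules matter is that the GRE tunnel endpoints must stay reachable through the interconnect underlay; if a route covering a tunnel endpoint is learned through the tunnel itself, the tunnel destination can resolve via the tunnel (recursive routing) and the tunnel fails. The check therefore flags not only the endpoint host routes but any broader exported prefix that still contains an endpoint, which a /32 Deny rule alone does not catch, and widens the Deny list until nothing exported covers an endpoint.

```python
"""Model of the Colo router's BGP export policy toward the Colo-Connect
service connection, with a leak check for the GRE tunnel endpoints.

Added example: not PAN-OS or Prisma Access code. The RIB, the rule
semantics and the GRE endpoint addresses below are constructed sample data.
"""
import ipaddress

# Constructed sample data: the Peer IP values used in this document's examples.
GRE_PEER_IPS = ("172.120.1.1", "172.130.1.1", "172.121.1.1", "172.131.1.1")

# Constructed sample of prefixes the Colo router holds and would otherwise
# export over the GRE tunnels toward the Colo-Connect service connection.
SAMPLE_RIB = (
    "10.200.0.0/16",    # data-center prefix behind the Colo router
    "192.168.50.0/24",  # branch prefix reached via the Colo router
    "172.120.1.1/32",   # GRE endpoint host route, Connection 1
    "172.130.1.1/32",   # GRE endpoint host route, Connection 1
    "172.121.1.0/24",   # subnet that contains the Connection 2 endpoint
)


def build_export_policy(deny_prefixes):
    """Ordered export rules: one Deny per prefix, then a Permit-any.

    Each rule is (prefix, action). A route matches a rule when it is the
    rule prefix or a more-specific prefix inside it (assumed semantics of
    a non-exact prefix match); the first matching rule decides.
    """
    rules = [(ipaddress.ip_network(p), "deny") for p in deny_prefixes]
    rules.append((ipaddress.ip_network("0.0.0.0/0"), "permit"))
    return rules


def apply_export_policy(rib, rules):
    """Return the prefixes (as strings, in RIB order) that the policy exports."""
    exported = []
    for prefix in map(ipaddress.ip_network, rib):
        for rule_prefix, action in rules:
            if prefix.subnet_of(rule_prefix):
                if action == "permit":
                    exported.append(str(prefix))
                break  # first match wins
    return exported


def endpoint_leaks(exported, peer_ips):
    """Return exported prefixes that still contain a GRE tunnel endpoint.

    A /32 Deny stops the host route, but a broader subnet containing the
    endpoint would still be exported; learned over the tunnel, it lets the
    tunnel destination resolve via the tunnel itself (recursive routing).
    """
    endpoints = [ipaddress.ip_address(ip) for ip in peer_ips]
    return [p for p in exported
            if any(ep in ipaddress.ip_network(p) for ep in endpoints)]


def safe_export(rib, peer_ips):
    """Start from /32 Deny rules and widen them until nothing exported
    contains a tunnel endpoint. Returns (exported_prefixes, deny_prefixes)."""
    denies = [f"{ip}/32" for ip in peer_ips]
    while True:
        exported = apply_export_policy(rib, build_export_policy(denies))
        leaks = endpoint_leaks(exported, peer_ips)
        if not leaks:
            return exported, denies
        denies.extend(leaks)  # add the covering prefixes as extra Deny rules


if __name__ == "__main__":
    host_only = build_export_policy(f"{ip}/32" for ip in GRE_PEER_IPS)
    first_pass = apply_export_policy(SAMPLE_RIB, host_only)
    print("exported with /32 denies only:", first_pass)
    print("prefixes still covering an endpoint:",
          endpoint_leaks(first_pass, GRE_PEER_IPS))
    exported, denies = safe_export(SAMPLE_RIB, GRE_PEER_IPS)
    print("exported after widening denies:", exported)
    print("deny rules needed:", denies)
```

With the sample RIB, the /32 Deny rules alone still export 172.121.1.0/24, which contains the Connection 2 endpoint; the widened policy adds that /24 as a Deny as well. The equivalent check on a real Colo router is to compare the prefixes actually advertised to the service-connection BGP peer against the four tunnel endpoint addresses; on a PAN-OS Colo router the BGP RIB Out view in the virtual router's runtime statistics shows what is advertised per peer.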

Increase or Decrease the Bandwidth of a Colo-Connect Service Connection

When you configure service connections, you configure bandwidth based on the connections (VLAN attachments) you associate with them. You allocate two connections per service connection, and then allocate either one or two GRE tunnels per connection.
While each Colo-Connect service connection supports a maximum of 20 Gbps, each GRE tunnel in the service connection supports 10 Gbps. For this reason, you might have to add or delete GRE tunnels in a Colo-Connect service connection when you change the total bandwidth of a link and the change takes the service connection bandwidth above or below 10 Gbps.

Increase the Bandwidth of a Colo-Connect Service Connection

To increase the bandwidth of an existing service connection above 10 Gbps, complete the following steps:
  1. Go to Panorama > Cloud Services > Configuration > Colo-Connect.
  2. Go to Panorama > Cloud Services > Configuration > Service Connection and click Refresh at the top right of the Panorama UI so that the Colo-Connect configuration is provisioned in the service connections area.
  3. Select the Link Name associated with the service connection.
  4. Increase the Bandwidth of the link (interconnect).
  5. Commit and Push your changes, selecting only Colo-Connect in the Push Scope.
  6. Go to Panorama > Cloud Services > Configuration > Service Connection > <service-connection-name> > Onboarding.
  7. Add the extra GRE tunnel to the Colo-Connect service connection.
  8. Commit and Push your changes, selecting Service Connections in the Push Scope.
  9. Add the new tunnel's GRE local (peer) IP address to the Deny rules of your export policies for the VLAN eBGP routing and for the service connection routing over the GRE tunnels.

Decrease the Bandwidth of a Colo-Connect Service Connection

To decrease the bandwidth of an existing service connection from above 10 Gbps to 10 Gbps or less, complete the following steps:
  1. Go to Panorama > Cloud Services > Configuration > Colo-Connect.
  2. Go to Panorama > Cloud Services > Configuration > Service Connection and click Refresh at the top right of the Panorama UI so that the Colo-Connect configuration is provisioned in the service connections area.
  3. Select the Link Name associated with the service connection.
  4. Decrease the Bandwidth of the link (interconnect).
  5. Commit and Push your changes, selecting only Colo-Connect in the Push Scope.
  6. Commit and Push your changes, selecting Service Connections in the Push Scope.
    You do not have to reconfigure the service connection to remove the extra GRE tunnel; Prisma Access detects the lowered bandwidth of the link and removes the extra tunnel when you commit and push your changes in the Service Connections push scope.

Delete a Colo-Connect Connection

To delete a Colo-Connect connection, follow the reverse order of configuring it by completing the following steps:
  1. Delete the service connections associated with the connection by going to Panorama > Cloud Services > Configuration > Service Connection, selecting the service connection, and clicking Delete.
  2. Commit and Push your changes, selecting Service Connections in the Push Scope.
  3. Delete the Colo-Connect connections (VLAN attachments) by going to Panorama > Cloud Services > Configuration > Colo-Connect, selecting the Connection Name in the Onboarding section, and clicking Delete.
  4. Delete the Colo-Connect link by selecting the Link Name and clicking Delete.
  5. Remove the GRE local (peer) IP addresses from your export policies for the VLAN eBGP routing and for the service connection routing over the GRE tunnels.
