Prisma Access
Cloud Management
To onboard a remote network site to Prisma Access, specify the location and define the amount of bandwidth to allocate to the connection. Here's how to add a new remote network site to Prisma Access.
- Launch Prisma Access (Managed by Strata Cloud Manager).
- Make sure that you have allocated bandwidth to the location where you'll deploy the remote network. See Planning Checklist for Remote Networks.
- Go to Manage > Service Setup > Remote Networks > Add Remote Networks. If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Remote Networks > Add Remote Networks.
- Give the remote network a descriptive Site Name.
- Select the Region in which the site is located, and the closest Prisma Access Location.
- (Only if you're planning to use BGP for dynamic routing) Enable ECMP Load Balancing so that the remote network site can use up to four IPSec tunnels. BGP is required for ECMP load balancing; QoS and static routes are not supported. When you enable ECMP, remote network traffic is load balanced over the tunnels you configure.
- Configure Advanced Settings.
  - (Optional) Use Static Entries to resolve FQDNs to specific IP addresses. This functionality can be useful if you have guest internet services at your organization and you want your guests to safely use search engines, preventing them from searching for potentially inappropriate or offensive material that could be against company policy. To do so, enter a unique Name for the static entry rule, an FQDN, and the IP Address to which the FQDN request should be directed.
  - If you want Prisma Access to proxy DNS requests, configure values for UDP Queries Retries (the Interval (Sec) at which to retry the query, in seconds, and the number of retry Attempts to perform).
- Connect a Remote Network Site to Prisma Access, where you'll create an IPSec VPN tunnel to connect the remote network site to Prisma Access.
- Configure static routing.
  - For static routes to route traffic to and from your HQ or data center, Add the IP subnets or IP addresses that you want to secure at the branch. If you make any changes to the IP subnets on your HQ or data center network, you must manually update the static routes.
- Configure dynamic routing.
  - For dynamic routing to advertise HQ or data center subnets, Enable BGP for Dynamic Routing.
  - (Optional) Select an MRAI Timer value. BGP offers a timer you can use to tailor BGP routing convergence in your network, called the Minimum Route Advertisement Interval (MRAI). MRAI rate-limits updates on a per-destination basis: BGP routers wait for at least the configured MRAI time before sending another advertisement for the same prefix. A smaller value gives you faster convergence but creates more advertisements in your network. A larger value decreases the number of advertisements that can be sent, but can also make routing convergence slower. Choose the value that gives your network the best balance between faster routing convergence and fewer advertisements. The MRAI range is 1 to 600 seconds, with a default value of 30 seconds.
  - To reduce the number of mobile user IP subnet advertisements over BGP to your customer premises equipment (CPE), have Prisma Access summarize the subnets before it advertises them by selecting Summarize Mobile User Routes before advertising. By default, Prisma Access advertises the mobile user IP address pools in blocks of /24 subnets; if you summarize them, Prisma Access advertises the pool based on the subnet you specified. For example, Prisma Access advertises a mobile user IP pool of 10.8.0.0/20 using the /20 subnet, rather than dividing the pool into subnets of 10.8.1.0/24, 10.8.2.0/24, 10.8.3.0/24, and so on, before advertising them. Summarizing these advertisements can reduce the number of routes stored in CPE routing tables. For example, you can use IP pool summarization with cloud VPN gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) that accept only a limited number of routes.
  - (Optional) To have Prisma Access originate a default route advertisement for the remote network using eBGP, select Advertise Default Route. Be sure that your network does not have another default route being advertised by BGP, or you could introduce routing issues in your network.
  - (Optional) If you configured a secondary WAN and you need to change the peer address for the secondary (backup) BGP peer, select Use different BGP Peer for Secondary Tunnel and enter a unique Peer and, optionally, Local IP address for the secondary WAN.
  - (Optional) Select Do Not Export Routes to prevent Prisma Access from forwarding routes into the HQ or data center. By default, Prisma Access advertises all BGP routing information, including local routes and all prefixes it receives from other service connections, remote networks, and mobile user subnets. Select this check box to prevent Prisma Access from sending any BGP advertisements while still using the BGP information it receives to learn routes from other BGP neighbors. Because Prisma Access then sends no BGP advertisements, if you select this option you must configure static routes on your on-premises equipment to establish routes back to Prisma Access.
  - Enter the Peer IP Address assigned as the Router ID of the eBGP router on the HQ or data center network.
  - Enter the Peer AS, the autonomous system (AS) number for your network. Use an RFC 6996-compliant BGP private AS number.
  - Enter the Local IP Address that Prisma Access uses as its local IP address for BGP. A local address is only required if your HQ or data center device requires it for BGP peering to succeed. Make sure the address you specify does not conflict or overlap with IP addresses in the infrastructure subnet or subnets in the remote network.
  - Enter a Secret password to authenticate BGP peer communications.
  - Select Confirm Secret.
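The dynamic-routing steps above carry several constraints that are easy to get wrong in the form (a non-private Peer AS, an MRAI outside 1-600 seconds, a Local IP that overlaps the infrastructure or branch subnets, a second BGP default route). The script below is an added pre-onboarding check, not Palo Alto code; the site dictionary, its field names, and the subnet values are constructed for illustration, and it also shows which prefixes a 10.8.0.0/20 mobile user pool produces with and without summarization.

```python
import ipaddress

# RFC 6996 private ASN ranges (inclusive): 16-bit and 32-bit
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
MRAI_MIN, MRAI_MAX = 1, 600  # seconds, the range given for the MRAI Timer


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def mrai_in_range(seconds: int) -> bool:
    return MRAI_MIN <= seconds <= MRAI_MAX


def local_ip_overlaps(local_ip: str, subnets) -> list:
    """Return every subnet the BGP Local IP falls inside; empty is correct."""
    ip = ipaddress.ip_address(local_ip)
    return [s for s in subnets if ip in ipaddress.ip_network(s, strict=False)]


def mobile_user_routes(pool: str, summarize: bool) -> list:
    """Prefixes advertised for a mobile user pool: /24 blocks by default,
    or the pool itself when 'Summarize Mobile User Routes' is selected."""
    net = ipaddress.ip_network(pool)
    if summarize or net.prefixlen >= 24:
        return [str(net)]
    return [str(s) for s in net.subnets(new_prefix=24)]


def validate_site(site: dict) -> list:
    """Collect human-readable problems with a remote network site definition."""
    problems = []
    if not is_private_asn(site["peer_as"]):
        problems.append(f"Peer AS {site['peer_as']} is not an RFC 6996 private ASN")
    if not mrai_in_range(site["mrai_seconds"]):
        problems.append(f"MRAI {site['mrai_seconds']}s is outside 1-600 seconds")
    if site.get("local_ip"):
        nets = [site["infrastructure_subnet"]] + site["branch_subnets"]
        for s in local_ip_overlaps(site["local_ip"], nets):
            problems.append(f"Local IP {site['local_ip']} overlaps {s}")
    if site["advertise_default_route"] and site["cpe_has_other_default_route"]:
        problems.append("Advertise Default Route set while CPE already gets a BGP default route")
    return problems


# Constructed sample site (hypothetical values, not from any real deployment)
SAMPLE_SITE = {
    "site_name": "branch-example", "peer_as": 65001, "mrai_seconds": 30,
    "local_ip": "172.16.1.5", "infrastructure_subnet": "172.16.0.0/16",
    "branch_subnets": ["10.1.0.0/24", "10.1.1.0/24"],
    "advertise_default_route": True, "cpe_has_other_default_route": False,
}
```

Running `validate_site(SAMPLE_SITE)` flags only the Local IP, because 172.16.1.5 sits inside the constructed infrastructure subnet.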