Prisma Access
Onboard Multiple Remote Networks
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
5.2 Preferred and Innovation
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
-
- Allocate Licenses for Prisma Access (Managed by Strata Cloud Manager)
- Plan Service Connections for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Add Additional Locations for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Enable Available Add-ons for Prisma Access (Managed by Strata Cloud Manager)
- Enable Dynamic Privilege Access for Prisma Access (Managed by Strata Cloud Manager)
- Search for Subscription Details
- Share a License for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Increase Subscription Allocation Quantity
-
- Activate a License for Prisma Access (Managed by Strata Cloud Manager) and Prisma SD-WAN Bundle
-
- Onboard Prisma Access
-
4.0 & Later
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
- Prisma Access China
-
- Set Up Prisma Access
- Configure the Prisma Access Service Infrastructure
- Remote Networks: IPSec Termination Nodes and Service IP Addresses
- Remote Networks: IP Address Changes Related To Bandwidth Allocation
- Remote Networks: Service IP Address and Egress IP Address Allocation
- API Examples for Retrieving Prisma Access IP Addresses
- Get Notifications When Prisma Access IP Addresses Change
- Prisma Access Zones
- DNS for Prisma Access
- High Availability for Prisma Access
-
- Enable ZTNA Connector
- Delete Connector IP Blocks
- Set Up Auto Discovery of Applications Using Cloud Identity Engine
- Private Application Target Discovery
- Security Policy for Apps Enabled with ZTNA Connector
- Monitor ZTNA Connector
- View ZTNA Connector Logs
- Preserve User-ID Mapping for ZTNA Connector Connections with Source NAT
-
- Enable Dynamic Privilege Access for Prisma Access Through Common Services
- Authorize User Group Mapping in Cloud Identity Engine for Dynamic Privilege Access
- Enable the Access Agent
- Set Up the Agent Infrastructure for Dynamic Privilege Access
- Create a Snippet
- Create a Project
- Traffic Steering for Dynamic Privilege Access
- Push the Prisma Access Agent Configuration
- Download the Dynamic Privilege Access Enabled Prisma Access Agent Package
-
- Install the Prisma Access Agent
- Log in to the Dynamic Privilege Access Enabled Prisma Access Agent
- Change Preferences for the Dynamic Privilege Access Enabled Prisma Access Agent
- Connect the Dynamic Privilege Access Enabled Prisma Access Agent to a Different Location
- Switch to a Different Project
- Connect the Dynamic Privilege Access Enabled Prisma Access Agent to a Different Server
- Disable the Dynamic Privilege Access Enabled Prisma Access Agent
- Switch Between the Prisma Access Agent and GlobalProtect App
- View and Monitor Dynamic Privilege Access Users
- View and Monitor Dynamic Privilege Access Projects
- App Acceleration in Prisma Access
-
-
- Planning Checklist for GlobalProtect on Prisma Access
- Set Up GlobalProtect Mobile Users
- GlobalProtect — Customize Tunnel Settings
- GlobalProtect — Customize App Settings
- Ticket Request to Disable GlobalProtect
- GlobalProtect Pre-Logon
- GlobalProtect — Clientless VPN
- Monitor GlobalProtect Mobile Users
- How the GlobalProtect App Selects Prisma Access Locations for Mobile Users
- Allow Listing GlobalProtect Mobile Users
-
- Explicit Proxy Configuration Guidelines
- GlobalProtect in Proxy Mode
- GlobalProtect in Tunnel and Proxy Mode
- Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic
- SAML Authentication for Explicit Proxy
- Set Up Explicit Proxy
- Cloud Identity Engine Authentication for Explicit Proxy Deployments
- Proxy Mode on Remote Networks
- How Explicit Proxy Identifies Users
- Explicit Proxy Forwarding Profiles
- PAC File Guidelines
- Explicit Proxy Best Practices
- Monitor and Troubleshoot Explicit Proxy
- Block Settings for Explicit Proxy
- Use Special Objects to Restrict Explicit Proxy Internet Traffic to Specific IP Addresses
- Access Your Data Center Using Explicit Proxy
- App-Based Office 365 Integration with Explicit Proxy
- Configure Proxy Chaining with Blue Coat Proxy
- IP Address Optimization for Explicit Proxy Users- Proxy Deployments
- DNS Resolution for Mobile Users—Explicit Proxy Deployments
- View User to IP Address or User Groups Mappings
- Report Mobile User Site Access Issues
- Enable Mobile Users to Access Corporate Resources
-
-
- Planning Checklist for Remote Networks
- Allocate Remote Network Bandwidth
- Onboard a Remote Network
- Connect a Remote Network Site to Prisma Access
- Enable Routing for Your Remote Network
- Onboard Multiple Remote Networks
- Configure Remote Network and Service Connection Connected with a WAN Link
- Remote Networks—High Performance
- Integrate a Shared Desktop VDI with Prisma Access Using Terminal Server
-
- Multitenancy Configuration Overview
- Plan Your Multitenant Deployment
- Create an All-New Multitenant Deployment
- Enable Multitenancy and Migrate the First Tenant
- Add Tenants to Prisma Access
- Delete a Tenant
- Create a Tenant-Level Administrative User
- Sort Logs by Device Group ID in a Multitenant Deployment
-
- Add a New Compute Location for a Deployed Prisma Access Location
- How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections
- Proxy Support for Prisma Access and Strata Logging Service
- Block Incoming Connections from Specific Countries
- Prisma Access for No Default Route Networks
-
-
- Default Routes With Prisma Access Traffic Steering
- Traffic Steering in Prisma Access
- Traffic Steering Requirements
- Default Routes with Traffic Steering Example
- Default Routes with Traffic Steering Direct to Internet Example
- Default Routes with Traffic Steering and Dedicated Service Connection Example
- Prisma Access Traffic Steering Rule Guidelines
- Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections
- Configure Traffic Steering in Prisma Access
- Preserve User-ID and Device-ID Mapping for Service Connections with Source NAT
-
- Prisma Access Internal Gateway
-
- Configure Privileged Remote Access Settings
- Set Up the Privileged Remote Access Portal
- Configure Applications for Privileged Remote Access
- Set Up Privileged Remote Access Profiles
- Define Permissions for Accessing Privileged Remote Access Apps
- Configure Split Tunneling for Privileged Remote Access Traffic
- Manage Privileged Remote Access Connections
- Use Privileged Remote Access
-
- Integrate Prisma Access With Other Palo Alto Networks Apps
- Integrate Third-Party Enterprise Browser with Explicit Proxy
-
-
- Connect your Mobile Users in Mainland China to Prisma Access Overview
- Configure Prisma Access for Mobile Users in China
- Configure Real-Name Registration and Create the VPCs in Alibaba Cloud
- Attach the CEN and Specify the Bandwidth
- Create Linux Instances in the Alibaba Cloud VPCs
- Configure the Router Instances
- Onboard the GlobalProtect Gateway and Configure the Prisma Access Portal
-
-
-
- INC_CIE_AGENT_DISCONNECT
- INC_CIE_DIRECTORY_DISCONNECT
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_MU_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_MU_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_DNS_SERVER_UNREACHABLE_ PER_PA_LOCATION
- INC_RN_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_DNS_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_ECMP_TUNNEL_RTT_EXCEEDED_ BASELINE
- INC_RN_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SECONDARY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SITE_CAPACITY_PREDICTION
- INC_SC_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SITE_CAPACITY_PREDICTION
-
- INC_CERTIFICATE_EXPIRY
- INC_GP_CLIENT_VERSION_UNSUPPORTED
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_CAPACITY
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_THRESHOLD
- INC_PA_INFRA_DEGRADATION
- INC_PA_SERVICE_DEGRADATION_PA_LOCATION
- INC_PA_SERVICE_DEGRADATION_RN_ SITE_CONNECTIVITY
- INC_PA_SERVICE_DEGRADATION_SC_ CONNECTIVITY
- INC_RN_ECMP_BGP_DOWN
- INC_RN_ECMP_BGP_FLAP
- INC_RN_ECMP_PROXY_TUNNEL_DOWN
- INC_RN_ECMP_PROXY_TUNNEL_FLAP
- INC_RN_ECMP_TUNNEL_DOWN
- INC_RN_ECMP_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_BGP_FLAP
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_BGP_DOWN
- INC_RN_SECONDARY_WAN_BGP_FLAP
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_FLAP
- INC_RN_SITE_DOWN
- INC_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_RN_SPN_LONG_DURATION_CAPACITY_EXCEEDED _THRESHOLD
- INC_RN_SPN_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_SC_PRIMARY_WAN_BGP_DOWN
- INC_SC_PRIMARY_WAN_BGP_FLAP
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_PRIMARY_WAN_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_BGP_DOWN
- INC_SC_SECONDARY_WAN_BGP_FLAP
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_TUNNEL_FLAP
- INC_SC_SITE_DOWN
- INC_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_SC_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- INC_ZTNA_CONNECTOR_CPU_HIGH
- INC_ZTNA_CONNECTOR_MEMORY_HIGH
- INC_ZTNA_CONNECTOR_TUNNEL_DOWN
-
- AL_CIE_AGENT_DISCONNECT
- AL_CIE_DIRECTORY_DISCONNECT
- AL_MU_IP_POOL_CAPACITY
- AL_MU_IP_POOL_USAGE
- AL_RN_ECMP_BGP_DOWN
- AL_RN_ECMP_BGP_FLAP
- AL_RN_PRIMARY_WAN_BGP_DOWN
- AL_RN_PRIMARY_WAN_BGP_FLAP
- AL_RN_PRIMARY_WAN_TUNNEL_DOWN
- AL_RN_PRIMARY_WAN_TUNNEL_FLAP
- AL_RN_SECONDARY_WAN_BGP_DOWN
- AL_RN_SECONDARY_WAN_BGP_FLAP
- AL_RN_SECONDARY_WAN_TUNNEL_DOWN
- AL_RN_SECONDARY_WAN_TUNNEL_FLAP
- AL_RN_SITE_DOWN
- AL_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- AL_RN_SPN_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_PRIMARY_WAN_BGP_DOWN
- AL_SC_PRIMARY_WAN_BGP_FLAP
- AL_SC_PRIMARY_WAN_TUNNEL_DOWN
- AL_SC_PRIMARY_WAN_TUNNEL_FLAP
- AL_SC_SECONDARY_WAN_BGP_DOWN
- AL_SC_SECONDARY_WAN_BGP_FLAP
- AL_SC_SECONDARY_WAN_TUNNEL_DOWN
- AL_SC_SECONDARY_WAN_TUNNEL_FLAP
- AL_SC_SITE_DOWN
- AL_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_SITE_LONG_DURATION_EXCEEDED_CAPACITY
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- AL_ZTNA_CONNECTOR_CPU_HIGH
- AL_ZTNA_CONNECTOR_MEMORY_HIGH
- AL_ZTNA_CONNECTOR_TUNNEL_DOWN
- New Features in Incidents and Alerts
- Known Issues
Onboard Multiple Remote Networks
Use the bulk import capability to speed up the process of onboarding remote
networks.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
To streamline the process to onboard and configure remote networks, you have the
option to onboard at least one remote network and then export those settings to a
Comma Separated Value (CSV) text file. The CSV file includes the values of IPSec
tunnel and IKE gateway settings for the network you selected for export, and you can
then edit these settings and make them unique for each new network you may want to
onboard. You can modify the CSV file to include 100 new remote networks and then
import the CSV file back to speed up the process of onboarding new remote network
locations.
The CSV file does not include keys or passwords, such as the BGP shared secret, the
IKE preshared key, Proxy ID, IKE crypto profile, IPSec crypto profile.
Therefore, any keys and passwords required for the IPSec tunnel and IKE gateway
settings are inherited from the network you select when you initiate the CSV file
import.
When using this bulk import process, you must wait for Prisma Access to deploy the
infrastructure for securing these locations.
- Select PanoramaCloud ServicesConfigurationRemote Networks (in the Onboarding section).
- Select a location, then Export the configuration of a remote network that you have previously onboarded.If you have not yet added any locations, you need to Add a location, then download its configuration. You must select a remote network and click Export. A CSV file that includes the settings is downloaded to your computer.
- (Deployments that allocate bandwidth by compute location only) Make sure that you have allocated bandwidth for the locations to onboard.Each location you onboard has a corresponding compute location for which bandwidth is allocated.
- Select PanoramaCloud ServicesConfigurationRemote Networks and click the gear in the Bandwidth Allocation area.
- Check the Bandwidth Allocation field in the table that displays.The table in this area shows the compute location-to-Prisma Access location mapping. You must have bandwidth allocated for the compute locations that are associated with the locations you want to onboard. For example, to onboard the Japan Central location, make sure that you have allocated bandwidth in the Asia Northeast compute location.
- If you have not yet allocated bandwidth for the compute locations that are associated with the locations you want to onboard, add it now.
- (Deployments that allocate bandwidth by compute location only) Find the IPSec Termination Node associated with the location or locations you want to onboard.You assign an IPSec Termination Node to the remote network during onboarding, and you enter this value in the spn-name column of the CSV file. Each IPSec termination node can provide up to 1,000 Mbps of bandwidth.To find the IPSec Termination Node, perform one of the following actions:
- Select PanoramaCloud ServicesConfigurationRemote Networks, Add a remote network and select the location you want to onboard, and make a note of the IPSec Termination Node choices in the onboarding area.
- Open a command-line interface (CLI) session with the Panorama that manages Prisma Access and enter the show plugins cloud_services remote-networks agg-bandwidth region compute-location-name, where compute-location-name is the compute location that is associated with the location you want to onboard. The IPSec Termination Node displays in the spn-name-list field.
- Modify the CSV file to add configuration for remote networks.SeeFields in Remote Networks Tablefor a description of the fields and the possible values in this file.You must rename the network(s) listed in the exported file. If the file has duplicate names the import will fail.
- Import the CSV file.The configuration from the file are displayed on screen. The remote network you selected to import the file will serve as a model configuration, and the remote networks listed in the file will inherit the keys and any missing values that do not have to be unique from there.
- Commit and push your changes.
- CommitCommit and Push your changes.
- Click OK and Push.
Fields in Remote Networks Table
The following table provides a description of the fields in the remote networks
table. Fields marked as Y in the Required row are required fields
and fields marked as N are optional.
Field | Description | Required?(Y/N) |
---|---|---|
name | The name of the remote network. | Y |
bandwidth |
(Deployments that allocate bandwidth by location
only) The allocated bandwidth of the remote
network. Acceptable values are:
The 1000 Mbps bandwidth option is in preview mode. The
throughput during preview is delivered on a best-effort
basis and the actual performance will vary depending
upon the traffic mix. | Y |
region | The remote network’s location. Enter the
locations exactly as they are in this document (for example,
US West, or Japan
South). | Y |
subnets | Statically routed subnets on the LAN side of the remote network. Separate multiple subnets with commas. | N |
bgp_peer_as | The BGP Autonomous System Number (ASN) of the remote network peer device. | N |
bgp_peer_address | The BGP peer address of the remote network peer device. | N |
tunnel_name | The name of the IPSec tunnel configuration. A unique value is required. | Y |
gateway_name | The name of the IKE Gateway configuration. A unique value is required. | Y |
peer_ip_address | The IP address of the Prisma Access peer device. | N |
local_id_type | The type of IKE ID that Prisma Access presents to the peer device. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Configured Certificate values. | N |
local_id_value | The value of the IKE ID that Prisma Access presents to the peer device. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Configured Certificate values. | N |
peer_id_type | The value of the IKE ID that the peer presents to Prisma Access. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Peer Certificate values. | N |
peer_id_value | The value of the IKE ID that Prisma Access presents to the peer device. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Peer Certificate values. | N |
monitor_ip | The tunnel monitoring IP address the cloud will
use to determine that the IPSec tunnel is up and the peer
network is reachable. You cannot export a proxy-ID value for the tunnel
monitor. | N |
proxy_ids | The proxy IDs that are configured for the peer.
For route-based VPNs, leave this field blank. Specify the Proxy
ID in the following CSV configuration format:
[{"name":"proxyidname",
"local":"1.2.3.4/32",
"remote":"4.3.2.1/32",
"protocol":{"udp":
{"local-port":123,
"remote-port":234}}},
{"name":"proxyidname2",
"local":"2.3.4.5/32",
"remote":"3.4.5.6/32",
"protocol":{"tcp":
{"local-port":234,"remote-port":345}}}] | N |
sec_wan_enabled | Specifies whether or not you enable a secondary IPSec tunnel. Acceptable values are yes and no. | N |
sec_tunnel_name | The name of the secondary IPSec tunnel configuration. A unique value is required if you specify a secondary tunnel. | N |
sec_gateway_name | The name of the secondary IKE Gateway configuration. A unique value is required if you specify a secondary tunnel. | N |
sec_peer_ip_address | The IP address of the Prisma Access peer device for the secondary IPSec tunnel. | N |
sec_local_id_type | The type of IKE ID that Prisma Access presents to the peer device for the secondary IPSec tunnel. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Configured Certificate values. | N |
sec_local_id_value | The value of the IKE ID that Prisma Access presents to the peer device for the secondary IPSec tunnel. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Configured Certificate values. | N |
sec_peer_id_type | The value of the IKE ID that the peer presents to Prisma Access for the secondary IPSec tunnel. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Peer Certificate values. | N |
sec_peer_id_value | The value of the IKE ID that Prisma Access presents to the peer device for the secondary IPSec tunnel. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Peer Certificate values. | N |
sec_monitor_ip | The tunnel monitoring IP address the cloud will
use for the secondary IPSec tunnel to determine that the IPSec
tunnel is up and the peer network is reachable. You cannot export a proxy-ID value for the tunnel
monitor. | N |
sec_proxy_ids | The proxy IDs that are configured for the peer
for the secondary IPSec tunnel. For route-based VPNs, leave this
field blank. Specify the Proxy ID in the following CSV
configuration format:
[{"name":"proxyidname",
"local":"1.2.3.4/32",
"remote":"4.3.2.1/32",
"protocol":{"udp":
{"local-port":123,
"remote-port":234}}},
{"name":"proxyidname2",
"local":"2.3.4.5/32",
"remote":"3.4.5.6/32",
"protocol":{"tcp":
{"local-port":234,"remote-port":345}}}] | N |
ecmp_link_1_tunnel_name | (ECMP deployments only) The name of the IPSec tunnel configuration for ECMP tunnel 1. A unique value is required. | |
ecmp_link_1_gateway_name | (ECMP deployments only) The name of the IKE Gateway configuration for ECMP tunnel 1. A unique value is required. | |
ecmp_link_1_peer_ip_address | (ECMP deployments only) The IP address of the Prisma Access peer device for ECMP tunnel 1. | |
ecmp_link_1_local_id_type | (ECMP deployments only) The type of IKE ID that Prisma Access presents to the peer device for ECMP tunnel 1. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Configured Certificate values. | |
ecmp_link_1_local_id_value | (ECMP deployments only) The value of the IKE ID that Prisma Access presents to the peer device for ECMP tunnel 1. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Configured Certificate values. | |
ecmp_link_1_peer_id_type | (ECMP deployments only) The value of the IKE ID that the peer presents to Prisma Access for ECMP tunnel 1. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Peer Certificate values. | |
ecmp_link_1_peer_id_value | (ECMP deployments only) The value of the IKE ID that Prisma Access presents to the peer device for ECMP tunnel 1. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Peer Certificate values. | |
ecmp_link_1_monitor_ip | (ECMP deployments only) The tunnel
monitoring IP address the cloud will use to determine that the
IPSec tunnel is up and the peer network is reachable for ECMP
tunnel 1. You cannot export a proxy-ID value for the tunnel
monitor. | |
ecmp_link_1_proxy_ids | (ECMP deployments only) The proxy IDs
that are configured for the peer for ECMP tunnel 1. For
route-based VPNs, leave this field blank. Specify the Proxy ID
in the following CSV configuration format:
[{"name":"proxyidname",
"local":"1.2.3.4/32",
"remote":"4.3.2.1/32",
"protocol":{"udp":
{"local-port":123,
"remote-port":234}}},
{"name":"proxyidname2",
"local":"2.3.4.5/32",
"remote":"3.4.5.6/32",
"protocol":{"tcp":
{"local-port":234,"remote-port":345}}}] | |
ecmp_link_1_bgp_peer_as | (ECMP deployments only) The BGP Autonomous System Number (ASN) of the remote network peer device for ECMP tunnel 1. | |
ecmp_link_1_bgp_peer_address | (ECMP deployments only) The BGP peer address of the remote network peer device for ECMP tunnel 1. | |
ecmp_link_2_tunnel_name | (ECMP deployments only) The name of the IPSec tunnel configuration for ECMP tunnel 2. A unique value is required. | |
ecmp_link_2_gateway_name | (ECMP deployments only) The name of the IKE Gateway configuration for ECMP tunnel 2. A unique value is required. | |
ecmp_link_2_peer_ip_address | (ECMP deployments only) The IP address of the Prisma Access peer device for ECMP tunnel 2. | |
ecmp_link_2_local_id_type | (ECMP deployments only) The type of IKE ID that Prisma Access presents to the peer device for ECMP tunnel 2. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Configured Certificate values. | |
ecmp_link_2_local_id_value | (ECMP deployments only) The value of the IKE ID that Prisma Access presents to the peer device for ECMP tunnel 2. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Configured Certificate values. | |
ecmp_link_2_peer_id_type | (ECMP deployments only) The value of the IKE ID that the peer presents to Prisma Access for ECMP tunnel 2. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Peer Certificate values. | |
ecmp_link_2_peer_id_value | (ECMP deployments only) The value of the IKE ID that Prisma Access presents to the peer device for ECMP tunnel 2. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Peer Certificate values. | |
ecmp_link_2_monitor_ip | (ECMP deployments only) The tunnel
monitoring IP address the cloud will use to determine that the
IPSec tunnel is up and the peer network is reachable for ECMP
tunnel 2. You cannot export a proxy-ID value for the tunnel
monitor. | |
ecmp_link_2_proxy_ids | (ECMP deployments only) The proxy IDs
that are configured for the peer for ECMP tunnel 2. For
route-based VPNs, leave this field blank. Specify the Proxy ID
in the following CSV configuration format:
[{"name":"proxyidname",
"local":"1.2.3.4/32",
"remote":"4.3.2.1/32",
"protocol":{"udp":
{"local-port":123,
"remote-port":234}}},
{"name":"proxyidname2",
"local":"2.3.4.5/32",
"remote":"3.4.5.6/32",
"protocol":{"tcp":
{"local-port":234,"remote-port":345}}}] | |
ecmp_link_2_bgp_peer_as | (ECMP deployments only) The BGP Autonomous System Number (ASN) of the remote network peer device for ECMP tunnel 2. | |
ecmp_link_2_bgp_peer_address | (ECMP deployments only) The BGP peer address of the remote network peer device for ECMP tunnel 2. | |
ecmp_link_3_tunnel_name | (ECMP deployments only) The name of the IPSec tunnel configuration for ECMP tunnel 3. A unique value is required. | |
ecmp_link_3_gateway_name | (ECMP deployments only) The name of the IKE Gateway configuration for ECMP tunnel 3. A unique value is required. | |
ecmp_link_3_peer_ip_address | (ECMP deployments only) The IP address of the Prisma Access peer device for ECMP tunnel 3. | |
ecmp_link_3_local_id_type | (ECMP deployments only) The type of IKE ID that Prisma Access presents to the peer device for ECMP tunnel 3. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Configured Certificate values. | |
ecmp_link_3_local_id_value | (ECMP deployments only) The value of the IKE ID that Prisma Access presents to the peer device for ECMP tunnel 3. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Configured Certificate values. | |
ecmp_link_3_peer_id_type | (ECMP deployments only) The value of the IKE ID that the peer presents to Prisma Access for ECMP tunnel 3. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Peer Certificate values. | |
ecmp_link_3_peer_id_value | (ECMP deployments only) The value of the IKE ID that Prisma Access presents to the peer device for ECMP tunnel 3. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Peer Certificate values. | |
ecmp_link_3_monitor_ip | (ECMP deployments only) The tunnel
monitoring IP address the cloud will use to determine that the
IPSec tunnel is up and the peer network is reachable for ECMP
tunnel 3. You cannot export a proxy-ID value for the tunnel
monitor. | |
ecmp_link_3_proxy_ids | (ECMP deployments only) The proxy IDs
that are configured for the peer for ECMP tunnel 3. For
route-based VPNs, leave this field blank. Specify the Proxy ID
in the following CSV configuration format:
[{"name":"proxyidname",
"local":"1.2.3.4/32",
"remote":"4.3.2.1/32",
"protocol":{"udp":
{"local-port":123,
"remote-port":234}}},
{"name":"proxyidname2",
"local":"2.3.4.5/32",
"remote":"3.4.5.6/32",
"protocol":{"tcp":
{"local-port":234,"remote-port":345}}}] | |
ecmp_link_3_bgp_peer_as | (ECMP deployments only) The BGP Autonomous System Number (ASN) of the remote network peer device for ECMP tunnel 3. | |
ecmp_link_3_bgp_peer_address | (ECMP deployments only) The BGP peer address of the remote network peer device for ECMP tunnel 3. | |
ecmp_link_4_tunnel_name | (ECMP deployments only) The name of the IPSec tunnel configuration for ECMP tunnel 4. A unique value is required. | |
ecmp_link_4_gateway_name | (ECMP deployments only) The name of the IKE Gateway configuration for ECMP tunnel 4. A unique value is required. | |
ecmp_link_4_peer_ip_address | (ECMP deployments only) The IP address of the Prisma Access peer device for ECMP tunnel 4. | |
ecmp_link_4_local_id_type | (ECMP deployments only) The type of IKE ID that Prisma Access presents to the peer device for ECMP tunnel 4. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Configured Certificate values. | |
ecmp_link_4_local_id_value | (ECMP deployments only) The value of the IKE ID that Prisma Access presents to the peer device for ECMP tunnel 4. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Configured Certificate values. | |
ecmp_link_4_peer_id_type | (ECMP deployments only) The value of the IKE ID that the peer presents to Prisma Access for ECMP tunnel 4. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Peer Certificate values. | |
ecmp_link_4_peer_id_value | (ECMP deployments only) The value of the IKE ID that Prisma Access presents to the peer device for ECMP tunnel 4. If you use certificates in the remote network to which you import this file, all imported types specified will refer to the Peer Certificate values. | |
ecmp_link_4_monitor_ip | (ECMP deployments only) The tunnel
monitoring IP address the cloud will use to determine that the
IPSec tunnel is up and the peer network is reachable for ECMP
tunnel 4. You cannot export a proxy-ID value for the tunnel
monitor. | |
ecmp_link_4_proxy_ids | (ECMP deployments only) The proxy IDs
that are configured for the peer for ECMP tunnel 4. For
route-based VPNs, leave this field blank. Specify the Proxy ID
in the following CSV configuration format:
[{"name":"proxyidname",
"local":"1.2.3.4/32",
"remote":"4.3.2.1/32",
"protocol":{"udp":
{"local-port":123,
"remote-port":234}}},
{"name":"proxyidname2",
"local":"2.3.4.5/32",
"remote":"3.4.5.6/32",
"protocol":{"tcp":
{"local-port":234,"remote-port":345}}}] | |
ecmp_link_4_bgp_peer_as | (ECMP deployments only) The BGP Autonomous System Number (ASN) of the remote network peer device for ECMP tunnel 4. | |
ecmp_link_4_bgp_peer_address | (ECMP deployments only) The BGP peer address of the remote network peer device for ECMP tunnel 4. | |
spn-name | (Deployments that allocate bandwidth by compute location only) The name of the IPSec Termination Node. This field is required for deployments that allocate bandwidth by compute location. |