Remote Networks—High Performance
Deploy branch sites to set up Remote Networks—High Performance in Prisma Access.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | This is a Limited Availability release. To activate this functionality, reach out to your Palo Alto Networks account representative. |
As your business scales and your office locations become geographically distributed, Prisma Access remote networks allow you to quickly onboard your branch sites and deliver best-in-class security for your users. To onboard a branch site with high bandwidth, Prisma Access provides you with a Remote Network—High Performance.

To onboard a Remote Network—High Performance, you specify the branch site's location, and Prisma Access selects the location that's closest to the site. You can optionally set up a secondary (backup) location for the site for redundancy and resiliency. The high-performance remote network uses a single service IP address for every 3 Gbps of bandwidth, removing the complexity of configuring and managing multiple IPSec devices at every remote location.

A secondary location isn't supported for Prisma Access (Managed by Panorama) deployments.

After you have planned for your Remote Network—High Performance, you can begin the configuration process, which includes onboarding the high-performance remote network to Prisma Access and enabling QoS and routing.
Remote Networks—High Performance Capabilities and Guidelines
A high-performance remote network provides you with the following core
capabilities:
- Up to 3 Gbps aggregate bandwidth per node in a compute region
- Up to 2 Gbps bandwidth per remote network tunnel from a remote site
- Up to 500 remote branches per service IP address with Prisma SD-WAN and extended (third-party) CPE deployments
When configuring a high-performance remote network for a branch site, be aware of the
following guidelines and differences between sites and remote networks:
- Prisma Access Locations—Remote Networks—High Performance support a subset of Prisma Access locations.
- Quality of Service (QoS)—For branch sites, Prisma Access supports QoS at a per-site level, and the QoS Profile you select applies to the entire site.
- Committed Information Rate (CIR)—To secure and commit the amount of bandwidth used per site, specify a CIR. If there are multiple remote networks that share bandwidth in a compute location, the Remote Network—High Performance receives at least the bandwidth specified in the CIR when there is contention with other sites in that compute location.
- IPSec Termination Nodes—Unlike remote networks, you don't need to select an IPSec termination node during onboarding for Prisma Access (Managed by Strata Cloud Manager) deployments. Prisma Access automatically load-balances the remote network connections to maximize the bandwidth allocation to the sites. You still need to select an IPSec termination node for remote networks onboarded from Panorama.
- Tunnel and Compute Location Redundancy and Maximum Tunnels Per Site—A high-performance remote network lets you configure both location and IPSec redundancy.
  - Location redundancy (specifying a Primary location in one compute location and specifying a Secondary location in a separate compute location). Configuring a secondary location is optional, and the secondary location must be in a different compute location than the primary location.
  - IPSec tunnel redundancy (specifying tunnels as Active/Active or Active/Passive).

  This table provides the minimum and maximum number of tunnels for each combination of location deployment type and tunnel deployment type.

  | Location Deployment Type | Tunnel Deployment Type | Minimum Number of Tunnels | Maximum Number of Tunnels |
  |---|---|---|---|
  | Primary only | Active/Passive | 1 | 2 |
  | Primary only | Active/Active | 2 | 4 |
  | Primary and Secondary | Active/Passive | 2 | 4 |
  | Primary and Secondary | Active/Active | 4 | 8 |
- Service IP Address Allocation Based on Deployment Type—The number of Service IP Addresses you receive depends on whether you set up your high-performance remote network in a single location or in two different locations in a primary and secondary deployment.
  - If you set up your high-performance remote network in a single location with no secondary location, Prisma Access provides you with a single Service IP address.
  - If you set up compute location redundancy in a primary and secondary configuration, Prisma Access provides you with two Service IP addresses (one each for the primary and secondary configuration).

  If you set up IPSec tunnels in an Active/Passive configuration, Prisma Access provides you with a single Service IP address for both tunnels (the same as a standard Prisma Access remote network configuration).
- Service IP Address Allocation Based on Bandwidth—Prisma Access provides you with a single IP address or FQDN for every 3 Gbps of bandwidth in a compute location.
- Bandwidth Per Compute Location—You allocate bandwidth per compute location the same as allocating bandwidth for a standard remote network. You can plan and allocate the bandwidth before you begin configuration or during high-performance remote network creation.
- IPv6 Support—IPv6 isn't supported for Remote Networks—High Performance deployments.
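As an added planning check written for this page (not Prisma Access or Strata Cloud Manager code), the following Python consolidates the sizing rules from the guidelines above and from the CIR step in the onboarding procedure: CIR between 1 and 2000 Mbps and not above the compute-location bandwidth, a 50 Mbps minimum per compute location, 20% of the CIR for the secondary location, the tunnel ranges from the table above, and one service IP/FQDN per 3 Gbps in each compute location. The `SitePlan` fields, rounding allocated bandwidth up to whole 3 Gbps units, and the sample sites are assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Sizing rules stated on this page (all bandwidth values in Mbps).
CIR_MIN_MBPS = 1
CIR_MAX_MBPS = 2000
COMPUTE_LOCATION_MIN_MBPS = 50
MBPS_PER_SERVICE_IP = 3000        # one service IP/FQDN per 3 Gbps in a compute location
SECONDARY_CIR_PERCENT = 20        # the secondary region receives 20% of the CIR

# Minimum and maximum tunnels per site, keyed by (has_secondary_location, tunnel_mode).
TUNNEL_RANGE = {
    (False, "Active/Passive"): (1, 2),
    (False, "Active/Active"): (2, 4),
    (True, "Active/Passive"): (2, 4),
    (True, "Active/Active"): (4, 8),
}


@dataclass
class SitePlan:
    """Planning inputs for one branch site (field names are assumptions for this example)."""
    name: str
    cir_mbps: int
    tunnel_mode: str                         # "Active/Active" or "Active/Passive"
    planned_tunnels: int
    primary_bw_mbps: int                     # bandwidth allocated to the primary compute location
    secondary_bw_mbps: Optional[int] = None  # None means no secondary location


def service_ips_for(bw_mbps: int) -> int:
    """Service IPs/FQDNs a compute location yields: one per started 3 Gbps, at least one."""
    return max(1, math.ceil(bw_mbps / MBPS_PER_SERVICE_IP))


def plan_site(plan: SitePlan) -> dict:
    """Derive the expected CIR split, service IP count and tunnel range for a site,
    and list every rule from this page that the plan violates."""
    if plan.tunnel_mode not in ("Active/Active", "Active/Passive"):
        raise ValueError(f"unknown tunnel mode: {plan.tunnel_mode}")
    has_secondary = plan.secondary_bw_mbps is not None
    problems = []

    if not CIR_MIN_MBPS <= plan.cir_mbps <= CIR_MAX_MBPS:
        problems.append(f"CIR {plan.cir_mbps} Mbps is outside {CIR_MIN_MBPS}-{CIR_MAX_MBPS} Mbps")
    if plan.cir_mbps > plan.primary_bw_mbps:
        problems.append("CIR exceeds the bandwidth allocated to the primary compute location")
    for label, bw in (("primary", plan.primary_bw_mbps), ("secondary", plan.secondary_bw_mbps)):
        if bw is not None and bw < COMPUTE_LOCATION_MIN_MBPS:
            problems.append(f"{label} compute location is below the {COMPUTE_LOCATION_MIN_MBPS} Mbps minimum")

    lo, hi = TUNNEL_RANGE[(has_secondary, plan.tunnel_mode)]
    if not lo <= plan.planned_tunnels <= hi:
        problems.append(f"{plan.planned_tunnels} tunnels is outside the {lo}-{hi} allowed for this deployment")

    # The secondary location gets 20% of the CIR; integer arithmetic avoids float rounding.
    secondary_cir = plan.cir_mbps * SECONDARY_CIR_PERCENT // 100 if has_secondary else 0
    service_ips = service_ips_for(plan.primary_bw_mbps)
    if has_secondary:
        service_ips += service_ips_for(plan.secondary_bw_mbps)

    return {
        "site": plan.name,
        "primary_cir_mbps": plan.cir_mbps,
        "secondary_cir_mbps": secondary_cir,
        "service_ips": service_ips,
        "tunnel_range": (lo, hi),
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample sites, not real deployments.
    for site in (
        SitePlan("branch-a", 100, "Active/Passive", 2, 500, 200),
        SitePlan("branch-b", 2500, "Active/Active", 2, 2000),
    ):
        print(plan_site(site))
```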
Use one of the following procedures to onboard your remote networks depending on your
bandwidth allocation type:
Strata Cloud Manager
Here’s how to add a Remote Network—High Performance using Strata Cloud Manager.
- From Strata Cloud Manager, go to Workflows > Prisma Access Setup > Branch Sites. This choice indicates that the tunnel you create for the branch sites is terminated by your CPE (a Palo Alto Networks Next-Generation Firewall or third-party CPE).
- Add Site and give the remote network a descriptive Site Name.
- Select the City and Country of the site. For more precise searches, add an address.
- Click Next.
- Enter the QoS CIR (Committed Information Rate) in Mbps. If you have multiple remote networks that share bandwidth in a compute location, and if there is bandwidth contention with other sites in that compute location, the Remote Network—High Performance receives at least the bandwidth specified in the CIR. If you configure primary and secondary sites, you specify different compute regions, and the secondary region gets 20% of the CIR. For example, if you configure a CIR of 100 Mbps for a site, Prisma Access provides the primary site with a 100 Mbps CIR and the secondary site with a 20 Mbps CIR. If the CIR is 500 Mbps and all remaining bandwidth in the compute location is used by other sites, Prisma Access drops any bandwidth in excess of 500 Mbps. However, if other sites are not using bandwidth, the bandwidth for the high-performance remote network can go above 500 Mbps, up to the allocated bandwidth in the compute location. Enter a minimum CIR of 1 Mbps and a maximum of 2000 Mbps. Don't exceed the bandwidth you specify for the compute region.
- Select a Primary Prisma Access Location. If multiple locations are Recommended in the list, select the location that works best for your deployment.
- (Optional) To create a secondary (backup) site, select Allow connection to a secondary Prisma Access Location as backup when necessary and then select a Secondary Prisma Access Location. If you select this choice, Prisma Access prepopulates the best secondary location or locations that are in a different compute location than the primary location. If multiple locations are Recommended, select the location that works best for your deployment. Prisma Access provides you with a map of suggested locations to assist you with choosing one.
- Select a QoS Profile to use for this site. Remote Networks—High Performance use a single QoS Profile. If you have not yet created a QoS Profile, Add a QoS Profile, specifying the following values:
  - Enter a unique QoS Profile Name.
  - (Optional) Enter an Egress Max (Mbps) that represents the maximum throughput in Mbps for traffic leaving the service connection or remote network connection.
  - (Optional) Enter an Egress Guaranteed (Mbps) value that represents the guaranteed bandwidth for this profile in Mbps.
  - Enter a Class Bandwidth Type of either Percentage or Mbps. QoS for Remote Networks—High Performance does not use a guaranteed bandwidth ratio.
  - In the Classes section, Add Class and specify how to mark up to eight individual QoS classes.
    - Enter a Class Name.
    - Select the Priority for the class (either real-time, high, medium, or low).
    - Enter an Egress Max that represents the maximum throughput (in Mbps) for traffic leaving the service connection or remote network connection.
    - Enter an Egress Guaranteed value that represents the guaranteed bandwidth for this profile (in Mbps).
  - Save your changes.
- If you have not yet allocated bandwidth, Prisma Access prompts you to allocate bandwidth for the compute location that's associated with the location you selected. Specify a minimum bandwidth of 50 Mbps per compute location.
- Allocate bandwidth for the locations you selected if you have not already; then, Update your changes.
- Click Next.
- Define Tunnel & Circuit Settings.
  - Select a Tunnel Mode: either Active/Active or Active/Passive. The tunnel mode specifies how many of your ISP circuits you want to utilize for the high-performance remote network.
    - If you select Active/Active, Prisma Access utilizes four ISP circuits to create either two or four active tunnels.
    - If you select Active/Passive, Prisma Access utilizes two ISP circuits to create two active tunnels. If the active tunnel goes down, the passive tunnel becomes active.
  - Select the number of Internet Circuits to use. Prisma Access assigns tunnels based on the number of circuits you specify here, and whether your deployment is Active/Active or Active/Passive, as shown in the following table.

    | Number of Circuits | Deployment Type | Number of Tunnels |
    |---|---|---|
    | 1 | Active/Passive | 1 (one for the active tunnel). |
    | 2 | Active/Active | 2 (one for each active tunnel). If you select primary and secondary locations, Prisma Access creates one active tunnel for the primary location and one active tunnel for the secondary location. |
    | 2 | Active/Passive | 2 (one for each active tunnel). If you select primary and secondary locations, Prisma Access creates one active and passive tunnel for the primary location and one active and passive tunnel for the secondary location. If the active tunnel goes down, Prisma Access uses the same Service IP address or FQDN for the passive tunnel that becomes active. |
    | 4 | Active/Active | 4 (one for each active tunnel). If you select primary and secondary locations, Prisma Access creates two active tunnels for the primary location and two active tunnels for the secondary location. |

  - (Optional) Configure your IPSec tunnel settings. Prisma Access provides you with default IPSec tunnel settings. These settings determine the IPSec and IKE crypto settings for the remote network tunnel. If you want to change them, select the Primary Tunnel and Edit your settings. If you specify a secondary location, Prisma Access autopopulates the values from the primary tunnel to the secondary tunnel; to edit the secondary tunnel, select that tunnel and Edit the settings. Make a note of these settings; you must match the settings on the CPE that terminates the IPSec tunnel at your site.
    - Give the Active tunnel a unique Tunnel Name.
    - Specify IPSec Settings.
      - Specify an Authentication type (either Pre-Shared Key or Certificate). If you specify Pre-Shared Key, enter and confirm the Pre-Shared Key. If you specify a Certificate, enter the Local Certificate to use. This certificate must already exist in Strata Cloud Manager.
      - Specify the IKE Local Identification (either IP Address, Distinguished Name (Subject), User FQDN (email address), or FQDN (hostname)).
      - Specify the IKE Peer Identification (either IP Address, Distinguished Name (Subject), User FQDN (email address), or FQDN (hostname)).
      - Specify the type of Peer ID Check:
        - Exact—Ensures that the local setting and peer IKE ID payload match exactly.
        - Wildcard—Allows the peer identification to match as long as every character before the wildcard (*) matches. The characters after the wildcard don't need to match.
      - (Optional) Permit peer identification and certificate payload identification mismatch to allow a successful IKE security association (SA) even when the peer identification does not match the peer identification in the certificate.
      - Choose a Certificate Profile. A certificate profile contains information about how to authenticate the peer gateway.
      - (Optional) Enable strict validation of peer’s extended key use to strictly control how the key can be used.
      - Choose the Branch Device IP Address (Static or Dynamic).
        - If you select Static, enter the Static IP Address to use for the IPSec tunnel.
        - Specify Dynamic to obtain the IP address automatically.
      - (Optional, Recommended) Enable IKE Passive Mode to have Prisma Access respond to IKE connections but not initiate them. While not required, IKE Passive Mode is the recommended setting.
      - (Optional) Turn on Tunnel Monitoring. Enter a Tunnel Monitoring Destination IP address on the remote network for Prisma Access to determine whether the tunnel is up and, if your branch IPSec device uses a policy-based VPN, enter the associated Proxy ID as the Monitored Proxy ID.
      - (Optional) If you need a proxy ID:
        - Add Proxy ID and enter the Proxy ID.
        - Optionally, enter the Local Proxy ID and Remote Proxy ID.
        - Enter the Protocol to use for the proxy ID. Enter a Number, TCP, or UDP.
        - Specify a Local Port and Remote Port for TCP or UDP.
        - Save your changes.
      - (Optional) Specify IKE Advanced Options.
        - Select an IKE Protocol Version.
        - Select an IKEv1 Crypto Profile. To add a crypto profile, Add IKE. To manage an existing IKE profile, Manage IKE and select the profile to edit.
        - Select an IKEv2 Crypto Profile. To add a crypto profile, Add IKE. To manage an existing IKE profile, Manage IKE and select the profile to edit.
      - (Optional) Specify IPSec Advanced Options.
        - Select an IPSec Crypto Profile. To add a crypto profile, Add IPSec. To manage an existing IPSec profile, Manage IPSec and select the profile to edit.
    - Choose your Routing Settings.
      - Select the Routing Type (either Static or Dynamic). If you select Static, Add the IP subnets or IP addresses that you want to secure at the site. If you select Dynamic:
        - Enter the Peer As (the autonomous system (AS) for your network). Use an RFC 6996-compliant BGP Private AS number.
        - Enter the Peer IP Address assigned as the Router ID of the eBGP router on the HQ or data center network.
        - (Optional) Enter a Shared Secret password to authenticate BGP peer communications.
        - Enter the Local IP Address that Prisma Access uses as its Local IP address for BGP.
        - (Optional) Select Summarize Mobile User Routes before advertising to reduce the number of mobile user IP subnet advertisements over BGP to your customer premises equipment (CPE) by having Prisma Access summarize the subnets before it advertises them.
        - (Optional) Select Advertise Default Route to have Prisma Access originate a default route advertisement for the remote network using eBGP. Be sure that your network does not have another default route advertised by BGP, or you could introduce routing issues in your network.
        - (Optional) Select Don't Export Routes to prevent Prisma Access from forwarding routes into the HQ or data center.
    - Save your IPSec tunnel changes.
- Save & Exit.
- Push Configuration to save your configuration changes, making sure to select Remote Networks in the Push Scope.
- Find the Service IP address that you specify on your CPE. When you set up the remote network, use the service IP address as the peer IP address on your CPE to terminate the IPSec tunnel.
  - Go to Workflows > Prisma SASE Setup > Branch Site Management > Extended CPE Site.
  - Find the Service IP/FQDN address.
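The Peer ID Check modes, the IKE identification types, the IPv4-only restriction and the RFC 6996 private AS requirement from the tunnel and routing steps above, as an added validation helper written for this page (not Prisma Access or Strata Cloud Manager code). The Wildcard prefix semantics follow the description in the steps; the hostname and e-mail patterns, the minimal DN check and the sample identities are assumptions.

```python
import ipaddress
import re

# IKE identification types offered in the onboarding steps on this page.
IKE_ID_TYPES = (
    "IP Address",
    "Distinguished Name (Subject)",
    "User FQDN (email address)",
    "FQDN (hostname)",
)

# Hostname and e-mail patterns are assumptions chosen for this example, not product rules.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def ike_id_is_well_formed(id_type: str, value: str) -> bool:
    """Check that an IKE local/peer identification value fits the selected type.
    IPv6 isn't supported for Remote Networks—High Performance, so IP Address must be IPv4."""
    if id_type == "IP Address":
        try:
            return ipaddress.ip_address(value).version == 4
        except ValueError:
            return False
    if id_type == "FQDN (hostname)":
        return _HOSTNAME_RE.match(value) is not None
    if id_type == "User FQDN (email address)":
        return _EMAIL_RE.match(value) is not None
    if id_type == "Distinguished Name (Subject)":
        # Minimal DN check: comma-separated attr=value pairs, e.g. "CN=branch1,O=Example".
        pairs = [part.split("=", 1) for part in value.split(",")]
        return all(len(p) == 2 and p[0].strip() and p[1].strip() for p in pairs)
    raise ValueError(f"unknown IKE ID type: {id_type}")


def peer_id_matches(configured: str, presented: str, check: str) -> bool:
    """Apply the Peer ID Check from the steps above.
    Exact: the configured value and the peer's IKE ID payload must match exactly.
    Wildcard: every character before the '*' must match; anything after it is ignored."""
    if check == "Exact":
        return configured == presented
    if check == "Wildcard":
        prefix, star, _ = configured.partition("*")
        if not star:                      # no wildcard in the configured ID: behaves as Exact
            return configured == presented
        return presented.startswith(prefix)
    raise ValueError(f"unknown Peer ID Check: {check}")


def is_rfc6996_private_asn(asn: int) -> bool:
    """RFC 6996 private-use ranges: 64512-65534 (16-bit) and 4200000000-4294967294 (32-bit)."""
    return 64512 <= asn <= 65534 or 4_200_000_000 <= asn <= 4_294_967_294


def validate_bgp_peer(peer_as: int, peer_ip: str, local_ip: str) -> list:
    """Check the dynamic-routing inputs: private Peer AS and IPv4 peer/local addresses."""
    problems = []
    if not is_rfc6996_private_asn(peer_as):
        problems.append(f"Peer AS {peer_as} is not an RFC 6996 private AS number")
    for label, addr in (("Peer IP Address", peer_ip), ("Local IP Address", local_ip)):
        if not ike_id_is_well_formed("IP Address", addr):
            problems.append(f"{label} {addr!r} is not an IPv4 address")
    return problems


if __name__ == "__main__":
    # Constructed sample identities, not real sites.
    print(peer_id_matches("branch*.example.com", "branch1.example.com", "Wildcard"))
    print(validate_bgp_peer(65001, "192.0.2.1", "192.0.2.2"))
```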
Panorama
Configure a Prisma Access remote network deployment that allocates bandwidth by compute location.

Steps to configure a Remote Network—High Performance are the same as onboarding a standard Remote Network in Prisma Access (Managed by Panorama), including choosing an IPSec Termination Node during onboarding.