Strata Cloud Manager

Here’s how to add a Remote Network—High Performance using Strata Cloud Manager.
  1. From Strata Cloud Manager, go to Workflows > Prisma Access Setup > Branch Sites.
    This choice indicates that the tunnel you create for the branch sites is terminated by your CPE (a Palo Alto Networks Next-Generation Firewall or third-party CPE).
  2. Add Site and give the remote network a descriptive Site Name.
  3. Select the City and Country of the site.
    For more precise searches, add an address.
  4. Click Next.
  5. Enter the QoS CIR (Committed Information Rate) in Mbps.
    If you have multiple remote networks that share bandwidth in a compute location, and if there is bandwidth contention with other sites in that compute location, the Remote Network—High Performance receives at least the bandwidth specified in the CIR.
    If you configure primary and secondary sites, you specify different compute regions and the secondary region gets 20% of the CIR. For example, if you configure a CIR of 100 Mbps to a site, Prisma Access provides the primary site with 100 Mbps CIR and the secondary site with 20 Mbps CIR.
    If the CIR is 500 Mbps and if all remaining bandwidth in the compute location is used by other sites, Prisma Access drops any bandwidth in excess of 500 Mbps. However, if other sites are not using bandwidth, the bandwidth for the high-performance remote network can go above 500 Mbps up to the allocated bandwidth in the compute location.
    Enter a minimum CIR of 1 Mbps and a maximum of 2000 Mbps. Don't exceed the bandwidth you specify for the compute region.
  6. Select a Primary Prisma Access Location.
    If multiple locations are Recommended in the list, select the location that works best for your deployment.
  7. (Optional) To create a secondary (backup) site, select Allow connection to a secondary Prisma Access Location as backup when necessary and then select a Secondary Prisma Access Location.
    If you select this choice, Prisma Access prepopulates the best secondary location or locations that are in a different compute location than the primary location. If multiple locations are Recommended, select the location that works best for your deployment.
    Prisma Access provides you with a map with suggested locations to assist you with choosing one.
  8. Select a QoS Profile to use for this site.
    Remote Networks—High Performance use a single QoS Profile.
    If you have not yet created a QoS Profile, Add a QoS Profile, specifying the following values:
    • Enter a unique QoS Profile Name.
    • (Optional) Enter an Egress Max (Mbps) that represents the maximum throughput in Mbps for traffic leaving the service connection or remote network connection.
    • (Optional) Enter an Egress Guaranteed (Mbps) value that represents the guaranteed bandwidth for this profile in Mbps.
    • Enter a Class Bandwidth Type of either Percentage or Mbps.
      QoS for Remote Networks—High Performance does not use a guaranteed bandwidth ratio.
    • In the Classes section, Add Class and specify how to mark up to eight individual QoS classes.
      • Enter a Class Name.
      • Select the Priority for the class (either real-time, high, medium, or low).
      • Enter an Egress Max that represents the maximum throughput (in Mbps) for traffic leaving the service connection or remote network connection.
      • Enter an Egress Guaranteed value that represents the guaranteed bandwidth for this profile (in Mbps).
    • Save your changes.
  9. If you have not yet allocated bandwidth, Prisma Access prompts you to allocate bandwidth for the compute location that's associated with the location you selected. Specify a minimum bandwidth of 50 Mbps per compute location.
  10. Allocate bandwidth for the locations you selected if you have not already; then, Update your changes.
  11. Click Next.
  12. Define Tunnel & Circuit Settings.
    1. Select a Tunnel Mode: either Active/Active or Active/Passive.
      The tunnel mode specifies how many of your ISP circuits you want to utilize for the high-performance remote network.
      • If you select Active/Active, Prisma Access utilizes four ISP circuits to create either two or four active tunnels.
      • If you select Active/Passive, Prisma Access utilizes two ISP circuits to create two active tunnels. If the active tunnel goes down, the passive tunnel becomes active.
    2. Select the number of Internet Circuits to use.
      Prisma Access assigns tunnels based on the number of circuits you specify here, and whether your deployment is Active/Active or Active/Passive, as shown in the following table.
      Number of Circuits   Deployment Type   Number of Tunnels
      1                    Active/Passive    1 (one for the active tunnel).
      2                    Active/Active     2 (one for each active tunnel).
        If you select primary and secondary locations, Prisma Access creates one active tunnel for the primary location and one active tunnel for the secondary location.
      2                    Active/Passive    2 (one for each active tunnel).
        If you select primary and secondary locations, Prisma Access creates one active and one passive tunnel for the primary location and one active and one passive tunnel for the secondary location. If the active tunnel goes down, Prisma Access uses the same Service IP address or FQDN for the passive tunnel that becomes active.
      4                    Active/Active     4 (one for each active tunnel).
        If you select primary and secondary locations, Prisma Access creates two active tunnels for the primary location and two active tunnels for the secondary location.
    3. (Optional) Configure your IPSec tunnel settings.
      Prisma Access provides you with default IPSec tunnel settings. These settings determine the IPSec and IKE crypto settings for the remote network tunnel. If you want to change them, select the Primary Tunnel and Edit your settings.
      If you specify a secondary location, Prisma Access autopopulates the values from the primary tunnel to the secondary tunnel; to edit the secondary tunnel, select that tunnel and Edit the settings.
      Make a note of these settings; you must match the settings on the CPE that terminates the IPSec tunnel at your site.
      • Give the Active tunnel a unique Tunnel Name.
      • Specify IPSec Settings.
        • Specify an Authentication type (either Pre-Shared Key or Certificate).
          If you specify Pre-Shared Key, enter and confirm the Pre-Shared Key.
          If you specify a Certificate, enter the Local Certificate to use. This certificate must already exist in Strata Cloud Manager.
        • Specify the IKE Local Identification (either IP Address, Distinguished Name (Subject), User FQDN (email address), or FQDN (hostname)).
        • Specify the IKE Peer Identification (either IP Address, Distinguished Name (Subject), User FQDN (email address), or FQDN (hostname)).
      • Specify the type of Peer ID Check:
        • Exact—Ensures that the local setting and peer IKE ID payload match exactly.
        • Wildcard—Allows the peer identification to match as long as every character before the wildcard (*) matches. The characters after the wildcard don't need to match.
      • (Optional) Permit peer identification and certificate payload identification mismatch to allow a successful IKE security association (SA) even when the peer identification does not match the peer identification in the certificate.
      • Choose a Certificate Profile. A certificate profile contains information about how to authenticate the peer gateway.
      • (Optional) Enable strict validation of peer’s extended key use to control strictly how the key can be used.
      • Choose the Branch Device IP Address (Static or Dynamic).
        • If you select Static, enter the Static IP Address to use for the IPSec tunnel.
        • Specify Dynamic to obtain the IP address automatically.
      • (Optional, Recommended) Enable IKE Passive Mode to have Prisma Access respond to IKE connections but not initiate them.
        While not required, IKE Passive Mode is the recommended setting.
      • (Optional) Turn on Tunnel Monitoring.
        Enter a Tunnel Monitoring Destination IP address on the remote network for Prisma Access to determine whether the tunnel is up and, if your branch IPSec device uses a policy-based VPN, enter the associated Proxy ID as the Monitored Proxy ID.
      • (Optional) If you need a proxy ID:
        • Add Proxy ID and enter the Proxy ID.
        • Optionally, enter the Local Proxy ID and Remote Proxy ID.
        • Enter the Protocol to use for the proxy ID. Enter a Number, TCP, or UDP.
        • Specify a Local Port and Remote Port for TCP or UDP, or specify a
        • Save your changes.
      • Specify IKE Advanced Options.
        • Select an IKE Protocol Version.
        • Select an IKEv1 Crypto Profile.
          To add a crypto profile, Add IKE. To manage an existing IKE profile, Manage IKE and select the profile to edit.
        • Select an IKEv2 Crypto Profile.
          To add a crypto profile, Add IKE. To manage an existing IKE profile, Manage IKE and select the profile to edit.
      • Specify IPSec Advanced Options.
        • Select an IPSec Crypto Profile.
          To add a crypto profile, Add IPSec. To manage an existing IPSec profile, Manage IPSec and select the profile to edit.
      • Choose your Routing Settings.
        • Select the Routing Type (either Static or Dynamic).
          If you select Static, Add the IP subnets or IP addresses that you want to secure at the site.
          If you select Dynamic:
          • Enter the Peer AS (the autonomous system (AS) for your network).
            Use an RFC 6996-compliant BGP Private AS number.
          • Enter the Peer IP Address assigned as the Router ID of the eBGP router on the HQ or data center network.
          • (Optional) Enter a Shared Secret password to authenticate BGP peer communications.
          • Enter the Local IP Address that Prisma Access uses as its Local IP address for BGP.
          • (Optional) Select Summarize Mobile User Routes before advertising to reduce the number of mobile user IP subnet advertisements over BGP to your customer premises equipment (CPE) by having Prisma Access summarize the subnets before it advertises them.
          • (Optional) Select Advertise Default Route to have Prisma Access originate a default route advertisement for the remote network using eBGP. Be sure that your network does not have another default route advertised by BGP, or you could introduce routing issues in your network.
          • (Optional) Select Don't Export Routes to prevent Prisma Access from forwarding routes into the HQ or data center.
    4. Save your IPSec tunnel changes.
  13. Save & Exit.
  14. Push Configuration to save your configuration changes, making sure to select Remote Networks in the Push Scope.
  15. Find the Service IP address that you specify on your CPE.
    When you set up the remote network, use the service IP address as the peer IP address on your CPE to terminate the IPSec tunnel.
    1. Go to Workflows > Prisma SASE Setup > Branch Site Management > Extended CPE Site.
    2. Find the Service IP/FQDN address.
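Several of the values entered in this procedure have rules that are easy to get wrong at the keyboard: the CIR limits and bandwidth-sharing behaviour in steps 5 and 9, the Exact and Wildcard Peer ID Check in step 12, and the RFC 6996 private AS requirement for dynamic routing. The Python script below is an added example written for this page, not Palo Alto Networks code and not an API of Strata Cloud Manager or Prisma Access; it only transcribes the rules stated in the procedure so you can check planned values before a push. The function names and sample values are constructed, and the treatment of a Wildcard check whose configured ID contains no `*` (handled as an Exact match) is an assumption the page does not state.

```python
"""Pre-flight checks for values entered in the Remote Network-High Performance
workflow. Added example; not Palo Alto Networks code. The rules below are
transcribed from the procedure text; sample values are constructed."""

# Limits stated in steps 5 and 9 of the procedure.
CIR_MIN_MBPS = 1
CIR_MAX_MBPS = 2000
COMPUTE_LOCATION_MIN_MBPS = 50
SECONDARY_CIR_PERCENT = 20

# RFC 6996 private AS ranges (16-bit and 32-bit), inclusive.
PRIVATE_AS_RANGES = ((64512, 65534), (4200000000, 4294967294))


def secondary_cir(cir_mbps):
    """CIR the secondary (backup) site receives: 20% of the configured CIR."""
    return cir_mbps * SECONDARY_CIR_PERCENT / 100


def check_cir(cir_mbps, compute_allocation_mbps):
    """Return a list of rule violations for a CIR entry (empty list means OK)."""
    problems = []
    if not CIR_MIN_MBPS <= cir_mbps <= CIR_MAX_MBPS:
        problems.append(
            f"CIR {cir_mbps} Mbps is outside {CIR_MIN_MBPS}-{CIR_MAX_MBPS} Mbps")
    if compute_allocation_mbps < COMPUTE_LOCATION_MIN_MBPS:
        problems.append(
            f"compute location allocation {compute_allocation_mbps} Mbps is "
            f"below the {COMPUTE_LOCATION_MIN_MBPS} Mbps minimum")
    if cir_mbps > compute_allocation_mbps:
        problems.append("CIR exceeds the bandwidth allocated to the compute location")
    return problems


def effective_bandwidth(cir_mbps, compute_allocation_mbps,
                        other_sites_mbps, demand_mbps):
    """Model of the sharing rule in step 5: the site always gets at least its
    CIR and may burst above it only into bandwidth that other sites in the
    compute location are not using, never beyond the location's allocation."""
    spare = compute_allocation_mbps - other_sites_mbps
    ceiling = max(cir_mbps, spare)
    return min(demand_mbps, ceiling)


def peer_id_matches(configured_id, presented_id, check="Exact"):
    """Peer ID Check semantics from step 12: Exact requires identical IDs;
    Wildcard requires only the characters before the first '*' to match and
    ignores everything after it. Assumption (not stated on the page): a
    Wildcard check with no '*' in the configured ID behaves like Exact."""
    if check not in ("Exact", "Wildcard"):
        raise ValueError(f"unknown Peer ID Check type: {check}")
    if check == "Exact" or "*" not in configured_id:
        return configured_id == presented_id
    prefix = configured_id.split("*", 1)[0]
    return presented_id.startswith(prefix)


def is_private_as(asn):
    """True when asn lies in an RFC 6996 private range, as the Peer AS field expects."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_AS_RANGES)


if __name__ == "__main__":
    # Constructed sample: a 500 Mbps CIR site in a compute location allocated 1000 Mbps.
    print(check_cir(500, 1000))                       # []
    print(secondary_cir(500))                         # 100.0
    print(effective_bandwidth(500, 1000, 500, 900))   # 500: other sites use the rest
    print(effective_bandwidth(500, 1000, 0, 900))     # 900: burst into idle bandwidth
    print(peer_id_matches("branch-*.example.com", "branch-0042.corp", "Wildcard"))  # True
    print(is_private_as(65001), is_private_as(15169))  # True False
```

Note that under the Wildcard check the characters after `*` in the configured ID carry no weight at all, which is why `branch-0042.corp` matches `branch-*.example.com`; if you need the suffix enforced, use Exact or a certificate-based identity instead.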