Prisma Access
Cloud Management
Learn how to set up service infrastructure in Prisma Access (Managed by Strata Cloud Manager).

Use the following recommendations and requirements when you add an infrastructure subnet for Prisma Access:

- Use an RFC 1918-compliant subnet. While the use of non-RFC 1918-compliant (public) IP addresses is supported, it is not recommended because of possible conflicts with the internet public IP address space.
- Do not specify any subnets that overlap with the 169.254.0.0/16 and 100.64.0.0/10 subnet ranges, because Prisma Access reserves those IP addresses and subnets for its internal use.
- This subnetwork is an extension of your existing network and therefore cannot overlap with any IP subnets that you use within your corporate network, or with the IP address pools that you assign for Prisma Access for users or Prisma Access for networks.
- Because the service infrastructure requires a large number of IP addresses, you must designate a /24 subnetwork (for example, 172.16.55.0/24).
- If you use dynamic routing for your remote networks or service connections, you must also configure an RFC 6996-compliant BGP private AS number.
- Launch Prisma Access.
- Go to Manage > Service Setup > Shared > Prisma Access Setup > Infrastructure Settings. If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Prisma Access > Infrastructure Settings.
- Enter an Infrastructure Subnet that Prisma Access can use to enable communication between your remote network locations, mobile users, and the HQ or data centers that you plan on connecting to Prisma Access over service connections. Use an RFC 1918-compliant subnet for the infrastructure subnet. While the use of non-RFC 1918-compliant (public) IP addresses is supported, it is not recommended because of possible conflicts with the internet public IP address space.
- Enter the Infrastructure BGP AS you want to use within the Prisma Access infrastructure. If you want to enable dynamic routing so that Prisma Access can dynamically discover routes to resources in your remote networks and HQ or data center locations, you must use the Border Gateway Protocol (BGP). The Infrastructure BGP AS is the autonomous system (AS) number that identifies the routes through which BGP can send traffic. If you do not supply an AS number, Prisma Access uses the default AS number (65534). If you want to specify your own AS number, you must use an RFC 6996-compliant private AS number. Accepted formats are 4-byte AS Plain ([64512-65534], [4200000000-4294967294]) or AS Dot ([0.64512-0.65534], [64086.59904-65535.65534]) notation.
- If you enable your users to access applications based on source IP address, you will need to get the list of IP addresses that traffic from Prisma Access uses as the source address so that you can allow them in your application access policies. Copy the Egress IP API Key to enable use of the Prisma Access Egress IP Address API. Also, because the IP addresses that Prisma Access uses change periodically (for example, when you add a new location, when Prisma Access needs to scale resources in an existing location, or when there is an infrastructure upgrade), you need to know when the IP addresses change so that you can update your policy rules, or automate these updates by defining an Egress IP Notification URL. See Retrieve the IP Addresses for Prisma Access for more details.
- (Optional) Enable the tenant as a pre-production or lab tenant.
  - Enable the tenant as Pre-prod or Lab Tenant.
  - Agree to confirm. When you enable a tenant as a pre-production or lab tenant, you can schedule upgrades for this tenant alone before upgrading other production tenants. The tenant receives notifications 24 to 48 hours before an upcoming upgrade. When you disable the pre-production or lab tenant setting, the tenant is considered a production tenant.
- To enable Prisma Access to resolve your internal domains, Add an Internal Domain List. If you plan on configuring service connections to enable access to resources in your corporate network and you also need Prisma Access to resolve your internal domains, you must define the list of internal domains. DNS queries for domains in the Internal Domain List are sent to your local DNS servers to ensure that resources are available to Prisma Access remote network users and mobile users.
  - Enter the Primary DNS server and Secondary DNS server that Prisma Access should use to resolve the internal domain names.
  - Add the internal Domain Names that you want Prisma Access to resolve. You can use a wildcard (*) in front of the domains in the domain list, for example *.acme.local or *.acme.com.
- Push Config to save your service infrastructure settings to Prisma Access.
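The subnet and BGP AS rules above are easy to get wrong in a change ticket, so here is an added pre-flight check (example code written for this page, not part of Prisma Access or its API) that validates a proposed infrastructure subnet against the RFC 1918, /24, reserved-range and no-overlap requirements, and parses the Infrastructure BGP AS field in both AS Plain and AS Dot notation against the RFC 6996 private ranges listed above. The corporate subnets passed as `existing` are constructed sample input.

```python
import ipaddress

# RFC 1918 private space, and the ranges the page says Prisma Access reserves for internal use.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RESERVED = [ipaddress.ip_network(n) for n in ("169.254.0.0/16", "100.64.0.0/10")]


def check_infra_subnet(subnet, existing=()):
    """Return the list of problems with a proposed infrastructure subnet (empty = acceptable).

    `existing` holds the subnets the page says must not overlap: corporate subnets and
    the address pools assigned to Prisma Access for users / for networks (constructed input).
    """
    try:
        net = ipaddress.ip_network(subnet, strict=True)   # rejects host bits set, e.g. 172.16.55.1/24
    except ValueError as exc:
        return [f"invalid subnet: {exc}"]
    problems = []
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append("not RFC 1918: public space is supported but not recommended")
    if net.prefixlen != 24:
        problems.append(f"/{net.prefixlen} given, but a /24 is required")
    problems += [f"overlaps Prisma Access reserved range {r}" for r in RESERVED if net.overlaps(r)]
    problems += [f"overlaps existing subnet {e}" for e in existing
                 if net.overlaps(ipaddress.ip_network(e, strict=False))]
    return problems


def parse_infra_bgp_as(text):
    """Parse the Infrastructure BGP AS field (AS Plain or AS Dot notation).

    Returns the 4-byte AS number when it is RFC 6996 private, 65534 (the page's default)
    for an empty field, and None when the value is malformed or not private.
    """
    text = text.strip()
    if not text:
        return 65534
    try:
        if "." in text:                         # AS Dot: <high>.<low>, each 0-65535
            high, low = (int(part) for part in text.split(".", 1))
            if not (0 <= high <= 65535 and 0 <= low <= 65535):
                return None
            asn = high * 65536 + low
        else:                                   # AS Plain: a single 32-bit integer
            asn = int(text)
    except ValueError:
        return None
    # Private ranges exactly as listed on the page; AS Dot 64086.59904 equals 4200000000.
    if 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294:
        return asn
    return None
```

Run the check against the example subnet from the page (172.16.55.0/24) and the list of subnets already in use before you Push Config; an empty problem list means the value satisfies every rule stated above.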