Prisma Access
Panorama
Before you can begin setting up Prisma Access to secure your remote networks and/or mobile users, you must configure an infrastructure subnet, which Prisma Access will use to create the network backbone for communication between your service connections, remote networks, and mobile users, as well as with the corporate networks you plan to connect to Prisma Access over service connections. Because a large number of IP addresses will be required to set up the infrastructure, you must use a /24 subnet (for example, 172.16.55.0/24) at a minimum. Be sure you follow all guidelines and requirements.
- Select Panorama > Cloud Services > Configuration > Service Setup and click the gear icon to edit the Settings.
- On the General tab, specify an Infrastructure Subnet that meets the requirements, for example, 172.16.55.0/24.
- (Optional) If you want to enable Prisma Access to use BGP to dynamically discover routes to resources on your remote networks and HQ/data center locations, enter the Infrastructure BGP AS you want to use within the Prisma Access infrastructure. If you do not supply an AS number, the default AS number 65534 is used.
- (Optional) Enable a tenant as a Pre-prod or Lab Tenant Environment. When you enable a tenant as a pre-production or lab tenant, you can schedule upgrades for this tenant alone before upgrading other production tenants. The tenant receives notifications 24 to 48 hours before an upcoming upgrade. When you disable the pre-production or lab tenant setting, the tenant is treated as a production tenant. Prisma Access for Clean Pipe does not support this functionality.
- (Optional) Enable Prisma Access to resolve your internal domains using your corporate DNS servers. Use this step if you need Prisma Access to be able to resolve your internal domains to access services, such as LDAP servers, on your corporate network via service connections. For example, if you want DNS lookups for your corporate domain to go exclusively to the corporate DNS server, specify the corporate domain and the corporate DNS servers here.
- Select the Internal Domain List tab.
- Add the Domain Names, Primary DNS, and Secondary DNS servers that you want Prisma Access to use to resolve your internal domain names. You can use a wildcard (*) in front of the domains in the domain list, for example *.acme.local or *.acme.com. Do not enter a 127.0.0.1 address, because it can cause Prisma Access internal routing issues.
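The General and Internal Domain List requirements above are easy to get wrong in a hurry (a /25 typed instead of a /24, a host address instead of a network, a loopback DNS server). The following script is an added example, not Palo Alto Networks code or any Prisma Access API: it encodes only the requirements this page states, so you can check the values you intend to enter in Panorama before committing them. The `ServiceSetup` and `InternalDomain` structures are this example's own; the AS-number range check is the generic 32-bit BGP range, and the loopback check generalizes the page's 127.0.0.1 warning to any loopback address.

```python
"""Sanity checks for the Service Setup values described above.

Added example, not Palo Alto Networks code. It encodes only the requirements
this page states: an infrastructure subnet of /24 or larger, an optional
Infrastructure BGP AS that defaults to 65534, and no 127.0.0.1 address as an
internal DNS server.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

DEFAULT_INFRA_BGP_AS = 65534   # default Prisma Access uses when no AS is supplied
MIN_INFRA_PREFIX_LEN = 24      # a /24 is the smallest allowed infrastructure subnet


@dataclass
class InternalDomain:
    """One row of the Internal Domain List tab (structure assumed for this example)."""
    domain: str                       # e.g. "*.acme.local"
    primary_dns: str
    secondary_dns: Optional[str] = None


@dataclass
class ServiceSetup:
    """Values for the General and Internal Domain List tabs (assumed structure)."""
    infrastructure_subnet: str
    infrastructure_bgp_as: Optional[int] = None
    internal_domains: List[InternalDomain] = field(default_factory=list)


def effective_bgp_as(cfg: ServiceSetup) -> int:
    """AS number Prisma Access will use inside its infrastructure."""
    if cfg.infrastructure_bgp_as is None:
        return DEFAULT_INFRA_BGP_AS
    return cfg.infrastructure_bgp_as


def _check_domain(entry: str) -> Optional[str]:
    """Accept 'corp.example' or '*.corp.example'; reject other wildcard forms."""
    name = entry[2:] if entry.startswith("*.") else entry
    if not name or "*" in name or name.startswith(".") or name.endswith("."):
        return f"domain {entry!r}: only a leading '*.' wildcard is allowed"
    return None


def validate(cfg: ServiceSetup) -> List[str]:
    """Return a list of problems; an empty list means the values meet the
    requirements this page states."""
    problems: List[str] = []

    # Infrastructure subnet: must be a network (no host bits set) and /24 or larger.
    try:
        net = ipaddress.ip_network(cfg.infrastructure_subnet, strict=True)
        if net.version != 4:
            problems.append(f"infrastructure subnet {cfg.infrastructure_subnet!r} must be IPv4")
        elif net.prefixlen > MIN_INFRA_PREFIX_LEN:
            problems.append(
                f"infrastructure subnet /{net.prefixlen} is smaller than the /{MIN_INFRA_PREFIX_LEN} minimum"
            )
    except ValueError as exc:
        problems.append(f"infrastructure subnet {cfg.infrastructure_subnet!r}: {exc}")

    # BGP AS: whatever is supplied (or the default) must be a valid 32-bit AS number.
    asn = effective_bgp_as(cfg)
    if not 1 <= asn <= 4_294_967_295:
        problems.append(f"infrastructure BGP AS {asn} is outside the valid AS range")

    # Internal domain list: well-formed domain entries and no loopback DNS servers.
    for row in cfg.internal_domains:
        err = _check_domain(row.domain)
        if err:
            problems.append(err)
        for label, server in (("primary", row.primary_dns), ("secondary", row.secondary_dns)):
            if server is None:
                continue
            try:
                addr = ipaddress.ip_address(server)
            except ValueError:
                problems.append(f"{row.domain}: {label} DNS {server!r} is not an IP address")
                continue
            if addr.is_loopback:
                problems.append(
                    f"{row.domain}: {label} DNS {server} is a loopback address and can break Prisma Access internal routing"
                )
    return problems


if __name__ == "__main__":
    # Constructed example values, not from a real deployment.
    cfg = ServiceSetup(
        infrastructure_subnet="172.16.55.0/24",
        internal_domains=[InternalDomain("*.acme.local", "10.10.1.53", "10.10.2.53")],
    )
    print("BGP AS in use:", effective_bgp_as(cfg))
    print("problems:", validate(cfg) or "none")
```

Run it with the values you plan to type in; a non-empty list means the commit would either be rejected or, in the loopback case, accepted and then cause the routing problems the page warns about.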
- Enable Cortex Data Lake.
- Select the Cortex Data Lake tab.
- Select a Cortex Data Lake Theater and click OK.
- Configure the device groups you are using to push settings to Prisma Access with a Log Forwarding profile that forwards the desired log types to Panorama/Cortex Data Lake. The Cloud Services plugin automatically adds the following Log Settings (Device > Log Settings) after a new installation or when removing non-Prisma Access templates from a Prisma Access template stack:
- Log Settings for System logs (system-gpcs-default), User-ID logs (userid-gpcs-default), HIP Match logs (hipmatch-gpcs-default), and GlobalProtect logs (gp-prismaaccess-default) are added to the Mobile_User_Template.
- Log Settings for System logs (system-gpcs-default), User-ID logs (userid-gpcs-default), and GlobalProtect logs (gp-prismaaccess-default) are added to the Remote_Network_Template.
- Log Settings for System logs (system-gpcs-default) and GlobalProtect logs (gp-prismaaccess-default) are added to the Service_Conn_Template.
These Log Setting configurations automatically forward System, User-ID, HIP Match, and GlobalProtect logs to Cortex Data Lake. To apply log setting changes, perform the following steps, then commit and push your changes:
- To apply the log setting to the mobile user template, select Panorama > Cloud Services > Configuration > Mobile Users, click the gear icon to edit the settings, and click OK.
- To apply the log setting to the remote network template, select Panorama > Cloud Services > Configuration > Remote Networks, click the gear icon to edit the settings, and click OK.
- To apply the log setting to the service connection template, select Panorama > Cloud Services > Configuration > Service Setup, click the gear icon to edit the settings, and click OK.
The way you enable log forwarding for other log types depends on the type. For logs that are generated based on a policy match, use a log forwarding profile. See the Cortex Data Lake Getting Started Guide for more information.
- (Optional) Configure Miscellaneous settings.
- (Optional) Append the ending token for URLs in external dynamic lists (EDLs) or custom URL categories by selecting Append the ending token to the URLs in the URL filtering configuration. If you use URLs in EDLs or custom URL categories and do not append a forward slash (/) to the URL, the entry can match more URLs than you intended. For example, entering example.com as a matching URL instead of example.com/ would also match example.com.website.info or example.com.br. By selecting Append the ending token to the URLs in the URL filtering configuration, Prisma Access sets an ending token on URLs in EDLs or custom URL categories so that, if you enter example.com, Prisma Access treats it as it would treat example.com/ and only matches that URL.
- (Optional) Disable Traffic Logging on Service Connections to disable logging on the service connections for your Prisma Access deployment. If the majority of the traffic flows logged by the service connections are asymmetric, disabling service connection logging might be required to reduce the consumption of Cortex Data Lake logging storage. If your deployment does not have asymmetric flows via the service connections, you do not need to disable logging.
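The ending-token behaviour above is worth seeing concretely, because an over-broad EDL entry silently widens whatever rule references it. The script below is an added example, not Palo Alto Networks code: it is a simplified model of the prefix-style matching the page describes (a bare entry is a prefix of host-plus-path; an entry ending in / pins the host), not the PAN-OS matching engine, and it ignores wildcard entries. The `SAMPLE_URLS` list is constructed for the illustration.

```python
"""Why the 'Append the ending token' setting matters.

Added example, not Palo Alto Networks code: a simplified model of the
prefix-style matching the page describes for URL entries in an EDL or custom
URL category. It illustrates the behaviour; it is not the PAN-OS matching
engine and it ignores wildcard entries.
"""
from typing import List
from urllib.parse import urlsplit


def normalize(url: str) -> str:
    """Reduce a URL to lowercase 'host/path' (scheme, port and query dropped)."""
    if "://" not in url:
        url = "http://" + url            # assume a scheme if the input has none
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host + path


def with_ending_token(entry: str) -> str:
    """What the setting does to a bare entry: example.com -> example.com/."""
    return entry if entry.endswith("/") else entry + "/"


def entry_matches(entry: str, url: str) -> bool:
    """Match one EDL / custom-category entry against a URL.

    Without an ending token the entry is a bare prefix, so 'example.com' also
    matches example.com.website.info and example.com.br. With the token,
    'example.com/' requires the host to be exactly example.com (any path).
    """
    target = normalize(url)
    entry = entry.lower()
    if entry.endswith("/"):
        prefix = entry[:-1]
        return target.startswith(prefix + "/")
    return target.startswith(entry)


def unintended_matches(entry: str, urls: List[str]) -> List[str]:
    """URLs the bare entry matches that the token-terminated entry would not."""
    strict = with_ending_token(entry)
    return [u for u in urls if entry_matches(entry, u) and not entry_matches(strict, u)]


# Constructed sample URLs for the illustration (not real traffic).
SAMPLE_URLS = [
    "https://example.com/",
    "https://example.com/login",
    "http://example.com.website.info/",
    "https://example.com.br/",
    "https://notexample.com/",
]

if __name__ == "__main__":
    for u in unintended_matches("example.com", SAMPLE_URLS):
        print("matched only because the ending token is missing:", u)
```

Running `unintended_matches("example.com", SAMPLE_URLS)` returns the two look-alike hosts from the page, which is exactly the set the setting removes; feed it your own EDL entries and a sample of URL logs to see which entries are wider than intended.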
- (Optional) Configure Advanced settings (routing preferences, symmetric network path options for service connections, and HIP redistribution).
- Specify the Routing Preference to use with service connections. You can specify network preferences to use either your organization's network or the Prisma Access network to process the service connection traffic.
- Default—Prisma Access uses default routing in its internal network.
- Hot potato routing—Prisma Access hands off service connection traffic to your organization's WAN as quickly as possible.
Changing the Prisma Access service connection routing method requires a thorough understanding of your organization's topology and routing devices, along with an understanding of how Prisma Access routing works. We recommend that you read Routing for Service Connection Traffic carefully before changing the routing method from default.
- Configure the Backbone Routing to use for the service connections. By default, the Prisma Access backbone requires that you have a symmetric network path for the traffic returning from the data center or headquarters location by way of a service connection. If you want to use ECMP or another load balancing mechanism for service connections from your CPE, you can enable asymmetric flows through the Prisma Access backbone.
- Select no-asymmetric-routing to require symmetric flows across the service connection backbone (the default setting).
- Select asymmetric-routing-only to allow Prisma Access to use asymmetric flows across the service connection backbone.
- If you have multiple service connections to a location, you can take advantage of load balancing in your Prisma Access deployment by selecting asymmetric-routing-with-load-share. However, load balancing is done on a best-effort basis, and load balancing will fail if one of the service connections goes down.
- See Redistribute HIP Information with Prisma Access to use service connections to redistribute HIP information from mobile users and users at remote networks.
- See Identification and Quarantine of Compromised Devices in a Prisma Access GlobalProtect Deployment to have Prisma Access identify and quarantine compromised devices that are connected with the GlobalProtect app.
- Select Withdraw Static Routes if Service Connection or Remote Network IPSec tunnel is down if you want Prisma Access to remove static routes when a tunnel goes down without a backup tunnel. Prisma Access removes the route in the following situations:
- The primary tunnel goes down and there is no secondary tunnel.
- A primary and a secondary tunnel are configured, but both go down.
You cannot apply this change if tunnel monitoring is not enabled.
- (Optional) If you want to route remote network and service connection IPSec tunnel packets to the static IKE gateways over the internet, select Enable automatic IKE peer host routes for Remote Networks and Service Connections.
- (Optional) Specify Outbound Routes for the Service (Max 10) by adding up to 10 prefixes for which Prisma Access adds static routes on all service connections and remote network connections. Prisma Access then routes traffic to these prefixes over the internet.
- Click OK to save the Service Setup settings.
- Commit all your changes to Panorama and push the configuration changes to Prisma Access.
- Click Commit > Commit to Panorama.
- Click Commit > Push to Devices and click Edit Selections.
- On the Prisma Access tab, make sure Service setup is selected and then click OK. Prisma Access should automatically select the components that need to be committed.
- Click Push.
- Verify that Prisma Access is successfully connected to Cortex Data Lake.
- Select Panorama > Cloud Services > Status > Status and verify that the Cortex Data Lake status is OK. If the status is Error, click the details link to view any errors.
- Continue setting up Prisma Access: