Onboard a ZTNA Connector Using KVM

Onboard a ZTNA Connector using Kernel-based Virtual Machine (KVM).
To onboard a ZTNA Connector using a Kernel-based Virtual Machine (KVM), complete the following steps.
Before you start, make sure that you have the following prerequisites:
  1. Select Settings > ZTNA Connector > Connectors, find the connector you created for the KVM host, select Copy Token in the Status area, and copy the Key and Secret values.
    If you're using Strata Cloud Manager, go to Workflows > ZTNA Connector > Connectors.
  2. Upload the qcow image you downloaded from the CSP to the KVM host.
  3. If you have not already done so, build and associate the virtual bridge interfaces on the KVM host and prepare the host by entering the following commands:
    • brctl addbr virbr0
    • brctl addbr virbr1
    • brctl addif virbr1 ens192
  4. Deploy the VM on the KVM host by running the virt-install command with the following options set:
    • --name is the name of the virtual machine.
    • --vcpus is 4.
    • --memory is 16384 (16 GB).
    • --disk is the location and name of the qcow image on the KVM host.
    • --network references the virtual interfaces to attach to this VM (you need to deploy interfaces for a ZTNA Connector).
    The following is a sample command used to deploy the VM on the KVM host:
    virt-install --name ztna-conn-1 --vcpus 4 --memory 16384 --disk ./200v-6.1.1-ztna-connector-b4-kvm.qcow2 --import --network bridge=virbr0,model=virtio --network bridge=virbr1,model=virtio
  5. Connect to the VM console by entering the following command:
    virsh console ztna-conn-1
    An interactive CLI install program initiates.
  6. Configure the ION model, key, and secret.
    1. Select 1 (an ION Model of ion 200v) from the choices that display.
      root@ubuntu-kvm-vm:/home/ubuntu-kvm/Desktop# virsh console ztna-conn-1
      Connected to domain ztna-conn-1
      Escape character is ^]
      Select an ION model:
      1) ion 200v
      2) ion 3102v
      3) ion 3104v
      4) ion 3108v
      5) ion 7108v
      6) ion 7116v
      7) ion 7132v
      8) ion 9100v
      Choose a Number or (Q)uit: 1
      CPU: Passed (needed 4)
      Memory: Passed (needed 8.0G)
      Disk: Could not verify (needs 40.0G)
      Network: Passed (needed 1)
      Select an item to modify, or submit config:
      1) Model : ion 200v
      2) ION Key :
      3) Secret Key :
      4) Controller 1 : Controller - DHCP
      5) Port 1 : Disabled/Unused
      6) Port 2 : Disabled/Unused
      7) Port 3 : Disabled/Unused
      8) Port 4 : Disabled/Unused
      9) Port 5 : Disabled/Unused
      10) Port 6 : Disabled/Unused
      11) Port 7 : Disabled/Unused
      12) Port 8 : Disabled/Unused
      13) Port 9 : Disabled/Unused
      14) Submit and restart
    2. Input the Key from the connector by selecting option 2 and entering the key you saved from the ZTNA Connector UI.
      Choose a Number or (Q)uit: 2
      Enter ION Key[None]: xxxxxxxxxx-yyyyyyyy-zzz-1234-1234-abcdefghijkl
      Select an item to modify, or submit config:
      1) Model : ion 200v
      2) ION Key : xxxxxxxxx-yyyyyyyy-zzz-1234-1234-abcdefghijkl
      3) Secret Key :
      4) Controller 1 : Controller - DHCP
      5) Port 1 : Disabled/Unused
      6) Port 2 : Disabled/Unused
      7) Port 3 : Disabled/Unused
      8) Port 4 : Disabled/Unused
      9) Port 5 : Disabled/Unused
      10) Port 6 : Disabled/Unused
      11) Port 7 : Disabled/Unused
      12) Port 8 : Disabled/Unused
      13) Port 9 : Disabled/Unused
      14) Submit and restart
    3. Enter the ZTNA Connector secret by selecting option 3 and entering the secret you saved from the ZTNA Connector UI.
      Choose a Number or (Q)uit: 3
      Enter ION secret[None]: abcde12345
      Select an item to modify, or submit config:
      1) Model : ion 200v
      2) ION Key : xxxxxxxxx-yyyyyyyy-zzz-1234-1234-abcdefghijkl
      3) Secret Key : abcde12345
      4) Controller 1 : Controller - DHCP
      5) Port 1 : Disabled/Unused
      6) Port 2 : Disabled/Unused
      7) Port 3 : Disabled/Unused
      8) Port 4 : Disabled/Unused
      9) Port 5 : Disabled/Unused
      10) Port 6 : Disabled/Unused
      11) Port 7 : Disabled/Unused
      12) Port 8 : Disabled/Unused
      13) Port 9 : Disabled/Unused
      14) Submit and restart
  7. Configure WAN port options.
    1. Select option 5 (Port 1).
      Choose a Number or (Q)uit: 5
      Port 1:
      1) Role : Disable
      2) Cancel Port changes
      3) Apply and return
    2. Select option 1 (Public/WAN).
      Choose a Number or (Q)uit: 1
      Select Port Role:
      1) Internet facing port (PublicWAN)
      2) Private WAN port (PrivateWAN)
      3) Bypass Port Pair 1 (WAN Port)
      4) Bypass Port Pair 1 (LAN Port)
      5) Bypass Port Pair 2 (WAN Port)
      6) Bypass Port Pair 2 (LAN Port)
      7) Bypass Port Pair 3 (WAN Port)
      8) Bypass Port Pair 3 (LAN Port)
      9) Bypass Port Pair 4 (WAN Port)
      10) Bypass Port Pair 4 (LAN Port)
      11) Disabled/Unused
    3. (Optional) If you need to set a static IP address, choose option 2 and set the IP address, gateway, and DNS server parameters; otherwise, select 1.
      Choose a Number or (Q)uit: 1
      Port 1:
      1) Role : PublicWAN
      2) Config via : DHCP
      3) Cancel Port changes
      4) Apply and return
    4. Select option 4 to return to the main menu.
      Choose a Number or (Q)uit: 4
      Select an item to modify, or submit config:
      1) Model : ion 200v
      2) ION Key : xxxxxxxxx-yyyyyyyy-zzz-1234-1234-abcdefghijkl
      3) Secret Key : abcde12345
      4) Controller 1 : Controller - DHCP
      5) Port 1 : PublicWAN - DHCP
      6) Port 2 : Disabled/Unused
      7) Port 3 : Disabled/Unused
      8) Port 4 : Disabled/Unused
      9) Port 5 : Disabled/Unused
      10) Port 6 : Disabled/Unused
      11) Port 7 : Disabled/Unused
      12) Port 8 : Disabled/Unused
      13) Port 9 : Disabled/Unused
      14) Submit and restart
  8. Configure LAN port options.
    1. Select option 6 (Port 2).
      Choose a Number or (Q)uit: 6
      Port 2:
      1) Role : Disable
      2) Cancel Port changes
      3) Apply and return
    2. Select option 2 (PrivateWAN).
      Choose a Number or (Q)uit: 2
      Select Port Role:
      1) Internet facing port (PublicWAN)
      2) Private WAN port (PrivateWAN)
      3) Bypass Port Pair 1 (WAN Port)
      4) Bypass Port Pair 1 (LAN Port)
      5) Bypass Port Pair 2 (WAN Port)
      6) Bypass Port Pair 2 (LAN Port)
      7) Bypass Port Pair 3 (WAN Port)
      8) Bypass Port Pair 3 (LAN Port)
      9) Bypass Port Pair 4 (WAN Port)
      10) Bypass Port Pair 4 (LAN Port)
      11) Disabled/Unused
    3. (Optional) If you need to set a static IP address, choose option 2 and set the IP address, gateway, and DNS server parameters; otherwise, select 1.
      Choose a Number or (Q)uit: 2
      Port 2:
      1) Role : PrivateWAN
      2) Config via : DHCP
      3) Cancel Port changes
      4) Apply and return
    4. Select option 4 to return to the main menu.
      Choose a Number or (Q)uit: 4
      Select an item to modify, or submit config:
      1) Model : ion 200v
      2) ION Key : xxxxxxxxx-yyyyyyyy-zzz-1234-1234-abcdefghijkl
      3) Secret Key : abcde12345
      4) Controller 1 : Controller - DHCP
      5) Port 1 : PublicWAN - DHCP
      6) Port 2 : PrivateWAN - DHCP
      7) Port 3 : Disabled/Unused
      8) Port 4 : Disabled/Unused
      9) Port 5 : Disabled/Unused
      10) Port 6 : Disabled/Unused
      11) Port 7 : Disabled/Unused
      12) Port 8 : Disabled/Unused
      13) Port 9 : Disabled/Unused
      14) Submit and restart
  9. Save and reboot the connector.
    Choose a Number or (Q)uit: 14
    WARNING! After this configuration is submitted, all hardware will be signed, logged, and permanently tied to the ION Key/Secret Key in the Prisma SDWAN Cloud Controller.
    WHAT THIS MEANS is that hardware cannot be added/removed (disks, network cards) after this 'SUBMIT' function.
    If any hardware changes are required beyond this 'SUBMIT', the ION will need to be re-deployed with a new ION Key and Secret Key.
    If there is a need to add or remove hardware, please answer 'N' below and shut down the ION and make the changes now.
    Submit these changes now?[N]: y
    Building configuration...
    [VFF:CFG] ZeroTouch Config Starting - config file parser
    [VFF:CFG] Attempting to load/parse as Config/INI file.
    [VFF:CFG] Successfully Loaded config style file.
    [VFF:CFG] Controller 1 successfully set to CONTROLLER/DHCP.
    [VFF:CFG] Port 1 successfully set to PUBLICWAN/DHCP.
    [VFF:CFG] Port 2 successfully set to PRIVATEWAN/DHCP.
    [VFF:CFG] WARN: Port 3 had no config section. Defaulting to Disable.
    [VFF:CFG] WARN: Port 4 had no config section. Defaulting to Disable.
    [VFF:CFG] WARN: Port 5 had no config section. Defaulting to Disable.
    [VFF:CFG] WARN: Port 6 had no config section. Defaulting to Disable.
    [VFF:CFG] WARN: Port 7 had no config section. Defaulting to Disable.
    [VFF:CFG] WARN: Port 8 had no config section. Defaulting to Disable.
    [VFF:CFG] WARN: Port 9 had no config section. Defaulting to Disable.
    [VFF:CFG] Success with Config/INI file parser.
    [VFF:KVM] Menu config end, continuing normal boot...
    Reboot-reason: manufacture
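
Added example (not part of the vendor procedure and not Palo Alto Networks code): a shell check that compares the [VFF:CFG] messages printed in step 9 against the intended port plan, so an Internet-facing role on an unplanned port, or a planned port that defaulted to Disable, is caught from a saved console capture. The function names and the PORT=ROLE/MODE argument format are assumptions made for this example, and the sample log is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not vendor code. Audits the [VFF:CFG] messages from step 9.

# applied_ports LOGFILE: print PORT=ROLE/MODE for every port the installer
# says it configured. Only the message form shown on this page is matched;
# grep -o also copes with captures where several messages share one line.
applied_ports() {
  grep -oE '\[VFF:CFG\] Port [0-9]+ successfully set to [A-Z]+/[A-Z]+' "$1" |
    awk '{ print $3 "=" $7 }'
}

# check_vff_log LOGFILE PORT=ROLE/MODE...
# Returns 0 only when the configured ports are exactly the planned ones and
# the parser reported success; prints one FAIL line per deviation.
check_vff_log() {
  log=$1; shift
  rc=0
  applied=$(applied_ports "$log")
  for want in "$@"; do
    printf '%s\n' "$applied" | grep -qxF -- "$want" ||
      { echo "FAIL: planned $want was not applied"; rc=1; }
  done
  for got in $applied; do
    case " $* " in
      *" $got "*) ;;
      *) echo "FAIL: unplanned $got is enabled"; rc=1 ;;
    esac
  done
  grep -qF '[VFF:CFG] Success with Config/INI file parser.' "$log" ||
    { echo "FAIL: parser success line missing"; rc=1; }
  return "$rc"
}

# Constructed sample: messages copied from the console output on this page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[VFF:CFG] Controller 1 successfully set to CONTROLLER/DHCP.
[VFF:CFG] Port 1 successfully set to PUBLICWAN/DHCP.
[VFF:CFG] Port 2 successfully set to PRIVATEWAN/DHCP.
[VFF:CFG] WARN: Port 3 had no config section. Defaulting to Disable.
[VFF:CFG] Success with Config/INI file parser.
EOF

check_vff_log "$sample" 1=PUBLICWAN/DHCP 2=PRIVATEWAN/DHCP &&
  echo "OK: port roles match the plan"
```

A full console capture also contains the ION Key and Secret Key echoed by the installer menu, so store it with the same access restrictions as the token itself.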
