Prisma Access
Integrate Prisma Access with Aruba SD-WAN
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrate Prisma Access with Aruba SD-WAN
Where Can I Use This? | What Do I Need? |
---|---|
|
|
The following table shows the SD-WAN supported by the Aruba SD-WAN. For more detailed
information about supported architectures, see Reference Architectures Supported with the Aruba and Prisma Access Deployment.
Use Case | Architecture | Supported? |
---|---|---|
Securing traffic from each branch site with 1 WAN link (Type 1) | Yes For branch-to-branch traffic, traffic from the
branch first goes to the hub site and then is routed to the other
branch. As of now, direct branch-to-branch isn't
supported. | |
Securing branch and HQ sites with active/backup SD-WAN connections | Yes | |
Securing branch and HQ sites with active/active SD-WAN connections | Yes | |
Securing branch and HQ sites with SD-WAN edge devices in HA mode | Yes Active-active HA is supported at the branch, and
there can be active uplinks between both HA gateways and Prisma
Access. | |
Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2) | Yes |
Integrate Prisma Access with Aruba SD-WAN (Strata Cloud Manager)
Configure the Aruba SD-WAN with Prisma Access by completing the following
workflow.
To configure the remote network connection, complete the following task.
- Connect a remote network to Prisma Access.When configuring the remote network, use the validated settings.Choose a Prisma Access Location that is close to the remote network location that you want to onboard.Select IPSec Advanced Options and Create New to create a new IPSec Crypto profile for the remote network tunnel using the recommended settings.Select IKE Advanced Options and Create New to create a new IKE cryptographic profile for the remote network tunnel.Be sure to use the crypto values that are supported with Aruba and make a note of the values you use.Set up routing for the remote network.Set Up Routing and Add the IP subnets for Static Routing.Push your configuration changes.
- Return to ManageService SetupRemote Networks and select Push ConfigPush.Select Remote Networks.Push your changes.Make a note of the Service IP of the Prisma Access side of the tunnel. To find this address in Prisma Access (Managed by Strata Cloud Manager), select ManageService SetupRemote Networks, click the Remote Networks. Look for the Service IP field corresponding to the remote network configuration you created.In the Aruba Branch Gateway, set up the tunnel to Prisma Access.
- Select VPNCloud SecurityPalo Alto Networks - GPCS.Enter values in the fields.
- Name—Enter an administrative name for the tunnel. The system will append _gpcs at the end.
- Priority—Enter a numeric identifier for the tunnel.
- Transform—Select default-aes, which uses AES256 encryption with SHA1 Hash.
- Source FQDN—Enter the user ID created in Prisma Access (santaclara.branch in the following screenshot).
- Tunnel destination IP—Enter the Service IP Address from the remote network connection that you got when you configured the remote network connection in Prisma Access
- Uplink VLAN—Select the Uplink VLAN to be used to bring up tunnels to Prisma Access (in the case of BGWs) or the source VLAN in the case of VPNCs.
- IKE Shared Secret—Set the same value created in the Prisma Access configuration.
The solution can set up multiple tunnels and determine which traffic is sent through each one using PBR policy rules; therefore, you can configure active-active and active-backup redundancy.Even though the source FQDN has to be unique on a per-branch basis, you should configure the remaining parts of the tunnel configuration at the group level whenever possible. This hierarchical configuration model greatly streamlines configuration efforts. The following screenshot shows a specific Source FQDN configured for the local configuration and a generic Source FQDN specified for the group-level configuration.Create one or more next-hop lists with the tunnels.After you create the tunnels, next-hop lists group them together to be used inside PBR policy rules.- Select NextHop ConfigurationRouting.Create a NextHop.Add Site-to-Site IPSec maps.Enter different priorities for the different tunnels.Prisma Access does not support load-balancing.Select Preemptive-failover.Add the next hop to a routing policy by selecting RoutingPolicy-Based Routing.In the following example, the policy is sending all the traffic to private subnets (an alias representing 10.0.0.0/8 and 172.16.0.0/12) through the regular path, and it’s sending the rest of the traffic through the Prisma Access nodes.Apply policy rules to the roles or VLANs.After you create the routing policy, the last step you perform is to apply it to the role or VLAN that you want to send through Prisma Access.If there is a conflict between PBR policy rules applied to a role and VLAN, policy rules applied to the role take precedence.The following screen shows a PBR policy being applied to a VLAN.The following screen shows a PBR policy being applied to a role.(Optional) Verify the status of the remote network tunnel and troubleshoot when needed.
Verify the Aruba Remote Network
To verify the status of the remote network tunnel, perform one or more of the following steps.- Check the state of the tunnel from the interface of Aruba Central from the gateway monitoring page, in the tunnels section:
- Use CLI from the BGWs, either through SSH or through the remote console provided in Aruba central.
- You can also use CLI to verify if the user is in the correct role.
Troubleshoot the Aruba Remote Network
Prisma Access provides logs and widgets that provide you with the status of remote tunnels and the status of each tunnel.- Go to ManageService SetupRemote Networks and check the Status of the tunnel.
- Go to ActivityLog Viewer and check the Common/System logs for IPSec- and IKE-related messages.To view VPN-relates messages, set the filter to sub_type.value = vpn.The message ignoring unauthenticated notify payload indicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already occurred.
- Check the Firewall/Traffic logs and view the messages that are coming from the zone that has the same name as the remote network.In the logs, the remote network name is used as the source zone.
Integrate Prisma Access with Aruba SD-WAN (Panorama)
You manage and configure Prisma Access using the same Panorama appliance that you use to manage on-premises firewalls. To configure the remote network connection, complete the following task.- Create a new IPSec crypto profile in Panorama.The IKE and IPSec Crypto profiles you create in these steps are common to all branches and you only need to create them once.
- Select NetworkNetwork ProfilesIPSec Crypto.Add a new IPSec Crypto profile using the following recommended settings:
- Encryption: aes-256-cbc
- Authentication: sha1
- DH Group: group14
- Lifetime: 2 Hours
Create a new IKE crypto profile for the remote network tunnel.Be sure to use crypto values that are supported with Aruba and make a note of the values you use.Create a new IKE gateway in Panorama.- Select NetworkNetwork ProfilesIKE Gateways.Add a new IKE gateway.Enter the following parameters:
- In the General tab, leave the Local Identification IP address blank, because you don't know what this address is at the time of configuration. You can, however, enter in the Peer Identificaiton of a type of FQDN (hostname) and enter the FQDN of the BGW.
- In the Advanced Options tab, enter the fields as shown in the following screenshot. Be sure to specify the IKE Crypto Profile you created in step 1
Create an IPSec tunnel configuration.After you create the IKE gateway, you can apply it to the IPSec tunnel you create.- Select NetworkIPSec Tunnels.Add a new IPSec tunnel.In the General tab, specify the IKE Gateway and IPSec Crypto Profile you created in earlier steps.Create a remote network connection in Panorama.Specify the following parameters:
- Choose a Region that is close to the remote network location that you want to onboard.
- Specify the IPSec Tunnel you created.
- If a secondary gateway is in place in the branch, specify this secondary gateway as a secondary by selecting Enable Secondary WAN and selecting the tunnel between the secondary BGW andPrisma Access.
Retrieve the Service IP Address of the Prisma Access side of the tunnel by selecting PanoramaCloud ServicesStatusNetwork Details, clicking the Remote Networks radio button, and copying the address in the Service IP Address field.You need the Service IP Address to the IPSec tunnel for the Aruba SD-WAN.Configure the Aruba BGW
The configuration required for the BGWs is straightforward and can apply Aruba Central’s group-based configuration to reuse as much configuration as possible across branches.- In the Aruba Branch Gateway, set up the tunnel to Prisma Access.
- Select VPNCloud SecurityPalo Alto Networks - GPCS.Enter values in the fields.
- Name—Enter an administrative name for the tunnel. The system will append _gpcs at the end.
- Priority—Enter a numeric identifier for the tunnel.
- Transform—Select default-aes, which uses AES256 encryption with SHA1 Hash.
- Source FQDN—Enter the User-ID created in Prisma Access (santaclara.branch in the following screenshot).
- Tunnel destination IP—Enter the Service IP Address from the remote network connection that you got when you configured the remote network connection in Prisma Access
- Uplink VLAN—Select the Uplink VLAN to be used to bring up tunnels to Prisma Access (in the case of BGWs) or the source VLAN in the case of VPNCs.
- IKE Shared Secret—Set the same value created in the Prisma Access configuration.
The solution can set up multiple tunnels and determine which traffic is sent through each one using PBR policy rules; therefore, you can configure active/active and active-backup redundancy.Even though the source FQDN has to be unique on a per-branch basis, you should configure the remaining parts of the tunnel configuration at the group level whenever possible. This hierarchical configuration model greatly streamlines configuration efforts. The following screenshot shows a specific Source FQDN configured for the local configuration and a generic Source FQDN specified for the group-level configuration.Create one or more next-hop lists with the tunnels.After you create the tunnels, next-hop lists group them together to be used inside PBR policy rules.- Select RoutingNextHop Configuration.Create a NextHop.Add Site-to-Site IPSec maps.Enter different priorities for the different tunnels.Prisma Access does not support load-balancing.Select Preemptive-failover.Add the next hop to a routing policy by selecting RoutingPolicy-Based Routing.In the following example, the policy is sending all the traffic to private subnets (an alias representing 10.0.0.0/8 and 172.16.0.0/12) through the regular path, and it’s sending the rest of the traffic through the Prisma Access nodes.Apply policy rules to the roles or VLANs.After you create the routing policy, the last step you perform is to apply it to the role or VLAN that you want to send through Prisma Access.If there is a conflict between PBR policy rules applied to a role and VLAN, policy rules applied to the role take precedence.The following screen shows a PBR policy being applied to a VLAN.The following screen shows a PBR policy being applied to a role.Continue to verify the status and troubleshoot the remote network tunnel.
Verify the Aruba Remote Network
To verify the status of the remote network tunnel, perform one or more of the following steps.- Check the state of the tunnel from the interface of Aruba Central from the gateway monitoring page, in the tunnels section:
- Check the state of the tunnel from Prisma Access by selecting PanoramaCloud ServicesStatusMonitorRemote Networks.
- Use CLI from the BGWs, either through SSH or through the remote console provided in Aruba central.
- You can also use CLI to verify if the user is in the correct role.
Troubleshoot the Aruba Remote Network
Prisma Access provides logs that provide you with the status of remote tunnels and the status of each tunnel. To view these logs in Panorama, select MonitorLogsSystem.To debug tunnel issues, you can filter for tunnel-specific logs by using the object identifier corresponding to that tunnel. The following figures show errors related to tunnel misconfiguration and negotiation issues.