Prisma Access
Cloud Management
Configure the Aruba SD-WAN with Prisma Access by completing the following workflow.
To configure the remote network connection, complete the following task.
- When configuring the remote network, use the validated settings. Choose a Prisma Access Location that is close to the remote network location that you want to onboard.
- Select IPSec Advanced Options and Create New to create a new IPSec Crypto profile for the remote network tunnel using the recommended settings.
- Select IKE Advanced Options and Create New to create a new IKE cryptographic profile for the remote network tunnel. Be sure to use the crypto values that are supported with Aruba, and make a note of the values you use; the Aruba side must be configured with the same values.
- Set up routing for the remote network. Set Up Routing and Add the IP subnets for Static Routing.
- Push your configuration changes.
- Return to Manage > Service Setup > Remote Networks and select Push Config > Push.
- Select Remote Networks.
- Push your changes.
- Make a note of the Service IP of the Prisma Access side of the tunnel. To find this address in Prisma Access (Cloud Management), select Manage > Service Setup > Remote Networks, click Remote Networks, and look for the Service IP field corresponding to the remote network configuration you created.
- In the Aruba Branch Gateway, set up the tunnel to Prisma Access.
- Select VPN > Cloud Security > Palo Alto Networks - GPCS.
- Enter values in the fields.
- Name—Enter an administrative name for the tunnel. The system appends _gpcs to the end of the name.
- Priority—Enter a numeric identifier for the tunnel.
- Transform—Select default-aes, which uses AES256 encryption with SHA1 hash.
- Source FQDN—Enter the user ID created in Prisma Access (santaclara.branch in the following screenshot).
- Tunnel destination IP—Enter the Service IP address from the remote network connection that you noted when you configured the remote network connection in Prisma Access.
- Uplink VLAN—Select the Uplink VLAN to be used to bring up tunnels to Prisma Access (in the case of BGWs) or the source VLAN (in the case of VPNCs).
- IKE Shared Secret—Set the same value created in the Prisma Access configuration.
The solution can set up multiple tunnels and determine which traffic is sent through each one using PBR policy rules; therefore, you can configure active-active and active-backup redundancy. Even though the Source FQDN has to be unique on a per-branch basis, you should configure the remaining parts of the tunnel configuration at the group level whenever possible. This hierarchical configuration model greatly streamlines configuration efforts. The following screenshot shows a specific Source FQDN configured for the local configuration and a generic Source FQDN specified for the group-level configuration.
- Create one or more next-hop lists with the tunnels. After you create the tunnels, next-hop lists group them together so that they can be used inside PBR policy rules.
- Select NextHop Configuration under Routing.
- Create a NextHop.
- Add Site-to-Site IPSec maps.
- Enter different priorities for the different tunnels. Prisma Access does not support load-balancing across tunnels, so the priorities determine which tunnel is active.
- Select Preemptive-failover.
- Add the next hop to a routing policy by selecting Routing > Policy-Based Routing. In the following example, the policy sends all traffic to private subnets (an alias representing 10.0.0.0/8 and 172.16.0.0/12) through the regular path, and sends the rest of the traffic through the Prisma Access nodes.
- Apply policy rules to the roles or VLANs. After you create the routing policy, the last step is to apply it to the role or VLAN whose traffic you want to send through Prisma Access. If there is a conflict between PBR policy rules applied to a role and to a VLAN, the policy rules applied to the role take precedence. The following screen shows a PBR policy being applied to a VLAN. The next screen shows a PBR policy being applied to a role.
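Most tunnel negotiation failures between a Branch Gateway and Prisma Access come from the two sides disagreeing on the IKE/IPSec crypto values noted earlier, or from a Source FQDN being reused across branches. The following script is an added example (not code from Palo Alto Networks or Aruba) that audits both conditions before you push the configuration: it compares the Prisma Access crypto profiles against the Aruba transform settings, flags the legacy SHA1 hash that the default-aes transform uses, and reports duplicate Source FQDNs. All profile values, branch names and FQDNs are constructed sample data, not vendor defaults.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class CryptoProfile:
    """Negotiation parameters that must agree on both ends of an IPSec tunnel."""
    encryption: str        # e.g. "aes-256-cbc"
    authentication: str    # e.g. "sha1" or "sha256"
    dh_group: str          # IKE DH group, or the PFS group of the IPSec SA ("none" = no PFS)
    lifetime_seconds: int  # SA lifetime; a mismatch causes rekey churn rather than a hard failure


# Parameters whose mismatch stops the SA from coming up at all.
HARD_FIELDS = ("encryption", "authentication", "dh_group")
# Hashes that still negotiate but are legacy choices (default-aes on the Aruba side uses SHA1).
LEGACY_HASHES = {"sha1", "md5"}


def compare_profiles(label: str, prisma: CryptoProfile, aruba: CryptoProfile) -> list[str]:
    """Return human-readable findings; an empty list means the two sides agree."""
    findings: list[str] = []
    for field in HARD_FIELDS:
        p, a = getattr(prisma, field), getattr(aruba, field)
        if p.lower() != a.lower():  # vendors differ in capitalisation only
            findings.append(
                f"{label}: {field} mismatch (Prisma Access={p}, Aruba={a}); tunnel will not negotiate"
            )
    if prisma.lifetime_seconds != aruba.lifetime_seconds:
        findings.append(
            f"{label}: lifetime differs ({prisma.lifetime_seconds}s vs {aruba.lifetime_seconds}s); "
            "the shorter side drives rekeying, expect extra rekey entries in the system log"
        )
    if prisma.authentication.lower() in LEGACY_HASHES:
        findings.append(
            f"{label}: {prisma.authentication} is a legacy hash; prefer sha256 if both sides support it"
        )
    return findings


def check_source_fqdns(tunnels: dict[str, str]) -> list[str]:
    """Each branch needs a unique Source FQDN (its IKE identity); report any reuse.

    `tunnels` maps branch name -> Source FQDN configured on that branch's gateway.
    """
    counts = Counter(tunnels.values())
    return [
        f"source FQDN {fqdn!r} reused by {sorted(b for b, f in tunnels.items() if f == fqdn)}"
        for fqdn, n in counts.items()
        if n > 1
    ]


def audit(prisma_ike: CryptoProfile, aruba_ike: CryptoProfile,
          prisma_ipsec: CryptoProfile, aruba_ipsec: CryptoProfile,
          tunnels: dict[str, str]) -> list[str]:
    """Run every check and return the combined list of findings."""
    return (compare_profiles("IKE", prisma_ike, aruba_ike)
            + compare_profiles("IPSec", prisma_ipsec, aruba_ipsec)
            + check_source_fqdns(tunnels))


# --- constructed sample data (hypothetical values, not vendor defaults) ---
PRISMA_IKE = CryptoProfile("aes-256-cbc", "sha1", "group14", 28800)
ARUBA_IKE = CryptoProfile("AES-256-CBC", "sha1", "group14", 28800)
PRISMA_IPSEC = CryptoProfile("aes-256-cbc", "sha1", "none", 3600)
ARUBA_IPSEC = CryptoProfile("aes-256-cbc", "sha1", "group14", 3600)  # PFS enabled on one side only
TUNNELS = {
    "santaclara": "santaclara.branch",
    "sanjose": "sanjose.branch",
    "fremont": "santaclara.branch",  # copy-pasted from another branch by mistake
}

if __name__ == "__main__":
    for finding in audit(PRISMA_IKE, ARUBA_IKE, PRISMA_IPSEC, ARUBA_IPSEC, TUNNELS):
        print(finding)
```

With the sample data the IKE profiles agree (only the SHA1 advisory is reported), the IPSec profiles fail on the PFS group, and the duplicated Source FQDN is listed with both branches that use it. Feed the script the values you recorded from the Prisma Access IKE and IPSec crypto profiles and the Aruba transform, and treat any "will not negotiate" finding as something to fix before pushing.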
Verify the Aruba Remote Network
To verify the status of the remote network tunnel, perform one or more of the following steps.
- Check the state of the tunnel from the Aruba Central interface, on the gateway monitoring page, in the tunnels section:
- Check the state of the tunnel from Prisma Access by selecting Insights > Tunnels.
- Use the CLI on the BGWs, either through SSH or through the remote console provided in Aruba Central.
- You can also use the CLI to verify that the user is in the correct role.
Troubleshoot the Aruba Remote Network
Prisma Access provides logs and widgets that show the status of remote tunnels and of each individual tunnel.
- Go to Manage > Service Setup > Remote Networks and check the Status of the tunnel.
- Go to Activity > Log Viewer and check the Common/System logs for IPSec- and IKE-related messages. To view VPN-related messages, set the filter to sub_type.value = vpn. The message "ignoring unauthenticated notify payload" indicates that the route has not been added to the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already completed.
- Check the Firewall/Traffic logs and view the messages that are coming from the zone that has the same name as the remote network. In the logs, the remote network name is used as the source zone.