Integrate Prisma Access with HPE Aruba Networking EdgeConnect SD-WAN
Learn how to integrate Prisma Access with HPE Aruba Networking EdgeConnect SD-WAN (Silver Peak).
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • HPE Aruba Networking EdgeConnect SD-WAN Orchestrator (minimum version 9.3.1.40717)
Organizations using HPE Aruba Networking EdgeConnect SD-WAN (formerly Silver Peak) can seamlessly integrate with Prisma Access to strengthen security for branch internet traffic. This integration streamlines the onboarding of Remote Networks—with aggregate bandwidth—by establishing IPSec tunnels between EdgeConnect SD-WAN devices and Prisma Access, encouraging broader adoption.
Our solution leverages the Service Orchestration feature in HPE Aruba Networking EdgeConnect SD-WAN Orchestrator to define a custom Service within the Orchestrator and deploy tunnels across multiple devices. It ensures consistent configurations and automates the selection of IPSec termination nodes, enabling secure, scalable connectivity without manual effort.
This automated approach supports several tunnel topologies, making the integration reliable and easier to scale.
The integration supports tunnel formation from up to two user-selected WAN links per SD-WAN device to a maximum of two Prisma Access compute locations.
To onboard the HPE Aruba Networking EdgeConnect SD-WAN devices manually, see Integrate Prisma Access with HPE Aruba Networking EdgeConnect SD-WAN (Manual Integration).
Ensure you meet the following requirements before you integrate Prisma Access with HPE Aruba Networking EdgeConnect SD-WAN:
Prisma Access requirements:
  • Update Prisma Access to minimum version 5.0.
  • Migrate Remote Networks to the aggregate bandwidth model.
  • Activate a bandwidth license per compute location.
HPE Aruba Networking EdgeConnect SD-WAN requirements:
  • An active HPE Aruba Networking EdgeConnect SD-WAN Orchestrator (minimum version 9.3.1.40717).
  • Devices configured with at least one eligible (Primary) Interface for tunnel formation with Prisma Access.
  • Only the following Interface Labels are eligible for the integration:
    • Labels with type WAN
    • Labels marked as Primary or Backup

HPE Aruba Networking EdgeConnect SD-WAN Topologies

This section outlines several topology options for integrating HPE Aruba Networking EdgeConnect SD-WAN with Prisma Access. The integration supports a range of deployment scenarios—from simple single-tunnel setups to complex high-availability configurations—allowing you to select the most suitable design based on your network architecture, redundancy requirements, and performance goals.
Use case: Single Device; Single Link (Primary); Single RN-SPN
  HPE SD-WAN:
    • Single device with a single primary Internet link.
    • Single IPSec tunnel to the closest RN-SPN over the primary WAN link.
  Prisma Access:
    • Single RN-SPN with a single tunnel per device.
Use case: Single Device; Single Link (Primary); Dual RN-SPNs
  HPE SD-WAN:
    • Single device with a single primary Internet link.
    • Two IPSec tunnels to the closest Prisma Access RN-SPNs over the primary WAN link.
  Prisma Access:
    • Two RN-SPNs, each with a single tunnel to and from the WAN interface of the device.
    • RN-SPNs may be in the same region or in different regions.
Use case: Single Device; Dual Links (Primary/Primary); Single RN-SPN
  HPE SD-WAN:
    • Single device with two Primary Internet links.
    • Two IPSec tunnels to the same closest Prisma Access RN-SPN over different WAN links.
  Prisma Access:
    • Single RN-SPN with two tunnels to the same device.
Use case: Single Device; Dual Links (Primary/Primary); Dual RN-SPNs
  HPE SD-WAN:
    • Single device with two Primary Internet links.
    • Four IPSec tunnels to the closest RN-SPNs over different WAN links.
  Prisma Access:
    • Two RN-SPNs, each with two tunnels to and from the two WAN interfaces of the device.
    • RN-SPNs may be in the same region or in different regions.
Use case: Single Device; Dual Links (Primary/Backup); Single RN-SPN
  HPE SD-WAN:
    • Single device with two Internet links (one Primary and one Backup).
    • Two IPSec tunnels to the closest Prisma Access RN-SPN over different WAN links.
  Prisma Access:
    • Single RN-SPN with two tunnels to the same device.
Use case: Single Device; Dual Links (Primary/Backup); Dual RN-SPNs
  HPE SD-WAN:
    • Single device with two Internet links (one Primary and one Backup).
    • Four IPSec tunnels to the closest RN-SPNs.
  Prisma Access:
    • Two RN-SPNs, each with two tunnels to and from the two WAN interfaces (Primary and Backup) of the device.
    • RN-SPNs may be in the same region or in different regions.
Use case: Dual Devices; Dual Links (Primary/Primary); Single RN-SPN
  HPE SD-WAN:
    • Dual devices in HA mode.
    • Each device with an Internet link (Primary), two primary links in total.
    • Four IPSec tunnels to the nearest RN-SPN:
      • Two tunnels originating from the Primary link, one directly to the Internet, the other from the HA link through the Secondary Node.
      • Two tunnels originating from the Secondary link, one directly to the Internet, the other from the HA link through the Primary Node.
  Prisma Access:
    • Single RN-SPN with four tunnels to and from the two primary interfaces of the dual device in HA mode.
    • RN-SPNs may be in the same region or in different regions.
Use case: Dual Devices; Dual Links (Primary/Primary); Dual RN-SPNs
  HPE SD-WAN:
    • Dual devices in HA mode.
    • Each device with an Internet link (Primary), two primary links in total.
    • Eight IPSec tunnels to the two nearest RN-SPNs:
      • Four tunnels originating from the Primary link, two directly to the Internet, the other two from the HA link through the Secondary link.
      • Four tunnels originating from the Secondary link, two directly to the Internet, the other two from the HA link through the Primary link.
  Prisma Access:
    • Two RN-SPNs, each of which sees 4 tunnels to and from the two Primary Interfaces of the dual device in HA mode.
    • RN-SPNs may be in a single region or in two different regions.
The HPE Aruba Networking EdgeConnect SD-WAN with Prisma Access integration automatically assigns a Device Interface (link), the nearest Prisma Access location, and the IPSec termination nodes. You can manually select different interfaces (links), locations, or nodes if needed. Based on the topology redundancy type and the selected IPSec termination nodes, the corresponding tunnels are created. For topologies requiring a single IPSec termination node, ensure that the same node is selected for both rows displayed in the UI.
| Redundancy Type | Number of Interface Labels on Device | Number of IPSec Termination Nodes Selected | Number of Tunnels |
| --- | --- | --- | --- |
| Single WAN | 1 | 1 | After you enable the device, the integration creates 1 tunnel to the IPSec termination node. |
| Single WAN | 1 | 2 (same or different regions) | After you enable the device, the integration creates 2 tunnels to 2 IPSec termination nodes. |
| Primary/Primary | 2 (both Interfaces are active) | 1 | After you enable the device, the integration creates 2 tunnels to the IPSec termination node. |
| Primary/Primary | 2 (both Interfaces are active) | 2 (same or different regions) | After you enable the device, the integration creates 4 tunnels to 2 IPSec termination nodes. |
| Primary/Backup | 2 (1 active and 1 backup Interface) | 1 | After you enable the device, the integration creates 2 tunnels to the IPSec termination node. |
| Primary/Backup | 2 (1 active and 1 backup Interface) | 2 (same or different regions) | After you enable the device, the integration creates 4 tunnels to 2 IPSec termination nodes. |
| Device HA | 2 (1 active Interface in each device) | 1 | After you enable the device, the integration creates 4 tunnels to the IPSec termination node. |
| Device HA | 2 (1 active Interface in each device) | 1 or 2 (same or different regions) | After you enable the device, the integration creates 8 tunnels to 2 IPSec termination nodes. |
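The following pre-flight check is an added example, not code from Palo Alto Networks or HPE. It applies the eligibility and topology rules described above (WAN labels matched case-sensitively against the Primary/Backup label settings, one Primary label required, the four redundancy types, and the tunnel counts from the table) so you can predict what the integration should create for a device before enabling it. The Device and Result structures, the sample labels, and the HA-peer field are assumptions made for the example.

```python
# Added example (not Palo Alto Networks or HPE code): predict the redundancy
# type and tunnel count the integration should produce for a device, or report
# why the device is ineligible for discovery. Label matching is case-sensitive,
# as on the integration settings page.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    name: str
    wan_labels: list                              # WAN-type labels on the deployment page
    ha_peer_wan_labels: Optional[list] = None     # assumed: set only for an HA pair


@dataclass
class Result:
    device: str
    eligible: bool
    redundancy: Optional[str] = None
    tunnels: int = 0
    reasons: list = field(default_factory=list)


def parse_label_setting(value: str) -> list:
    """Parse a comma-separated setting such as 'Label1, Label2' (case preserved)."""
    return [item.strip() for item in value.split(",") if item.strip()]


def classify(device: Device, primary_setting: str, backup_setting: str, nodes: int) -> Result:
    primary = set(parse_label_setting(primary_setting))
    backup = set(parse_label_setting(backup_setting))
    res = Result(device=device.name, eligible=False)
    if nodes not in (1, 2):
        res.reasons.append("the integration supports at most two IPSec termination nodes")
        return res
    if not device.wan_labels:
        res.reasons.append("no interface labels on the deployment page")
        return res
    prim = [lbl for lbl in device.wan_labels if lbl in primary]
    back = [lbl for lbl in device.wan_labels if lbl in backup]
    if not prim:
        res.reasons.append("no Primary interface label (check case-sensitive settings)")
        return res
    if device.ha_peer_wan_labels is not None:
        if not any(lbl in primary for lbl in device.ha_peer_wan_labels):
            res.reasons.append("HA peer has no Primary interface label")
            return res
        res.redundancy, links = "Device HA", 2
    elif len(prim) >= 2:                 # at most two links are used per device
        res.redundancy, links = "Primary/Primary", 2
    elif back:
        res.redundancy, links = "Primary/Backup", 2
    else:
        res.redundancy, links = "Single WAN", 1
    # One tunnel per link per termination node; an HA pair also forms a tunnel
    # from each link via the HA link through the peer node, doubling the count.
    per_node = links * (2 if res.redundancy == "Device HA" else 1)
    res.eligible = True
    res.tunnels = per_node * nodes
    return res


# Constructed sample settings and devices (not from the page).
SETTINGS_PRIMARY = "INET1, INET2"
SETTINGS_BACKUP = "LTE"
SAMPLE_DEVICES = [
    Device("branch-a", ["INET1"]),
    Device("branch-b", ["INET1", "INET2"]),
    Device("branch-c", ["INET1", "LTE"]),
    Device("branch-d", ["inet1"]),                        # wrong case: ineligible
    Device("dc-ha", ["INET1"], ha_peer_wan_labels=["INET2"]),
]


def check_all(nodes: int = 1) -> dict:
    return {d.name: classify(d, SETTINGS_PRIMARY, SETTINGS_BACKUP, nodes) for d in SAMPLE_DEVICES}


if __name__ == "__main__":
    for name, r in check_all(2).items():
        print(f"{name}: eligible={r.eligible} type={r.redundancy} tunnels={r.tunnels} {r.reasons}")
```

Compare the predicted tunnel count with the tunnels visible under the service's Tunnels tab in Orchestrator and the AUTO-HPE-<Device_Name> remote network in Strata Cloud Manager; a mismatch usually points at a label typo or a changed topology.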

Integrate HPE Aruba Networking EdgeConnect SD-WAN with Prisma Access

  1. Configure Interface labels in HPE Aruba Orchestrator.
    1. Configure valid LAN and WAN type interface labels to form IPSec tunnels to Prisma Access.
    2. Deploy the devices with the appropriate labels. The integration application later determines the topology for each device based on the WAN-type Interface labels added on the device deployment page.
  2. Configure the HPE Aruba Networking EdgeConnect integration settings in Strata Cloud Manager.
    1. Go to Workflows > Integrations > Prisma Access.
    2. Locate HPE Aruba Networking EdgeConnect SD-WAN with Prisma Access.
    3. Click the Settings icon and add the following values on the HPE Aruba Networking EdgeConnect SD-WAN with Prisma Access page.
      • Orchestrator IP: Enter the HPE Aruba Networking EdgeConnect Orchestrator IP address (Ex: 172.16.3.22).
      • API Key: In HPE Aruba Networking EdgeConnect SD-WAN Orchestrator, generate an API key with the role set to SuperAdmin.
      • IPSLA Interface Label: Enter the LAN Interface label (case-sensitive) from step 1 for IPSLA configurations.
      • Primary Interface Label: Specify the Interface Labels to be marked as Primary in the HPE Service Orchestrator as comma separated values (case-sensitive). Example: Label1, Label2.
      • Backup Interface Labels (Optional): Specify the interface labels to be marked as Backup in the HPE Service Orchestrator as comma separated values (case-sensitive). Example: Label1, Label2.
      • PSK Seed: Enter the PSK seed, a string used to derive a pre-shared key (PSK) per tunnel.
        This input is required because the integration uses the seed to automatically generate the PSKs for the IPSec tunnels.
      • Admin State: Select the Admin state to Enabled.
        • Enabled: Enables the integration to discover new devices on HPE Aruba Networking EdgeConnect SD-WAN Orchestrator that are eligible for tunnel formation with Prisma Access
        • Paused: In the paused state, all integration activity is temporarily stopped. However, the configurations that have already been set up by the integration remain intact. This means that existing connections and policies are not affected, but no new changes will be made.
        • Disabled: Disables the integration and removes all configurations it created in Prisma Access and in HPE Aruba Networking EdgeConnect SD-WAN Orchestrator for tunnels set up between them.
          Disabling the integration brings down all tunnels and deletes all Remote Endpoints created for the Service by the Integration Application in the HPE Aruba Networking EdgeConnect SD-WAN Orchestrator. It must be done with caution.
    4. Check Connectivity to verify the connection and Save the changes.
      You can save changes only after you check connectivity each time you change the settings or configurations.
      This triggers a discovery process that finds eligible devices in HPE Aruba Networking EdgeConnect SD-WAN and creates a Service named PaloAltoNetworks_<PA_TSG_ID> (with a PAN prefix), where PA_TSG_ID is the Prisma Access TSG ID, along with other configurations.
  3. After the discovery (periodic/on-demand) run of SD-WAN devices, the integration identifies the nearest Prisma Access location based on each device's geographic location, selects an appropriate location, and determines the device's redundancy type based on the supported topologies.
  4. In Strata Cloud Manager, establish the tunnel setup between Prisma Access and HPE Aruba Networking EdgeConnect SD-WAN devices.
    1. Select the site count to view the discovered HPE Aruba Networking EdgeConnect SD-WAN devices and their information.
      The integration regularly checks for new HPE Aruba Networking EdgeConnect SD-WAN devices. You can also initiate an On-Demand Site Discovery.
    2. (Optional) Select the Interface for the device.
    3. (Optional) Select the nearest Prisma Access Location for the devices.
    4. (Optional) Select IPSec Termination Node for each site.
      If you select the same Prisma Access location for multiple devices, make sure to allocate bandwidth equally by choosing different IPSec termination nodes for each device sharing that location.
    5. Select the HPE Aruba Networking EdgeConnect SD-WAN device and toggle the Enable option to establish tunnel formation with Prisma Access.
    6. Update the changes.
      You can view the Enabled Sites and Configured Sites in the HPE Aruba Networking EdgeConnect SD-WAN with Prisma Access system settings page.
      When you click a site count, the hyperlink opens a filtered list of sites based on that count.
  5. Verify the changes in Prisma Access.
    1. In Strata Cloud Manager, go to Workflows > Prisma Access Setup > Remote Networks.
    2. Alternatively, select Remote Networks - HPE Aruba Networking EdgeConnect SD-WAN with Prisma Access.
    3. Verify the tunnel status. The integration creates remote networks automatically. Such remote networks generally have names with the prefix AUTO-HPE in the following syntax: AUTO-HPE-<Device_Name>.
      The configuration status of HPE Aruba Networking EdgeConnect SD-WAN devices may take some time to show as In Sync.
    4. Select the remote network site to view the IPSec Tunnel, IKE gateway, IKE Crypto profile, and IPSec Crypto profile details.
    5. Select Incidents and Alerts > Log Viewer > Common > Audit to view HPE Aruba Networking EdgeConnect SD-WAN with Prisma Access integration logs.
      The logs specify whether the changes were made in Prisma Access or in HPE Aruba Networking EdgeConnect SD-WAN.
    6. Go to the HPE Aruba Networking EdgeConnect SD-WAN integration app, to view information, errors, or warnings in the Messages section.
      See Troubleshoot Integration Errors to see more error scenarios.
  6. Verify the HPE Aruba Networking EdgeConnect SD-WAN configurations.
    1. In EdgeConnect Orchestrator, go to Configuration > Cloud Services > Service Orchestration.
      The integration creates a custom service named PaloAltoNetworks_<PA_TSG_ID>, which stores IPSec tunnel details, IKE values, and IPSLA information. Do not update this service manually.
    2. Verify the Remote Endpoint configuration and association.
      After you enable the device in Strata Cloud Manager, the integration automatically associates the appropriate Remote Endpoints with the device. You can verify the configuration and associations under the Remote Endpoint Configuration and Remote Endpoint Association tabs in the PaloAltoNetworks_<PA_TSG_ID> service.
    3. After associations of remote endpoints to the device, verify the IPSec tunnel details.
  7. Verify the tunnel status in HPE Aruba Networking EdgeConnect SD-WAN.
    1. Log in to the HPE Aruba Networking EdgeConnect Orchestrator and navigate to the Tunnels tab in the service created by the integration application.
    2. Verify the status in the Status column of the passthrough tunnels tab.

On-Demand Site Discovery

You can initiate network discovery at any time to view newly added devices in HPE Aruba or to resolve misconfigurations in integration-created objects. To start an on-demand network discovery, follow these steps:
  1. In Strata Cloud Manager, locate HPE Aruba Networking EdgeConnect SD-WAN with Prisma Access.
  2. View the discovered HPE Aruba Networking EdgeConnect SD-WAN devices and their information by clicking the site count.
  3. Select Discover Sites to identify new eligible HPE Aruba Networking EdgeConnect SD-WAN devices when required.
  4. Review and Confirm the on-demand discovery pop-up.

Configure Routing in HPE Aruba EdgeConnect

All routing configurations are managed by the HPE Aruba Orchestrator based on the policies defined in Business Intent Overlays. To ensure appliance traffic breaks out to the internet through passthrough tunnels instead of using local internet, follow the steps below:
  1. Navigate to Configurations > Overlays & Security > Business Intent Overlays.
  2. Select the required Overlay, browse to the Breakout Traffic to Internet & Cloud Services tab, and find the PaloAltoNetworks_<PA_TSG_ID> service created by the integration under the Available Policies section.
  3. Drag and drop the Service into the Preferred Policy Order section to enable passthrough tunnel routing for appliance traffic.
    If the service is not moved to the Preferred Policy Order, traffic will default to local internet breakout instead of using passthrough tunnels.

Troubleshoot Integration Errors

Here are some common error scenarios you might encounter during the integration, along with their causes and solutions. Additionally, you can review messages in the integration settings for more information, errors, and warnings.
  • Scenario: No Devices Seen in Summary Dashboard
    After verifying and saving the application configuration, it triggers a discovery operation, but no SD-WAN devices appear in the summary dashboard.
    The discovery process, which identifies devices eligible for tunnel formation with Prisma Access, is not yielding any results. This can be due to various underlying issues, often related to API communication or configuration errors.
    If no devices are seen in the summary dashboard, review the following:
    • Navigate to the Messages tab within the Strata Cloud Manager and review for any errors or warnings related to SD-WAN APIs or configuration issues, which may provide specific details on why devices are not being discovered or displayed.
    • Configuration on the Integration application settings could be incomplete: the initial discovery could not be completed due to missing or incorrect entries in the Primary and Backup Interface Label fields.
    • The device is not eligible for any of the eight topologies, possibly due to:
      • Device may not have any interface labels added in the deployment page.
      • Device may not have any primary interface labels.
    • Discovery is not complete yet.
  • Scenario: Specific Device Not Appearing on Discovery Screen
    Not all devices on the HPE Aruba Service Orchestrator are eligible for tunnel formation with Prisma Access. If a particular device 'x' does not show up on the discovery screen even though other devices are visible, the device may not meet the necessary criteria.
    If device 'x' is not seen in the summary dashboard, review the following:
    • Verify the eligibility criteria by ensuring the device is configured with an eligible WAN interface and that its configuration aligns with one of the supported topologies for tunnel formation with Prisma Access.
    • Contact the Palo Alto support team in case the issue persists.
  • Scenario: Configurations not Visible on HPE Aruba Orchestrator
    After a discovery run and an Enable device operation, expected resources (Service, Remote Endpoint Configuration, Remote Endpoint Association) are not visible on the HPE Aruba Orchestrator.
    The integration solution is designed to create specific resources on the HPE Aruba Orchestrator, including a service named PaloAltoNetworks_<TSG_ID> under Configuration > Service Orchestrator. If these resources are not created or visible, it indicates a problem with the integration's ability to provision configurations on the Orchestrator.
    If no configurations are visible on the HPE Aruba Orchestrator, review the following:
    • Navigate to Configuration > Cloud Services > Service Orchestrator and confirm that a service named PaloAltoNetworks_<TSG_ID> has been created.
    • Within the PaloAltoNetworks_<TSG_ID> service, verify that the Remote Endpoint Configuration and Remote Endpoint Association tabs contain resources corresponding to the discovered and enabled device.
    • If these resources are not present, check the Messages tab in Strata Cloud Manager; to investigate the logs further, contact the Palo Alto support team.
  • Scenario: Tunnel Configuration not Visible in Strata Cloud Manager
    After enabling a device for tunnel formation, expected tunnel-related objects (Remote Networks, IPsec Tunnels, IKE Gateways, IKE Crypto Profile, IPsec Crypto Profile) are not visible in Strata Cloud Manager. The integration solution is responsible for creating these specific resources in Strata Cloud Manager. Their absence indicates a failure in the provisioning process on the Prisma Access side.
    As a general troubleshooting step for all issues, review the Status tab in the Configuration tile within Strata Cloud Manager or contact the Palo Alto support team.
    Review to ensure the naming conventions for Strata Cloud Manager objects follow the below format:
    • Objects related to the network (Remote Networks, IPsec Tunnels, IKE Gateways): AUTO-HPE-<device_name>.
    • IKE Crypto Profile and IPsec Crypto Profile: AUTO-HPE-<PROF_NAME>.
  • Scenario: Commit Failure in Strata Cloud Manager
    Strata Cloud Manager commit failures can stem from various issues, some of which may be unrelated to this integration. However, if AUTO-HPE- objects are involved, the failure could be due to manual tampering or deletion of these objects.
    If you see a commit failure in Strata Cloud Manager, review the following:
    • For errors not involving AUTO-HPE- objects, address them based on the validation error message. For AUTO-HPE- objects, check if they were manually modified or deleted.
    • Ensure there was no attempt to manually correct configurations managed by the integration solution.
    • The Discovery stage of the integration automatically remediates most misconfigurations during its regular scanning intervals. To expedite this process, navigate to the Discovery Summary page and trigger an on-demand discovery to verify that the integration resolves the issues.
  • Scenario: Configurations are Correct; No Tunnel Established
    A tunnel can fail to establish even though the configurations on both the HPE Aruba SD-WAN and Prisma Access sides appear correct. This can arise from discrepancies or failures in the underlying infrastructure or in configuration synchronization that are not reflected in the visible settings.
    If you see no tunnel established, review the following:
    • Confirm that the Prisma Access config push job, which is responsible for spinning up the Prisma Access SPNs, was successful. A failure here prevents the tunnel from forming.
    • Ensure that the Service IP from Prisma Access was successfully attached to the devices on the SD-WAN side.
    • Verify that the remote and local identifiers configured on the SD-WAN device precisely match the local and remote identifiers on the corresponding Prisma Access Remote Networks. Any mismatch in these identifiers will prevent tunnel establishment.
    The integration solution is responsible for configuration management only. Troubleshooting connectivity issues beyond configuration alignment may require deeper network diagnostics.
  • Scenario: Enabled Device Manually Tampered, and Topology Changed
    A previously discovered and enabled device has been manually tampered with, resulting in a change to its topology.
    Once a device is discovered and enabled from Strata Cloud Manager, the integration creates corresponding objects on both the Prisma Access and SD-WAN sides. This error occurs when the interface labels are modified, either in the device deployment within the Orchestrator or in the application settings (Primary/Backup labels), resulting in a change of the expected topology.
    A warning appears in the status box for the affected device (as shown above), and the Topology Sync Status of the affected device shows Out of Sync; however, no existing configurations are deleted. If the device was not enabled for tunnel formation, its entry in Strata Cloud Manager is automatically updated with the correct topology type (based on the modified labels) after a successful discovery run.
    If the device was enabled, review the label changes. If they are valid, you must disable the device and run an on-demand discovery from the Integration Application dashboard to sync the updated labels.