Prisma Access
Cloud Management
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Cloud Management
Cloud Management
Use this workflow to configure Silver Peak EdgeConnect with Prisma Access.
Silver Peak recommends that you configure two tunnels in an active-backup
configuration between Silver Peak EdgeConnect and Prisma Access, because there are
some restrictions for accessing resources at other network locations when you
configure the tunnels in an active/active configuration because of the overlapping
subnets.
Before you start this workflow, determine your remote tunnel capacity. Silver
Peak bases the tunnel capacity on licensing and the capacity of the device
model. For example, the base Silver Peak license supports up to 200 Mbps WAN
uplink, and the EC-XS supports 200 Mbps. Prisma Access bases a location’s
bandwidth on the bandwidth you specify for its compute location.
- Follow the steps to Connect a remote network to Prisma Access.
- Choose aPrisma Access Locationthat is close to the remote network location that you want to onboard.
- When creating the IPSec tunnel, use aBranch Device TypeofSilverPeak.
- SelectIPSec Advanced Optionsand select an IPSec Crypto profile ofSilverPeak-IPSec-Crypto-Default.
- SelectIKE Advanced Optionsand select an IKEv1 crypto profile ofSilverPeak-IKE-Crypto-Default.
- Set up routing for the remote network.Set UpRouting andAddthe IP subnets for Static Routing.
- Push your configuration changes.
- Return toand selectManageService SetupRemote Networks.Push ConfigPush
- SelectRemote Networks.
- Pushyour changes.
- Make a note of theService IPaddress of the Prisma Access side of the tunnel. To find this address inPrisma Access (Cloud Management), select, click theManageService SetupRemote NetworksRemote Networks, and look for theService IPfield corresponding to the remote network configuration you created.
- From the Silver Peak orchestrator, create a tunnel configuration.
- SelectConfiguration.
- SelectTunnelsPassthrough
- SelectAdd Tunnel.
- Select aName,Local IP,Remote IP, andMode.
- In theAdvanced Optionsarea, enter the IKE and IPSec parameters.The parameters must be the same as the parameters that you specified on Prisma Access. Silver Peak recommends the following IKE and IPSec encryption settings:
- IKE encryption settings:
- Encryption—AES-256-CBC
- Authentication—SHA512
- IKE Lifetime—8 hours
- Dead Peer Detection—Delay time:300 secondsRetry:3
- IKE Identifier—IP address (leave blank - public IP is auto-detected)
- DH—Group 14
- Mode—Aggressive
- IPSec encryption settings:
- Encryption—AES-25-CBC
- Authentication—SHA512
- Lifetime—60 minutes
- PFS—DH - Group 14
- Create two tunnels to Prisma Access: one Active and the other Backup.The following example creates two tunnels namedGlobalProtect-1andGlobalProtect-2.Specify the Prisma AccessService IPaddress in theRemote IPfield.Select theLocal IPaddress from the list of WAN interface IP addresses.
- Use the 3rd party IPSec tunnels in a Business Intent overlay policy by selectingBusiness Intent Overlayand configuring thePeer/Servicein thePoliciesarea.
- Order theGlobalProtect-1GlobalProtect-2service to thePreferred Policy Orderfield in the internet Traffic area.Defining the order in thePreferred Policy Orderconfigures the GlobalProtect-1 tunnel to automatically failover to the GlobalProtect-2 if the GlobalProtect-1 goes down. When both tunnels from the branch to GPCS are down, Silver Peak uses any other defined path such as local breakout or backhaul using the Overlay.
Support for Two Active-Active Connections
Two connections from a branch as active-active on Prisma Access are implemented
as two separate remote network connections. Onboard the connections in two
separate locations using one of the following methods:
- Configure two separate remote networks in two different compute locations and specify subnets that overlap (overlapping subnets) for each remote network.
- Onboard both remote networks to the same compute location, making sure that the bandwidth for that compute location is sufficient to support two tunnels.The Silver Peak SD-WAN manually injects branch subnets into Prisma Access, but return traffic might not travel through the same tunnel if you use the same branch subnets for both tunnels. To avoid asymmetric traffic paths, configure different branch subnets for each primary tunnel.
- To load balance between the two tunnels, use identical names under Peer/Service. For example, if you use a Peer/Service nameGlobalProtectfor the tunnels PrismaAccess-1 and PrismaAccess-2, traffic will load balance between the two tunnels.The following figure shows the different branch subnets configured in Prisma Access for the load-balanced tunnels.The following figure shows Prisma Access in two locations in theRemote IParea and the peer service configured asGlobalProtectin thePeer/Servicearea.The following figure showsSend to GlobalProtectconfigured in thePreferred Policy Orderfield.
Troubleshoot the Silver Peak Remote Network
Prisma Access provides logs and widgets that provide you with the status of
remote tunnels and the status of each tunnel.
- Go toand check theManageService SetupRemote NetworksStatusof the tunnel.
- Go toand check theActivityLog ViewerCommon/Systemlogs for IPSec- and IKE-related messages.To view VPN-relates messages, set the filter tosub_type.value = vpn.The messageignoring unauthenticated notify payloadindicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already occurred.
- Check theFirewall/Trafficlogs and view the messages that are coming from the zone that has the same name as the remote network.In the logs, the remote network name is used as the source zone.