Prisma Access
Cloud Management
To begin configuration of a VeloCloud-Prisma Access deployment, create the Prisma
Access remote network connection and configure IKE and IPSec parameters for the
IPSec tunnel between Prisma Access and VeloCloud.
- Connect a remote network site to Prisma Access.
- Choose a Prisma Access Location that is close to the remote network location that you want to onboard.
- When creating the IPSec tunnel, use a Branch Device Type of Other Devices.
- Enter a Static IP address that matches the VeloCloud SD-WAN device's IP address. You obtain this address from the VMware SD-WAN Orchestrator.
- Enter a Pre-shared key for symmetric authentication across the tunnel. The PSK is the only credential that authenticates the two peers, so use a long, randomly generated value rather than a memorable phrase.
- Choose a Local Identification of None and an IKE Peer Identification of FQDN (hostname); then, enter an FQDN. Make a note of the Pre-Shared key and the FQDN that you use for the Peer Identification; you match these settings when you configure the VeloCloud cloud gateway.
- Select IPSec Advanced Options and Create New to create a new IPSec crypto profile for the remote network tunnel using the recommended settings.
- Select IKE Advanced Options and Create New to create a new IKE crypto profile for the remote network tunnel.
- Be sure to use crypto values (hash, encryption, and DH group) that VeloCloud supports, and make a note of the values you use; you must enter the same values on the VeloCloud side.
- Enable IKE NAT Traversal (enabled by default).
- Set up routing for the remote network. Under Set Up Routing, choose Static Routing and Add a Branch IP Subnet that you have reserved for this remote network connection.
- Push your configuration changes.
- Return to Manage > Service Setup > Remote Networks and select Push Config > Push.
- Select Remote Networks.
- Push your changes.
- Make a note of the Service IP of the Prisma Access side of the tunnel. To find this address in Prisma Access (Cloud Management), select Manage > Service Setup > Remote Networks and click the Remote Networks tab. Look for the Service IP field corresponding to the remote network configuration you created.
Configure the Remote Network Connection for VeloCloud Edge Devices
Use the following procedure to configure the IPSec tunnel on the VeloCloud edge
device to complete the remote network connection.
- Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
- Select Configure > Network Services.
- In the Cloud Security Services area, click New to create a new service.
- Enter the following values in the New Cloud Security Provider window that displays:
- Enter a Service Name to identify this configuration.
- Select a Service Type of Generic Cloud Security Service.
- For the Primary Point-of-Presence, enter the Service IP you retrieved from Prisma Access.
- Click Add to save and add the configuration.
- Select Configure > Profile and set Cloud Security Service to On; then, set the Hash, Encryption, and Key Exchange Protocol to the settings you configured for the remote network tunnel in Prisma Access.
- Select Configure > Edge and complete the following steps:
- Set Cloud Security Service to On.
- Select the radio button to Redirect all internet bound traffic to Cloud Security Service.
- Set the Hash, Encryption, and Key Exchange Protocol to match the settings you configured for the remote network tunnel in Prisma Access.
- Enter the FQDN and pre-shared key (PSK) to match the FQDN and PSK you entered in Prisma Access.
- Verify the status of the remote network tunnel.
- To view tunnel status in the VMware SD-WAN Orchestrator, select Monitor > Edge and view the information in the fields that display.
- To view traffic and application statistics, select Monitor > Edge, then select the Transport and Applications tab.
Configure the Remote Network Connection for VeloCloud Gateways
Use the following procedure to configure the IPSec tunnel on the VeloCloud
gateway to enable the remote network connection.
- Establish connectivity from the VeloCloud gateway to Prisma Access.
- Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
- Select Configure > Network Services.
- Select New in the Non-VeloCloud Sites area to create a new site.
- Enter a Name for the site and select a Type of Palo Alto.
- For the Primary VPN Gateway, enter the Service IP you retrieved from Prisma Access.
- Click Next. VeloCloud creates the site and generates the IKE and IPSec configuration (including the pre-shared key) for the site.
- Click Advanced, update the IKE and IPSec parameters so that they match the crypto profiles you created in Prisma Access, and add the Site Subnets that you will protect with Prisma Access.
- Make sure that you have selected Enable Tunnel(s); then, Save Changes. To view the detailed IKE and IPSec parameters and the public IP address used by the VeloCloud gateway, click View IKE IPSec Template. The public IP address displays in the Local Identification : IP address : area; this is the address that the Static IP of the remote network connection in Prisma Access must match.
- Verify the status of the remote network connection between the VeloCloud gateway and Prisma Access by selecting Monitor > Network Services. A Status in green indicates that the connection has been successfully established.
- Configure the customer profile to service-chain the Non-VeloCloud site to the customer’s SD-WAN.
- Select Configure > Profiles > Profile-Name, where Profile-Name is the customer's profile, then click the Device tab.
- Enable the Cloud VPN feature to turn on VPN connectivity from the Branch and Data Center sites.
- In the Branch to Non-VeloCloud Site section, select Enable; then, select the Prisma Access site you created in Step 1.
- Save your changes.
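The three procedures above (the Prisma Access remote network, the VeloCloud edge Cloud Security Service, and the VeloCloud gateway Non-VeloCloud Site) only bring the tunnel up if both ends carry the same PSK, FQDN, peer addresses and Hash/Encryption/Key Exchange values; a mismatch usually surfaces later as an IKE timeout. The following Python script is an added example, not code from Palo Alto Networks or VMware: it compares the two parameter sets offline before you push, and also flags weak algorithms, a short PSK, disabled NAT Traversal and invalid or overlapping branch subnets. The dataclass layout, the field names, the weak-algorithm list, the PSK length threshold and every sample value are assumptions for this example, not an export format or policy of either product.

```python
"""Offline consistency check for a Prisma Access <-> VeloCloud IPSec tunnel.

Both ends must agree on peer addresses, PSK, peer FQDN and the IKE/IPSec
proposals (Hash, Encryption, Key Exchange Protocol).  The record layout is
assumed for this example (not an API of either product); values are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Algorithms a new tunnel profile should not use (assumed policy for the example).
WEAK_ALGS = {"md5", "sha1", "des", "3des", "group1", "group2", "group5"}
MIN_PSK_LEN = 20   # assumed minimum for a randomly generated PSK


@dataclass
class Proposal:
    encryption: str   # VeloCloud "Encryption"
    hash: str         # VeloCloud "Hash"
    dh_group: str     # VeloCloud "Key Exchange Protocol" (Diffie-Hellman group)

    def key(self):
        return (self.encryption.lower(), self.hash.lower(), self.dh_group.lower())


@dataclass
class PrismaRemoteNetwork:
    service_ip: str        # Prisma Access side of the tunnel
    peer_static_ip: str    # Static IP entered for the VeloCloud device
    peer_fqdn: str         # IKE Peer Identification (FQDN)
    psk: str
    ike: Proposal
    ipsec: Proposal
    nat_traversal: bool
    branch_subnets: list   # Static Routing entries


@dataclass
class VeloCloudService:
    primary_pop_ip: str    # Primary Point-of-Presence / Primary VPN Gateway
    local_public_ip: str   # from View IKE IPSec Template (or the Orchestrator)
    fqdn: str
    psk: str
    ike: Proposal
    ipsec: Proposal


def check_tunnel(pa, vc):
    """Return a list of findings; an empty list means the two sides agree."""
    f = []
    if pa.service_ip != vc.primary_pop_ip:
        f.append(f"Service IP {pa.service_ip} != VeloCloud Point-of-Presence {vc.primary_pop_ip}")
    if pa.peer_static_ip != vc.local_public_ip:
        f.append(f"Static IP {pa.peer_static_ip} != VeloCloud public IP {vc.local_public_ip}")
    if pa.peer_fqdn.lower() != vc.fqdn.lower():
        f.append(f"peer FQDN {pa.peer_fqdn} != VeloCloud FQDN {vc.fqdn}")
    if pa.psk != vc.psk:
        f.append("PSK mismatch")                   # never echo the key itself
    elif len(pa.psk) < MIN_PSK_LEN:
        f.append(f"PSK shorter than {MIN_PSK_LEN} characters")
    for name, a, b in (("IKE", pa.ike, vc.ike), ("IPSec", pa.ipsec, vc.ipsec)):
        if a.key() != b.key():
            f.append(f"{name} proposal mismatch: Prisma {a.key()} vs VeloCloud {b.key()}")
        weak = sorted((set(a.key()) | set(b.key())) & WEAK_ALGS)
        if weak:
            f.append(f"{name} proposal uses weak algorithm(s): {weak}")
    if not pa.nat_traversal:
        f.append("IKE NAT Traversal disabled on the Prisma Access side")
    nets = []
    for s in pa.branch_subnets:
        try:
            nets.append(ipaddress.ip_network(s, strict=True))   # rejects host bits set
        except ValueError:
            f.append(f"invalid branch subnet {s!r}")
    if not nets:
        f.append("no Branch IP Subnet configured for static routing")
    for i, n1 in enumerate(nets):
        for n2 in nets[i + 1:]:
            if n1.overlaps(n2):
                f.append(f"branch subnets overlap: {n1} and {n2}")
    return f


def sample_configs():
    """Constructed, consistent pair of settings (illustrative values only)."""
    ike = Proposal("aes-256-cbc", "sha256", "group14")
    ipsec = Proposal("aes-256-cbc", "sha256", "group14")
    pa = PrismaRemoteNetwork(
        service_ip="192.0.2.10", peer_static_ip="203.0.113.25",
        peer_fqdn="branch1.example.net", psk="Q7v!p2Lr9#xT4wZs8bNm",
        ike=ike, ipsec=ipsec, nat_traversal=True,
        branch_subnets=["10.20.0.0/24", "10.20.1.0/24"])
    vc = VeloCloudService(
        primary_pop_ip="192.0.2.10", local_public_ip="203.0.113.25",
        fqdn="branch1.example.net", psk="Q7v!p2Lr9#xT4wZs8bNm",
        ike=ike, ipsec=ipsec)
    return pa, vc


if __name__ == "__main__":
    pa, vc = sample_configs()
    print(check_tunnel(pa, vc) or "consistent")
    vc.psk, vc.ike = "changeme", Proposal("aes-128-cbc", "sha1", "group2")  # simulated slip
    print(*check_tunnel(pa, vc), sep="\n")
```

Run the script as-is to see the consistent case followed by the findings for a simulated typo in the PSK and stale IKE defaults on the VeloCloud side; for a real deployment, fill the two records from the values you noted down in the procedures and fix every finding before pushing.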
Troubleshoot the VeloCloud SD-WAN Remote Network
Use the following resources to troubleshoot issues with VeloCloud-Prisma Access
deployments.
- Prisma Access troubleshooting—Check the status and the logs in Prisma Access.
- Go to Manage > Service Setup > Remote Networks and check the Status of the tunnel.
- Go to Activity > Log Viewer and check the Common/System logs for IPSec- and IKE-related messages. To view VPN-related messages, set the filter to sub_type.value = vpn. The message ignoring unauthenticated notify payload indicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already occurred.
- Check the Firewall/Traffic logs and view the messages that are coming from the zone that has the same name as the remote network. In the logs, the remote network name is used as the source zone.
- VeloCloud troubleshooting—In the VMware SD-WAN Orchestrator, select Monitor > Events. A timeout error in the events can indicate mismatching proposals or a gateway connectivity error; the values to check are provided in the message text.
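The two failure signatures the troubleshooting steps describe (the unauthenticated notify payload message in the Prisma Access system logs and a timeout in the VeloCloud events) are easy to miss in a busy log. The following Python script is an added example, not code from either vendor: it applies the sub_type.value = vpn filter to Prisma Access records, examines VeloCloud events, and maps each message to the probable cause named above. It goes beyond the page by also recognising NO_PROPOSAL_CHOSEN and AUTHENTICATION_FAILED, which are standard IKEv2 notify types (RFC 7296). The record field names and all sample messages are constructed for the example and are not an export format of Prisma Access or the SD-WAN Orchestrator.

```python
"""Triage of IKE/IPSec messages for a VeloCloud-Prisma Access remote network.

Records from the two log sources in the procedure (Prisma Access Common/System
logs filtered with sub_type.value = vpn, and VeloCloud Monitor > Events) are
modelled as plain dicts.  Field names and sample messages are constructed for
this example; they are not an export format of either product.
"""
import re

# Pattern -> probable cause.  The first two causes are the ones the procedure
# describes; NO_PROPOSAL_CHOSEN and AUTHENTICATION_FAILED are standard IKEv2
# notify types (RFC 7296) added here as a generalization.
DIAGNOSES = [
    (re.compile(r"ignoring unauthenticated notify payload", re.I),
     "far side finished the IPSec negotiation without a route for this tunnel "
     "in its crypto map: add the branch subnet on the VeloCloud side"),
    (re.compile(r"\btime(d)?[ -]?out\b", re.I),
     "IKE timeout: verify Hash/Encryption/Key Exchange Protocol on both sides "
     "and reachability of the Service IP (NAT Traversal enabled)"),
    (re.compile(r"NO_PROPOSAL_CHOSEN"),
     "peer rejected every proposal: the IKE or IPSec crypto profile differs "
     "between Prisma Access and VeloCloud"),
    (re.compile(r"AUTHENTICATION_FAILED"),
     "IKE authentication failed: the PSK or the FQDN peer identification "
     "does not match"),
]


def is_vpn_record(rec):
    """Prisma Access records pass only under the page's filter (sub_type = vpn);
    VeloCloud events carry no sub_type and are always examined."""
    if rec["source"] == "prisma":
        return rec.get("sub_type") == "vpn"
    return rec["source"] == "velocloud"


def diagnose(message):
    """Map one log message to a probable cause, or None if it is not a known failure."""
    for pattern, cause in DIAGNOSES:
        if pattern.search(message):
            return cause
    return None


def triage(records):
    """Return (time, source, cause) for every VPN record with a known failure cause."""
    hits = []
    for rec in records:
        if not is_vpn_record(rec):
            continue
        cause = diagnose(rec["message"])
        if cause is not None:
            hits.append((rec["time"], rec["source"], cause))
    return hits


# Constructed sample input; addresses are from the documentation ranges.
SAMPLE_RECORDS = [
    {"source": "prisma", "sub_type": "vpn", "time": "10:01:05",
     "message": "IKE phase-2 negotiation with 203.0.113.25: ignoring unauthenticated notify payload"},
    {"source": "prisma", "sub_type": "general", "time": "10:01:07",
     "message": "management session timed out"},            # not sub_type vpn: skipped
    {"source": "prisma", "sub_type": "vpn", "time": "10:02:10",
     "message": "IKE SA negotiation with 203.0.113.25 failed: received NO_PROPOSAL_CHOSEN"},
    {"source": "velocloud", "time": "10:02:40",
     "message": "IKE negotiation with 192.0.2.10 timed out"},
    {"source": "prisma", "sub_type": "vpn", "time": "10:05:00",
     "message": "IPSec tunnel to 203.0.113.25 established"},  # healthy: no diagnosis
]

if __name__ == "__main__":
    for when, source, cause in triage(SAMPLE_RECORDS):
        print(f"{when} [{source}] {cause}")
```

The pattern list is ordered: the page's own messages are matched first, and the page's filter is applied before any pattern so that unrelated system messages (such as a management session timing out) do not produce a false IKE-timeout diagnosis.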