Focus

Prisma Access

Cloud Management

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Administration
Version
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrations
Incidents & Alerts
Release Notes
Version
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred

Cloud Management

To begin configuration of a VeloCloud-Prisma Access deployment, create the Prisma Access remote network connection and configure IKE and IPSec parameters for the IPSec tunnel between Prisma Access and VeloCloud.

Connect a remote network site to Prisma Access.

Choose a

Prisma Access Location

that is close to the remote network location that you want to onboard.

When creating the IPSec tunnel, use a

Branch Device Type

Other Devices

Enter a

Static IP

address that matches the VeloCloud SD-WAN device’s IP address.

You obtain this address from the VMware SD-WAN Orchestrator.

Enter a

Pre-shared key

for symmetric authentication across the tunnel.

Choose a

Local Identification

None

and an

IKE Peer Identification

FQDN (hostname)

; then, enter an FQDN.

Make a note of the of the

Pre-Shared key

and

FQDN

that you use for the

Peer Identification

; you match these settings when you configure the VeloCloud cloud gateway.

Select

IPSec Advanced Options

and

Create New

to create a new IPSec crypto profile for the remote network tunnel using the recommended settings.

Select

IKE Advanced Options

and

Create New

to create a new IKE cryptographic profile for the remote network tunnel.

Be sure to use crypto values that are supported with Velocloud and make a note of the values you use.

Enable

IKE NAT Traversal

(Enabled by default).

Set up routing for the remote network.

Set Up

Routing and

Add

the IP subnets for Static Routing.

Add

Branch IP Subnet

Choose Static Routing and

Add

a subnet you have reserved for this remote network connection.

Push your configuration changes.

Return to

Manage

Service Setup

Remote Networks

and select

Push Config

Push

Select

Remote Networks

Push

your changes.

Make a note of the

Service IP

of the Prisma Access side of the tunnel. To find this address in Prisma Access (Cloud Management), select

Manage

Service Setup

Remote Networks

, click the

Remote Networks

. Look for the

Service IP

field corresponding to the remote network configuration you created.

Configure the Remote Network Connection for VeloCloud Edge Devices

Use the following procedure to configure the IPSec tunnel on the VeloCloud edge device to complete the remote network connection.

Select

Configure

Network Services

In the

Cloud Security Services

area, click

New

to create a new service.

Enter the following values in the New Cloud Security Provider window that displays:

Enter a

Service Name

to identify this configuration.

Select a

Service Type

Generic Cloud Security Service

For the

Primary Point-of-Presence

, enter the

Service IP

you retrieved from Prisma Access.

Click

Add

to save and add the configuration.

Select

Configure

Profile

and set

Cloud Security Service

; then, select the

Hash

Encryption

, and

Key Exchange Protocol

to the settings you configured for the remote network tunnel in Prisma Access.

Select

Configure

Edge

and complete the following steps:

Set

Cloud Security Service

Select the radio button to

Redirect all internet bound traffic to Cloud Security Service

Select the

Hash

Encryption

, and

Key Exchange Protocol

to match the settings you configured for the remote network tunnel in Prisma Access.

Enter the

FQDN

and pre-shared key (

PSK

) to match the FQDN and PSK you entered in Prisma Access.

Verify the status of the remote network tunnel.

To view tunnel status in the VMware SD-WAN Orchestrator, select

Monitor

Edge

in the VMware SD-WAN Orchestrator and viewing the information in the fields that display.

To view traffic and application statistics, select the

Transport and Applications

tab, then select

Monitor

Edge

Configure the Remote Network Connection for VeloCloud Gateways

Use the following procedure to configure the IPSec tunnel on the VeloCloud edge gateway to enable the remote network connection.

Establish connectivity from the VeloCloud gateway to Prisma Access.

Select

Configure

Network Services

Select

New

in the

Non-VeloCloud Sites

to create a new site.

Enter a

Name

for the site and select a

Type

Palo Alto

For the

Primary VPN Gateway

, enter the

Service IP

you retrieved from Prisma Access.

Click

VeloCloud creates the site and generates the IKE and IPSec configuration (including pre-shared key) for the site.

Click

Advanced

and update the IKE and IPSec parameters and add the

Site Subnets

that you will protect with Prisma Access.

Make sure that you have selected

Enable Tunnel(s)

; then,

Save Changes

To view the detailed IKE and IPSec parameters and the public IP address used by the VeloCloud gateway, click

View IKE IPSec Template

. The public IP address displays in the

Local Identification : IP address :

area.

Verify the status of the remote network connection between the VeloCloud gateway and Prisma Access by selecting

Monitor

Network Services

. A

Status

in green indicates that the connection has been successfully established.

Configure the customer profile to service-chain the Non-VeloCloud site to the customer’s SD-WAN.

Select

Configure

Profiles

Profile-Name, where Profile-Name is the customer’s profile, then click the

Device

tab.

Enable the

Cloud VPN

feature to turn on VPN connectivity from the Branch and Data Center sites.

In the

Branch to Non-VeloCloud Site

section, select

Enable

; then, select the Prisma Access site you created in Step 1.

Save your changes.

Troubleshoot the VeloCloud SD-WAN Remote Network

Use the following resources to troubleshoot issues with VeloCloud-Prisma Access deployments.

Prisma Access troubleshooting
—Check the status and the logs in Prisma Access.

Go to

Manage

Service Setup

Remote Networks

and check the

Status

of the tunnel.

Go to

Activity

Log Viewer

and check the

Common/System

logs for IPSec- and IKE-related messages.

To view VPN-relates messages, set the filter to

sub_type.value = vpn

The message

ignoring unauthenticated notify payload

indicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already occurred.

Check the

Firewall/Traffic

logs and view the messages that are coming from the zone that has the same name as the remote network.

In the logs, the remote network name is used as the source zone.

VeloCloud troubleshooting
—In the VMware SD-WAN Orchestrator, select

Monitor

Events

. The following example shows a timeout error; this type of error can indicate mismatching proposals or a gateway connectivity error. The values to check are provided in the message text.

Prisma Access Docs

Cloud Management

Prisma Access Docs

Cloud Management

Configure the Remote Network Connection for VeloCloud Edge Devices

Configure the Remote Network Connection for VeloCloud Gateways

Troubleshoot the VeloCloud SD-WAN Remote Network

Recommended For You

Activation & Onboarding

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner