Prisma Access Integrations
  • Prisma Access Integrations
  • Prisma Access Documentation
  • All Documentation
>
Configure the Router Instances
Focus
Download PDF
Focus
  1. Home
  2. Prisma Access
  3. Onboard Mobile Users and Branch Offices in Mainland China
  4. Onboard Mobile Users in Mainland China to Prisma Access
  5. Configure the Router Instances
Download PDF
Prisma Access

Configure the Router Instances

Table of Contents

Configure the Router Instances

Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Panorama)
After you create the VPCs and router instances, configure the router instances you created by completing the following steps.
  1. Configure the Router 2 instance.
    1. Open a secure CLI session with the router 2 instance by entering the ssh -i key-file root@instance-ip, where key-file is the file location where you saved the key and instance-ip is the IP address of the router 2 instance.
    2. Using an editing program such as vi, edit the /etc/sysctl.conf file and add the following line to the file, then save and close the file:
      net.ipv4.ip_forward = 1
    3. Enter sysctl -p to load the new configuration.
    4. Add an iptables rule to allow this instance to accept and forward IPSec tunnel packets by creating a shell script with the name iptables-rule.sh and adding the following lines to the file, substituting prisma-access-service-connection-ip-address with the Service IP Address of the Prisma Access service connection (PanoramaCloud ServicesStatusNetwork DetailsService Connection), router-1-private-ip-address with the private IP address of Router 1, and router-2-private-ip-address with the private IP address of Router 2.
      #!/bin/sh
      iptables -t filter -A FORWARD -i eth0 -j ACCEPT
      iptables -t filter -A FORWARD -o eth0 -j ACCEPT
      iptables -t nat -A PREROUTING -s router-1-private-ip-address/32 -i eth0 -p udp -m udp --dport 500 -j DNAT --to-destination prisma-access-service-connection-ip-address
      iptables -t nat -A PREROUTING -s router-1-private-ip-address/32 -i eth0 -p udp -m udp --dport 4500 -j DNAT --to-destination prisma-access-service-connection-ip-address
      iptables -t nat -A POSTROUTING -d prisma-access-service-connection-ip-address/32 -o eth0 -p udp -m udp --dport 500 -j SNAT --to-source router-2-private-ip-address
      iptables -t nat -A POSTROUTING -d prisma-access-service-connection-ip-address/32 -o eth0 -p udp -m udp --dport 4500 -j SNAT --to-source router-2-private-ip-address
    5. Save and close the file.
    6. Enter the chmod +x iptables-rule-sh command to make the file executable.
    7. Enter the ./iptables-rule.sh shell script to execute the iptables rule.
    8. Enter the iptables-save command to verify that the rules have been added.
  2. Configure the VM-series firewall (Router 1).
    If you want to configure an additional GlobalProtect gateway for redundancy, configure two VM-series firewalls; you configure the redundant GlobalProtect gateway in a later task.
    1. Log in to the VM-series firewall.
      Set a secure password for the admin account, if you have not done so already.
    2. Activate the VM-series license.
    3. Select NetworkInterfaces and create two interfaces, and assign security zones and IP addresses to them.
      • Create an ethernet1/1 interface and assign this interface to the Internet zone.
        Create an ethernet1/2 interface and assign this interface to the Trust zone.
      Set an Interface Type of Layer 3 for the interfaces and assign Static private IP addresses on the interfaces for the ENIs.
      The following screenshots show the configuration for the ethernet1/1 interface.
      The following screenshots show the configuration for ethernet1/2 interface.
    4. Select PoliciesNAT and Add a NAT policy rule that enables source NAT (SNAT) on internet-bound traffic.
    5. Select PoliciesSecurity and Add policies that allow the following traffic:
      • Allow DNS and LDAP from the Trust to the Untrust zone.
      • Allow HTTP and HTTPS traffic from the Trust to the Untrust zone.
      • Allow all traffic in the Trust zone.
    6. Select NetworkTunnel and create two new tunnel interfaces (tunnel.1 and tunnel.51).
      You use tunnel.1 as a site-to-site IPSec tunnel between GlobalProtect and the GlobalProtect gateway; you use tunnel.51 as a site-to-site tunnel between GlobalProtect and the Prisma Access service connection.
    7. Add static routes to the default virtual router.
      • Add a default route, specifying the gateway from the ENI-Untrust interface you configure as the Elastic IP interface when you created elastic IP addresses in Alibaba Cloud for the next hop.
      • Add a route to the private subnet of VPC 2 (outside China), specifying the gateway from ENI-Untrust as the next hop.
      • Add routes to the headquarters or data center networks on the other side of the service connection, specifying the next hop as the site-to-site tunnel tunnel.51.
    8. Assign an IP address to the tunnel.1 interface from the mobile user IP address pool (192.168.200.0/24 for the example used in the following screenshot). This IP address becomes the gateway for GlobalProtect clients.
  3. Configure an IPSec tunnel between the VM-series firewall and Prisma Access.
    1. In the Panorama that manages Prisma Access, select NetworkNetwork ProfilesIKE CryptoAdd and Add an IKE crypto profile for the IPSec tunnel.
      Select the template you want to use for the connection. If you are creating a service connection, select Service_Conn_Template; if you are creating a remote network connection, select Remote_Network_Template.
    2. Give the profile a name and specify IKE settings.
      Make a note of these settings; you specify the same settings on the other side of the IPSec tunnel.
    3. Select NetworkNetwork ProfilesIPSec Crypto and create a new IPSec crypto profile in Panorama, making a note of the settings you specify.
      Skip this step if you have already created an IPSec crypto profile.
    4. Select NetworkNetwork ProfilesIKE Gateways and Add a new IKE gateway, specifying the private IP address of router 2 in VPC 2 as the Peer Address.
      Make sure to specify User FQDN (email address) for Local Identification and Peer Identification, and match the Pre-Shared Key, Local Identification, and Peer Identification values that you used when you created the service connection.
    5. Select NetworkIPSec Tunnels and Add an IPSec tunnel with the interface tunnel.51.
  4. Save and Commit your changes to the VM-series firewall.
  5. Check the status of the IPSec tunnel.
    If the tunnel status does not show up, the cause might be that there is no interesting traffic. The firewall will attempt to establish the tunnel when mobile users connect to the GlobalProtect gateway.
  6. Set up new certificates.
    To use your own public key infrastructure (PKI), create a server certificate and key pair and have the certificate signed by the organization’s root certification authority (CA); then, import this key pair along with the root CA to the firewall instance. The examples in this section use self-signed certificates.
    1. Select DeviceCertificate ManagementCertificates and Generate a CA certificate.
    2. Select the certificate you generated and edit the certificate information.
      Use the public IP address of the ENI-Untrust elastic IP as the common name (CN) of the certificate. Do not use FQDN as a common name in the certificate.
    3. Select DeviceCertificate ManagementSSL/TLS Service Profile and Add a new SSL/TLS service profile.
    4. Select DeviceServer ProfilesLDAP and Add a new LDAP server profile.
      The following screen uses an LDAP server authentication. This LDAP server is located in the headquarters location outside of mainland China, and Prisma Access can reach this headquarters location over another service connection.
    5. Select DeviceAuthentication Profile and Add an authentication profile, specifying the LDAP server profile you created in the previous step.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.