>
    Strata Copilot
    Determine IPSec Termination Nodes (Panorama Managed CloudBlade)
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Prisma SD-WAN CloudBlades Integration with Prisma Access
    4. Prisma Access for Networks Aggregate Bandwidth Licensing
    5. Determine IPSec Termination Nodes
    6. Determine IPSec Termination Nodes (Panorama Managed CloudBlade)
    Download PDF
    Prisma SD-WAN

    Determine IPSec Termination Nodes (Panorama Managed CloudBlade)

    Table of Contents

    Determine IPSec Termination Nodes (Panorama Managed CloudBlade)

    Determine IPSec Termination Nodes (Panorama Managed CloudBlade) Method 1 and Method 2 to begin configuration of a Remote Networking on-boarding.
    In our example, the first method to determine the IPSec termination nodes, we use US East as the location, which has two nodes behind it.
    1. Click the IPSec Termination Node drop-down to view the list of IPSec termination nodes.
      These node names are listed in the order they are deployed on the backend, not alphabetically.
      The order of appearance of the two IPSec termination nodes is:
      • us-east-charlock
      • us-east-banyan

    Determine IPSec Termination Nodes Method #2

    The second method to obtain the IPSec Termination Nodes within Prisma Access for Networks is through the Panorama API. Within the API, you will see the abbreviation of SPN, which is the reference for the IPSec Termination Nodes.
    Using Panorama, navigate to the following subtree in the API within Panorama, clicking on each item listed in bullets (notice the variation for single-tenant versus multitenant).
    Single Tenant Environment
    https://panorama/api
    • config
    • devices
    • localhost.localdomain (or appropriate name)
    • plugins
    • cloud_services
    • remote-networks
    • agg-bandwidth
    Multi-Tenant Environment
    https://panorama/api
    • Configuration Commands
    • devices
    • localhost.localdomain (or appropriate name)
    • plugins
    • cloud_services
    • multi-tenant
    • tenants
    • default-tenant
    • remote-networks
    • agg-bandwidth
    The output of the API is similar to the following:
    <response status="success" code="19"><result total-count="1" count="1"><agg-bandwidth><enabled>yes</enabled><region><entry name="europe-central"><allocated-bw>100</allocated-bw><spn-name-list><member>europe-central-aspen</member></spn-name-list></entry><entry name="us-east"><allocated-bw>600</allocated-bw><spn-name-list><member>us-east-charlock</member><member>us-east-banyan</member></spn-name-list></entry><entry name="canada-central"><allocated-bw>100</allocated-bw><spn-name-list>
    A sample from the web interface would also look similar to the above. The us-east appears first in the list, followed by the node names underneath.
    The IPSec Termination Node names are listed below the entry named spn-name-list with indentation. The order seen here’s the same order as the Panorama interface shown in the previous section.

    IPSec Termination Node Conventions and Tag Nomenclature

    With the information obtained above from our nodes for us-east, the tagging methodology for the CloudBlade can now be determined. The tag constructs for the CloudBlade with Aggregate Bandwidth licensing would look as follows:
    Prisma_region: <<region name>>:<<IPSec Termination Node Name or Number>>
    With this construct, the tags for the interfaces will look similar to the following:
    prisma_region:us-east-1:us-east-charlock
    prisma_region:us-east-1:us-east-banyan
    OR
    prisma_region:us-east-1:1
    prisma_region:us-east-1:2
    The node name (us-east-charlock) or order that the node appears in the list (1) can both be used in the naming convention for the interface tags.
    To assist with the automation of the scripts and deployments, the Prisma SD-WAN Tagger Utility Script can be used to help create or configure the tags.

    © 2026 Palo Alto Networks, Inc. All rights reserved.