Configure and Integrate Prisma Access CloudBlade

Learn to configure and integrate the Prisma SD-WAN CloudBlades to prepare the Prisma SD-WAN controller for integration.
Where Can I Use This?
  • Prisma Access CloudBlade (Panorama Managed).
  • Prisma Access CloudBlade (Cloud Managed).

What Do I Need?
  • Prisma SD-WAN License.
  • Prisma Access for Networks Subscription.
  • Supported Cloud Plugin Versions.
  • Prisma Access CloudBlade (Cloud Managed) version 3.x.x and later.
  • Prisma Access CloudBlade (Panorama Managed) versions 3.x.x and 4.x.x.

Configure and Integrate Prisma Access CloudBlade (Panorama Managed CloudBlade)

Configure and Integrate Prisma Access CloudBlade (Panorama Managed CloudBlade) by entering all the parameters to enable remote networks in Prisma Access.
  1. From the Prisma SD-WAN web interface, select CloudBlades.
  2. In CloudBlades, locate the Prisma Access for Networks Integration (managed by Panorama) CloudBlade, and select Configure. If this CloudBlade does not appear in the list, contact Prisma SD-WAN support.
  3. In the Prisma Access for Networks (managed by Panorama) CloudBlade configuration screen, enter the following information in the fields shown below and change where appropriate:
    1. VERSION: Select the version of the CloudBlade to use.
    2. ADMIN STATE: For admin state, select or retain Enabled.
    3. PANORAMA SERIAL NUMBER: Enter the comma separated serial numbers of the Panorama API endpoint.
    4. PANORAMA AUTHORIZATION KEY: Enter the same key that is set in the Panorama console for the Prisma SD-WAN integration.
    5. ION PEERING DEFAULT LOCAL AS NUMBER: The BGP Local AS number defined to onboard ECMP sites. This can be any 16-bit AS number, but private BGP AS numbers are recommended.
    6. TUNNEL IDENTIFIER, PRISMA ACCESS FOR NETWORKS SIDE: Enter an FQDN IKE identifier in name@domain.com format. Prisma Access uses this identifier to identify remote tunnel connections.
    7. TUNNEL IDENTIFIER TEMPLATE, PRISMA SD-WAN SIDE: Enter an FQDN IKE identifier in name@domain.com format. This identifier should be different from the Prisma Access identifier. This identifier will be used as a template to generate a unique ID per tunnel.
    8. TUNNEL INNER IP POOL: Specify an Internet Protocol pool using an IP address or Mask notation. This Internet Protocol Pool should be unused or unique across the entire network and should not be used by the Palo Alto Service Infrastructure subnet.
      If you wish to change the IP prefix specified here, first disable the CloudBlade and ensure all service links are cleared. Now, change the IP CIDR to the required value and enable the CloudBlade to allocate Tunnels based on the new IP CIDR.
      The number of tunnels created in the Prisma SD-WAN Fabric to Prisma Access is directly limited by this configuration. Each tunnel will use a /31 subnet from this pool.
    9. TUNNEL PSK SEED: Specify a string of text, which will be used to derive the unique pre-shared keys (PSKs) used per tunnel.
    10. Optional PANORAMA TENANT NAME: Specify the Tenant Name that will be used for Remote Networks with the CloudBlade.
    11. ENFORCE DEFAULT PRISMA SD-WAN LIVELINESS PROBES: For Prisma Access, the default is to leverage an ICMP probe to the last Prisma Access Infrastructure IP address. This can be reconfigured to probe the non-default tunnel monitor IP addresses that were configured during Prisma Access integration.
    12. ENABLE DRY RUN EXECUTIONS: In CloudBlade versions 4.0.0 and later, when enabled, the CloudBlade logs the changes made on Prisma SD-WAN and the CloudBlade in the Logs and Status Monitor. You can use this option to check the changes required by the CloudBlade.
  4. Click Install after configuring the settings.
    If you select and change the version of the CloudBlade, you must reenter all the configuration values for that particular CloudBlade version.
    In CloudBlade version 3.1.6, you must delete all existing tunnels before updating the sub-tenant name in the CloudBlade configuration to change the associated sub-tenant on Panorama used for the integration. The CloudBlade behavior is undefined if you change the tenant name without first clearing the existing tunnels. Modifying values such as the tunnel CIDR may cause all tunnels to be recreated.

Integrate Panorama with Prisma SD-WAN CloudBlade

To complete the integration:
  1. In the Cloud Service plugin for Prisma Access configuration, under Service Setup > Prisma SD-WAN Integration Status, click the Integrate with Prisma SD-WAN link.
  2. Select Yes to proceed with the confirmation.
    A confirmation message indicates that the integration is successfully completed.
  3. In Panorama, go to the Monitor tab to verify that the Prisma Access CloudBlade is activated.

Migration Support from On-Premises CloudBlade to Panorama

Use the following workflow to migrate tunnels from on-premises Prisma Access CloudBlade versions 2.x or 3.x to Panorama Integration Container (PIC) 4.x versions.
  1. Upgrade the Panorama cloud plug-in to a supported version.
  2. Change the Prisma Access CloudBlade version from 3.x to the required 4.x version on the Prisma SD-WAN web interface.
  3. Stop the 2.x.x or 3.x.x Panorama Integration Container.
  4. Enable the Prisma SD-WAN integration in the Panorama web interface (if not already enabled).
  5. Check the Messages tab in the CloudBlade tile to validate if the migration is complete.

Configure and Integrate Prisma Access CloudBlade (Cloud Managed CloudBlade)

Configure and Integrate Prisma Access CloudBlade (Cloud Managed CloudBlade) by entering all the parameters to enable remote networks in Prisma Access.
  1. From the Prisma SD-WAN web interface, select CloudBlades.
  2. In CloudBlades, locate the Prisma Access for Networks (Cloud Managed) CloudBlade and click Configure. If this CloudBlade does not appear in the list, contact Palo Alto Networks Support.
  3. Enter the following information in the fields shown below. Change where appropriate:
    1. VERSION: Select the version of the CloudBlade to use.
    2. ADMIN STATE: For the admin state, select or retain Enabled.
    3. ION PEERING DEFAULT LOCAL AS NUMBER: The BGP Local AS number is defined to quickly onboard ECMP sites. This can be any 16-bit AS number, but private BGP AS numbers are recommended.
    4. TUNNEL IDENTIFIER, PRISMA ACCESS FOR NETWORKS SIDE: Enter an FQDN IKE identifier in name@domain.com format. This identifier will be used by Prisma Access to identify remote tunnel connections.
    5. TUNNEL IDENTIFIER TEMPLATE, PRISMA SD-WAN SIDE: Enter an FQDN IKE identifier in name@domain.com format. This identifier should be different from the Prisma Access identifier. This identifier will serve as a template for generating a unique ID for each tunnel.
    6. TUNNEL INNER IP POOL: Specify an IP pool, using IP address or Mask notation. This IP Pool should be unused or unique across the entire network and should not be used by the Palo Alto Service Infrastructure subnet.
      If you want to change the IP Prefix specified here, start by disabling the CloudBlade and ensuring all service links are updated. Now, change the IP CIDR to the required value and enable the CloudBlade to allocate Tunnels based on the new IP CIDR.
      The number of tunnels created in the Prisma SD-WAN Fabric to Prisma Access is directly limited by this configuration. Each tunnel will use a /31 subnet from this pool.
    7. TUNNEL PSK SEED: Specify a string of text, which will be used to derive the unique pre-shared keys (PSKs) used per tunnel.
    8. ENFORCE DEFAULT PRISMA SD-WAN LIVELINESS PROBES: For Prisma Access, the default is to leverage an ICMP probe to the last Prisma Access Infrastructure IP address. You can reconfigure this to probe non-default tunnel monitor IP addresses that were configured during Prisma Access integration.
    9. ENABLE DRY RUN EXECUTIONS: When enabled, the CloudBlade logs the changes made on Prisma SD-WAN and the CloudBlade in the Logs and Status Monitor. You can use this option to check the changes required by the CloudBlade.
  4. Click Install after configuring the settings.
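The TUNNEL INNER IP POOL field in both the Panorama Managed and Cloud Managed procedures above sizes the deployment: every tunnel consumes one /31 from the pool, and the pool must not overlap the Palo Alto Service Infrastructure subnet. The following Python is an added planning check, not part of the CloudBlade or the Palo Alto Networks documentation; the CIDRs are constructed sample values, and giving the lower address of each /31 to the ION side is an assumption made for illustration.

```python
import ipaddress
from itertools import islice


def check_tunnel_pool(pool_cidr, infra_cidr, tunnels_needed):
    """Validate a TUNNEL INNER IP POOL against the constraints on this page:
    each tunnel to Prisma Access consumes one /31 from the pool, and the pool
    must not overlap the Palo Alto Service Infrastructure subnet.
    Both CIDR and netmask notation are accepted (e.g. 10.255.0.0/255.255.255.0).
    strict=True rejects a pool whose host bits are set, so a typo such as
    10.255.0.1/24 fails here instead of in the CloudBlade."""
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    infra = ipaddress.ip_network(infra_cidr, strict=True)
    max_tunnels = pool.num_addresses // 2 if pool.prefixlen <= 31 else 0
    problems = []
    if pool.overlaps(infra):
        problems.append(f"pool {pool} overlaps service infrastructure {infra}")
    if tunnels_needed > max_tunnels:
        problems.append(f"pool {pool} holds {max_tunnels} /31s, need {tunnels_needed}")
    return {"max_tunnels": max_tunnels, "problems": problems}


def allocate_tunnels(pool_cidr, count):
    """Carve the first `count` /31 subnets out of the pool and return the
    (ION side, Prisma Access side) inner addresses for each tunnel.
    Assumption for illustration only: the ION takes the lower address."""
    pool = ipaddress.ip_network(pool_cidr, strict=True)
    pairs = []
    for sub in islice(pool.subnets(new_prefix=31), count):
        pairs.append((str(sub[0]), str(sub[1])))
    return pairs


if __name__ == "__main__":
    # Constructed sample values: a /24 pool and a separate infrastructure subnet.
    report = check_tunnel_pool("10.255.0.0/24", "192.168.255.0/24", tunnels_needed=100)
    print(f"max tunnels: {report['max_tunnels']}, problems: {report['problems']}")
    for ion_ip, pa_ip in allocate_tunnels("10.255.0.0/24", 3):
        print(f"ION {ion_ip} <-> Prisma Access {pa_ip}")
```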