Onboard a Service Connection or Remote Network Connection Using Predefined Templates

In Panorama, perform configuration so that the templates display in Panorama.
When you upgrade the Cloud Services plugin, the new templates do not automatically display. Complete this step once after upgrading to have the templates permanently display. New installations perform this initial configuration as part of their first-time setup and this extra step is not required.
You can also complete this step if you delete these templates and need to retrieve them.
For service connections, select
Panorama
Cloud Services
Configuration
Service Setup
, click the gear icon in the
Settings
area to open the
Settings
, then click
OK
.
For remote network connections, select
Panorama
Cloud Services
Configuration
Remote Networks
, click the gear icon in the
Settings
area to open the
Settings
, then click
OK
.
Select
Network
, then select the correct
Template
(either
Remote_Network_Template
if you are creating a remote network connection or
Service_Conn_Template
if you are creating a service connection).
Determine the type of device that is used to terminate the service connection or remote network connection, and find a template to use with that device.
If your SD-WAN or IPSec device is not on the list, use the generic profiles.
Select
Network
Network Profiles
IKE Gateways
and make the following changes to the IKE gateway profile for your device:
You can use the IPSec crypto and IKE crypto profiles with no changes; however, you must make specific changes to the IKE gateway profile to match the network settings.
(
Optional
) If you know the public IP address of the on-premises device that will be used to set up the IPSec tunnel with Prisma Access, set a static IP address by specifying a
Peer IP Address Type
of
IP
and enter the
Peer Address
for the IPSec tunnel.
If using a pre-shared key for the IPSec tunnel, specify a
Pre-shared Key
.
Specify a
Peer Identification
of either
IP Address
or
User FQDN
.
Be sure that you match the settings you specify here when you configure the device used to terminate the other side of the IPSec tunnel.

Onboard the service connection or remote network connection, specifying the
IPSec tunnel
configuration that matches the device on the other side of the IPSec tunnel.
(
Optional
) If you need to add a backup tunnel (Secondary WAN) for a service connection or remote connection, perform the following additional configuration steps.
Configuring a Secondary WAN is not supported in the following deployments:
If your secondary WAN is set up in active-active mode with the Primary IPSec tunnel.
If your customer premises equipment (CPE) is set up in an Equal Cost Multipath (ECMP) configuration with the Primary and Secondary IPSec tunnel.
Create a new IKE Gateway for the backup tunnel, copying the settings from the predefined template you want to duplicate.

The following example creates a backup tunnel configuration for generic networking devices.



Under

Advanced Options

, specify the

IKE Crypto Profile

for the predefined template you want to use.

Palo Alto Networks recommends that you use GCM ciphers instead of CBC ciphers for IPSec tunnels.

If you are onboarding a Prisma SD-WAN, select

Enable Passive Mode

.



Create a new IPSec Tunnel, specifying the new IKE gateway you created, but copying all the other settings from the default template.



When you onboard the service connection or remote network connection,

Enable Secondary WAN

and specify the tunnel you created for the backup WAN.


Complete the configuration of the service connection or remote network connection by matching the cryptos, pre-shared key, and Peer identifiers on the device that is used to terminate the other side of the IPSec tunnel.
(
Optional
) If you need to onboard multiple remote network connections that use the same types of networking devices,
Export
the configuration of the remote network, edit the settings, then
Import
that configuration.
See Onboard Multiple Remote Network Connections of the Same Type for details.