Onboard a Service Connection or Remote Network Connection Using Predefined Templates
To onboard a service connection or remote network connection using the templates provided by Prisma Access, complete the following task.
In Panorama, perform the configuration that makes the predefined templates display in Panorama.
When you upgrade the Cloud Services plugin, the new templates do not display automatically. Complete this step once after upgrading so that the templates display permanently. New installations perform this initial configuration as part of first-time setup, so the extra step is not required.
You can also complete this step if you deleted these templates and need to retrieve them.
Determine the type of device that terminates the service connection or remote network connection, and find the template to use with that device.
If your SD-WAN or IPSec device is not on the list, use the generic profiles.
Select Network > Network Profiles > IKE Gateways and make the following changes to the IKE gateway profile for your device.
You can use the IPSec crypto and IKE crypto profiles without changes; however, you must change the IKE gateway profile to match your network settings.
(Optional) If you know the public IP address of the on-premises device that will terminate the IPSec tunnel with Prisma Access, set a static peer address: specify a Peer IP Address Type of IP and enter the Peer Address for the IPSec tunnel.
If you are using a pre-shared key for the IPSec tunnel, specify a Pre-shared Key.
Specify a Peer Identification of either IP Address or User FQDN.
Be sure that the settings you specify here match the configuration of the device that terminates the other side of the IPSec tunnel. The Peer Identification must equal the local IKE identity that device presents; if the identities differ, IKE authentication fails and the tunnel does not come up.
(Optional) If you need to add a backup tunnel (Secondary WAN) for a service connection or remote network connection, perform the following additional configuration steps.
Configuring a Secondary WAN is not supported in the following deployments:
If your secondary WAN is set up in active-active mode with the primary IPSec tunnel.
If your customer premises equipment (CPE) is set up in an Equal Cost Multipath (ECMP) configuration with the primary and secondary IPSec tunnels.
Create a new IKE Gateway for the backup tunnel, copying the settings from the predefined template you want to duplicate.
The following example creates a backup tunnel configuration for generic networking devices.
Under Advanced Options, specify the IKE Crypto Profile of the predefined template you want to use.
Palo Alto Networks recommends that you use GCM ciphers instead of CBC ciphers for IPSec tunnels. GCM is an authenticated-encryption (AEAD) mode that provides integrity and confidentiality in one operation, whereas CBC relies on a separate hash (HMAC) for integrity.
If you are onboarding a Prisma SD-WAN device, select Enable Passive Mode.
Create a new IPSec Tunnel that uses the new IKE gateway you created, copying all other settings from the default template.
When you onboard the service connection or remote network connection, select Enable Secondary WAN and specify the tunnel you created for the backup WAN.
Complete the configuration of the service connection or remote network connection by matching the crypto profiles, pre-shared key, and peer identifiers on the device that terminates the other side of the IPSec tunnel.
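The following is an added example, not code from the Prisma Access documentation or from Palo Alto Networks: a small lint that reads a Panorama configuration exported as XML and checks, for each IKE gateway, the items the steps above tell you to align with the CPE (peer address set to a static IP or dynamic, a pre-shared key present, a Peer Identification of IP Address or User FQDN that matches the identity the CPE presents, and an IKE crypto profile that exists and does not allow CBC or 3DES). The sample XML is constructed for this example and assumes the element layout of the PAN-OS configuration schema for ike gateways and ike crypto profiles; confirm the element names against your own export before relying on it. The exported pre-shared key is stored encrypted, so the check only confirms that a key is configured, not that it equals the CPE's key.

```python
"""Lint IKE gateway settings in an exported Panorama/PAN-OS configuration.

Added example (assumed XML layout); not the vendor's code.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: one gateway done right (GCM, ufqdn peer ID,
# key present) and one backup gateway with the mistakes the lint catches.
SAMPLE_TEMPLATE_XML = """
<config>
  <devices><entry name="localhost.localdomain"><network>
    <ike>
      <crypto-profiles>
        <ike-crypto-profiles>
          <entry name="Generic-IKE-Crypto-GCM">
            <encryption><member>aes-256-gcm</member></encryption>
            <hash><member>sha256</member></hash>
            <dh-group><member>group20</member></dh-group>
          </entry>
          <entry name="Generic-IKE-Crypto-CBC">
            <encryption><member>aes-256-cbc</member><member>3des</member></encryption>
            <hash><member>sha1</member></hash>
            <dh-group><member>group2</member></dh-group>
          </entry>
        </ike-crypto-profiles>
      </crypto-profiles>
      <gateway>
        <entry name="Branch1-Primary">
          <authentication><pre-shared-key><key>-AQ==encrypted-blob==</key></pre-shared-key></authentication>
          <protocol><version>ikev2</version>
            <ikev2><ike-crypto-profile>Generic-IKE-Crypto-GCM</ike-crypto-profile></ikev2></protocol>
          <peer-address><ip>203.0.113.10</ip></peer-address>
          <peer-id><type>ufqdn</type><id>branch1@example.com</id></peer-id>
        </entry>
        <entry name="Branch1-Backup">
          <authentication><pre-shared-key><key></key></pre-shared-key></authentication>
          <protocol><version>ikev2</version>
            <ikev2><ike-crypto-profile>Generic-IKE-Crypto-CBC</ike-crypto-profile></ikev2></protocol>
          <peer-address><dynamic/></peer-address>
        </entry>
      </gateway>
    </ike>
  </network></entry></devices>
</config>
"""

# Encryption members that should not be in a profile used for these tunnels.
WEAK_ENCRYPTION = ("cbc", "3des", "des")
# Peer Identification types the procedure tells you to use.
ALLOWED_PEER_ID_TYPES = ("ipaddr", "ufqdn")


def load_ike_crypto_profiles(root):
    """Map IKE crypto profile name -> list of encryption algorithm names."""
    return {
        entry.get("name"): [m.text for m in entry.iterfind("encryption/member")]
        for entry in root.iterfind(".//ike-crypto-profiles/entry")
    }


def lint_ike_gateways(xml_text, cpe_identities):
    """Return a list of (gateway_name, finding) tuples.

    cpe_identities maps a gateway name to the (type, id) pair the CPE is
    configured to present as its local IKE identity, taken from the CPE.
    """
    root = ET.fromstring(xml_text)
    profiles = load_ike_crypto_profiles(root)
    findings = []
    for gw in root.iterfind(".//ike/gateway/entry"):
        name = gw.get("name")
        # Peer address must be a static IP or explicitly dynamic.
        if gw.find("peer-address/ip") is None and gw.find("peer-address/dynamic") is None:
            findings.append((name, "peer address is neither a static IP nor dynamic"))
        # A pre-shared key must be configured (value is encrypted in the export).
        if not gw.findtext("authentication/pre-shared-key/key"):
            findings.append((name, "no pre-shared key configured"))
        # Peer Identification: right type, and equal to what the CPE sends.
        ptype = gw.findtext("peer-id/type")
        pid = gw.findtext("peer-id/id")
        if ptype not in ALLOWED_PEER_ID_TYPES:
            findings.append((name, f"peer identification type {ptype!r} is not IP Address or User FQDN"))
        expected = cpe_identities.get(name)
        if expected is not None and (ptype, pid) != expected:
            findings.append((name, f"peer ID {(ptype, pid)} does not match CPE identity {expected}"))
        # IKE crypto profile must exist and avoid CBC/3DES (prefer GCM).
        prof = gw.findtext("protocol/ikev2/ike-crypto-profile") or gw.findtext("protocol/ikev1/ike-crypto-profile")
        if prof not in profiles:
            findings.append((name, f"IKE crypto profile {prof!r} not found in configuration"))
        else:
            weak = [c for c in profiles[prof] if any(w in c for w in WEAK_ENCRYPTION)]
            if weak:
                findings.append((name, f"IKE crypto profile {prof} allows CBC/3DES ciphers {weak}; prefer GCM"))
    return findings


if __name__ == "__main__":
    # Identity taken from the (hypothetical) CPE configuration for Branch1.
    cpe = {"Branch1-Primary": ("ufqdn", "branch1@example.com")}
    for gateway, finding in lint_ike_gateways(SAMPLE_TEMPLATE_XML, cpe):
        print(f"{gateway}: {finding}")
```

Run it against a real export by replacing SAMPLE_TEMPLATE_XML with the file contents and filling cpe_identities from the CPE's own IKE configuration; anything it reports for a gateway is a setting that will make the tunnel fail to negotiate (peer ID or missing key) or that falls short of the GCM recommendation above.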
(Optional) If you need to onboard multiple remote network connections that use the same types of networking devices, Export the configuration of the remote network, edit the settings, then