Learn how to implement service connections in a Prisma
Access deployment.
If you use the service connection to access information
from your headquarters or data center, gather the following information
for each of your HQ/data center sites that you want to connect to
Prisma Access:
An IPSec-capable firewall, router, or SD-WAN device at the site
that will terminate the service connection.
IPSec settings for terminating the primary VPN tunnel from
Prisma Access to the IPSec-capable device on your corporate network.
IPSec settings for terminating the secondary VPN tunnel from
Prisma Access to the IPSec-capable device on your corporate network.
If you have an existing template that contains IPSec tunnel,
Tunnel Monitoring, and IPSec Crypto Profile configurations, you
can add that template to the template stack to simplify the process
of creating the IPSec tunnels. Alternatively, you can edit the Service_Conn_Template
that is created automatically and add the IPSec configuration required
to build the IPSec tunnel back to the corporate site. Prisma Access
also provides a set of predefined IPSec templates for
some commonly used network devices, and a generic template for any
device that is not covered by the predefined templates.
List of IP subnetworks at the site.
List of internal domains that the cloud service will need
to be able to resolve.
IP address of a node at your network’s site to which Prisma
Access can send ICMP ping requests for IPSec tunnel monitoring.
Make sure that this node answers ICMP echo requests and that the
address is reachable by ICMP from the entire Prisma Access infrastructure
subnet, not only from a single address in it; if the monitored node stops
responding, Prisma Access treats the tunnel as down.
Service account for your authentication service, if required
for access.
Network reachability settings for the service infrastructure
subnet.
We recommend that you make the entire service infrastructure
subnet reachable from the HQ or data center site. Prisma Access
uses IP addresses from this subnet for all control plane traffic, including
tunnel monitoring, LDAP, User-ID, and so on, so allow the whole subnet
in the site’s firewall rules rather than individual addresses.
The routing type, static or dynamic (BGP), to use
with service connections.
In order for Prisma Access to route
users to the resources they need, you must provide the routes to
those resources. You can do this in one or more of the following ways:
Define a static route to each subnetwork or specific resource
that you want your users to be able to access.
Configure BGP between your service connection locations and
Prisma Access.
Use a combination of both methods.
If you
configure static routes and also enable BGP, the static routes
take precedence, so a static route for a prefix that BGP also advertises
is the one that gets used. While it might be convenient to use static routes
if you have just a few subnetworks or resources you want to allow
access to, in a large data center/HQ environment where you have
routes that change dynamically, BGP lets you scale more easily.
Dynamic routing also provides redundancy for your service connections.
If one service connection tunnel is down, BGP can dynamically route
mobile user and remote network traffic over the operational service
connection tunnel.
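The following is an added example, not Palo Alto Networks code and not part of the original page. It does two things with the information this checklist asks you to gather: it sanity-checks a per-site record (both tunnel peers present, the tunnel-monitor address inside one of the site's subnets, a routing type of static or BGP, internal domains listed), and it models the route selection described above, where a static route is preferred over a BGP route for the same prefix and, once tunnel monitoring marks the primary tunnel down, traffic falls back to the BGP route over the secondary tunnel. All addresses, the site name, the domain and the service infrastructure subnet (INFRA_SUBNET) are constructed values; the check that a site subnet must not overlap the infrastructure subnet is an assumption added here, not stated on this page; longest-prefix-first selection is standard forwarding behaviour and is assumed, not something the page spells out.

```python
"""Added example (not Palo Alto Networks code): pre-flight checks on the site
information gathered for a service connection, plus a small model of the
route selection the page describes (static over BGP, BGP failover when
tunnel monitoring marks a tunnel down). All values below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Assumed service infrastructure subnet for this deployment (constructed value).
INFRA_SUBNET = ip_network("172.16.55.0/24")


@dataclass
class SiteRecord:
    """The per-site information the checklist asks you to gather."""
    name: str
    primary_peer: str           # IPSec device terminating the primary tunnel
    secondary_peer: str         # IPSec device terminating the secondary tunnel
    subnets: List[str]          # IP subnetworks at the site
    monitor_ip: str             # node that answers ICMP for tunnel monitoring
    internal_domains: List[str] # domains the cloud service must resolve
    routing: str                # "static" or "bgp"


def check_site(site: SiteRecord) -> List[str]:
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    if not site.primary_peer or not site.secondary_peer:
        problems.append("both primary and secondary tunnel peers are required")
    nets = [ip_network(s, strict=False) for s in site.subnets]
    if not nets:
        problems.append("no site subnets listed")
    mon = ip_address(site.monitor_ip)
    if not any(mon in n for n in nets):
        problems.append(f"monitor IP {mon} is not inside any listed site subnet")
    # Added sanity check (assumption, not from the page): a site subnet that
    # overlaps the infrastructure subnet cannot be routed cleanly either way.
    for n in nets:
        if n.overlaps(INFRA_SUBNET):
            problems.append(f"site subnet {n} overlaps infrastructure subnet {INFRA_SUBNET}")
    if site.routing not in ("static", "bgp"):
        problems.append(f"unknown routing type {site.routing!r}")
    if not site.internal_domains:
        problems.append("no internal domains listed for the cloud service to resolve")
    return problems


@dataclass
class Route:
    prefix: str
    tunnel: str    # "primary" or "secondary" service-connection tunnel
    source: str    # "static" or "bgp"


def select_route(dest: str, routes: List[Route], tunnel_up: Dict[str, bool]) -> Optional[Route]:
    """Pick the route used for dest. Longest prefix wins (standard forwarding
    behaviour, assumed); on equal prefix length a static route beats a BGP route,
    as the page states; routes over a tunnel that monitoring reports down are skipped."""
    d = ip_address(dest)
    usable = [r for r in routes
              if d in ip_network(r.prefix) and tunnel_up.get(r.tunnel, False)]
    if not usable:
        return None
    return max(usable, key=lambda r: (ip_network(r.prefix).prefixlen, r.source == "static"))


# Constructed sample data for a single HQ site.
HQ = SiteRecord(
    name="hq-example", primary_peer="203.0.113.10", secondary_peer="203.0.113.11",
    subnets=["10.1.0.0/16", "10.2.0.0/16"], monitor_ip="10.1.0.5",
    internal_domains=["corp.example"], routing="bgp",
)
ROUTES = [
    Route("10.1.0.0/16", "primary", "static"),
    Route("10.1.0.0/16", "primary", "bgp"),
    Route("10.1.0.0/16", "secondary", "bgp"),
    Route("10.2.0.0/16", "secondary", "bgp"),
]

if __name__ == "__main__":
    print("site problems:", check_site(HQ) or "none")
    for state in ({"primary": True, "secondary": True}, {"primary": False, "secondary": True}):
        r = select_route("10.1.20.7", ROUTES, state)
        print(state, "->", r.source, "via", r.tunnel)
```

Run as a script, the record for the constructed HQ site passes, the static route over the primary tunnel is chosen while that tunnel is up, and the BGP route over the secondary tunnel takes over once the primary is reported down. The 10.2.0.0/16 prefix is reachable only over the secondary tunnel, so if that tunnel is down there is no usable route at all, which is the case a second tunnel and BGP are meant to cover.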