Plan a Service Connection
Gather the following information to start planning your service connection with Prisma Access.
Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
Create service connections to allow Prisma Access to perform the following tasks:
  • Allow access to the resources in your HQ or data center.
    If you have corporate resources that your remote networks and mobile users need to access, you must enable Prisma Access to access the corresponding corporate network.
  • Allow remote networks and mobile users to communicate with each other.
    Even if you do not need your Prisma Access users to connect to your HQ or data center, you might need to allow your mobile users to access your remote network sites. Service connections are required for this use case because, while all remote network sites are fully meshed, the mobile user infrastructure is not. Minimally configuring a service connection establishes the hub-and-spoke network that mobile users need to access a branch network.
    To improve network efficiency, place service connections close to the remote network or networks that mobile users access most frequently.

Gather this HQ or Data Center Information

Before you begin to configure a service connection, gather the following information for each of the HQ or data centers to which you want Prisma Access to be able to connect.
You do not need to gather this information if you are creating a service connection only to allow mobile users to access remote network locations.
For Prisma Access (Cloud Management) and Prisma Access (Panorama Managed) Service Connections:
  • IPSec-capable firewall, router, or SD-WAN device connection at your corporate site.
  • IPSec settings for terminating the primary VPN tunnel from Prisma Access to the IPSec-capable device on your corporate network.
  • IPSec settings for terminating the secondary VPN tunnel from Prisma Access to the IPSec-capable device on your corporate network.
    If you have an existing template that contains IPSec tunnel, Tunnel Monitoring, and IPSec Crypto Profile configurations, you can add that template to the template stack to simplify the process of creating the IPSec tunnels. Alternatively, you can edit the Service_Conn_Template that is created automatically and add the IPSec configuration required to build the IPSec tunnel back to the corporate site.
    Prisma Access also provides a set of predefined IPSec templates for some commonly used network devices, and a generic template for any device that is not included in the predefined templates.
  • List of IP subnetworks at the site.
  • List of internal domains that Prisma Access must be able to resolve.
  • IP address of a corporate access node at your network’s site to which Prisma Access can send ICMP ping requests for IPSec tunnel monitoring.
    Make sure that this address is reachable by ICMP from the entire Prisma Access infrastructure subnet.
  • Network reachability settings for the service infrastructure subnet.
    Make the entire service infrastructure subnet reachable from the HQ or data center. Prisma Access uses IP addresses from this subnet for all control plane traffic.
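As an added example (not from the Prisma Access documentation), the Python below checks two of the items above against a planning record: that the corporate side routes the entire service infrastructure subnet back toward Prisma Access, reporting any range left uncovered, and that the ICMP tunnel-monitor target lies inside one of the site's own subnets. The plan layout and every address in it are constructed for illustration.

```python
import ipaddress

def uncovered_prefixes(infra_subnet, routed_prefixes):
    """Return the parts of infra_subnet that no routed prefix covers.

    All Prisma Access control-plane traffic, including the ICMP tunnel-monitor
    probes, is sourced from this subnet, so every address in it needs a return route.
    """
    infra = ipaddress.ip_network(infra_subnet)
    remaining = [infra]
    for prefix in routed_prefixes:
        route = ipaddress.ip_network(prefix)
        if route.version != infra.version:
            continue
        still_missing = []
        for chunk in remaining:
            if chunk.subnet_of(route):
                continue                     # chunk fully covered by this route
            if route.subnet_of(chunk):       # route covers only part of the chunk
                still_missing.extend(chunk.address_exclude(route))
            else:
                still_missing.append(chunk)  # disjoint: chunk still unrouted
        remaining = still_missing
    return sorted(remaining)

def monitor_ip_is_local(monitor_ip, site_subnets):
    """True when the tunnel-monitor target sits inside one of the site's subnets."""
    ip = ipaddress.ip_address(monitor_ip)
    return any(ip in ipaddress.ip_network(s) for s in site_subnets)

def check_plan(plan):
    """Return human-readable findings for one service connection planning record."""
    findings = []
    for gap in uncovered_prefixes(plan["infra_subnet"], plan["routes_to_prisma_access"]):
        findings.append(f"no return route for infrastructure range {gap}")
    if not monitor_ip_is_local(plan["tunnel_monitor_ip"], plan["site_subnets"]):
        findings.append(f"tunnel monitor IP {plan['tunnel_monitor_ip']} is not in any site subnet")
    return findings

# Constructed sample plan; the addresses are placeholders, not documented defaults.
SAMPLE_PLAN = {
    "infra_subnet": "192.168.254.0/23",
    "routes_to_prisma_access": ["192.168.254.0/24"],  # only half the subnet is routed
    "site_subnets": ["10.10.0.0/16", "10.20.5.0/24"],
    "tunnel_monitor_ip": "10.10.0.1",
}

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN):
        print("FINDING:", finding)
```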
For Prisma Access Panorama Service Connections Only:
This information is required only when planning service connections in Prisma Access (Panorama Managed).
  • The service account for your authentication, if required for access.
  • The routing type (either static or dynamic (BGP)) to use with service connections.
    In order for Prisma Access (Panorama Managed) to route users to the resources they need, you must provide the routes to those resources. You can do this in one or more of the following ways:
    • Define a static route to each subnetwork or specific resource that you want your users to be able to access.
    • Configure BGP between your service connection locations and Prisma Access.
    • Use a combination of both methods.