Configure and Install Prisma Access for Networks (Panorama managed)

4.0.0 PIC
Configure the Prisma SD-WAN CloudBlade to prepare the Prisma SD-WAN Controller for integration.
  1. From the Prisma SD-WAN web interface, select CloudBlades.
  2. In CloudBlades, locate the Prisma Access for Networks Integration (managed by Panorama) CloudBlade and click Configure. If this CloudBlade does not appear in the list, contact Prisma SD-WAN Support.
  3. In the Prisma Access for Networks (managed by Panorama) CloudBlade configuration screen, enter the following information in the fields shown below and change where appropriate:
    1. VERSION: Select the version of the Prisma Access for Networks (managed by Panorama) CloudBlade.
    2. ADMIN STATE: Select or retain Enabled.
    3. PANORAMA SERIAL NUMBER: Enter the comma-separated serial number(s) of the Panorama API endpoint.
    4. PANORAMA AUTHORIZATION KEY: Enter the same key that was set in the Panorama console for the Prisma SD-WAN integration.
    5. ION PEERING DEFAULT LOCAL AS NUMBER: In version 2.0.3 and higher, a BGP Local AS number is defined to quickly onboard ECMP sites. This can be any 16-bit AS number, but private BGP AS numbers are recommended.
    6. TUNNEL IDENTIFIER, PRISMA ACCESS FOR NETWORKS SIDE: Enter an FQDN IKE identifier in name@domain.com format. Prisma Access uses this identifier to identify remote tunnel connections.
    7. TUNNEL IDENTIFIER TEMPLATE, PRISMA SD-WAN SIDE: Enter an FQDN IKE identifier in name@domain.com format. This identifier should be different from the Prisma Access identifier. It is used as a template to generate a unique ID per tunnel.
    8. TUNNEL INNER IP POOL: Specify an IP pool using IP/Mask notation. This pool should be unused or unique across the entire network and should not be used by the Palo Alto Service Infrastructure subnet.
      If you wish to change the IP prefix specified here, first disable the CloudBlade and ensure all service links are cleared. Then change the IP CIDR to the required value and enable the CloudBlade so that it allocates tunnels based on the new IP CIDR.
      The number of tunnels that can be created from the Prisma SD-WAN Fabric to Prisma Access is directly limited by this configuration. Each tunnel will use a /31 subnet from this pool.
    9. TUNNEL PSK SEED: Specify a string of text, which will be used to derive the unique pre-shared keys (PSKs) used per tunnel.
    10. PANORAMA TENANT NAME (Optional): Specify the Tenant Name that will be used for Remote Networks with the CloudBlade.
    11. ENFORCE DEFAULT PRISMA SD-WAN LIVELINESS PROBES: For Prisma Access, the default is to leverage an ICMP probe to the last Prisma Access Infrastructure IP address.
    12. ENABLE DRY RUN EXECUTIONS: If enabled, the CloudBlade logs the changes made on Prisma SD-WAN and Panorama in the Logs and Status Monitor. This option can be used to check what changes need to be done by the CloudBlade.
  4. Click Install after the settings are configured.
    If you select and change the version of the CloudBlade, you must reenter all the configuration values for that particular CloudBlade version.
    To change the associated Sub-Tenant on Panorama used for the integration, delete all existing tunnels on the current Sub Tenant before updating the Sub Tenant name on the CloudBlade configuration. The behaviour of the CloudBlade is undefined in case the tenant name changes without clearing existing tunnels first.
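
A pre-flight check for the values entered in step 3, as an added example that is not Palo Alto Networks code or part of the CloudBlade: it computes how many /31 tunnel subnets the TUNNEL INNER IP POOL yields and flags overlap with prefixes already in use, a non-private local AS, and malformed or identical tunnel identifiers. The dictionary keys, function names and sample prefixes are assumptions constructed for illustration.

```python
import ipaddress
import re

# RFC 6996 private-use range for 16-bit AS numbers (64512-65534).
PRIVATE_AS_16 = range(64512, 65535)
# name@domain.com shape the page asks for in both tunnel identifier fields.
IKE_ID = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def tunnel_capacity(pool):
    """Number of /31 tunnel subnets the inner IP pool can supply."""
    net = ipaddress.ip_network(pool, strict=True)  # rejects host bits set
    if net.version != 4 or net.prefixlen > 31:
        raise ValueError(f"{pool}: pool must be an IPv4 prefix of /31 or shorter")
    return 2 ** (31 - net.prefixlen)


def preflight(cfg, in_use):
    """Return a list of problems found in the planned CloudBlade values."""
    problems = []
    asn = cfg["local_as"]
    if not 1 <= asn <= 65535:
        problems.append(f"AS {asn} is not a 16-bit AS number")
    elif asn not in PRIVATE_AS_16:
        problems.append(f"AS {asn} is public; a private AS is recommended")
    for key in ("prisma_access_id", "sdwan_id_template"):
        if not IKE_ID.match(cfg[key]):
            problems.append(f"{key} is not in name@domain.com format")
    if cfg["prisma_access_id"].lower() == cfg["sdwan_id_template"].lower():
        problems.append("tunnel identifiers on both sides are identical")
    try:
        capacity = tunnel_capacity(cfg["inner_ip_pool"])
    except ValueError as exc:
        return problems + [str(exc)]
    if capacity < cfg["planned_tunnels"]:
        problems.append(f"pool yields {capacity} /31 subnets, "
                        f"{cfg['planned_tunnels']} tunnels planned")
    pool = ipaddress.ip_network(cfg["inner_ip_pool"])
    for prefix in in_use:  # e.g. the service infrastructure subnet, LAN prefixes
        if pool.overlaps(ipaddress.ip_network(prefix)):
            problems.append(f"pool overlaps in-use prefix {prefix}")
    return problems


# Constructed sample values, not taken from any real deployment.
SAMPLE = {"local_as": 65010, "planned_tunnels": 200, "inner_ip_pool": "10.250.0.0/25",
          "prisma_access_id": "pa@example.com", "sdwan_id_template": "ion@example.com"}
if __name__ == "__main__":
    print(preflight(SAMPLE, in_use=["10.250.0.0/24"]))
```

Running the check with ENABLE DRY RUN EXECUTIONS still turned on lets you compare its result against what the CloudBlade logs before any tunnels are allocated.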
