Configure the Silver Peak Remote Network

Configure the remote network between the Silver Peak SD-WAN and the GlobalProtect cloud service by completing the steps in the following workflows:

Configure the Remote Network Tunnel

Use this workflow to configure Silver Peak EdgeConnect with the GlobalProtect cloud service.
Silver Peak recommends that you configure two tunnels in an active-backup configuration between Silver Peak EdgeConnect and the GlobalProtect cloud service, because there are some restrictions for accessing resources at other network locations when you configure the tunnels in an active-active configuration, as noted in Dual ISPs in Active-Active Mode. See Support for Two Active-Active Connections to configure two tunnels in an active-active configuration.
Before you start this workflow, complete the following tasks:
  • Configure the GlobalProtect Cloud Service for remote networks for the tunnels you create in this section, and make a note of the IKE and IPSec crypto profiles you used for the remote network tunnel. You also need the Service IP address of the GlobalProtect cloud service side of the tunnel to complete this configuration. To find this address in Panorama, select PanoramaCloud ServicesStatusNetwork Details, click the Remote Networks radio button, and find the address in the Service IP Address field.
  • Determine your remote tunnel capacity. Silver Peak bases the tunnel capacity on licensing and the capacity of the device model. For example, the base Silver Peak license supports up to 200 Mbps WAN uplink, and the EC-XS supports 200 Mbps. The GlobalProtect cloud service bases its tunnel capacity on what you specify when you create the remote network and the amount of bandwidth in the GlobalProtect cloud service license.
  1. From the Silver Peak orchestrator, create a tunnel configuration.
    1. Select Configuration.
    2. Select TunnelsPassthrough
    3. Select Add Tunnel.
    4. Select a Name, Local IP, Remote IP, and Mode.
    5. In the Advanced Options area, enter the IKE and IPSec parameters.
      The parameters must be the same as the parameters that you specified on the GlobalProtect cloud service. Silver Peak recommends the following IKE and IPSec encryption settings:
      • IKE encryption settings:
        • Encryption—AES-256 (by default it is CBC)
        • Authentication—SHA1 (HMAC)
        • IKE Lifetime—8 hours
        • Dead Peer DetectionDelay time: 300 seconds Retry: 3
        • IKE Identifier —IP address (leave blank - public IP is auto-detected)
        • DH—Group 14
        • Mode—Main
      • IPSec encryption settings:
        • Encryption—AES-256 (by default it is CBC)
        • Authentication—SHA1 (HMAC)
        • Lifetime—60 minutes
        • PFS—DH - Group 14
  2. Create two tunnels to the GlobalProtect cloud service: one Active and the other Backup.
    The following example creates two tunnels named GlobalProtect-1 and GlobalProtect-2.
    Specify the GlobalProtect cloud service Service IP Address in the Remote IP field.
    Select the Local IP address from the list of WAN interface IP addresses.
  3. Use the 3rd party IPSec tunnels in a Business Intent overlay policy by selecting Business Intent Overlay and configuring the Peer/Service in the Policies area.
  4. Order the GlobalProtect-1GlobalProtect-2 service to the Preferred Policy Order field in the Internet Traffic area.
    Defining the order in the Preferred Policy Order configures the GlobalProtect-1 tunnel to automatically fail over to the GlobalProtect-2 if the GlobalProtect-1 goes down. When both tunnels from the branch to GPCS are down, Silver Peak uses any other defined path such as local breakout or backhaul using the Overlay.

Support for Two Active-Active Connections

Two connections from a branch as active-active on the GlobalProtect cloud service are implemented as two separate remote network connections. You must onboard the connections in two separate regions using one of the following methods:
  • Onboard the two remote networks in two separate regions. See Dual ISPs in Active-Active Mode for more information.
  • Onboard both remote networks to the same region, but specify the bandwidth for one of the connections to the maximum bandwidth that is licensed and supported for the GlobalProtect cloud service. Select PanoramaLicensesGlobalProtect Cloud Service for Remote Networks to see the maximum bandwidth.
    The Silver Peak SD-WAN manually injects branch subnets into GlobalProtect cloud service, but return traffic might not travel through the same tunnel if you use the same branch subnets for both tunnels. To avoid asymmetric traffic paths, configure different branch subnets for each primary tunnel.
  1. To load balance between the two tunnels, use identical names under Peer/Service. For example, if you use a Peer/Service name GlobalProtect for the tunnels GPCS1 and GPCS2, traffic will load balance between the two tunnels.
    The following figure shows the different branch subnets configured in GlobalProtect cloud service for the load-balanced tunnels.
    The following figure shows the GlobalProtect cloud service in two regions in the Remote IP area and the peer service configured as GlobalProtect in the Peer/Service area.
    The following figure shows Send to GlobalProtect configured in the Preferred Policy Order field.

Related Documentation