Prisma Access Hub Support

Description and brief steps to configure Prisma Access Hub Support.
With SD-WAN plugin 2.2 and later releases, PAN-OS Secure SD-WAN provides you with Prisma Access hub support to give you full control of how and where applications are secured. Prisma Access Hub support allows PAN-OS firewalls to connect to Prisma Access compute nodes (CNs) to achieve cloud-based security in an SD-WAN hub-and-spoke topology. This support enables a seamless link failover from on-premises security to Prisma Access and the ability to mix both to meet your security needs.
In a mixed topology with both PAN-OS SD-WAN firewalls and Prisma Access hubs, the SD-WAN hubs are Prisma Access CNs (IPSec Termination Nodes) and the SD-WAN branches are PAN-OS firewalls. SD-WAN automatically creates IKE and IPSec tunnels that connect the branch to the hub. Using Traffic Distribution profiles, you can create SD-WAN policies to match specific internet applications and redirect them to a PAN-OS firewall or Prisma Access deployment of your choice. With Prisma Access hub support, on-premises and cloud security platforms work together to provide a complete solution with consistent security policies managed by Panorama.
The minimum PAN-OS and SD-WAN plugin versions required for Prisma Access Hub support are given per component in the Minimum Release table: Prisma Access Compute Node, Prisma Access Cloud Configuration Plugin, and SD-WAN Plugin.
Before you connect SD-WAN to Prisma Access, you must have a branch firewall with an interface that has SD-WAN enabled. You must also have performed the Prisma Access prerequisites.
  1. Specify the BGP local address pool for loopback addresses.
    1. Select VPN Clusters.
    2. Select BGP Prisma Address Pool.
    3. Add an unused private subnet (prefix and netmask) for the local BGP addresses for Prisma Access.
    4. Click
    5. Commit.
  2. Select the SD-WAN branch firewall to connect to the Prisma Access hub and configure the connection.
    1. Select
    2. Select the branch firewall on which you enabled SD-WAN, whose name then populates the
    3. Select the
      of device as
    4. Select the Virtual Router Name.
    5. Enter the
      All SD-WAN devices must have a unique Site name.
    6. Select Prisma Access Onboarding.
    7. Select a local, SD-WAN-enabled
      on the firewall to connect to the Prisma Access hub.
    8. Select a Prisma Access
      for a single tenant environment).
      All SD-WAN interfaces on a branch firewall must use the same Prisma Access tenant.
    9. Add a compute node to a
      by selecting the region where the CN (Prisma Access hub) is located. There can be multiple regions per interface.
    10. Select an IPSec Termination Node (GP gateway) from the list of nodes; the list is based on the nodes that Prisma Access spun up for the region earlier. You are choosing the hub to which this branch connects. SD-WAN Auto VPN configuration builds IKE and IPSec relationships and tunnels with this node.
    11. Enable BGP for communication between the branch and hub (Enable is the default).
    12. Complete the configuration for the connection.
    13. Click
  3. Commit and Push the configuration to the cloud, where Prisma Access spins up the correct number of IPSec Termination Nodes based on the requested bandwidth.
  4. Synchronize the branch firewall to Prisma Access to retrieve the service IP address(es) of the CNs.
  5. Commit to Panorama.
  6. Push to Devices to push to the local branch firewall. Use Edit Selections to set the Push Scope Selection, and select the correct Device Group.
  7. On the branch firewall, select
    and see the new interface; verify that the IPSec tunnel and IKE gateway are up.
  8. Create an SD-WAN policy rule to generate monitoring data.
  9. Commit, then Commit and Push to the branch firewalls.
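As an added example (not from the Palo Alto Networks documentation), a Python preflight check for the BGP Prisma Address Pool chosen in step 1: it confirms the candidate prefix is a valid RFC 1918 subnet, does not overlap prefixes already in use in the SD-WAN fabric, and is large enough for the planned connections. The in-use prefixes, the required address count and the one-loopback-per-connection sizing are assumptions, not values from the page.

```python
import ipaddress
from typing import Iterable, List, Tuple

# RFC 1918 ranges: the procedure asks for an "unused private subnet" as the pool.
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_bgp_pool(pool: str, in_use: Iterable[str], addresses_needed: int) -> Tuple[bool, List[str]]:
    """Preflight check for the BGP Prisma Address Pool.

    pool:             candidate prefix/netmask, e.g. "10.250.0.0/24"
    in_use:           prefixes already routed in the fabric (branch LANs, other
                      loopback pools, Prisma Access infrastructure subnets)
    addresses_needed: loopback addresses you expect to consume; the page does
                      not state the exact consumption, so this is an operator
                      assumption (one per SD-WAN branch connection here)
    Returns (ok, reasons); reasons is empty when the pool passes every check.
    """
    reasons: List[str] = []
    try:
        # strict=True rejects "10.250.0.1/24": host bits set means it is not a prefix
        net = ipaddress.ip_network(pool, strict=True)
    except ValueError as exc:
        return False, [f"'{pool}' is not a valid prefix/netmask: {exc}"]
    if net.version != 4:
        return False, [f"{net} is not IPv4; the pool must be an IPv4 private subnet"]

    if not any(net.subnet_of(rfc) for rfc in RFC1918):
        reasons.append(f"{net} is not inside an RFC 1918 private range")

    for used in in_use:
        used_net = ipaddress.ip_network(used, strict=False)
        if used_net.version == 4 and net.overlaps(used_net):
            reasons.append(f"{net} overlaps in-use prefix {used_net}")

    # Loopbacks are assigned as /32s, so every address in the pool is usable.
    if net.num_addresses < addresses_needed:
        reasons.append(f"{net} provides {net.num_addresses} addresses, need {addresses_needed}")

    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sample fabric: two branch LANs and an existing loopback pool.
    existing = ["10.0.0.0/16", "192.168.1.0/24", "172.16.200.0/24"]
    for candidate in ("10.250.0.0/24", "10.0.5.0/24", "8.8.8.0/24"):
        ok, why = validate_bgp_pool(candidate, existing, 50)
        print(candidate, "OK" if ok else "REJECT", why)
```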
