Prisma Access Hub Support

Description and brief steps to configure Prisma Access Hub Support.
With SD-WAN plugin 2.2 and later releases, PAN-OS Secure SD-WAN provides you with Prisma Access hub support to give you full control of how and where applications are secured. Prisma Access Hub support allows PAN-OS firewalls to connect to Prisma Access compute nodes (CNs) to achieve cloud-based security in an SD-WAN hub-and-spoke topology. This support enables a seamless link failover from on-premises security to Prisma Access and the ability to mix both to meet your security needs.
In a mixed topology with both PAN-OS SD-WAN firewalls and Prisma Access hubs, the SD-WAN hubs are Prisma Access CNs (IPSec Termination Nodes) and the SD-WAN branches are PAN-OS firewalls. SD-WAN automatically creates IKE and IPSec tunnels that connect the branch to the hub. Using Traffic Distribution profiles, you can create SD-WAN policies to match specific internet applications and redirect them to a PAN-OS firewall or Prisma Access deployment of your choice. With Prisma Access hub support, on-premises and cloud security platforms work together to provide a complete solution with consistent security policies managed by Panorama.
The minimum PAN-OS and SD-WAN plugin versions required for Prisma Access Hub support are:

Component                                  Minimum Release
PAN-OS                                     10.0.8
Prisma Access Compute Node                 10.0.7
Prisma Access Cloud Configuration Plugin   2.1
SD-WAN Plugin                              2.2
Panorama                                   10.1.0
Before you connect SD-WAN to Prisma Access, you must have a branch firewall with an interface that has SD-WAN enabled. You must also have performed the Prisma Access prerequisites.
  1. Specify the BGP local address pool for loopback addresses.
    1. Select Panorama > SD-WAN > VPN Clusters.
    2. Select BGP Prisma Address Pool.
    3. Add an unused private subnet (prefix and netmask) for the local BGP addresses for Prisma Access.
    4. Click OK.
    5. Commit.
  2. Select the SD-WAN branch firewall to connect to the Prisma Access hub and configure the connection.
    1. Select Panorama > SD-WAN > Devices.
    2. Select the branch firewall on which you enabled SD-WAN; its name then populates the Name field.
    3. Select the Type of device as Branch.
    4. Select the Virtual Router Name.
    5. Enter the Site. All SD-WAN devices must have a unique Site name.
    6. Select Prisma Access Onboarding and Add.
    7. Select a local, SD-WAN-enabled Interface on the firewall to connect to the Prisma Access hub.
    8. Select a Prisma Access Tenant (select default for a single-tenant environment). All SD-WAN interfaces on a branch firewall must use the same Prisma Access tenant.
    9. Add a compute node to a Region by selecting the region where the CN (Prisma Access hub) is located. There can be multiple regions per interface.
    10. Select an IPSec Termination Node (GP gateway) from the list of nodes; the list is based on the nodes that Prisma Access spun up for the region earlier. You are choosing the hub to which this branch connects. SD-WAN Auto VPN configuration builds IKE and IPSec relationships and tunnels with this node.
    11. Enable BGP for communication between the branch and hub (Enable is the default).
    12. Complete the configuration for the connection.
    13. Click OK.
  3. Commit and Push the configuration to the cloud, where Prisma Access spins up the correct number of IPSec Termination Nodes based on requested bandwidth.
  4. Synchronize the branch firewall to Prisma Access to retrieve the service IP address(es) of the CNs.
  5. Commit to Panorama.
  6. Push to Devices to push to the local branch firewall. Edit Selections to select the Push Scope Selection. Select the correct Template and Device Group.
  7. On the branch firewall, select Network > Interfaces > SD-WAN and see the new interface; verify the IPSec tunnel and IKE gateway are up.
  8. Create an SD-WAN policy rule to generate monitoring data.
  9. Commit and Commit and Push to branch firewalls.
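The steps above are Panorama UI operations, but they carry three constraints that are easy to get wrong and that only surface after a commit and push: the BGP Prisma Address Pool must be an unused private subnet (step 1.3), every SD-WAN device needs a unique Site name (step 2.5), and all SD-WAN interfaces on one branch firewall must use the same Prisma Access tenant (step 2.8). The following Python script is an added example, not Palo Alto Networks code and not part of the original page; it checks those constraints against a constructed inventory before anything is pushed. It assumes the inventory shape shown (a list of branch dictionaries with name, type, site and interfaces) and reads "private subnet" as an RFC 1918 prefix; the sample prefixes, site names and tenant names are invented for the example.

```python
import ipaddress

# Constructed sample data for this example; none of it comes from a real
# Panorama or Prisma Access deployment.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Prefixes already routed in the SD-WAN (constructed); the pool must not overlap them.
SAMPLE_IN_USE = ["10.1.0.0/16", "192.168.50.0/24"]

# Constructed branch inventory mirroring the fields filled in at step 2.
SAMPLE_BRANCHES = [
    {"name": "br-nyc", "type": "Branch", "site": "NYC-01",
     "interfaces": [{"name": "ethernet1/1", "tenant": "default"},
                    {"name": "ethernet1/2", "tenant": "default"}]},
    {"name": "br-sfo", "type": "Branch", "site": "SFO-01",
     "interfaces": [{"name": "ethernet1/1", "tenant": "default"},
                    {"name": "ethernet1/2", "tenant": "tenant-b"}]},   # mixed tenants: invalid
    {"name": "br-sfo-2", "type": "Branch", "site": "SFO-01",            # duplicate Site name: invalid
     "interfaces": [{"name": "ethernet1/1", "tenant": "default"}]},
]


def check_bgp_pool(pool, in_use):
    """Validate a proposed BGP Prisma Address Pool (step 1.3).

    Returns a list of problem strings. An empty list means the pool is a
    well-formed RFC 1918 IPv4 prefix (no host bits set) that does not overlap
    any prefix already in use.
    """
    problems = []
    try:
        net = ipaddress.ip_network(pool, strict=True)   # strict: reject host bits in the prefix
    except ValueError as exc:
        return [f"{pool}: not a valid prefix/netmask ({exc})"]
    if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net}: not an RFC 1918 private IPv4 subnet")
    for used in in_use:
        u = ipaddress.ip_network(used, strict=False)
        if u.version == net.version and net.overlaps(u):
            problems.append(f"{net}: overlaps in-use prefix {u}")
    return problems


def check_branches(branches):
    """Check the per-device constraints from step 2 across all branches."""
    problems = []
    site_owner = {}   # Site name -> first device that claimed it
    for b in branches:
        if b.get("type") != "Branch":
            problems.append(f"{b['name']}: device Type must be Branch to onboard to a Prisma Access hub")
        site = b.get("site")
        if not site:
            problems.append(f"{b['name']}: Site name is required")
        elif site in site_owner:
            problems.append(f"{b['name']}: Site name '{site}' is already used by {site_owner[site]}")
        else:
            site_owner[site] = b["name"]
        tenants = sorted({i["tenant"] for i in b["interfaces"]})
        if len(tenants) > 1:
            problems.append(f"{b['name']}: SD-WAN interfaces use different Prisma Access tenants {tenants}")
    return problems


def validate(pool, in_use, branches):
    """Run every pre-push check and return the combined list of problems."""
    return check_bgp_pool(pool, in_use) + check_branches(branches)


if __name__ == "__main__":
    for p in validate("10.250.0.0/24", SAMPLE_IN_USE, SAMPLE_BRANCHES):
        print("PROBLEM:", p)
```

Run it as-is and it reports the two deliberate faults in the sample inventory (the mixed tenants on br-sfo and the reused Site name on br-sfo-2) while accepting the pool; point the same functions at an export of your own device list and candidate pool to catch the errors before the Commit and Push in step 3.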
