Onboarding Workflow for Site-Based Remote Networks
Prisma Access

Deploy your Prisma Access branch sites using site-based bandwidth allocation.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager) (new deployments only)
    If you have an existing Remote Network deployment, use the onboarding workflow for Remote Networks—High Performance.
What Do I Need?
As your business scales and your office locations become geographically distributed, Prisma Access remote networks enable you to quickly onboard your branch sites and deliver best-in-class security for your users and devices.
Starting with Prisma Access 6.0, you onboard a site by specifying the location and the site type. The site type enables you to allocate your sites with predefined bandwidth capacities, ranging from 25 Mbps to 2.5 Gbps. By moving away from aggregate bandwidth-based licensing, you can more easily estimate and allocate resources for your remote locations.
To onboard a remote network, you specify the branch site's location, and Prisma Access recommends the location that’s closest to the site. Prisma Access also recommends a secondary location in a separate compute location that you can optionally set up for redundancy and resiliency.
You then select the site type based on its bandwidth (from 25 Mbps up to 2.5 Gbps).
You can begin the configuration process, which includes onboarding the site-based remote network to Prisma Access and enabling QoS and routing at a per-site level.
A site-based remote network provides you with the following core capabilities:
  • Up to 3 Gbps aggregate bandwidth per node in a compute region
  • Up to 2.5 Gbps bandwidth per remote network tunnel from a remote site
When configuring a site-based remote network for a branch site, be aware of the following guidelines and differences between sites and remote networks:
  • Branch Site Planning and Enforcement—Before you secure your branch site with Prisma Access, determine the bandwidth that's required for your site and specify one of the site types:
    • Very Small (up to 25 Mbps)
    • Small (up to 50 Mbps)
    • Medium (up to 250 Mbps)
    • Large (up to 1 Gbps)
    • X-Large (up to 2.5 Gbps)
    Prisma Access enforces the bandwidth based on the site type. For example, if you choose a Very Small site type, Prisma Access caps the throughput at 25 Mbps. These sites don’t support oversubscription.
  • Prisma Access Locations—Remote Networks—High Performance support a subset of Prisma Access locations.
  • Quality of Service (QoS)—For branch sites, Prisma Access supports QoS at a per-site level, and the QoS Profile you select applies to the entire site.
  • IPSec Termination Nodes No Longer Needed—Unlike traditional remote networks, you don't need to select an IPSec termination node during onboarding for Prisma Access (Managed by Strata Cloud Manager) deployments. Prisma Access automatically load-balances the remote network connections to maximize the bandwidth allocation to the sites.
  • Service Endpoint Address Allocation Based on Deployment Type—The number of Service Endpoint addresses that you receive depends on if you have set up your site-based remote networks in a single location or if you have set them up using two different locations in a primary and secondary deployment.
    You use the Service Endpoint address as the peer IP or FQDN address on your CPE to terminate the IPSec tunnel.
    As a best practice, specify the FQDN instead of the IP address.
    • If you have set up your site-based remote network in a single location with no secondary location, Prisma Access provides you with a single Service Endpoint address.
    • If you set up compute location redundancy in a primary and secondary configuration, Prisma Access provides you with two Service Endpoint addresses (one each for the primary and secondary location).
    If you set up IPSec tunnels in an Active/Passive configuration, Prisma Access provides you with a single Service Endpoint address for both tunnels (the same as a standard Prisma Access remote network configuration).
    Remote networks use one Service Endpoint address for every 3 Gbps of bandwidth, removing the complexity in configuring and managing multiple IPSec devices at every remote location.
  • User-ID Redistribution and SSL Decryption—If you configure an SSL decryption profile on your tenant, User-ID redistribution from the Remote Networks—High Performance node to service connections is not supported.
  • Unsupported Configurations—The following features and configurations are not supported:
  • Tunnel Modes and Circuit Settings—A site-based remote network lets you configure both location and IPSec redundancy.
    • Location redundancy (specifying a Primary location in one compute location and specifying a Secondary location in a separate compute location).
      Configuring a secondary location is optional.
    • IPSec tunnel redundancy (specifying tunnels as Active/Active or Active/Passive).
    Before you begin setup, it's important to understand how you specify circuits and tunnels. Set up circuits and tunnels in the following configurations:
    • Active/Passive—Set up either one circuit (the default) or two circuits.
      If you specify one circuit (ISP in the diagram), configure two tunnels (one for the primary remote network location and one for the secondary remote network location). Prisma Access uses this circuit for the tunnels for both the primary and secondary locations. If the primary location is unreachable (for example, if the tunnels experienced an ISP failure or CPE failure, or if the tunnels couldn't be established for any other reason), Prisma Access fails over from Tunnel 1 to Tunnel 2 and switches from the primary to the secondary remote network location.
      If you specify two circuits, configure four tunnels (two for the primary remote network location and two for the secondary remote network location).
      If the primary location is unreachable by Tunnel 1, then Tunnel 2 becomes active. If both Tunnel 1 and Tunnel 2 primary tunnels go down, Prisma Access switches from the primary to the secondary location and Tunnel 3 becomes active. If Tunnel 3 to the secondary location goes down, then Tunnel 4 becomes active.
    • Active/Active—Set up either two circuits (the default), three circuits or four circuits.
      If you specify two circuits, configure four tunnels. If Tunnel 1 and Tunnel 2 to the primary remote network location go down, Tunnels 3 and 4 to the secondary remote network location become active. All active tunnels to the primary location must go down before Prisma Access fails over to the secondary location.
      If you specify three circuits, configure six tunnels. Each ISP has one active tunnel to the primary location and one passive tunnel to the secondary location. If all active tunnels to the primary location go down, the standby tunnels to the secondary location become active.
      If you specify four circuits, configure eight tunnels. Each ISP has one active tunnel to the primary location and one passive tunnel to the secondary location. If all active tunnels to the primary location go down, the standby tunnels to the secondary location become active.
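As an added illustration (not code from the Prisma Access documentation or product), the following Python models the tunnel and circuit rules above: it builds the tunnel set for each tunnel mode and circuit count, walks the failover order described for Active/Passive and Active/Active, and produces the tunnels-per-circuit count that the later onboarding steps refer to. The class and function names are mine; the numbering of circuits, and the assignment of Tunnels 2 and 4 to ISP 2 in the two-circuit Active/Passive case, are assumptions rather than something the text states.

```python
# Added example: tunnel/circuit planning and failover order for a site-based
# remote network, modelled on the guidelines above. Not Prisma Access code.
from dataclasses import dataclass
from typing import Dict, List, Set

ACTIVE_PASSIVE = "Active/Passive"
ACTIVE_ACTIVE = "Active/Active"


@dataclass(frozen=True)
class Tunnel:
    number: int     # Tunnel 1..8, numbered as in the text above
    circuit: int    # ISP circuit 1..4 (assumed: numbered in onboarding order)
    location: str   # "primary" or "secondary" Prisma Access location


@dataclass
class TunnelPlan:
    mode: str
    tunnels: List[Tunnel]


def plan_tunnels(mode: str, circuits: int) -> TunnelPlan:
    """Build the tunnel set the text prescribes for a tunnel mode and circuit count."""
    if mode == ACTIVE_PASSIVE:
        if circuits not in (1, 2):
            raise ValueError("Active/Passive supports one or two circuits")
        if circuits == 1:
            # One ISP carries both tunnels: Tunnel 1 to primary, Tunnel 2 to secondary.
            tunnels = [Tunnel(1, 1, "primary"), Tunnel(2, 1, "secondary")]
        else:
            # Two ISPs, four tunnels: Tunnels 1-2 to primary, Tunnels 3-4 to secondary
            # (assumed: each location gets one tunnel per circuit).
            tunnels = [Tunnel(1, 1, "primary"), Tunnel(2, 2, "primary"),
                       Tunnel(3, 1, "secondary"), Tunnel(4, 2, "secondary")]
    elif mode == ACTIVE_ACTIVE:
        if circuits not in (2, 3, 4):
            raise ValueError("Active/Active supports two, three or four circuits")
        # Each ISP gets one active tunnel to the primary location and one standby
        # tunnel to the secondary location; primary tunnels are numbered first.
        tunnels = [Tunnel(c, c, "primary") for c in range(1, circuits + 1)]
        tunnels += [Tunnel(circuits + c, c, "secondary") for c in range(1, circuits + 1)]
    else:
        raise ValueError(f"unknown tunnel mode {mode!r}")
    return TunnelPlan(mode, tunnels)


def carrying_traffic(plan: TunnelPlan, down: Set[int]) -> List[int]:
    """Tunnel numbers that carry traffic once the tunnels in `down` have failed.

    Active/Passive: the lowest-numbered surviving tunnel carries traffic, so
    failover walks Tunnel 1 -> 2 -> 3 -> 4 and reaches the secondary location
    only when every primary tunnel is down. Active/Active: every surviving
    primary tunnel carries traffic; all active tunnels to the primary location
    must be down before the secondary tunnels take over.
    """
    up = [t for t in plan.tunnels if t.number not in down]
    primary = [t.number for t in up if t.location == "primary"]
    secondary = [t.number for t in up if t.location == "secondary"]
    live = primary or secondary
    return live[:1] if plan.mode == ACTIVE_PASSIVE else live


def tunnel_table() -> Dict[str, Dict[int, int]]:
    """Tunnels required per (tunnel mode, number of circuits)."""
    table: Dict[str, Dict[int, int]] = {ACTIVE_PASSIVE: {}, ACTIVE_ACTIVE: {}}
    for circuits in (1, 2):
        table[ACTIVE_PASSIVE][circuits] = len(plan_tunnels(ACTIVE_PASSIVE, circuits).tunnels)
    for circuits in (2, 3, 4):
        table[ACTIVE_ACTIVE][circuits] = len(plan_tunnels(ACTIVE_ACTIVE, circuits).tunnels)
    return table


if __name__ == "__main__":
    plan = plan_tunnels(ACTIVE_PASSIVE, 2)
    for failed in (set(), {1}, {1, 2}, {1, 2, 3}):
        print(f"down={sorted(failed)} -> carrying traffic: {carrying_traffic(plan, failed)}")
    print(tunnel_table())
```

Running the script with a two-circuit Active/Passive plan reproduces the sequence in the text: Tunnel 1 carries traffic, then Tunnel 2 when Tunnel 1 fails, then Tunnel 3 (secondary location) when both primary tunnels are down, then Tunnel 4.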
To configure site-based remote networks, complete one of the following tasks.

Strata Cloud Manager

Here’s how to add a site-based remote network using Strata Cloud Manager.
  1. From Strata Cloud Manager, go to Workflows > Onboarding > Onboard Branch Sites and Configure a site.
    You might not see the same choices in your Prisma Access deployment; the choices you see in the UI depend on the licenses you have. For example, if you don't have a site-based remote network license, you don't see a choice to onboard branch sites.
  2. In the Third-Party Branch Site area, Create a site.
  3. Add Site and give the remote network a descriptive Site name.
  4. Select the City and Country of the site.
    For more precise searches, add an address.
  5. Click Next.
  6. Select a location and a site type.
    1. Select a Site Type.
      The types are based on bandwidth.
      Some locations don't support X-Large sites; in this case, that choice is grayed out.
    2. Select a Primary Prisma Access Location.
      If multiple locations are Recommended in the list, select the location that works best for your deployment.
  7. (Optional) To create a secondary (backup) site, select Allow connection to a secondary Prisma Access Location as backup when necessary and then select a Secondary Prisma Access Location.
    If you select this choice, Prisma Access prepopulates the best secondary location or locations that are in a different compute location than the primary location. If multiple locations are Recommended, select the location that works best for your deployment.
    You can toggle between Map View and List View to see the best location for your site.
  8. Select a QoS Profile to use for this site, or Add a new one.
    Prisma Access uses a single QoS Profile per site.
    If you have not yet created a QoS Profile, Add a QoS Profile, specifying the following values:
    • Enter a unique QoS Profile Name.
    • Select a Class Bandwidth Type of Percentage. Prisma Access does not support bandwidth types of Mbps in site-based QoS profiles.
    • (Optional) Enter an Egress Guaranteed (Mbps) value that represents the guaranteed bandwidth for this profile in Mbps.
    • Enter a Class Bandwidth Type of either Percentage or Mbps.
    • In the Classes section, Add Class and specify how to mark up to eight individual QoS classes.
      • Enter a Class Name.
      • Select the Priority for the class (either real-time, high, medium, or low).
      • (Optional) Enter an Egress Max that represents the maximum throughput (in Mbps) for traffic leaving the service connection or remote network connection.
      • (Optional) Enter an Egress Guaranteed value that represents the guaranteed bandwidth for this profile (in Mbps).
    • Save your changes, Save your QoS profile, and go to the Next step.
  9. Define Tunnel & Circuit Settings.
    1. Select a Tunnel Mode: either Active/Active or Active/Passive.
      The tunnel mode specifies how many of your ISP circuits you want to utilize for the remote network. Specify a minimum of one circuit and a maximum of four circuits.
      • If you select Active/Passive (the default setting), Prisma Access utilizes either one or two ISP circuits to create two active tunnels. If the active tunnel goes down, the passive tunnel becomes active.
      • If you select Active/Active, Prisma Access utilizes either two or four ISP circuits to create either two or four active tunnels, respectively.
    2. Select the Number of circuits to use.
      Prisma Access assigns tunnels based on the number of circuits you specify here, and whether your deployment is Active/Active or Active/Passive, as shown in the following table.
    3. (Optional) Configure your IPSec tunnel settings.
      Prisma Access provides you with default IPSec tunnel settings. These settings determine the IPSec and IKE crypto settings for the remote network tunnel. If you want to change them, select the Primary Tunnel and Edit your settings.
      If you specify a secondary location, Prisma Access autopopulates the values from the primary tunnel to the secondary tunnel; to edit the secondary tunnel, select that tunnel and Edit the settings.
      Make a note of these settings; you must match the settings on the customer premises equipment (CPE) that terminates the IPSec tunnel at your site.
      • Give the Active tunnel a unique Tunnel Name.
      • Specify IPSec Settings.
        • Specify an Authentication type (either Pre-Shared Key or Certificate).
          If you specify Pre-Shared Key, enter and confirm the Pre-Shared Key.
          If you specify a Certificate, enter the Local Certificate to use. This certificate must already exist in Strata Cloud Manager.
        • (Required for Dynamic Branch IP Addresses Only) Specify the IKE Local Identification (either IP Address, Distinguished Name (Subject), User FQDN (email address), or FQDN (hostname)).
        • (Required for Dynamic Branch IP Addresses Only) Specify the IKE Peer Identification (either IP Address, Distinguished Name (Subject), User FQDN (email address), or FQDN (hostname)).
          If you specify a Dynamic branch IP address, specify either the IKE Local Identification, the IKE Peer Identification, or both; at least one of those IPSec settings is required.
      • Specify the type of Peer ID Check:
        • Exact—Ensures that the local setting and peer IKE ID payload match exactly.
        • Wildcard—Allows the peer identification to match as long as every character before the wildcard (*) matches. The characters after the wildcard don't need to match.
      • (Optional) Permit peer identification and certificate payload identification mismatch to allow a successful IKE security association (SA) even when the peer identification does not match the peer identification in the certificate.
      • Choose a Certificate Profile. A certificate profile contains information about how to authenticate the peer gateway.
      • (Optional) Enable strict validation of peer’s extended key use to control strictly how the key can be used.
      • Choose the Branch Device IP Address (Static or Dynamic).
        • If you select Static, enter the Static IP Address to use for the IPSec tunnel.
        • If you specify Dynamic, which obtains the IP address automatically, specify either the IKE Local Identification, the IKE Peer Identification, or both; at least one of those IPSec settings is required.
      • (Optional, Recommended) Enable IKE Passive Mode to have Prisma Access respond to IKE connections but not initiate them.
        While not required, IKE Passive Mode is the recommended setting.
      • (Optional) Turn on Tunnel Monitoring.
        Enter a Tunnel Monitoring Destination IP address on the remote network for Prisma Access to determine whether the tunnel is up and, if your branch IPSec device uses a policy-based VPN, enter the associated Proxy ID as the Monitored Proxy ID.
      • (Optional) If you need a proxy ID:
        • Add Proxy ID and enter the Proxy ID.
        • Optionally, enter the Local Proxy ID and Remote Proxy ID.
        • Enter the Protocol to use for the proxy ID. Enter a Number, TCP, or UDP.
        • Specify a Local Port and Remote Port for TCP or UDP.
        • Save your changes.
      • (Optional) Specify IKE Advanced Options.
        • Select an IKE Protocol Version.
        • Select an IKEv1 Crypto Profile.
          To add a crypto profile, Add IKE. To manage an existing IKE profile, Manage IKE and select the profile to edit.
        • Select an IKEv2 Crypto Profile.
          To add a crypto profile, Add IKE. To manage an existing IKE profile, Manage IKE and select the profile to edit.
      • (Optional) Specify IPSec Advanced Options.
        • Select an IPSec Crypto Profile.
          To add a crypto profile, Add IPSec. To manage an existing IPSec profile, Manage IPSec and select the profile to edit.
      • Choose your routing settings.
        • Select the Routing Type (either Static or Dynamic).
          If you select Static, Add the IP subnets or IP addresses that you want to secure at the site.
          If you select Dynamic:
          • Enter the Peer As (the autonomous system (AS) for your network).
            Use an RFC 6996-compliant BGP Private AS number.
          • Enter the Peer IP Address assigned as the Router ID of the eBGP router on the HQ or data center network.
          • (Optional) Enter a Shared Secret password to authenticate BGP peer communications.
          • Enter the Local IP Address that Prisma Access uses as its Local IP address for BGP.
          • (Optional) Summarize Mobile User Routes before advertising to reduce the number of mobile user IP subnet advertisements over BGP to your CPE by having Prisma Access summarize the subnets before it advertises them.
          • (Optional) Advertise Default Route to have Prisma Access originate a default route advertisement for the remote network using eBGP. Be sure that your network does not have another default route advertised by BGP, or you could introduce routing issues in your network.
          • (Optional) Don't Export Routes to prevent Prisma Access from forwarding routes into the HQ or data center.
    4. Save your IPSec tunnel changes.
  10. Save & Exit.
  11. Push Configuration to save your configuration changes, making sure to select Remote Networks in the Push Scope.
  12. Find the Service Endpoint address (the IP or FQDN address you use on your CPE to terminate the IPSec tunnel).
    As a best practice, specify the FQDN instead of the IP address.
    1. Go to Workflows > Prisma Access Setup > Branch Sites > Prisma Access.
    2. Find the Service Endpoint address.
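Before pushing the configuration, it helps to check the tunnel and routing settings from steps 9 and 12 against the rules the procedure states. The following Python is an added example (not Strata Cloud Manager or Prisma Access code): the settings keys are an assumed model of the UI fields, the sample values are constructed, and the checks encode what the steps above require (authentication material present, at least one IKE identification for a Dynamic branch IP, an RFC 6996 private Peer AS for dynamic routing) or recommend (IKE Passive Mode, care with Advertise Default Route). It also implements the Exact and Wildcard Peer ID Check semantics as the text describes them.

```python
# Added example: pre-push sanity checks for the IPSec tunnel and routing
# settings described above. Not Strata Cloud Manager or Prisma Access code;
# the settings keys are an assumed model of the UI fields.
from typing import Dict, List


def peer_id_matches(local_setting: str, peer_payload: str, check: str) -> bool:
    """Apply the Peer ID Check from the text.

    Exact: the local setting and the peer's IKE ID payload must match exactly.
    Wildcard: every character before the '*' must match; characters after the
    wildcard are not compared. A Wildcard setting with no '*' behaves like Exact.
    """
    if check == "Exact":
        return local_setting == peer_payload
    if check == "Wildcard":
        prefix, star, _ = local_setting.partition("*")
        return peer_payload.startswith(prefix) if star else local_setting == peer_payload
    raise ValueError(f"unknown Peer ID Check {check!r}")


def is_private_asn(asn: int) -> bool:
    """RFC 6996 private AS numbers: 64512-65534 (16-bit) and 4200000000-4294967294 (32-bit)."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def validate_tunnel(s: dict) -> Dict[str, List[str]]:
    """Check one tunnel's settings against the rules in the text.

    'errors' are settings the text requires; 'warnings' are settings the text
    recommends (IKE Passive Mode) or flags as risky (Advertise Default Route).
    """
    errors: List[str] = []
    warnings: List[str] = []

    auth = s.get("authentication")
    if auth == "Pre-Shared Key" and not s.get("pre_shared_key"):
        errors.append("Pre-Shared Key selected but no key entered")
    elif auth == "Certificate" and not s.get("local_certificate"):
        errors.append("Certificate selected but no Local Certificate named")
    elif auth not in ("Pre-Shared Key", "Certificate"):
        errors.append("Authentication type must be Pre-Shared Key or Certificate")

    branch_ip = s.get("branch_ip")
    if branch_ip == "Dynamic" and not (s.get("ike_local_id") or s.get("ike_peer_id")):
        errors.append("Dynamic branch IP needs IKE Local Identification, IKE Peer Identification, or both")
    elif branch_ip == "Static" and not s.get("static_ip"):
        errors.append("Static branch IP selected but no Static IP Address entered")
    elif branch_ip not in ("Static", "Dynamic"):
        errors.append("Branch Device IP Address must be Static or Dynamic")

    if s.get("peer_id_check") not in ("Exact", "Wildcard"):
        errors.append("Peer ID Check must be Exact or Wildcard")
    if not s.get("ike_passive_mode"):
        warnings.append("IKE Passive Mode is off; the text recommends enabling it")

    routing = s.get("routing_type")
    if routing == "Static" and not s.get("static_subnets"):
        errors.append("Static routing selected but no IP subnets or addresses added")
    elif routing == "Dynamic":
        asn = s.get("peer_as")
        if not isinstance(asn, int) or not is_private_asn(asn):
            errors.append("Peer AS must be an RFC 6996 private AS number")
        for field in ("peer_ip", "local_ip"):
            if not s.get(field):
                errors.append(f"Dynamic routing requires {field}")
        if s.get("advertise_default_route"):
            warnings.append("Advertise Default Route is on; confirm no other BGP default route exists")
    elif routing not in ("Static", "Dynamic"):
        errors.append("Routing Type must be Static or Dynamic")

    return {"errors": errors, "warnings": warnings}


# Constructed sample settings: documentation-range addresses and a placeholder key.
EXAMPLE_SETTINGS = {
    "tunnel_name": "branch-nyc-primary",
    "authentication": "Pre-Shared Key",
    "pre_shared_key": "<replace-with-the-real-pre-shared-key>",
    "branch_ip": "Static",
    "static_ip": "203.0.113.10",
    "peer_id_check": "Exact",
    "ike_passive_mode": True,
    "routing_type": "Dynamic",
    "peer_as": 65001,
    "peer_ip": "198.51.100.1",
    "local_ip": "192.0.2.1",
    "advertise_default_route": False,
}

if __name__ == "__main__":
    print(validate_tunnel(EXAMPLE_SETTINGS))
    broken = dict(EXAMPLE_SETTINGS, branch_ip="Dynamic", peer_as=65535, ike_passive_mode=False)
    result = validate_tunnel(broken)
    for line in result["errors"] + result["warnings"]:
        print("-", line)
```

The `broken` variant in the usage section shows the two failure modes the text calls out: a Dynamic branch IP with neither IKE identification set, and a Peer AS outside the private range. Both are reported before anything is pushed to the remote network.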

Panorama

Configure a Prisma Access remote network deployment that allocates bandwidth by compute location.
Here’s how to add a site-based remote network in Prisma Access (Managed by Panorama).
Before you start, check that your license includes site-based licensing: go to Panorama > Licenses, view your Sites Capacity, and check how many sites you have remaining per site type. You can onboard any site types that are remaining in your license.
  1. Define tunnel settings and, optionally, QoS settings for your remote network.
    During setup, you select an IPSec tunnel and a QoS profile, so you need to define those settings before you begin.
    1. Define IPSec tunnel settings for your remote networks by creating a new IPSec Tunnel and configuring the IKE Gateway, IPSec Crypto Profile, and Tunnel Monitoring settings.
      Make a note of these settings; you must match the settings on the customer premises equipment (CPE) that terminates the IPSec tunnel at your site.
      Be sure that you create the tunnel settings in the Remote_Network_Template.
      You can also use one of the predefined IPSec templates in the Remote_Network_Template; in this case, you don’t need to create a new tunnel.
    2. (Optional) Decide whether you want to add QoS settings to your remote network deployment; if you do, create a QoS Profile for your site-based remote network.
      Be sure that you create the profile in the Remote_Network_Template.
  2. From the Panorama that manages Prisma Access, go to Cloud Services > Configuration > Remote Networks and Add a site.
  3. Give the remote network a descriptive Site Name.
  4. Enter the site's City and Country.
    For more precise searches, add an address.
  5. Go to the Next screen.
  6. Select a site type, a primary location, and, optionally, a secondary location.
    1. Select a site type (License Type).
      The types are based on bandwidth.
      Some locations don't support X-Large sites; in this case, that choice isn’t selectable.
    2. Select a Primary Prisma Access Location.
      If multiple locations are Recommended in the list, select the location that works best for your deployment.
    3. (Optional) To create a secondary (backup) site, select Allow connection to a secondary Prisma Access Location as backup when necessary and then select a Secondary Prisma Access Location.
      If you select this choice, Prisma Access prepopulates the best secondary location or locations that are in a different compute location than the primary location. If multiple locations are Recommended, select the location that works best for your deployment.
    4. (Optional) If you want to enable QoS for your site, select the QoS Profile you created at the start of this procedure and go to the Next step.
  7. Define Tunnel & Circuit Settings.
    1. Select a Tunnel Mode: either Active/Active or Active/Passive.
      The tunnel mode specifies how many of your ISP circuits you want to utilize for the remote network. Specify a minimum of one circuit and a maximum of four circuits.
      • If you select Active/Passive (the default setting), Prisma Access utilizes either one or two ISP circuits to create two active tunnels. If the active tunnel goes down, the passive tunnel becomes active.
      • If you select Active/Active, Prisma Access utilizes either two or four ISP circuits to create either two or four active tunnels, respectively.
    2. Select the Number of circuits to use.
      Prisma Access assigns tunnels based on the number of circuits you specify here, and whether your deployment is Active/Active or Active/Passive, as shown in the following table.
    3. Select the IPSec tunnels to use for your primary and secondary sites by selecting either:
    4. Go to the Next step.
  8. Choose your Routing Settings.
    • Select the Routing Type (either Static or Dynamic).
      If you select Static routing, Add the IP subnets or IP addresses that you want to secure at the site.
      If you select Dynamic routing:
      • Enter the Peer As (the autonomous system (AS) for your network).
        Use an RFC 6996-compliant BGP Private AS number.
      • Enter the Peer IP Address assigned as the Router ID of the eBGP router on the HQ or data center network.
      • (Optional) Enter a Shared Secret password to authenticate BGP peer communications.
      • Enter the Local IP Address that Prisma Access uses as its Local IP address for BGP.
      • (Optional) Select Summarize Mobile User Routes before advertising to reduce the number of mobile user IP subnet advertisements over BGP to your CPE by having Prisma Access summarize the subnets before it advertises them.
      • (Optional) Select Advertise Default Route to have Prisma Access originate a default route advertisement for the remote network using eBGP. Be sure that your network does not have another default route advertised by BGP, or you could introduce routing issues in your network.
      • (Optional) Select Don't Export Routes to prevent Prisma Access from forwarding routes into the HQ or data center.
    If you have a secondary tunnel, the BGP settings copy over; you can use the copied-over settings for the secondary tunnel or modify those settings.
  9. Click OK to save your changes.
  10. Go to Commit > Commit and Push and Commit and Push your changes.
  11. Find the Service Endpoint address (the IP or FQDN address you use on your CPE to terminate the IPSec tunnel).
    As a best practice, specify the FQDN instead of the IP address.
    1. Go to Cloud Services > Configuration > Remote Networks > Prisma Access.
    2. Find the Service Endpoint address.