| Where Can I Use This? | What Do I Need? |
|---|
|
|
- Prisma Access license
- A minimum of two Colo-Connect add-on licenses and service
connection licenses dependent on number of users or site
bandwidth
- Prisma Access 4.1: up to 20 Gbps per compute region (minimum
dataplane version of 10.2.4 required).
- Prisma Access 5.2: GRE keepalive disablement enhancements
added for Prisma Access (Managed by Panorama) deployments (added in the October
2025 release for Prisma Access (Managed by Strata Cloud Manager) deployments).
- Prisma Access 6.1: up to 100 Gbps per compute region, the
use of non-GRE tunnels, and MACsec support (minimum dataplane
version of 11.2.7 required). If you use a plugin version of 6.1
or later, purchasing a Colo-Connect 100 Gbps license
automatically enables the feature. If you’re running an earlier
plugin version, upgrade to version 6.1 or later and reach out to
your Palo Alto Networks account representative, who will submit
an SRE submit a ticket to enable Colo-Connect 100 Gbps.
- Prisma Access 6.1.1: MACsec support for Prisma Access (Managed by Strata Cloud Manager)
deployments.
|
Before you start Colo-Connect onboarding and configuration, be aware of the required
information and prerequisites by following this checklist.
- Make sure that you have access to the Colo facility provider (for example, you
have access to the Equinix Customer Portal).
- Make sure that your CPE can support BGP. For deployments between 1 Gbps and 20
Gbps in bandwidth, make sure that your CPE can support GRE tunnels as well as
BGP.
- After you create a new tenant in Strata Cloud Manager, wait at least four hours
before starting Colo-Connect configuration. The option to configure Colo-Connect
is not visible in the Strata Cloud Manager UI for the first four hours after
the tenant is created.
- License Requirements—You need both Private Application add-on licenses
and Colo-Connect add-on licenses to allocate bandwidth for Colo-Connect.
For the Colo-Connect add-on license, there are two different
license types, one for 10 Gbps and one for 100 Gbps.
- The 10 Gbps license provides you with a link of up to 10Gbps capacity.
- The 100 Gbps license provides you with a link of up to 100 Gbps
capacity.
For new Prisma Access deployments that use this
license, connections of 20 GB and above don't require the use of GRE
tunnels.
100 Gbps deployments support only active/backup
mode.
If you're using a Colo-Connect
100G license and are onboarding a Colo-Connect service connection
10G bandwidth in an active/backup mode, Prisma Access utilizes a
single Colo-Connect service connection and attaches 2 connections
(VLAN attachments). Therefore, you only need to configure one
multihop eBGP session from the Colo to one available Colo-Connect
service connection, because the second connection/VLAN attachment is
expected to be unutilized.
Use the following table to see the Colo-Connect add-on
licenses required for various deployments in a single compute location. The
number of Private Application Add-On Licenses required depends on the total
number of mobile users allocated in the PAN-PRISMA-ACCESS-MU-PRIVAPP
license, and equals the total amount of Mbps in the
PAN-PRISMA-ACCESS-NET-PRIVAPP or PAN-PRISMA-ACCESS-SITE-PRIVAPP license.
| Deployment Type | Number of Colo-Connect Add-On Licenses Required |
|---|
| 1 * 1 Gbps Active/1 Gbps Active pair | Two 10G licenses |
| Up to 8 * 1 Gbps Active/1 Gbps Active pairs (new in Prisma Access 6.2) | Up to sixteen 10G Licenses (two 10G licenses for each
pair) |
| 1 * 1 Gbps Active/1 Gbps Backup pair | Two 10G licenses |
| Up to 8 * 1 Gbps Active/1 Gbps Backup pairs (new in Prisma Access 6.2) | Up to sixteen 10G Licenses (two 10G licenses for each
pair) |
| 1 * 2 Gbps Active/ 2 Gbps Active pair | Two 10G licenses |
| Up to 8 * 2 Gbps Active/2 Gbps Active pairs (new in Prisma Access 6.2) | Up to sixteen 10G Licenses (two 10G licenses for each
pair) |
| 1 * 2 Gbps Active/2 Gbps Backup pair | Two 10G licenses |
| Up to 8 * 2 Gbps Active/2 Gbps Backup pairs (new in Prisma Access 6.2) | Up to sixteen 10G Licenses (two 10G licenses for each
pair) |
| 1 * 5 Gbps Active/5 Gbps Active pair | Four 10G licenses |
| Up to 8 * 5 Gbps Active/5 Gbps Active pairs (new in Prisma Access 6.2) | Up to sixteen 10G Licenses (two 10G licenses for each
pair) |
| 1 * 5 Gbps Active/5 Gbps Backup pair | Two 10G licenses |
| Up to 8 * 5 Gbps Active/5 Gbps Backup pairs (new in Prisma Access 6.2) | Up to sixteen 10G Licenses (two 10G licenses for each
pair) |
| 1 * 10 Gbps Active/10 Gbps Active pair | Two 10G licenses |
| Up to 8 * 10 Gbps Active/10 Gbps Active pairs (new in Prisma Access 6.2) | Up to sixteen 10G Licenses (two 10G licenses for each
pair) |
| 1 * 10 Gbps Active/10 Gbps Backup pair | Two 10G licenses |
| Up to 8 * 10 Gbps Active/10 Gbps Backup pairs (new in Prisma Access 6.2) | Up to sixteen 10G Licenses (two 10G licenses for each
pair) |
| 1 * 20 Gbps Active/20 Gbps Backup pair | Four 10G licenses |
| Up to 4 * 20 Gbps Active/20 Gbps Backup pairs (new in Prisma Access 6.2) | Up to sixteen 10G Licenses (four 10G licenses for each
pair) |
| 1 * 50 Gbps Active/50 Gbps Active pair | Two 100G licenses |
| Up to 8 * 50 Gbps Active/50 Gbps Active pairs (new in Prisma Access 6.2) | Up to sixteen 100G Licenses (two 100G licenses for each
pair) |
| 1 * 50 Gbps Active/50 Gbps Backup pair | Two 100G licenses |
| Up to 8 * 50 Gbps Active/50 Gbps Backup pairs (new in Prisma Access 6.2) | Up to sixteen 100G Licenses (two 100G licenses for each
pair) |
| 1 * 100 Gbps Active/100 Gbps Backup pair | Two 100G licenses |
| Up to 8 * 100 Gbps Active/100 Gbps Backup pairs (new in
Prisma Access 6.2) | Up to sixteen 100G Licenses (two 100G licenses for each
pair) |
- Interconnect Types—Decide which interconnect type you will use for
Colo-Connect (a partner or dedicated interconnect).
- Partner Interconnect—A pairing key from Prisma Access is
required for partner interconnects. You receive this key during Prisma Access onboarding.
If you create a partner interconnect,
make sure that the service provider (SP) is an
approved SP with GCP and
the connectivity between the SP and GCP is already established.
Dedicated Interconnect—
- Determine the location of the Colo
where the cross-connect cable will be connected before you begin
onboarding in Prisma Access. The Colo location is required
for Palo Alto Networks to order the dedicated
link
Be familiar with the basic network
interconnections
so that you can configure the circuits.
After you provision the dedicated interconnect, you must
test it.
Subnet Requirements—Determine the RFC-1918 IPv4 subnets you will use
for each Colo-Connect connection per region. Prisma Access uses these
subnets for internal communication and networking.
Make the subnets unique among all Colo-Connect regions in a given tenant. The
Colo-Connect subnet can't overlap with the Prisma Access infrastructure
subnet and mobile users IP address pool. Use a minimum subnet size of
/28.
Do not use a Link Local IP subnet in the
169.254.0.0/16 range for either BGP or GRE configuration in
Colo-Connect.
- Link (Interconnect) Requirements—Follow these guidelines when configuring
links:
- Onboard two links for each Colo-Connect instance. Starting with Prisma Access 6.2, since you can configure 8 Colo-Connects in each
region, you can configure up to 16 links per region.
Each
link configured per Colo-Connect instance should be in different
availability zones (edge domains).
(Dedicated
interconnect deployments only) If you want to onboard more
than six links in a tenant, reach out to your Palo Alto Networks
account representative or partner, who will contact the Site
Reliability Engineering (SRE) team and submit a request to increase
the quota for a given tenant.
- Connection Requirements—
- Colo-Connect Service Connection Requirements—
- Starting with Prisma Access 6.2, you can configure up to 8
Colo-Connect service connections in a single compute region.
- Each connection for a given service connection must be on a different
link and a different edge domain.
Make a note of the BGP and, for GRE tunnel deployments, GRE
peer IP addresses needed to configure service connections. The BGP
Peer IP is the BGP local address of the Colo router, while the GRE
Peer IP should be the router's physical IP address.
BGP Local Addresses for service connections are
optional.
- A single Colo-Connect Service Connection can use only one of either
Partner Interconnect links or Dedicated Interconnect links.
- Interoperability with existing IPSec-Based Service Connections—Palo Alto
Networks strongly recommends that you deploy Colo-Connect and IPSec tunnel-based
service connections in different regions. In addition, if you're migrating from
an IPSec tunnel-based service connection to a Colo-Connect service connection,
you must schedule a maintenance window. After you have migrated from an IPSec
tunnel-based service connection to a Colo-Connect service connection, remove the
IPSec-based service connection after the Colo-Connect service connection is up
and running and before the maintenance window expires.
