Plan a Service Connection
Gather the following information to start planning your service connection with Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
Create service connections to allow Prisma Access to perform the following tasks:
  • Allow access to the resources in your HQ or data center.
    If you have corporate resources that your remote networks and mobile users need to access, you must enable Prisma Access to access the corresponding corporate network.
  • Allow remote networks and mobile users to communicate with each other.
    Even if you do not need your Prisma Access users to connect to your HQ or data center, you might need to allow your mobile users to access your remote network sites. Service connections are required for this use case because, while all remote network sites are fully meshed, the mobile user infrastructure is not. Minimally configuring a service connection establishes the hub-and-spoke network mobile users need to access a branch network.
    To improve network efficiency, place service connections close to the remote network or networks that mobile users access most frequently.

Gather this HQ or Data Center Information

Before you begin to configure a service connection, gather the following information for each of your HQ or data centers to which you want Prisma Access to be able to connect.
You do not need to gather this information if you are creating a service connection only to allow mobile users to access remote network locations.
For Prisma Access (Managed by Strata Cloud Manager) and Prisma Access (Managed by Panorama) Service Connections:
  • IPSec-capable firewall, router, or SD-WAN device connection at your corporate site.
  • IPSec settings for terminating the primary VPN tunnel from Prisma Access to the IPSec-capable device on your corporate network.
  • IPSec settings for terminating the secondary VPN tunnel from Prisma Access to the IPSec-capable device on your corporate network.
    If you have an existing template that contains IPSec tunnel, Tunnel Monitoring, and IPSec Crypto Profile configurations, you can add that template to the template stack to simplify the process of creating the IPSec tunnels. Alternatively, you can edit the Service_Conn_Template that is created automatically and add the IPSec configuration required to build the IPSec tunnel back to the corporate site. Prisma Access also provides a set of predefined IPSec templates for some commonly used network devices, and a generic template for any device that is not covered by the predefined templates.
  • List of IP subnetworks at the site.
  • List of internal domains that Prisma Access must be able to resolve.
  • IP address of a corporate access node at your network’s site to which Prisma Access can send ICMP ping requests for IPSec tunnel monitoring.
    Make sure that this address is reachable by ICMP from the entire Prisma Access infrastructure subnet.
  • Network reachability settings for the service infrastructure subnet.
    Make the entire service infrastructure subnet reachable from the HQ or data center. Prisma Access uses IP addresses for all control plane traffic from this subnet.
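The checklist above can be sanity-checked before any tunnel is built. The following is an added example, not part of this documentation or of any Palo Alto Networks tool: it models the gathered HQ or data-center information as a record and flags inconsistencies a practitioner would want caught early (identical primary and secondary peers, a tunnel-monitor address with no route behind the site, a site subnet that overlaps the service infrastructure subnet). All addresses and domains are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class ServiceConnectionPlan:
    """Constructed planning record for one HQ or data-center service connection."""
    site_name: str
    primary_peer: str           # public IP of the IPSec device terminating the primary tunnel
    secondary_peer: str         # public IP of the device terminating the secondary tunnel
    site_subnets: list          # subnets at the site that Prisma Access must reach
    internal_domains: list      # internal domains Prisma Access must be able to resolve
    tunnel_monitor_ip: str      # corporate access node that answers ICMP for tunnel monitoring
    infrastructure_subnet: str  # Prisma Access service infrastructure subnet (control plane)


def validate_plan(plan):
    """Return a list of problems; an empty list means the gathered data is consistent."""
    problems = []
    infra = ipaddress.ip_network(plan.infrastructure_subnet)
    subnets = [ipaddress.ip_network(s) for s in plan.site_subnets]
    monitor = ipaddress.ip_address(plan.tunnel_monitor_ip)

    # Two tunnels to the same peer give no redundancy if that device fails.
    if plan.primary_peer == plan.secondary_peer:
        problems.append("primary and secondary tunnels terminate on the same peer address")

    # The monitored node must be routable through the service connection, i.e. sit
    # inside one of the site subnets that will be routed to Prisma Access.
    if not any(monitor in s for s in subnets):
        problems.append(f"tunnel monitor IP {monitor} is not inside any listed site subnet")

    # Control-plane traffic is sourced from the infrastructure subnet; a site subnet
    # that overlaps it cannot be routed back to the site unambiguously.
    for s in subnets:
        if s.overlaps(infra):
            problems.append(f"site subnet {s} overlaps the infrastructure subnet {infra}")

    if not plan.internal_domains:
        problems.append("no internal domains listed; internal names will not resolve")
    return problems


if __name__ == "__main__":
    plan = ServiceConnectionPlan(
        "hq-constructed", "203.0.113.10", "203.0.113.10",
        ["10.10.0.0/16", "192.168.254.0/25"], [], "10.99.0.1", "192.168.254.0/24")
    for p in validate_plan(plan):
        print("PROBLEM:", p)
```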
For Prisma Access Panorama Service Connections Only:
This information is only required when planning Service Connections in Prisma Access (Managed by Panorama).
  • The service account for your authentication, if required for access.
  • The routing type (either static or dynamic (BGP)) to use with service connections.
    In order for Prisma Access (Managed by Panorama) to route users to the resources they need, you must provide the routes to the resources. You can do this in one or more of the following ways:
    • Define a static route to each subnetwork or specific resource that you want your users to be able to access.
    • Configure BGP between your service connection locations and Prisma Access.
    • Use a combination of both methods.