Gather this HQ or Data Center Information
Before you begin to configure a service connection, gather the following information for each of your HQ or data centers to which you want Prisma Access to be able to connect.
You do not need to gather this information if you are creating a service connection only to allow mobile users to access remote network locations.
For Prisma Access (Managed by Strata Cloud Manager) and Prisma Access (Managed by Panorama) Service Connections:
- IPSec-capable firewall, router, or SD-WAN device connection at your corporate site.
- IPSec settings for terminating the primary VPN tunnel from Prisma Access to the IPSec-capable device on your corporate network.
- IPSec settings for terminating the secondary VPN tunnel from Prisma Access to the IPSec-capable device on your corporate network.
If you have an existing template that contains IPSec tunnel, Tunnel Monitoring, and IPSec Crypto Profile configurations, you can add that template to the template stack to simplify the process of creating the IPSec tunnels. Or, you can edit the Service_Conn_Template that gets created automatically and create the IPSec configurations required to create the IPSec tunnel back to the corporate site. Prisma Access also provides you with a set of predefined IPSec templates for some commonly used network devices, and a generic template for any device that is not included in the predefined templates.
- List of IP subnetworks at the site.
- List of internal domains that Prisma Access must be able to resolve.
- IP address of a corporate access node at your network’s site to which Prisma Access can send ICMP ping requests for IPSec tunnel monitoring. Make sure that this address is reachable by ICMP from the entire Prisma Access infrastructure subnet.
- Network reachability settings for the service infrastructure subnet. Make the entire service infrastructure subnet reachable from the HQ or data center. Prisma Access uses IP addresses from this subnet for all control plane traffic.
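The site details in the list above can be sanity-checked before any tunnel or route is configured. The following Python script is an added example, not part of the Prisma Access documentation: the site worksheet values, the infrastructure subnet value, and the rule that site subnets must not overlap the infrastructure subnet are constructed assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample worksheet for one HQ site; all values are hypothetical.
SITE = {
    "name": "hq-example",
    "subnets": ["10.10.0.0/16", "10.20.5.0/24"],
    "internal_domains": ["corp.example", "intranet.example"],
    "tunnel_monitor_ip": "10.10.0.10",
}
# Hypothetical infrastructure subnet; use the value from your own deployment.
INFRA_SUBNET = "172.16.0.0/24"
# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def validate_site(site, infra_subnet):
    """Return a list of problems found; an empty list means the worksheet is consistent."""
    problems = []
    infra = ipaddress.ip_network(infra_subnet, strict=True)
    nets = []
    for s in site["subnets"]:
        try:
            nets.append(ipaddress.ip_network(s, strict=True))
        except ValueError as e:
            problems.append(f"bad subnet {s!r}: {e}")
    # Site subnets must not overlap each other, otherwise static routes become ambiguous.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"site subnets overlap: {a} and {b}")
        # Assumption: the site's address space must not collide with the infrastructure subnet.
        if a.overlaps(infra):
            problems.append(f"site subnet {a} overlaps infrastructure subnet {infra}")
    # The tunnel-monitor target is a node at the site, so it should sit inside a site subnet.
    try:
        mon = ipaddress.ip_address(site["tunnel_monitor_ip"])
        if not any(mon in n for n in nets):
            problems.append(f"tunnel monitor IP {mon} is not inside any listed site subnet")
    except ValueError:
        problems.append(f"bad tunnel monitor IP {site['tunnel_monitor_ip']!r}")
    # Internal domains must be syntactically valid before they can be configured for resolution.
    for d in site["internal_domains"]:
        labels = d.rstrip(".").split(".")
        if not all(_LABEL.match(lab) for lab in labels):
            problems.append(f"malformed internal domain {d!r}")
    return problems

if __name__ == "__main__":
    for p in validate_site(SITE, INFRA_SUBNET) or ["worksheet OK"]:
        print(p)
```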
For Prisma Access Panorama Service Connections Only:
This information is only required when planning Service Connections in Prisma Access (Managed by Panorama).
- The service account for your authentication, if required for access.
- The routing type (either static or dynamic (BGP)) to use with service connections. In order for Prisma Access (Managed by Panorama) to route users to the resources they need, you must provide the routes to the resources. You can do this in one or more of the following ways:
  - Define a static route to each subnetwork or specific resource that you want your users to be able to access.
  - Configure BGP between your service connection locations and Prisma Access.
  - Use a combination of both methods.
After you create the service connection and commit and push your changes, you set up the IPSec tunnel between Prisma Access and the IPSec-capable device (CPE) in your headquarters or data center. Prisma Access provides you with a Service Endpoint Address, which is either an FQDN or an IP address. Use this FQDN or IP address as the peer address for your CPE.