Focus
Prisma Access

Strata Cloud Manager

Table of Contents


Strata Cloud Manager

To create and configure a SASE Private Location in Prisma Access (Managed by Strata Cloud Manager), complete the following workflow.
  1. Create a hypervisor resource profile.
    You use this profile with the ESXi instance you created to create an environment for SASE Private Location.
    Optionally, you can create this profile during SASE Private Location setup instead of creating it now.
  2. From Strata Cloud Manager, go to ConfigurationNGFW and Prisma Access and select the Prisma Access configuration scope.
  3. Configure the Prisma Access Infrastructure.
  4. Click the gear to configure the Prisma Access Private Locations settings and Add Private Location.
  5. Enter the location details.
    • Enter a unique Name for the private location.
      Don’t use spaces or dashes. Make sure that each SASE Private Location has a unique name, even across multiple tenants. You can’t change the name after you perform a Config Push.
    • (Optional) Enter a Description for this location.
    • Enter the Country, State, and City, and, optionally, the Zip/Postal Code closest to the area where this location will be deployed.
    Prisma Access populates the Latitude and Longitude based on the geographic information you enter.
    Save and Next to save your changes and go to the next section.
  6. Enter the estimated number of users for your local inspection node, mobile users, or both.
    For the local inspection node, enter the number of users at your branch office. Don't enter a number the exceeds the licensed number.
  7. (Local Inspection Node Deployments Only) Configure settings for Local Inspection Nodes.
    1. Specify the Hypervisor Profile to use, or Create New and create a hypervisor resource profile based on your VMware ESXi environment.
    2. Specify the DNS Server IP address assignment (either DHCP or Static).
      If you want to use a static DNS server, enter the primary server and the secondary server.
    3. Enter the Load Balancer Configuration.
      Use the same IP addresses that you configured for the ESXi environment.
      • Enter the two IP addresses used for the Virtual Public IP Address.
      • Enter the load balancer data plane and management IP settings.
    4. Configure your VM instances.
      You need to configure 2 VMs, one for Trust and one for Untrust. Use the Data Plane IP Trust settings for internal traffic and the Data Plane IP Untrust settings for internet traffic.
      • If you specified a Static IP address assignment, enter the Primary IP, Secondary IP, Netmask, and Gateway for the two VMs you configure.
    5. Go to the Next step when complete.
  8. (Mobile Users Deployments Only) Configure settings for mobile users.
    1. Specify the Hypervisor Resource Profile to use, or Create New and create a hypervisor resource profile based on your VMware ESXi environment.
    2. Specify the DNS Server IP address assignment (either DHCP or Static).
      If you want to use a static DNS server, enter the primary server and the secondary server.
    3. Enter the Load Balancer Configuration.
      Use the same IP addresses that you configured for the ESXi environment.
      • Enter the two IP addresses used for the Virtual Public IP Address.
      • Enter the load balancer data plane and management IP settings.
        The wizard populates the IP assignment type (either DHCP or Static) from the IP Assignment you specified under DNS Server settings.
        • If you specified DHCP for IP assignment, enter the Primary IP, Secondary IP, Netmask, and Gateway for the management IP address configuration.
        • If you specified Static for IP assignment, enter the Data Plane IP and Management IP addresses, including the Primary IP, Secondary IP, Netmask, and Gateway.
    4. Configure your VM instances.
      • Enter the Number of instances you have in your VM.
        You can have from two to four VM instances.
      • If you specified a Static IP address assignment, enter the Primary IP, Secondary IP, Netmask, and Gateway for the management IP configuration.
      • If you specified a DHCP IP address assignment enter the Data Plane IP address information, including the Primary IP, Secondary IP, Netmask, and Gateway.
    5. Go to the Next step when complete.
  9. Set up a Bastion Agent.
    Prisma Access uses the bastion host (bastion agent) for remote management, maintenance, and monitoring.
    1. Specify a Hypervisor Resource Profile.
      Palo Alto Networks recommends that you use the same VM instance that you specified for the hypervisor resource profile.
      Go to the Next step when complete.
    2. Specify DNS Server settings.
      If you specified Static for IP assignment, enter the Prisma Server and Secondary Server IP addresses and the Management IP settings, including the Primary IP, Secondary IP, Netmask, and Gateway.
  10. Review your configuration.
    If you need to make any changes to your configuration, Edit your choices; otherwise, Save & Next to save your changes and go to the next screen.
    Prisma Access populated the Load Balancer Instance Name and the VM Instance Name during onboarding.
  11. Onboard your private location to Prisma Access
    1. Perform a Config Push to push your configuration.
    2. Confirm the Config Push operation.
      The Push Status window displays. Wait for the job to complete successfully before moving to the next step.
    3. (Optional) to check the status of your pending job, click Job Status.
      To get more details about the status of your job, click the down arrow on the left side of the screen to see the status of the job types.
    4. Wait for the Config Push to display with a green check mark.
  12. (Mobile Users Deployments Only) Set up your mobile users deployment in Prisma Access.
    1. Select Mobile Users Configuration.
    2. Select a Prisma Access region.
      Select the region where you deployed the SASE Private Location.
    3. Select the SASE Private Location you created and Save your changes.
      Switch from the Map view to a List view to find the location you created; then select the location.
    4. Click the arrow to the left of Prisma Access Locations.
    5. Select the GlobalProtect App tab and select the gear to edit the GlobalProtect settings.
    6. Select Manual Gateway Selection, select the SASE Private Location you created, and Save your changes.
      This step enables your mobile users to manually select this gateway from the GlobalProtect app.
    7. Wait for the second push to complete; then, go to the Next step.
      When a green check mark displays next to Configure Mobile Users, the second push is complete.
  13. (Local Inspection Node Deployments Only) Set up your Local Inspection Node settings.
    1. Go to ConfigurationNGFW and Prisma AccessConfiguration ScopeRemote Networks and select the Local Inspection Node tab.
    2. Add a Local Inspection Node, select, the SASE Private Location you created, and go to the Next step.
    3. Add a static route.
      Only static routes are supported.
      • Provide a unique Name for the route.
      • Enter a Destination IP address and subnet the local inspection node can reach.
      • Select a Next Hop type of IP Address.
      • Enter a Next Hop IP Address, which is the IP address of the device at the next hop toward the Destination network. A next hop of 0.0.0.0 indicates the default route.
      • Enter a Metrics.
        This field is the metric for the route. When a routing protocol has more than one route to the same destination network, it prefers the route with the lowest metric value. Each routing protocol uses a different type of metric; for example, BGP uses the Multi Exit Discriminator (MED) Attribute. Prisma Access considers the metric when making routing decisions; for example, given the same route, Prisma Access prefers a static route with a lower metric over a BGP route with a higher metric.
      • Enter an Admin dist.
        The administrative distance number is used by routers to find out which route is better. A lower number is preferred over a higher number.
  14. Push Config to save your GlobalProtect configuration changes.
    Make sure that you select GlobalProtect n the push scope for mobile users and Remote Networks for a Local Inspection Node.
  15. Deploy the SASE Private Location to your on-premises environment.
    1. From the onboarding workflow, Generate Authentication Key and copy its contents.
      You use this key in the Terraform template. This authentication key is valid for one hour.
    2. Download Terraform Template and save it to your local device.
      The Terraform template provides you with access to upgrade your Prisma Access dataplane.
    3. Open the Terraform file in a text editing program and edit the following parameters:
      • Replace <vcenter_hostname> with your ESXi hostname.
      • Replace <vcenter_username> with the ESXi username.
      • Replace <vcenter_password> with the ESXi password.
      • Replace <prismasase_deployment_token> with the authentication key you just downloaded.
    4. Initialize the Terraform environment by entering the terraform-init command to initialize Terraform and download the required provider.
    5. Generate a plan to review the resources that will be created by entering the terraform plan command.
    6. Apply the configuration to deploy the SASE Private Location components by entering the terraform apply command.
    7. Confirm the deployment when prompted.
      After successful deployment, the SASE Private Location components are provisioned in your VMware ESXi environment. The components will register with the Prisma Access cloud service and become available for configuration through the Prisma Access management interface.
      You can verify the deployment status in the Prisma Access management interface, where the newly deployed SASE Private Location will appear as an available region for your tenant.
  16. Verify that the SASE Private Location deployment was successfully completed.
    1. Go to ConfigurationNGFW and Prisma Access, select the Prisma Access configuration scope, and then select Prisma Access Setup
    2. Check the Prisma Access Private Locations
      • On-Prem Onboarding Status—Shows the progress of the SASE Private Location onboarding. Onboarding is complete when this field displays Complete.
      • On-Prem Deployment Status—Shows the progress of the SASE Private Location deployment. Deployment is complete when this field displays Complete.
  17. Configure security policy rules specific to your SASE Private Location using tags.