Integrate Prisma Access with Cisco Catalyst SD-WAN (Site Based Licensing)

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager)	Prisma Access license Minimum Required Prisma Access Version: 2.1 Preferred or a later version Cisco Catalyst cEdge devices managed by Cisco Catalyst SD-WAN Manager Required Cisco Catalyst SD-WAN Manager Release: 20.9.x or 20.14.x

Prisma Access's site-based licensing model simplifies how you onboard and manage remote sites when integrating with Cisco Catalyst SD-WAN. This model is designed for Cloud Managed (SCM-based) tenants and replaces the older, consumption-based Aggregated Bandwidth Remote Networks - SPN licensing.

When enabling a Catalyst device for Prisma Access connectivity, instead of selecting an IPSec termination node (SPN), you will now select the appropriate site type from the available options based on your licensing. The integration service automatically handles the creation and orchestration of the necessary objects on the Prisma Access side, including the Prisma Site object (which acts as the container for the site), Remote Network (RN), IKE Gateway, and IPsec Tunnel configurations.

Site-based licensing introduces the concept of site types with predefined bandwidth tiers. This model allows you to purchase licenses for the number of sites you need, categorized by these bandwidth tiers, without having to pre-allocate bandwidth to specific PA compute regions.

• Very Small (25 Mbps)
• Small (50 Mbps)
• Medium (250 Mbps)
• Large (1 Gbps)
• X-Large (2.5 Gbps)

Ensure you meet the following requirements before you integrate Prisma Access with Cisco Catalyst SD-WAN in a site-based licensing model:

Product	Requirement
Prisma Access	Migrate remote networks to the aggregate bandwidth model. Activate bandwidth license per compute location.
Cisco Catalyst	Active cloud-hosted Cisco Catalyst SD-WAN Instance. Active subscription to Cisco Catalyst SD-WAN Manager, formerly known as Cisco vManage, dashboard to manage the Cisco Catalyst SD-WAN devices. Cisco Catalyst cEdge devices present on Cisco Catalyst SD-WAN Manager. Device templates with devices assigned to the template. At least one eligible interface in the device for tunnel formation with Prisma Access. Only the following interfaces are eligible for the integration: Interfaces with VPN ID 0 Interfaces with valid IP address Interface type of iana-iftype-ethernet-csmacd Configure service VPNs on the device templates for non-VPN 0 and non-VPN 512 ports.

Cisco Catalyst SD-WAN supports the following deployment architectures for use with Prisma Access.

Use Case	Architecture
Securing traffic from each branch site with 1 WAN link (Type 1)
Securing branch and HQ sites with active/backup SD-WAN connections.
Securing branch and HQ sites with active/active SD-WAN connections
Securing branch and HQ sites with SD-WAN edge devices in HA mode
Securing traffic from one device using active/active WAN links, that is, 2 WAN links from the device, both will be active on different compute regions

Before you begin, ensure you configure the Cisco Catalyst SD-WAN devices based on the requirements mentioned above. To secure a Cisco Catalyst SD-WAN with Prisma Access, complete the following steps.

1. In the Cisco vManage dashboard, go to Configuration TemplatesDeviceTemplates.
2. Update the template descriptions of your devices based on the type of redundancy.

   Topology	Devices	WAN Links (VPN 0)	Tunnel Type	License Count
   Single WAN	Single Device	1 WAN Link	1 Tunnel to single Prisma Access region	1
   Active/active tunnels	Single Device	1 WAN Link	2 Tunnels (on the same WAN) to 2 different Prisma Access Regions	2
   		2 WAN Links	Different Prisma Access regions	2
   Active/backup tunnels	Single Device	2 WAN Links	Primary/Secondary on Prisma Access to same remote network	1
   		2 WAN Links	Different regions	1

3. Go to the Cisco Catalyst Integration with Prisma Access settings.

   1. Select System SettingsIntegrations.
   2. Locate the Cisco Catalyst Integration with Prisma Access application.

   Contact your Palo Alto Networks account team if you don’t see this integration option.
4. Enter the information needed to check the connectivity between Prisma Access and Cisco Catalyst SD-WAN by editing the Settings.

   1. Enter the hostname, username, and the password.
   2. Enter the Cisco Catalyst SD-WAN management port number.
   3. Enter the PSK Seed, which is a string used to derive pre-shared keys (PSKs) per tunnel.
   4. (Optional): Enter an FQDN IKE identifier as the Local Identifier in the following syntax: name@domain.com
      This identifier acts as a template to generate a unique ID per tunnel.
   5. (Optional): Enter an FQDN IKE identifier different from the local identifier as the Remote Identifier in the following syntax: name@domain.com
   6. Set the Admin State as Enabled.
      You can set Admin State in the following modes:
      • Enabled: Enables the integration to discover new devices on Cisco Catalyst SD-WAN that are eligible for tunnel formation with Prisma Access. Additionally, this verifies current configurations.
      • Disabled: Disable the integration to remove all configurations created in Prisma Access as well as in Cisco Catalyst SD-WAN, when a connection was set up between them.
      • Paused: When you pause the integration, you can no longer add new devices or remove any unconfigured devices. However, the current configurations don't change.
   7. Check Connectivity to verify the connection.
   8. Save the changes.

   You can Save changes only after you Check Connectivity every time you change settings or configurations.

   After you save the changes, you can see the Cisco Catalyst networks eligible for tunnel formation with Prisma Access in Discovered Sites. Cisco Catalyst networks are displayed as sites here. It might take some time to view the discovered sites.
5. Establish the tunnel setup between Prisma Access and Cisco Catalyst devices.

   1. View the discovered Cisco Catalyst networks and their information by clicking the site count.
      The integration checks every 3 hours for new Cisco Catalyst networks. You can also initiate an on-demand site discovery.

   2. Select the Interface.
      By default, Prisma Access scans for devices and identifies interfaces from the Cisco Catalyst devices that are eligible to form tunnels with Prisma Access.
   3. (Optional) Select the nearest Prisma Access Location for the networks.

   4. Select the appropriate Site Type from the drop-down menu, based on your purchased licenses.

6. Select the Cisco Catalyst SD-WAN device and toggle the Enable option to establish a tunnel formation with Prisma Access.
7. Update the changes.

   You can view all the Enabled Sites and Configured Sites in Cisco Catalyst SD-WAN Integration with Prisma Access.

   When you click a site count, the hyperlink takes you to a filtered list of sites based on the site count you click. For example, if you click the site count of enabled sites, the list shows only the sites that are enabled and not all discovered sites.
8. Verify the changes in Prisma Access.

   1. Go to System SettingsIntegrationsThird Party SD-WANRemote Networks - Cisco Catalyst Integration with Prisma Access.
   2. In the Branch Sites Management screen, you can view the number of site licenses purchased and allocated and verify the tunnel status for sites where the Config Status of Cisco Catalyst networks shows configured.

      The integration creates remote networks automatically. Such remote networks have names in the following syntax: AUTO-CATALYST-Device_Name.

      The configuration status of Cisco Catalyst SD-WAN devices takes some time to be In sync.
   3. View the IPSec Tunnel, IKE gateway, IKE Crypto profile, and IPSec Crypto profile details.

      Select the remote network site to view these details.

      IPSec Tunnel details:
   4. Select Log ViewerCommonAudit to view Cisco Catalyst SD-WAN Integration with Prisma Access logs.

      The logs specify if the changes were made in Prisma Access or in the Cisco Catalyst SD-WAN.
   5. (Optional) In the Cisco Catalyst SD-WAN integration app, view information, errors, or warnings in Messages.
9. Verify the Cisco Catalyst SD-WAN configurations in Cisco vManage.

   1. Log in to the Cisco SD-WAN dashboard, and select MonitorDevices.
   2. Select ConfigurationTemplatesFeature Templates.

      The integration creates secure internet gateway (SIG) templates. The SIG template stores details of the IPSec tunnel and IKE values. Don't update these SIG templates manually.

      If there are multiple devices that are part of a device template, configure all devices for tunnel formation with Prisma Access.
   3. Check the running configuration for the interfaces.

      In Cisco vManage, select Configuration Devices WAN Edge List.

      View the Running Configuration of the corresponding devices.

      When you have multiple devices under a device template, devices that are not enabled will have dummy values.

      To avoid dummy values on other devices, move the devices, for those you want to enable connectivity, to a separate device template and enable the connectivity for each device in this device template. If you enable devices with dummy values, Prisma Access overwrites those dummy values with the tunnel configuration values. Prisma Access populates dummy values for the description, tunnel source interface, tunnel destination, pre-shared secret, and IKE local ID.

      If you add a new device to the device template that has a SIG, configure a few dummy values and attach the device to the device template. After the integration discovers this device, enable it.
10. Verify the tunnel status in Cisco Catalyst SD-WAN Manager.

    Log in to the Cisco SD-WAN dashboard, and select MonitorDevices. Select the device and view the Interface. Verify the admin status and operational status of the tunnel that was auto created for this device.