Prisma Access
Integrate Prisma Access with Cisco Meraki SD-WAN (Manual Integration)
To secure a Meraki SD-WAN with Cloud Managed Prisma Access, complete the following steps.
- Onboard a remote network to use with the Meraki SD-WAN in Cloud Managed Prisma Access.
  - If you have not already, allocate bandwidth for the remote network. You allocate bandwidth by selecting bandwidth for the remote network’s compute location: go to Manage > Service Setup > Remote Networks > Bandwidth Management and select an Assigned Bandwidth for the remote network’s compute location.
  - Go to Manage > Service Setup > Remote Networks and Add Remote Networks.
  - Give the remote network a descriptive Site Name.
  - Select the Prisma Access Location for the remote network.
  - Select the IPSec Termination Node to use for the remote network. Don’t enable ECMP Load Balancing; BGP routing isn’t supported with Meraki integrations. The Meraki SD-WAN can’t share traffic between several different links and you can only have one operational tunnel to the Meraki SD-WAN. However, you can optionally use a secondary tunnel using another WAN as a standby.
- Set up the IPSec tunnel to use with the Meraki SD-WAN.
  - Set Up the primary tunnel.
  - Select an existing tunnel, or select Create New to create a new tunnel.
  - Give the tunnel a descriptive Name.
  - In the Branch Device Type, select Other Devices.
  - Specify a Pre-Shared Key or a Certificate to use for authentication. This example uses a pre-shared key (PSK) for authentication.
  - Specify an IKE Peer Identification method. If you select a Branch Device IP Address of Dynamic, you must select an IKE peer identification. This example has IKE Peer Identification set up and uses a method of User FQDN (email address). Be sure that you select the same email address on the Meraki SD-WAN side of the IPSec tunnel.
  - Specify a Branch Device IP Address of either Static IP or Dynamic IP. Setting up an IKE Peer Identification is required if you use a dynamic IP address. If you select Static IP, enter a static IP address.
  - Don’t enter Proxy ID information. Meraki creates a crypto map with routing and you don’t need to configure proxy IDs.
- Select IKE options for the remote network IPSec tunnel.
  - Select IKE Advanced Options.
  - Select an IKE Protocol Version. The IKE version depends on what the Meraki SD-WAN supports. Meraki SD-WAN devices with a firmware version of 15.12 or later support IKEv2 options. If you don’t know which version the Meraki device supports, select ikev2-preferred-mode; in this mode, Prisma Access selects the IKE version to use, with IKEv2 being preferred.
  - (IKEv1 or IKEv2 Preferred Deployments Only) Select an existing IKEv1 Crypto Profile or select Create New to create one. If you create a new profile, specify a descriptive Name for it.
  - Specify the following IKEv1 options:
    - Encryption—Specify the encryption algorithm used in the IKE SA negotiation. The Meraki SD-WAN device supports the following encryption types:
      - aes-128-cbc
      - aes-128-gcm
      - aes-192-cbc
      - aes-256-cbc
      - aes-256-gcm
      - 3DES
      You can specify multiple encryption types in a single profile.
    - Authentication—Specify the authentication algorithm used in the IKE SA negotiation. The Meraki SD-WAN device supports the md5, sha1, or sha256 algorithm. You can specify multiple authentication types.
    - DH Group—Specify the Diffie-Hellman (DH) groups used to generate symmetrical keys for IKE in the IKE SA negotiation. The Meraki SD-WAN device supports the group1, group2, group5, and group14 groups. You can specify multiple DH group types. For the strongest security, select the group with the highest number. If you don’t want to renew the key that Prisma Access creates during IKE phase 1, select no-pfs (no perfect forward secrecy). If you select this option, Prisma Access reuses the current key for the IPSec SA negotiation.
    - Lifetime—Specify the unit and amount of time for which the IKE Phase 1 key is valid (default is 8 hours). For IKEv1, the security association (SA) isn’t actively re-keyed before the key lifetime expires; the IKEv1 Phase 1 re-key triggers only when the SA expires. For IKEv2, the SA must be re-keyed before the key lifetime expires. If the SA isn’t re-keyed upon expiration, the SA must begin a new Phase 1 key.
  - Save your changes.
  - (IKEv2 or IKEv2 Preferred Deployments only) Select an existing IKEv2 Crypto Profile or select Create New to create one. If you create a new profile, specify a descriptive Name for it.
  - Specify the following IKEv2 options:
    - Encryption—Specify one or more of the following encryption algorithms:
      - aes-128-cbc
      - aes-128-gcm
      - aes-192-cbc
      - aes-256-cbc
      - aes-256-gcm
      - 3DES
      You can specify multiple encryption algorithms in a single profile.
    - Authentication—Specify md5, sha1, or any combination of these authentication algorithms.
    - DH Group—Specify group1, group2, group5, group14, or any combination of these DH group types.
    - Lifetime—Enter the phase 1 lifetime in hours or seconds (default is 8 hours).
- Select IPSec advanced options for the remote network IPSec tunnel.
  - Select IPSec Advanced Options.
  - Select an existing IPSec Crypto Profile or select Create New to create one. If you create a new profile, specify a descriptive Name for it.
  - Specify the following IPSec crypto options:
    - Encryption—Specify one or more of the following encryption algorithms:
      - aes-128-cbc
      - aes-128-gcm
      - aes-192-cbc
      - aes-256-cbc
      - aes-256-gcm
      - 3DES
    - Authentication—Specify md5, sha1, sha256, or any combination of these authentication algorithms.
    - DH Group—Specify group1, group2, group5, group14, or any combination of these DH group types.
    - Lifetime—Enter the phase 1 lifetime in hours or seconds (default is 8 hours).
  - Save your changes.
- When both tunnels are up, the primary tunnel takes priority over the secondary tunnel. If the primary tunnel for a remote network site goes down, the remote network falls back to the secondary tunnel until the primary tunnel comes back up. It can take at least 30-40 seconds before the secondary tunnel comes up after a failover.
- Configure routing for the remote network.
  - Return to Manage > Service Setup > Remote Networks and Set Up routing for the remote network.
  - Add the IP subnets or IP addresses that you want to secure at the branch. If you make any changes to the IP subnets on your branch, you must manually update the static routes. Dynamic (BGP) routing isn’t supported for use with Meraki SD-WAN devices.
  - Save your changes.
- Push your configuration changes.
  - Return to Manage > Service Setup > Remote Networks and select Push Config > Push.
  - Select Remote Networks.
  - Push your changes.
- Find the IP address used on the Prisma Access side of the IPSec tunnel.
  - Go to Manage > Service Setup > Remote Networks and make a note of the Service IP address. You use this IP address as the peer address when you set up the IPSec tunnel on the Meraki SD-WAN.
- Set up the Meraki SD-WAN device.
  - From the Meraki SD-WAN device, go to Security & SD-WAN > Configure > Site-to-site VPN.
  - Find the Organization-wide settings area.
  - Under Non-Meraki VPN peers, Add a peer.
  - Create a peer for Prisma Access.
  - Specify the IKE Version and make sure that it matches the version you specified in Prisma Access.
  - (Optional) If required, select Custom in the IPSec Policies area and make sure that the Phase 1 and Phase 2 IPSec tunnel settings match the IPSec tunnel settings you entered in Prisma Access.
  - Enter the Service IP address from Prisma Access as the Public IP / Hostname.
  - (Optional) If you used an IKE Peer Identification of User FQDN (email address) in Prisma Access, enter the same email address as the Local ID. If you’re using a static IP address in the branch, leave this field blank.
  - Enter the Private subnets that will be sent through the IPSec tunnel. Palo Alto Networks recommends that you enter an all-zeros (default) route.
  - (Optional) If you’re using PSKs for the IPSec tunnel, enter a Preshared secret that matches the Pre-Shared Key you entered in Prisma Access.
- Verify that the IPSec tunnel is up and running.
  - Check the IPSec tunnel status from Prisma Access.
    - Go to Manage > Service Setup > Remote Networks and check the Status of the tunnel. It might take some time (10 minutes or longer) for the IPSec tunnel to come up, especially if you’re using the cloud version of the Meraki web interface to configure Meraki.
    - Go to Activity > Log Viewer and check the Common/System logs for IPSec- and IKE-related messages. The message "ignoring unauthenticated notify payload" indicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already occurred.
    - Check the Firewall/Traffic logs and view the messages that are coming from the zone that has the same name as the remote network. In the logs, the remote network name is used as the source zone.
  - From the Meraki web interface, check the status of the non-Meraki VPN and view its Status.
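As an added example (not Palo Alto Networks or Meraki code), the following Python checks a proposed Prisma Access IKE/IPSec crypto profile against the algorithms the steps above list as supported on the Meraki SD-WAN, flags the weak choices that both sides accept, and verifies that the Meraki non-Meraki VPN peer settings match the Prisma Access tunnel before you push. The setting dictionaries, their field names and the sample values are constructed for illustration and do not come from either product's API.

```python
# Algorithms this page lists as supported by the Meraki SD-WAN device.
MERAKI_ENCRYPTION = {"aes-128-cbc", "aes-128-gcm", "aes-192-cbc",
                     "aes-256-cbc", "aes-256-gcm", "3des"}
MERAKI_AUTH = {"md5", "sha1", "sha256"}
MERAKI_DH = {"group1", "group2", "group5", "group14"}
# Accepted by both sides but weak; the page advises the highest DH group and PFS.
WEAK = {"3des", "md5", "sha1", "group1", "group2", "no-pfs"}

def check_crypto_profile(profile, label):
    """Return findings for one IKE or IPSec crypto profile (dict of value lists)."""
    findings = []
    for field, allowed in (("encryption", MERAKI_ENCRYPTION),
                           ("authentication", MERAKI_AUTH),
                           ("dh_group", MERAKI_DH | {"no-pfs"})):
        values = {v.lower() for v in profile.get(field, [])}
        for v in sorted(values - allowed):
            findings.append(f"{label}: {field} {v} is not supported by Meraki")
        for v in sorted(values & WEAK):
            findings.append(f"{label}: {field} {v} is weak")
    return findings

def check_peer_match(prisma, meraki):
    """Return findings where the Meraki peer does not match the Prisma Access tunnel."""
    findings = []
    if prisma["ike_version"] not in ("ikev2-preferred-mode", meraki["ike_version"]):
        findings.append("IKE version mismatch between Prisma Access and Meraki")
    if meraki["public_ip"] != prisma["service_ip"]:
        findings.append("Meraki Public IP / Hostname must be the Prisma Access Service IP")
    if meraki["preshared_secret"] != prisma["psk"]:
        findings.append("Preshared secret does not match the Prisma Access Pre-Shared Key")
    if prisma["branch_ip"] == "dynamic":  # a dynamic branch IP requires an IKE peer ID
        if prisma.get("peer_id") != meraki.get("local_id"):
            findings.append("IKE Peer Identification (User FQDN) must equal the Meraki Local ID")
    elif meraki.get("local_id"):
        findings.append("Local ID must be blank when the branch uses a static IP")
    if prisma.get("proxy_ids"):
        findings.append("do not configure Proxy IDs; Meraki builds the crypto map from routing")
    return findings

def audit(prisma, meraki):
    """Run all checks; an empty list means the two sides are consistent."""
    return (check_crypto_profile(prisma["ike_profile"], "IKE")
            + check_crypto_profile(prisma["ipsec_profile"], "IPSec")
            + check_peer_match(prisma, meraki))

# Constructed sample settings (placeholder values, not a real deployment).
PRISMA = {"ike_version": "ikev2", "service_ip": "203.0.113.10", "psk": "example-psk", "branch_ip": "dynamic",
          "peer_id": "branch1@example.com", "proxy_ids": [], "ike_profile": {"encryption": ["aes-256-gcm"], "authentication": ["sha256"], "dh_group": ["group14"]},
          "ipsec_profile": {"encryption": ["aes-256-gcm", "3DES"], "authentication": ["sha256"], "dh_group": ["group14"]}}
MERAKI = {"ike_version": "ikev2", "public_ip": "203.0.113.10",
          "preshared_secret": "example-psk", "local_id": "branch1@example.com"}
```

Running `audit(PRISMA, MERAKI)` on the sample reports only that 3DES in the IPSec profile is weak; change the Meraki Local ID or IKE version and the corresponding mismatch is listed.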