Onboard Branch Sites to Prisma Access

Learn how to connect Prisma SD-WAN branch sites to Prisma Access.
Where Can I Use This? / What Do I Need?
  • Strata Cloud Manager
  • Prisma SD-WAN
    • Prisma SD-WAN license
    • Prisma SD-WAN AppFabric deployed at one or more locations.
    • Physical and/or virtual ION devices running software versions 5.6.X or higher.
  • Prisma Access Cloud Managed/Panorama Managed
    • Prisma Access with Aggregate Bandwidth; the bandwidth licensing mode must be enabled per compute location on the Prisma Access Cloud Managed portal.
    • Identification of the IPsec Termination Nodes within Prisma Access for connectivity.
  • Ensure that you have Prisma Access (Cloud Managed/Panorama Managed) and Prisma SD-WAN in the same TSG.
Prisma Access supports two licensing models for remote networks:
  • Aggregate Bandwidth - Bandwidth allocated per compute location.
  • Site-based Licensing - Under site-based licensing, remote sites are categorized into five distinct, predefined bandwidth tiers:
    • 25 Mbps (Very Small)
    • 50 Mbps (Small)
    • 250 Mbps (Medium)
    • 1 Gbps (Large)
    • 2.5 Gbps (X-Large)
Prisma Access also offers two types of infrastructure deployments:
  • Remote Networks that offer up to 1 Gbps bandwidth per remote site.
  • Remote Networks High Performance (New Infrastructure) offers:
    • Up to 2 Gbps bandwidth per remote site
    • Prisma SD-WAN per-tunnel LQM visibility (available with ION software version 6.4.2)
    • Prisma SD-WAN packet duplication for enhanced reliability (available with ION software version 6.6.1)
Customers using the Site-based licensing model are automatically onboarded to the Remote Networks High Performance (RN-HP) infrastructure. If you use the Aggregate Bandwidth model, there are plans to transition you to the RN-HP infrastructure in the future to align with new SASE capabilities.
  1. Select Workflows > Onboarding > Onboard Branch Sites.
  2. On Branch Site Management, select Add Prisma SD-WAN Branch Site.
  3. On Step 1 Site Information, enter the basic information:
    1. Enter the Site Name for the site.
    2. Enter Description and Tags.
    3. Enable Configure as a Branch Gateway site to convert an existing branch site to a branch gateway site. This provides the policy transit and LQM server capabilities of a data center site, along with the visibility and path selection of a branch site.
    4. Verify that the Static SGI value is between 1 and 65533 for the ION-generated traffic. The Security Group Information option is enabled by default for Static tag configuration.
    5. Enter the Site address (using address search is recommended).
    6. Enter the City, State, and Country of the site.
    7. Click Next.
  4. On Step 2 Domain & Policies, select a Domain from the drop-down, or Add a Domain or Manage a Domain.
    By default, a preset domain is displayed for a branch site.
    1. Select Associate Branch With Default Data Center Hub Clusters to associate the newly created branch with the default cluster.
      This option is selected by default; clear it to choose a different cluster from the list.
    2. Configure Policies and click Next.
      Ensure that the default Path Policy Stack, Performance Policy Stack, QoS Policy Stack, Security Policy Stack, and NAT Policy Stack are selected.
  5. On Step 3 WAN Circuits and Devices:
    1. Click Add Circuits to add Internet Circuits and Private WAN Circuits.
      By default, the system includes a few predefined circuits that you can use when configuring the site. You can edit these labels or rename any remaining categories through Circuit Categories under Stacked Policies.
    2. On the Devices tab, select Assign Devices and choose from the available devices to assign, or select Create Device Shells to create up to two Device Shells to preprovision and assign to the Data Center site, depending on your requirement.
  6. On Step 4 Prisma Access Location, select a Prisma Access Location for this site to connect to.
    For Aggregate bandwidth:
    1. Enable connection from Prisma SD-WAN Branch site to Prisma Access Location to connect to the Prisma Access location and automatically configure BGP and tunnels.
      You can uncheck the box to create a site without connecting to the Prisma Access remote network. You can add the Prisma Access connection later from the Branch Sites page by selecting the Connect to Prisma Access option.
    2. Select the Primary Prisma Access Location and the IPsec Termination Node.
    3. Optionally, select the Secondary Prisma Access Location and the Secondary IPsec Termination Node.
    For Site-Based License:
    1. Enable connection from Prisma SD-WAN Branch site to Prisma Access Location to connect to the Prisma Access location and automatically configure BGP and tunnels.
      You can uncheck the box to create a site without connecting to the Prisma Access remote network. You can add the Prisma Access connection later from the Branch Sites page by selecting the Connect to Prisma Access option.
    2. Select Site Type from the available options:
      • 25 Mbps (Very Small)
      • 50 Mbps (Small)
      • 250 Mbps (Medium)
      • 1 Gbps (Large)
      • 2.5 Gbps (X-Large)
    3. Select the Primary Prisma Access Location.
    4. Select the option Allow connection to a secondary Prisma Access Location as backup when necessary to connect to a secondary Prisma Access location for backup.
    5. Select the Secondary Prisma Access Location.
  7. Save & Exit.