>
    Strata Copilot
    Validate the Prisma SD-WAN Configuration
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Azure Virtual WAN CloudBlade Integration
    4. Validate the Prisma SD-WAN Configuration
    Download PDF
    Prisma SD-WAN

    Validate the Prisma SD-WAN Configuration

    Table of Contents

    Validate the Prisma SD-WAN Configuration

    Lets see how to validate the Prisma SD-WAN configurations.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN (Managed by Strata Cloud Manager)
    • Prisma SD-WAN
    • Azure Virtual WAN CloudBlade
    The Azure vWAN CloudBlade provisions the VPN sites, BGP peering configuration, and vWAN Hub association on Azure. On the Prisma SD-WAN ION device, two Standard IPSEC VPN tunnel interfaces, BGP peer configuration, and a static route to facilitate the BGP peering will be created. In addition, at a Prisma SD-WAN system level a Standard endpoint and service group will be created which can be used in path policies to direct the desired application traffic to Azure.
    The following steps can be used to validate if the CloudBlade is working as intended:
    1. Check the status indicator on the CloudBlade window. Once enabled and deployed correctly, the status indicator should turn green.
    2. If the access credentials are invalid, the status indicator will throw an Azure auth failure error message.
    3. The Monitor tab on the CloudBlade shows the deployment status of the integration.
    4. The below example is from the Azure portal deployment for the Branch site in the previous section. The CloudBlade creates a single VPN site object with the public IP address of the demo Branch ION. This is associated with the vWAN hub in the East US region, which was created earlier when the tag was applied to interface 1. The VPN site has BGP enabled with the AS# configured on the ION, and the peering address is the Standard inner tunnel IP.
      If no previous BGP AS# is available on the ION, a BGP AS number is automatically assigned from the private AS range by the CloudBlade.
    5. The below example is the CloudBlade configuration on Prisma SD-WAN (Standard tunnel interface, static route, BGP peer, Standard endpoint & group).
      Once the configuration is validated and the tunnel and BGP session is up, the administrator can modify the path policy applied to the site to direct the appropriate application traffic toward Azure.

    © 2026 Palo Alto Networks, Inc. All rights reserved.