Use Predefined IPSec Templates to Onboard Service and Remote
Network Connections
Prisma Access includes predefined IPSec templates
for common third-party IPSec and SD-WAN devices. These profiles
expedite and simplify the onboarding of service connections and
remote network connections that use one of these devices to terminate
the connection.
Sharing a common template also allows you
to Onboard Multiple Remote Network Connections of the Same Type with commonly-shared
cryptos, pre-shared keys, and Peer identifiers.
Template Names and Types
Prisma Access provides you with the following
predefined templates that you can use to set up IPSec tunnels between
your on-premises device and Prisma Access:
- IPSec Tunnels (Network > IPSec Tunnels) under Remote_Network_Template and Service_Conn_Template.
- IKE Gateways (Network > Network Profiles > IKE Gateways) under Remote_Network_Template and Service_Conn_Template.
- IPSec Crypto Profiles (Network > Network Profiles > IPSec Crypto) under Remote_Network_Template and Service_Conn_Template.
- IKE Crypto Profiles (Network > Network Profiles > IKE Crypto) under Remote_Network_Template and Service_Conn_Template.
Currently, templates for the following vendors are available. In addition to the following templates, we provide a Generic template that you can use with any on-premises device that is not listed here.
- Cisco appliances:
  - Cisco Integrated Services Routers (ISRs)
  - Cisco Adaptive Security Appliances (ASAs)
- Citrix
- Prisma SD-WAN (formerly CloudGenix)
- Riverbed
- Silver Peak
Use
the following workflows to onboard service connections or remote
network connections using the predefined IPSec templates.
Onboard a Service Connection or Remote Network Connection
Using Predefined Templates
To onboard a service connection or remote
network connection using the templates provided by Prisma Access,
complete the following task.
- In Panorama, perform configuration so that the templates display in Panorama. When you upgrade the Cloud Services plugin, the new templates do not automatically display. Complete this step once after upgrading to have the templates permanently display. New installations perform this initial configuration as part of their first-time setup, and this extra step is not required. You can also complete this step if you delete these templates and need to retrieve them.
  - For service connections, select Panorama > Cloud Services > Configuration > Service Setup, click the gear icon in the Settings area to open the Settings, then click OK.
  - For remote network connections, select Panorama > Cloud Services > Configuration > Remote Networks, click the gear icon in the Settings area to open the Settings, then click OK.
- Select Network, then select the correct Template (either Remote_Network_Template if you are creating a remote network connection or Service_Conn_Template if you are creating a service connection).
- Determine the type of device that is used to terminate the service connection or remote network connection, and find a template to use with that device. If your SD-WAN or IPSec device is not on the list, use the generic profiles.
- Select Network > Network Profiles > IKE Gateways and make the following changes to the IKE gateway profile for your device. You can use the IPSec crypto and IKE crypto profiles with no changes; however, you must make specific changes to the IKE gateway profile to match the network settings.
  - (Optional) If you know the public IP address of the on-premises device that will be used to set up the IPSec tunnel with Prisma Access, set a static IP address by specifying a Peer IP Address Type of IP and entering the Peer Address for the IPSec tunnel.
  - If using a pre-shared key for the IPSec tunnel, specify a Pre-shared Key.
  - Specify a Peer Identification of either IP Address or User FQDN. Be sure that you match the settings you specify here when you configure the device used to terminate the other side of the IPSec tunnel.
- Onboard the service connection or remote network connection, specifying the IPSec tunnel configuration that matches the device on the other side of the IPSec tunnel.
- (Optional) If you need to add a backup tunnel (Secondary WAN) for a service connection or remote connection, perform the following additional configuration steps. Configuring a Secondary WAN is not supported in the following deployments:
  - If your secondary WAN is set up in active-active mode with the Primary IPSec tunnel.
  - If your customer premises equipment (CPE) is set up in an Equal Cost Multipath (ECMP) configuration with the Primary and Secondary IPSec tunnel.
  - Create a new IKE Gateway for the backup tunnel, copying the settings from the predefined template you want to duplicate. The following example creates a backup tunnel configuration for generic networking devices.
  - Under Advanced Options, specify the IKE Crypto Profile for the predefined template you want to use. Palo Alto Networks recommends that you use GCM ciphers instead of CBC ciphers for IPSec tunnels.
  - Create a new IPSec Tunnel, specifying the new IKE gateway you created, but copying all the other settings from the default template.
  - When you onboard the service connection or remote network connection, Enable Secondary WAN and specify the tunnel you created for the backup WAN.
- Complete the configuration of the service connection or remote network connection by matching the cryptos, pre-shared key, and Peer identifiers on the device that is used to terminate the other side of the IPSec tunnel.
- (Optional) If you need to onboard multiple remote network connections that use the same types of networking devices, Export the configuration of the remote network, edit the settings, then Import that configuration. See Onboard Multiple Remote Network Connections of the Same Type for details.
Onboard Multiple Remote Network Connections of the Same Type
To streamline the process to Onboard and Configure Remote Networks, you can onboard a single remote network connection that uses a networking device that is common to your network deployment, then Export those settings to a Comma Separated Value (CSV) text file. The CSV file includes the values of IPSec tunnel and IKE gateway settings for the network you selected for export. After you export the common configuration settings, you can edit these settings and make them unique for each new remote network you want to onboard, retain the settings that are common to each device, then Import that configuration. For more information, including a description of all editable fields in the CSV table, see Onboard Remote Networks with Configuration Import.
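The export, edit, and import cycle described above is easy to get wrong by hand, so here is an added example (not Prisma Access or Panorama code) of preparing the per-site rows from one shared template and checking them against the points the workflow steps stress: the IKE gateway peer identification and pre-shared key must match the CPE side, and GCM ciphers are preferred over CBC. The column names, site values, and the `cpe` settings dict are constructed for this example and are not the real headers of the Prisma Access export file.

```python
import csv
import io

# Column names and values are constructed for this example; they are not
# the headers of the Prisma Access remote network export file.
COMMON = {
    "template": "Remote_Network_Template",
    "ike_crypto_profile": "Generic-IKE-Crypto",
    "ike_encryption": "aes-256-gcm",      # GCM, as recommended over CBC
    "ipsec_crypto_profile": "Generic-IPSec-Crypto",
    "peer_id_type": "User FQDN",          # must match the CPE side
}

# Values that must be unique per remote network (constructed placeholders).
SITES = [
    {"name": "branch-01", "peer_address": "203.0.113.10",
     "pre_shared_key": "PSK-PLACEHOLDER-01", "peer_id": "branch-01@example.com"},
    {"name": "branch-02", "peer_address": "203.0.113.20",
     "pre_shared_key": "PSK-PLACEHOLDER-02", "peer_id": "branch-02@example.com"},
]

def build_rows(common, sites):
    """Merge shared template values with each site's unique values."""
    return [{**common, **site} for site in sites]

def to_csv(rows):
    """Serialize the rows in the shape an import file would take."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def lint_rows(rows):
    """Flag settings the guide warns about before the file is imported."""
    problems = []
    for r in rows:
        if "cbc" in r["ike_encryption"].lower():
            problems.append(f"{r['name']}: CBC cipher, use a GCM cipher instead")
        if r["peer_id_type"] not in ("IP Address", "User FQDN"):
            problems.append(f"{r['name']}: peer ID type must be IP Address or User FQDN")
    return problems

def peer_mismatches(row, cpe):
    """Fields where the CPE's settings (a constructed dict) differ from the
    Prisma Access row; the tunnel will not negotiate until they match."""
    fields = ("pre_shared_key", "peer_id_type", "peer_id", "ike_encryption")
    return [f for f in fields if row[f] != cpe.get(f)]
```

Run `lint_rows` and `peer_mismatches` against each site before importing the CSV, then compare the same four fields on the terminating device.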
Supported IKE and IPSec Cryptographic Profiles for Common
SD-WAN Devices
This section provides you with the supported
cryptographic profiles for many common SD-WAN devices. If you are
configuring an SD-WAN device, use these profiles as a guideline
as to what you can configure for the remote network in Prisma Access.