Plan a Service Connection (Cloud Management)

Prisma Access service connections enable users to access resources in your HQ or data center network. Review these planning guidelines before setting up a service connection.
Create service connections to allow Prisma Access to perform the following tasks:
  • Allow access to the resources in your HQ or data center.
    If you have corporate resources that your remote networks and mobile users need to access, you must enable Prisma Access to access the corresponding corporate network.
  • Allow remote networks and mobile users to communicate with each other.
    Even if you do not need your Prisma Access users to connect to your HQ or data center, you might need to allow your mobile users to access your remote network sites. Service connections are required for this use case because, while all remote network sites are fully meshed, the mobile user infrastructure is not. Minimally configuring a service connection establishes the hub-and-spoke network mobile users need to access a branch network.
    To improve network efficiency, place service connections close to the remote network or networks that mobile users access most frequently.
To learn more about the number of service connections available to you:
  • Go to Manage > Service Setup > Licenses to see what’s included with your license.
  • The number of service connections available to you depends on your license. While the licensing topic discusses Panorama Managed Prisma Access, the licensing information for service connections is the same for Prisma Access Cloud Management.

Gather this HQ or Data Center Information

Before you begin to configure Prisma Access service connections, gather the following information for each HQ or data center site to which you want Prisma Access to be able to connect.
You do not need to gather this information if you are creating a service connection only to allow mobile users to access remote network locations.
  • IPSec-capable firewall, router, or SD-WAN device connection at your corporate site.
  • IPSec settings for terminating the primary VPN tunnel from Prisma Access to the IPSec-capable device on your corporate network.
  • IPSec settings for terminating the secondary VPN tunnel from Prisma Access to the IPSec-capable device on your corporate network.
  • List of IP subnetworks at the site.
  • List of internal domains that Prisma Access must be able to resolve.
  • IP address of a corporate access node at your network’s site to which Prisma Access can send ICMP ping requests for IPSec tunnel monitoring.
    Make sure that this address is reachable by ICMP from the entire Prisma Access infrastructure subnet.
  • Network reachability settings for the service infrastructure subnet.
    Make the entire service infrastructure subnet reachable from the HQ or data center. Prisma Access uses IP addresses for all control plane traffic from this subnet.
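As an added example (not from the Prisma Access documentation), the following Python pre-flight check validates the information gathered above before a service connection is configured: it parses the site subnets and the infrastructure subnet, flags overlaps that would make the infrastructure subnet unreachable from the site, and checks the domain list. The subnet, domain and ping-target values are constructed samples, and the rule that the tunnel-monitor address must fall inside one of the site's own subnets is an assumption made here.

```python
# Added example, not part of the Prisma Access documentation.
# Pre-flight validation of the HQ / data-center information gathered for a
# service connection. All values in DC_PLAN are constructed samples.
import ipaddress
import re

DC_PLAN = {
    "site_subnets": ["10.10.0.0/16", "10.20.0.0/24"],      # subnets at the site
    "internal_domains": ["corp.example.com", "ad.example.com"],
    "tunnel_monitor_ip": "10.10.1.10",                     # ICMP target for tunnel monitoring
    "infrastructure_subnet": "172.16.55.0/24",             # Prisma Access infrastructure subnet
}

# One or more DNS labels, each 1-63 chars, not starting or ending with '-'.
_DOMAIN_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)


def _parse_network(value, problems, label):
    """Parse a CIDR string; report (rather than raise) on host bits set or bad syntax."""
    try:
        return ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        problems.append(f"{label} {value!r} is not a valid network: {exc}")
        return None


def check_service_connection_plan(plan):
    """Return a list of problems found in the plan; an empty list means it passes."""
    problems = []
    site_nets = [n for n in (_parse_network(s, problems, "site subnet")
                             for s in plan["site_subnets"]) if n is not None]
    infra = _parse_network(plan["infrastructure_subnet"], problems, "infrastructure subnet")
    monitor = ipaddress.ip_address(plan["tunnel_monitor_ip"])

    # The infrastructure subnet must be routable from the site; an overlap with a
    # site subnet means the site would route that traffic locally instead.
    if infra is not None:
        for net in site_nets:
            if net.overlaps(infra):
                problems.append(f"site subnet {net} overlaps infrastructure subnet {infra}")

    # Site subnets overlapping each other make the routes advertised to Prisma Access ambiguous.
    for i, a in enumerate(site_nets):
        for b in site_nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"site subnets {a} and {b} overlap")

    # Assumption: the ping target is a node at the site, so it should sit inside a site subnet.
    if not any(monitor in net for net in site_nets):
        problems.append(f"tunnel monitor IP {monitor} is not inside any site subnet")

    for domain in plan["internal_domains"]:
        if not _DOMAIN_RE.match(domain):
            problems.append(f"invalid internal domain name: {domain!r}")
    return problems
```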
