Set Up the Prisma Access Service Infrastructure
Set up the Prisma Access service infrastructure between
your remote network locations and mobile users, and from your service
connections to your HQ/data centers.
To enable communication between your remote
network locations, mobile users, and the HQ or data centers that
you plan on connecting to Prisma Access over service connections,
set up the service infrastructure subnet. Prisma Access uses this
subnet to create the network backbone for communication between
your branch networks, mobile users and the Prisma Access security
infrastructure, as well as with the HQ and data center networks
you plan to connect to Prisma Access over service connections. If
you use dynamic routing for your remote networks or service connections,
you must also configure an RFC 6996-compliant BGP private AS number.
Use the following recommendations and requirements when you add an infrastructure subnet for Prisma Access:
- Use an RFC 1918-compliant subnet. While the use of non-RFC 1918-compliant (public) IP addresses is supported, it is not recommended because of possible conflicts with the internet public IP address space.
- Do not specify any subnets that overlap with 169.254.169.253, 169.254.169.254, and the 100.64.0.0/10 subnet range because Prisma Access reserves those IP addresses and subnets for its internal use.
- This subnetwork is an extension to your existing network and therefore, cannot overlap with any IP subnets that you use within your corporate network or with the IP address pools that you assign for Prisma Access for users or Prisma Access for networks.
- Because the service infrastructure requires a large number of IP addresses, you must designate a /24 subnetwork (for example, 172.16.55.0/24).
- Go to Settings > Prisma Access Setup > Shared.
- Enter an Infrastructure Subnet that Prisma Access can use to enable communication between your remote network locations, mobile users, and the HQ or data centers that you plan on connecting to Prisma Access over service connections. Use an RFC 1918-compliant subnet for the infrastructure subnet. While the use of non-RFC 1918-compliant (public) IP addresses is supported, it is not recommended because of possible conflicts with the internet public IP address space.
- Enter the Infrastructure BGP AS you want to use within the Prisma Access infrastructure. If you want to enable dynamic routing so that Prisma Access can dynamically discover routes to resources in your remote networks and HQ or data center locations, you must use the Border Gateway Protocol (BGP). The Infrastructure BGP AS is the autonomous system (AS) number that identifies the routes through which BGP can send traffic. If you do not supply an AS number, Prisma Access uses the default AS number (65534). If you want to specify your own AS number, you must use an RFC 6996-compliant private AS number. Accepted formats are 4-Byte AS Plain [64512-65534], [4200000000-4294967294] or AS Dot [0.64512-0.65534], [64086.59904-65535.65534] notation.
- If you enable your users to access applications based on source IP address, you will need to get the list of IP addresses that traffic from Prisma Access uses as the source address so that you can allow them in your application access policies. Copy the Egress IP API Key to enable use of the Prisma Access Egress IP Address API. Also, because the IP addresses that Prisma Access uses change periodically—for example when you add a new location, when Prisma Access needs to scale resources in an existing location, or when there is an infrastructure upgrade—you need to know when the IP addresses change so that you can update your policy rules, or automate these updates by defining an Egress IP Notification URL. See Retrieve the IP Addresses to Allow for Prisma Access for more details.
- (Optional) Enable the tenant as a pre-production or lab tenant.
- Enable the tenant as Pre-prod or Lab Tenant.
- Agree to confirm.
- To enable Prisma Access to resolve your internal domains, Add an Internal Domain List. If you plan on configuring service connections to enable access to resources in your corporate network and you also need Prisma Access to resolve your internal domains, you must define the list of internal domains. DNS queries for domains in the Internal Domain List are sent to your local DNS servers to ensure that resources are available to Prisma Access remote network users and mobile users.
- Enter the Primary DNS server and Secondary DNS server that Prisma Access should use to resolve the internal domain names.
- Add the internal Domain Names that you want Prisma Access to resolve. You can use a wildcard (*) in front of the domains in the domain list, for example *.acme.local or *.acme.com.
- Push Config to save your service infrastructure settings to Prisma Access.
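The subnet and AS-number rules above are easy to get wrong by hand, and an overlap only surfaces after Push Config. The following pre-flight checker is an added example, not Palo Alto Networks code: it tests a candidate infrastructure subnet against the /24, RFC 1918, reserved-range and overlap requirements listed on this page, and validates an Infrastructure BGP AS in either AS Plain or AS Dot notation against the RFC 6996 private ranges. The corporate subnets and IP pools passed to it are constructed sample values.

```python
import ipaddress

# Ranges Prisma Access reserves for internal use (from the requirements above).
RESERVED = [ipaddress.ip_network(n) for n in
            ("169.254.169.253/32", "169.254.169.254/32", "100.64.0.0/10")]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6996 private AS ranges: 16-bit and 32-bit, as quoted on this page.
PRIVATE_AS = ((64512, 65534), (4200000000, 4294967294))


def check_infra_subnet(subnet, in_use):
    """Return a list of problems with a candidate infrastructure subnet.

    `in_use` holds the corporate subnets and the Prisma Access IP pools
    (mobile users / remote networks) the infrastructure subnet must not
    overlap. A candidate with host bits set raises ValueError.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    problems = []
    if net.prefixlen != 24:
        problems.append(f"{net} is a /{net.prefixlen}; a /24 is required")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append(f"{net} is not RFC 1918 space (not recommended)")
    for r in RESERVED:
        if net.overlaps(r):
            problems.append(f"{net} overlaps reserved range {r}")
    for s in in_use:
        other = ipaddress.ip_network(s, strict=False)
        if net.overlaps(other):
            problems.append(f"{net} overlaps existing subnet or pool {other}")
    return problems


def parse_as(text):
    """Parse an AS number written in AS Plain ('65001') or AS Dot ('0.65001')."""
    if "." in text:
        high, low = (int(p) for p in text.split(".", 1))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"bad AS Dot value: {text}")
        return high * 65536 + low
    return int(text)


def is_private_as(text):
    """True if the AS number falls inside an RFC 6996 private range."""
    asn = parse_as(text)
    return any(lo <= asn <= hi for lo, hi in PRIVATE_AS)
```

Run the checker against the same subnet and pool list you intend to enter under Settings > Prisma Access Setup > Shared; an empty result means the candidate meets every requirement on this page.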