Set Up the Prisma Access Service Infrastructure

Set up the Prisma Access service infrastructure between your remote network locations and mobile users, and from your service connections to your HQ/data centers.
To enable communication between your remote network locations, mobile users, and the HQ or data centers that you plan on connecting to Prisma Access over service connections, set up the service infrastructure subnet. Prisma Access uses this subnet to create the network backbone for communication between your branch networks, mobile users, and the Prisma Access security infrastructure, as well as with the HQ and data center networks you plan to connect to Prisma Access over service connections. If you use dynamic routing for your remote networks or service connections, you must also configure an RFC 6996-compliant BGP private AS number.
Use the following recommendations and requirements when you add an infrastructure subnet for Prisma Access:
  • Use an RFC 1918-compliant subnet. While the use of non-RFC 1918-compliant (public) IP addresses is supported, it is not recommended because of possible conflicts with the internet public IP address space.
  • Do not specify any subnets that overlap with 169.254.169.253, 169.254.169.254, and the 100.64.0.0/10 subnet range because Prisma Access reserves those IP addresses and subnets for its internal use.
  • This subnetwork is an extension to your existing network and therefore, cannot overlap with any IP subnets that you use within your corporate network or with the IP address pools that you assign for Prisma Access for users or Prisma Access for networks.
  • Because the service infrastructure requires a large number of IP addresses, you must designate a /24 subnetwork (for example, 172.16.55.0/24).
  1. Go to Settings > Prisma Access Setup > Shared.
  2. Enter an Infrastructure Subnet that Prisma Access can use to enable communication between your remote network locations, mobile users, and the HQ or data centers that you plan on connecting to Prisma Access over service connections.
    Use an RFC 1918-compliant subnet for the infrastructure subnet. While the use of non-RFC 1918-compliant (public) IP addresses is supported, it is not recommended because of possible conflicts with the internet public IP address space.
  3. Enter the Infrastructure BGP AS you want to use within the Prisma Access infrastructure.
    If you want to enable dynamic routing so that Prisma Access can dynamically discover routes to resources in your remote networks and HQ or data center locations, you must use the Border Gateway Protocol (BGP). The Infrastructure BGP AS is the autonomous system (AS) number that identifies the routes through which BGP can send traffic. If you do not supply an AS number, Prisma Access uses the default AS number (65534).
    If you want to specify your own AS number, you must use an RFC 6996-compliant private AS number. Accepted formats are 4-byte AS Plain notation [64512-65534], [4200000000-4294967294] or AS Dot notation [0.64512-0.65534], [64086.59904-65535.65534].
  4. If you enable your users to access applications based on source IP address, you will need to get the list of IP addresses that traffic from Prisma Access uses as the source address so that you can allow them in your application access policies.
    Copy the Egress IP API Key to enable use of the Prisma Access Egress IP Address API. Also, because the IP addresses that Prisma Access uses change periodically (for example, when you add a new location, when Prisma Access needs to scale resources in an existing location, or when there is an infrastructure upgrade), you need to know when the IP addresses change so that you can update your policy rules, or automate these updates by defining an Egress IP Notification URL. See Retrieve the IP Addresses to Allow for Prisma Access for more details.
  5. (Optional) Enable the tenant as a pre-production or lab tenant.
    1. Enable the tenant as Pre-prod or Lab Tenant.
    2. Agree to confirm.
  6. To enable Prisma Access to resolve your internal domains, Add an Internal Domain List.
    If you plan on configuring service connections to enable access to resources in your corporate network and you also need Prisma Access to resolve your internal domains, you must define the list of internal domains. DNS queries for domains in the Internal Domain List are sent to your local DNS servers to ensure that resources are available to Prisma Access remote network users and mobile users.
    1. Enter the Primary DNS server and Secondary DNS server that Prisma Access should use to resolve the internal domain names.
    2. Add the internal Domain Names that you want Prisma Access to resolve.
      You can use a wildcard (*) in front of the domains in the domain list, for example *.acme.local or *.acme.com.
  7. Push Config to save your service infrastructure settings to Prisma Access.
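The subnet rules listed above (RFC 1918, /24, no overlap with the reserved ranges or with your own address space) and the private AS number formats accepted in step 3 are easy to get wrong before a Push Config. The following pre-flight checker is an added example, not Palo Alto Networks code and not part of this page; the corporate subnets and IP pools passed to it are constructed sample values.

```python
import ipaddress

# Ranges the page says Prisma Access reserves for internal use.
RESERVED = [ipaddress.ip_network(n) for n in
            ("169.254.169.253/32", "169.254.169.254/32", "100.64.0.0/10")]
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# RFC 6996 private AS ranges (16-bit and 32-bit), as listed in step 3.
PRIVATE_AS = ((64512, 65534), (4200000000, 4294967294))


def subnet_problems(subnet, in_use=()):
    """Return rule violations for a candidate infrastructure subnet.
    in_use: corporate subnets and Prisma Access IP pools it must not overlap."""
    try:
        net = ipaddress.ip_network(subnet, strict=True)  # rejects host bits set
    except ValueError as err:
        return [f"invalid network: {err}"]
    if net.version != 4:
        return ["must be an IPv4 subnet"]
    problems = []
    if net.prefixlen != 24:
        problems.append("must be a /24")
    if not any(net.subnet_of(r) for r in RFC1918):
        problems.append("not RFC 1918 (public space is supported but not recommended)")
    for r in RESERVED:
        if net.overlaps(r):
            problems.append(f"overlaps Prisma Access reserved range {r}")
    for used in in_use:
        if net.overlaps(ipaddress.ip_network(used, strict=False)):
            problems.append(f"overlaps existing subnet or pool {used}")
    return problems


def parse_as(text):
    """Convert AS plain ('65000') or AS dot ('0.65000') notation to an integer."""
    parts = text.strip().split(".")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised AS number: {text!r}")
    if len(parts) == 2:  # AS dot: high.low, each half is 16 bits
        high, low = map(int, parts)
        if high > 65535 or low > 65535:
            raise ValueError("AS dot halves must each be 0-65535")
        return high * 65536 + low
    return int(parts[0])


def is_private_as(text):
    """True if the AS number falls in an RFC 6996 private range."""
    asn = parse_as(text)
    return any(lo <= asn <= hi for lo, hi in PRIVATE_AS)


if __name__ == "__main__":
    corp = ["10.0.0.0/8", "192.168.50.0/24"]  # constructed sample address space
    print(subnet_problems("172.16.55.0/24", corp), is_private_as("64086.59904"))
```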
