Configure the Aruba Remote Network

To configure the Aruba SD-WAN with Prisma Access, complete the following workflow.

Validated IKE and IPSec Cryptographic Profiles

Both the Aruba Branch Gateways and Prisma Access support several options for setting up VPN tunnels. The following table lists the configurations that have been validated for this solution; they offer a good compromise between performance, flexibility and security, considering that the integration carries mostly internet-bound traffic.

Crypto Profile                  Phase 1 (IKE)                   Phase 2 (IPSec)
Confidentiality                 AES-256 (see note 1)            AES-256 (see note 1)
Integrity                       SHA256                          SHA1
Authentication                  Username/Password (see note 2)  N/A
Key Exchange Method             Diffie-Hellman                  Diffie-Hellman
Diffie-Hellman Group            14                              14
NAT Traversal                   Enabled                         N/A
Dead Peer Detection (DPD)       Enabled                         N/A
Perfect Forward Secrecy (PFS)   N/A                             Yes
VPN Type                        N/A                             Policy-based VPN

Note 1: You configure AES-256 as aes-256-cbc in Prisma Access, for both phases.
Note 2: On the BGW this is the Source FQDN (the IKE identity) together with the IKE Shared Secret, which is configured as a pre-shared key on both sides; see the BGW steps below.

Two further points. Group 14 is the 2048-bit MODP group; do not accept groups 1, 2 or 5 if a peer proposes them. The SHA1 in Phase 2 is HMAC-SHA1 as negotiated by the BGW's default-aes transform (AES-256 with SHA1), so the Prisma Access IPSec profile must use exactly that pair; otherwise Phase 2 does not complete even when Phase 1 succeeds.
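As an added example, not code from the page, Palo Alto Networks or Aruba, the following Python script encodes the validated table and checks a proposed Prisma Access IKE/IPSec profile pair against it and against the BGW transform set. It flags settings below the baseline (DES/3DES, MD5, DH groups smaller than 14, PFS off), a Phase 2 proposal that does not match what the Aruba transform actually negotiates, and any deviation from the validated values. The ARUBA_TRANSFORMS dictionary, the dataclasses and the sample profiles are this example's own constructions; only default-aes is named on the page.

```python
"""Check an IKE/IPSec profile pair against the validated Aruba BGW / Prisma Access settings."""
from dataclasses import dataclass
from typing import List, Optional

# Aruba transform sets as the page describes them: default-aes = AES-256 with SHA1.
# Only default-aes is named on the page; the dictionary shape is this example's own.
ARUBA_TRANSFORMS = {
    "default-aes": {"encryption": "aes-256-cbc", "integrity": "sha1"},
}

# Validated values from the table above (Phase 1 = IKE, Phase 2 = IPSec).
VALIDATED_PHASE1 = {"encryption": "aes-256-cbc", "integrity": "sha256", "dh_group": 14}
VALIDATED_PHASE2 = {"encryption": "aes-256-cbc", "integrity": "sha1", "pfs_group": 14}

WEAK_ENCRYPTION = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "none"}
MIN_DH_GROUP = 14  # 2048-bit MODP; groups 1, 2 and 5 are smaller and should not be used


@dataclass
class Phase1:
    encryption: str
    integrity: str
    dh_group: int


@dataclass
class Phase2:
    encryption: str
    integrity: str
    pfs_group: Optional[int]  # None = PFS disabled


def check_profiles(ike: Phase1, ipsec: Phase2, aruba_transform: str) -> List[str]:
    """Return a list of findings; an empty list means the pair matches the validated table."""
    findings: List[str] = []
    transform = ARUBA_TRANSFORMS.get(aruba_transform)
    if transform is None:
        findings.append(f"unknown Aruba transform {aruba_transform!r}")

    # Settings below the baseline the validated profile provides.
    if ike.encryption in WEAK_ENCRYPTION or ipsec.encryption in WEAK_ENCRYPTION:
        findings.append("weak encryption algorithm (DES/3DES/null)")
    if ike.integrity in WEAK_INTEGRITY or ipsec.integrity in WEAK_INTEGRITY:
        findings.append("weak integrity algorithm (MD5/none)")
    if ike.dh_group < MIN_DH_GROUP:
        findings.append(f"IKE DH group {ike.dh_group} is below group {MIN_DH_GROUP}")
    if ipsec.pfs_group is None:
        findings.append("PFS disabled on Phase 2 (validated profile requires PFS, group 14)")
    elif ipsec.pfs_group < MIN_DH_GROUP:
        findings.append(f"PFS group {ipsec.pfs_group} is below group {MIN_DH_GROUP}")

    # The Prisma Access IPSec profile must negotiate exactly what the BGW transform offers;
    # otherwise Phase 2 never completes even though Phase 1 succeeds.
    if transform and (ipsec.encryption, ipsec.integrity) != (transform["encryption"], transform["integrity"]):
        findings.append(
            f"Phase 2 {ipsec.encryption}/{ipsec.integrity} does not match Aruba "
            f"{aruba_transform} ({transform['encryption']}/{transform['integrity']})"
        )

    # Deviations from the validated table that are not weaknesses but are unvalidated.
    if (ike.encryption, ike.integrity, ike.dh_group) != tuple(VALIDATED_PHASE1.values()):
        findings.append("Phase 1 differs from the validated aes-256-cbc/sha256/group 14 profile")
    if (ipsec.encryption, ipsec.integrity, ipsec.pfs_group) != tuple(VALIDATED_PHASE2.values()):
        findings.append("Phase 2 differs from the validated aes-256-cbc/sha1/PFS group 14 profile")
    return findings


# Sample profile pairs, constructed for this example.
VALIDATED_PAIR = (Phase1("aes-256-cbc", "sha256", 14), Phase2("aes-256-cbc", "sha1", 14), "default-aes")
WEAK_PAIR = (Phase1("3des", "md5", 2), Phase2("aes-256-cbc", "sha256", None), "default-aes")

if __name__ == "__main__":
    for label, pair in (("validated", VALIDATED_PAIR), ("weak", WEAK_PAIR)):
        print(label, check_profiles(*pair) or ["OK"])
```

Run it as-is to see the validated pair pass and the weak pair produce seven findings; the mismatch check is the one that catches the common field error of picking SHA256 for the Prisma Access IPSec profile while the BGW still offers default-aes.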

Configure the Remote Network Connection in Prisma Access

To begin configuration of the remote network connection, complete the following tasks.
  1. When configuring the remote network, use the validated settings. Choose a Prisma Access Location that is close to the remote network location that you want to onboard.
  2. Select IPSec Advanced Options and Create New to create a new IPSec crypto profile for the remote network tunnel using the recommended settings.
  3. Select IKE Advanced Options and Create New to create a new IKE cryptographic profile for the remote network tunnel. Be sure to use crypto values that are supported with Aruba, and make a note of the values you use; the BGW transform must match them exactly.
  4. Set up routing for the remote network. Select Set Up Routing and Add the IP subnets for Static Routing.
  5. Push your configuration changes.
    1. Return to Manage > Service Setup > Remote Networks and select Push Config > Push.
    2. Select Remote Networks.
    3. Push your changes.
  6. Make a note of the Service IP of the Prisma Access side of the tunnel. To find this address in Cloud Managed Prisma Access, select Manage > Service Setup > Remote Networks and click Remote Networks. Look for the Service IP field corresponding to the remote network configuration you created.

Configure the Aruba BGW

The configuration required for the BGWs is straightforward and can leverage Aruba Central’s group-based configuration to reuse as much configuration as possible across branches.
  1. In the Aruba Branch Gateway, set up the tunnel to Prisma Access.
    1. Select VPN > Cloud Security > Palo Alto Networks - GPCS.
    2. Enter values in the fields.
      • Name—Enter an administrative name for the tunnel. The system appends _gpcs to the end.
      • Priority—Enter a numeric identifier for the tunnel.
      • Transform—Select default-aes, which uses AES256 encryption with SHA1 hash.
      • Source FQDN—Enter the user ID created in Prisma Access (santaclara.branch in the following screenshot).
      • Tunnel destination IP—Enter the Service IP Address from the remote network connection that you noted when you configured the remote network connection in Prisma Access.
      • Uplink VLAN—Select the Uplink VLAN to be used to bring up tunnels to Prisma Access (in the case of BGWs) or the source VLAN in the case of VPNCs.
      • IKE Shared Secret—Set the same value created in the Prisma Access configuration.
      The solution can set up multiple tunnels and use PBR policies to determine which traffic is sent through each one; therefore, you can configure active-active or active-backup redundancy.
      Even though the Source FQDN has to be unique per branch, you should configure the remaining parts of the tunnel configuration at the group level whenever possible. This hierarchical configuration model greatly streamlines configuration. Keep in mind that a shared secret set at the group level is the same secret on every branch gateway in the group, so one compromised gateway exposes the secret all of them use. The following screenshot shows a specific Source FQDN configured for the local configuration and a generic Source FQDN specified for the group-level configuration.
  2. Create one or more next-hop lists with the tunnels.
    After you create the tunnels, next-hop lists group them together to be used inside PBR policies.
    1. Select NextHop Configuration (under Routing).
    2. Create a NextHop.
    3. Add Site-to-Site IPSec maps.
    4. Enter different priorities for the different tunnels. Prisma Access doesn't support load-balancing, so within a next-hop list the tunnels are used in priority order rather than in parallel.
    5. Select Preemptive-failover.
  3. Add the next hop to a routing policy by selecting Routing > Policy-Based Routing.
    In the following example, the policy sends all traffic to private subnets (an alias representing 10.0.0.0/8 and 172.16.0.0/12) through the regular path and sends the rest of the traffic through the Prisma Access nodes. If your private addressing also uses 192.168.0.0/16, add it to the alias; otherwise that traffic is sent to Prisma Access as if it were internet-bound.
  4. Apply policies to the roles or VLANs.
    After you create the routing policy, the last step is to apply it to the role or VLAN whose traffic you want to send through Prisma Access.
    If there is a conflict between PBR policies applied to a role and a VLAN, the policies applied to the role take precedence.
    The following screen shows a PBR policy being applied to a VLAN.
    The following screen shows a PBR policy being applied to a role.
  5. Continue to Verify and Troubleshoot the Aruba Remote Network to verify the status of the remote network tunnel.
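The following Python model is an added example, not code from the page or from Aruba, of what steps 2 to 4 build: a next-hop list of tunnels ordered by priority, with and without preemptive failover, and the PBR policy that keeps the private-subnet alias on the regular path and sends everything else to the highest-priority tunnel that is up. The tunnel names, the priority ordering (lower value preferred here, which is an assumption; confirm the ordering in the Aruba Central UI), the up/down flags that DPD would drive in practice, and the destination addresses are all constructed for this example. The alias deliberately omits 192.168.0.0/16, as the page's example does, so the last lookup shows what that omission does.

```python
"""Model the next-hop list and PBR policy built in the steps above, including preemptive failover."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional

# The "private subnets" alias from the PBR example above; 192.168.0.0/16 is absent on purpose.
PRIVATE_SUBNETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]


@dataclass
class Tunnel:
    name: str        # the BGW appends _gpcs to the administrative name
    priority: int    # lower value = preferred in this model (assumption; check the UI's ordering)
    up: bool = True  # DPD would drive this in practice


class NextHopList:
    """Tunnels in priority order; with preemption the best tunnel that is up always wins."""

    def __init__(self, tunnels: Iterable[Tunnel], preemptive: bool = True) -> None:
        self.tunnels = sorted(tunnels, key=lambda t: t.priority)
        self.preemptive = preemptive
        self.current: Optional[Tunnel] = None

    def select(self) -> Optional[Tunnel]:
        # Without preemption, keep using the current tunnel for as long as it stays up.
        if not self.preemptive and self.current is not None and self.current.up:
            return self.current
        self.current = next((t for t in self.tunnels if t.up), None)
        return self.current


def route(destination: str, nexthops: NextHopList) -> str:
    """Apply the PBR policy: private destinations take the regular path, everything else a tunnel."""
    addr = ipaddress.ip_address(destination)
    if any(addr in net for net in PRIVATE_SUBNETS):
        return "regular-path"
    tunnel = nexthops.select()
    return tunnel.name if tunnel else "no-tunnel-up"


def failover_sequence(preemptive: bool) -> List[str]:
    """Primary up -> primary down -> primary back up; return the tunnel chosen at each step."""
    primary = Tunnel("santaclara-primary_gpcs", priority=1)
    backup = Tunnel("santaclara-backup_gpcs", priority=2)
    nexthops = NextHopList([backup, primary], preemptive=preemptive)
    chosen = [route("8.8.8.8", nexthops)]  # constructed internet-bound destination
    primary.up = False
    chosen.append(route("8.8.8.8", nexthops))
    primary.up = True
    chosen.append(route("8.8.8.8", nexthops))
    return chosen


if __name__ == "__main__":
    print("preemptive:    ", failover_sequence(True))
    print("non-preemptive:", failover_sequence(False))
    single = NextHopList([Tunnel("santaclara-primary_gpcs", 1)])
    print("10.1.2.3     ->", route("10.1.2.3", single))
    print("192.168.1.10 ->", route("192.168.1.10", single))  # not in the alias, so it goes to Prisma Access
```

With Preemptive-failover selected, traffic returns to the primary tunnel as soon as it is up again; without it, the backup keeps carrying traffic until it fails in turn. The 192.168.1.10 lookup is the case to watch for in your own alias definition.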
