1. Home
    2. Prisma
    3. Prisma Access
    4. Prisma Access (Cloud Management)
    5. Third-Party SD-WAN Integration
    6. VMware SD-WAN by VeloCloud Solution Guide
    7. Configure the VeloCloud Remote Network

    Configure the VeloCloud Remote Network

    The following section describes the steps you perform to integrate a VeloCloud SD-WAN with Prisma Access, including an overview of the VeloCloud-Prisma Access integration.

    Secure VeloCloud SD-WAN with Prisma Access Overview

    To onboard a VeloCloud SD-WAN with Prisma Access, you configure a remote network tunnel in Prisma Access. The VeloCloud SD-WAN device sends traffic through the remote network to Prisma Access, which allows Prisma Access to protect your internet-directed traffic, including resources such as SaaS applications or publicly accessible partner applications.
    You can secure VeloCloud SD-WAN deployments by onboarding the remote network using the VeloCloud Edge device or VeloCloud Gateway.
    VeloCloud edge devices are plug and play devices that you can install in remote sites. You can connect one or more devices to an aggregation point, known as an
    SD-WAN headend
    . Use a VeloCloud gateway as the SD-WAN headend.
    In the VeloCloud SD-WAN fabric, you can configure multiple sites that connect to one gateway, a single site to connect to one gateway, or multiple sites that connect to multiple gateways, as shown in the following figure.
    You can connect one or more remote network connections to a cloud headend. To simplify setup, specify static routing and configure a separate subnet for each remote network location you onboard.
    Size the bandwidth of the remote network connection based on the traffic from the branches that are connected to the cloud headend. You can scale the VeloCloud SD-WAN with Prisma Access in multiple ways; for example, you can connect multiple gateways to one remote network, or connect one gateway to multiple remote networks.
    Prisma Access protects your internet-based resources, including SaaS applications and content. The following figure shows a sample VeloCloud gateway-Prisma Access deployment.

    Configure the Remote Network Connection in Prisma Access

    To begin configuration of a VeloCloud-Prisma Access deployment, create the Prisma Access remote network connection and configure IKE and IPSec parameters for the IPSec tunnel between Prisma Access and VeloCloud.
    This procedure assumes that you have already completed the following prerequisites:
    • You have made a note of the subnets you will use for each remote network gateway.
    • You have made a note of the IP address for the VeloCloud SD-WAN device. You obtain this information from the VMware SD-WAN Orchestrator.
      You use the IP address of the gateway address to configure the IKE gateway.
      • Choose a
        Prisma Access Location
         that is close to the remote network location that you want to onboard.
      • When creating the IPSec tunnel, use a
        Branch Device Type
         of
        Other Devices
        .
      • Enter a
        Static IP
         address that matches the VeloCloud SD-WAN device’s IP address.
        You obtain this address from the VMware SD-WAN Orchestrator.
      • Enter a
        Pre-shared key
         for symmetric authentication across the tunnel.
      • Choose a
        Local Identification
         of
        None
         and an
        IKE Peer Identification
         of
        FQDN (hostname)
        ; then, enter an FQDN.
        Make a note of the of the
        Pre-Shared key
         and
        FQDN
         that you use for the
        Peer Identification
        ; you match these settings when you configure the VeloCloud cloud gateway.
    2. Select
      IPSec Advanced Options
       and
      Create New
       to create a new IPSec crypto profile for the remote network tunnel using the recommended settings.
    3. Select
      IKE Advanced Options
       and
      Create New
       to create a new IKE cryptographic profile for the remote network tunnel.
      • Be sure to use crypto values that are supported with Velocloud and make a note of the values you use.
      • Enable
        IKE NAT Traversal
         (Enabled by default).
    4. Set up routing for the remote network.
      Set Up
       Routing and
      Add
       the IP subnets for Static Routing.
      Add
       a
      Branch IP Subnet
      Choose Static Routing and
      Add
       a subnet you have reserved for this remote network connection.
    5. Push your configuration changes.
      1. Return to
        Manage
        Service Setup
        Remote Networks
         and select
        Push Config
        Push
        .
      2. Select
        Remote Networks
        .
      3. Push
         your changes.
    6. Make a note of the
      Service IP
       of the Prisma Access side of the tunnel. To find this address in Cloud Managed Prisma Access, select
      Manage
      Service Setup
      Remote Networks
      , click the
      Remote Networks
      . Look for the
      Service IP
       field corresponding to the remote network configuration you created.

    Configure the Remote Network Connection for VeloCloud Edge Devices

    Use the following procedure to configure the IPSec tunnel on the VeloCloud edge device to complete the remote network connection.
    1. Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
    2. Select
      Configure
      Network Services
      .
    3. In the
      Cloud Security Services
       area, click
      New
       to create a new service.
    4. Enter the following values in the New Cloud Security Provider window that displays:
      • Enter a
        Service Name
         to identify this configuration.
      • Select a
        Service Type
         of
        Generic Cloud Security Service
        .
      • For the
        Primary Point-of-Presence
        , enter the
        Service IP
         you retrieved from Prisma Access.
    5. Click
      Add
       to save and add the configuration.
    6. Select
      Configure
      Profile
       and set
      Cloud Security Service
       to
      On
      ; then, select the
      Hash
      ,
      Encryption
      , and
      Key Exchange Protocol
       to the settings you configured for the remote network tunnel in Prisma Access.
    7. Select
      Configure
      Edge
       and complete the following steps:
      1. Set
        Cloud Security Service
         to
        On
        .
      2. Select the radio button to
        Redirect all internet bound traffic to Cloud Security Service
        .
      3. Select the
        Hash
        ,
        Encryption
        , and
        Key Exchange Protocol
         to match the settings you configured for the remote network tunnel in Prisma Access.
      4. Enter the
        FQDN
         and pre-shared key (
        PSK
        ) to match the FQDN and PSK you entered in Prisma Access.
    8. Verify the status of the remote network tunnel.
      • To view tunnel status in the VMware SD-WAN Orchestrator, select
        Monitor
        Edge
         in the VMware SD-WAN Orchestrator and viewing the information in the fields that display.
      • To view traffic and application statistics, select the
        Transport and Applications
         tab, then select
        Monitor
        Edge
        .

    Configure the Remote Network Connection for VeloCloud Gateways

    Use the following procedure to configure the IPSec tunnel on the VeloCloud edge gateway to enable the remote network connection.
    1. Establish connectivity from the VeloCloud gateway to Prisma Access.
      1. Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
      2. Select
        Configure
        Network Services
        .
      3. Select
        New
         in the
        Non-VeloCloud Sites
         to create a new site.
      4. Enter a
        Name
         for the site and select a
        Type
         of
        Palo Alto
        .
      5. For the
        Primary VPN Gateway
        , enter the
        Service IP
         you retrieved from Prisma Access.
      6. Click
        Next
        .
        VeloCloud creates the site and generates the IKE and IPSec configuration (including pre-shared key) for the site.
      7. Click
        Advanced
         and update the IKE and IPSec parameters and add the
        Site Subnets
         that you will protect with Prisma Access.
      8. Make sure that you have selected
        Enable Tunnel(s)
        ; then,
        Save Changes
        .
        To view the detailed IKE and IPSec parameters and the public IP address used by the VeloCloud gateway, click
        View IKE IPSec Template
        . The public IP address displays in the
        Local Identification : IP address :
        area.
    2. Verify the status of the remote network connection between the VeloCloud gateway and Prisma Access by selecting
      Monitor
      Network Services
      . A
      Status
       in green indicates that the connection has been successfully established.
    3. Configure the customer profile to service-chain the Non-VeloCloud site to the customer’s SD-WAN.
      1. Select
        Configure
        Profiles
        Profile-Name
        , where
        Profile-Name
         is the customer’s profile, then click the
        Device
         tab.
      2. Enable the
        Cloud VPN
         feature to turn on VPN connectivity from the Branch and Data Center sites.
      3. In the
        Branch to Non-VeloCloud Site
         section, select
        Enable
        ; then, select the Prisma Access site you created in Step 1.
    4. Save your changes.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo