Integrate Prisma Access with VMware SD-WAN by VeloCloud

Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)

What Do I Need?
  • Subnets you will use for each remote network gateway
  • IP address of the VeloCloud SD-WAN device. You use this gateway IP address to configure the IKE gateway. Obtain this information from the VMware SD-WAN Orchestrator.
To onboard a VeloCloud SD-WAN with Prisma Access, you configure a remote network tunnel in Prisma Access. The VeloCloud SD-WAN device sends traffic through the remote network to Prisma Access, which allows Prisma Access to protect your internet-directed traffic, including resources such as SaaS applications or publicly accessible partner applications.
You can secure VeloCloud SD-WAN deployments by onboarding the remote network using the VeloCloud Edge device or VeloCloud Gateway.
VeloCloud edge devices are plug-and-play devices that you can install in remote sites. You can connect one or more devices to an aggregation point, known as an SD-WAN headend. Use a VeloCloud gateway as the SD-WAN headend.
In the VeloCloud SD-WAN fabric, you can configure multiple sites that connect to one gateway, a single site to connect to one gateway, or multiple sites that connect to multiple gateways, as shown in the following figure.
You can connect one or more remote network connections to a cloud headend. To simplify setup, specify static routing and configure a separate subnet for each remote network location you onboard.
Size the bandwidth of the remote network connection based on the traffic from the branches that are connected to the cloud headend. You can scale the VeloCloud SD-WAN with Prisma Access in multiple ways; for example, you can connect multiple gateways to one remote network, or connect one gateway to multiple remote networks.
Prisma Access protects your internet-based resources, including SaaS applications and content. The following figure shows a sample VeloCloud gateway-Prisma Access deployment.

Cloud Management

To begin configuration of a VeloCloud-Prisma Access deployment, create the Prisma Access remote network connection and configure IKE and IPSec parameters for the IPSec tunnel between Prisma Access and VeloCloud.
  1. Connect a remote network site to Prisma Access.
    • Choose a Prisma Access Location that is close to the remote network location that you want to onboard.
    • When creating the IPSec tunnel, use a Branch Device Type of Other Devices.
    • Enter a Static IP address that matches the VeloCloud SD-WAN device’s IP address. You obtain this address from the VMware SD-WAN Orchestrator.
    • Enter a Pre-shared key for symmetric authentication across the tunnel.
    • Choose a Local Identification of None and an IKE Peer Identification of FQDN (hostname); then, enter an FQDN.
      Make a note of the Pre-Shared key and FQDN that you use for the Peer Identification; you match these settings when you configure the VeloCloud cloud gateway.
  2. Select IPSec Advanced Options and Create New to create a new IPSec crypto profile for the remote network tunnel using the recommended settings.
  3. Select IKE Advanced Options and Create New to create a new IKE cryptographic profile for the remote network tunnel.
    • Be sure to use crypto values that are supported with VeloCloud and make a note of the values you use.
    • Enable IKE NAT Traversal (enabled by default).
  4. Set up routing for the remote network.
    Set Up Routing and Add the IP subnets for Static Routing. Add a Branch IP Subnet: choose Static Routing and Add a subnet you have reserved for this remote network connection.
  5. Push your configuration changes.
    1. Return to Manage > Service Setup > Remote Networks and select Push Config > Push.
    2. Select Remote Networks.
    3. Push your changes.
  6. Make a note of the Service IP of the Prisma Access side of the tunnel. To find this address in Prisma Access (Cloud Management), select Manage > Service Setup > Remote Networks, click the Remote Networks, and look for the Service IP field corresponding to the remote network configuration you created.

Configure the Remote Network Connection for VeloCloud Edge Devices

Use the following procedure to configure the IPSec tunnel on the VeloCloud edge device to complete the remote network connection.
  1. Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
  2. Select Configure > Network Services.
  3. In the Cloud Security Services area, click New to create a new service.
  4. Enter the following values in the New Cloud Security Provider window that displays:
    • Enter a Service Name to identify this configuration.
    • Select a Service Type of Generic Cloud Security Service.
    • For the Primary Point-of-Presence, enter the Service IP you retrieved from Prisma Access.
  5. Click Add to save and add the configuration.
  6. Select Configure > Profile and set Cloud Security Service to On; then, set the Hash, Encryption, and Key Exchange Protocol to the settings you configured for the remote network tunnel in Prisma Access.
  7. Select Configure > Edge and complete the following steps:
    1. Set Cloud Security Service to On.
    2. Select the radio button to Redirect all internet bound traffic to Cloud Security Service.
    3. Select the Hash, Encryption, and Key Exchange Protocol to match the settings you configured for the remote network tunnel in Prisma Access.
    4. Enter the FQDN and pre-shared key (PSK) to match the FQDN and PSK you entered in Prisma Access.
  8. Verify the status of the remote network tunnel.
    • To view tunnel status in the VMware SD-WAN Orchestrator, select Monitor > Edge and view the information in the fields that display.
    • To view traffic and application statistics, select the Transport and Applications tab, then select Monitor > Edge.

Configure the Remote Network Connection for VeloCloud Gateways

Use the following procedure to configure the IPSec tunnel on the VeloCloud edge gateway to enable the remote network connection.
  1. Establish connectivity from the VeloCloud gateway to Prisma Access.
    1. Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
    2. Select Configure > Network Services.
    3. Select New in the Non-VeloCloud Sites area to create a new site.
    4. Enter a Name for the site and select a Type of Palo Alto.
    5. For the Primary VPN Gateway, enter the Service IP you retrieved from Prisma Access.
    6. Click Next.
      VeloCloud creates the site and generates the IKE and IPSec configuration (including pre-shared key) for the site.
    7. Click Advanced, update the IKE and IPSec parameters, and add the Site Subnets that you will protect with Prisma Access.
    8. Make sure that you have selected Enable Tunnel(s); then, Save Changes.
      To view the detailed IKE and IPSec parameters and the public IP address used by the VeloCloud gateway, click View IKE IPSec Template. The public IP address displays in the Local Identification : IP address : area.
  2. Verify the status of the remote network connection between the VeloCloud gateway and Prisma Access by selecting Monitor > Network Services. A Status in green indicates that the connection has been successfully established.
  3. Configure the customer profile to service-chain the Non-VeloCloud site to the customer’s SD-WAN.
    1. Select Configure > Profiles > Profile-Name, where Profile-Name is the customer’s profile, then click the Device tab.
    2. Enable the Cloud VPN feature to turn on VPN connectivity from the Branch and Data Center sites.
    3. In the Branch to Non-VeloCloud Site section, select Enable; then, select the Prisma Access site you created in Step 1.
  4. Save your changes.

Troubleshoot the VeloCloud SD-WAN Remote Network

Use the following resources to troubleshoot issues with VeloCloud-Prisma Access deployments.
  • Prisma Access troubleshooting—Check the status and the logs in Prisma Access.
    • Go to Manage > Service Setup > Remote Networks and check the Status of the tunnel.
    • Go to Activity > Log Viewer and check the Common/System logs for IPSec- and IKE-related messages.
      To view VPN-related messages, set the filter to sub_type.value = vpn.
      The message ignoring unauthenticated notify payload indicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already occurred.
    • Check the Firewall/Traffic logs and view the messages that are coming from the zone that has the same name as the remote network. In the logs, the remote network name is used as the source zone.
  • VeloCloud troubleshooting—In the VMware SD-WAN Orchestrator, select Monitor > Events. The following example shows a timeout error; this type of error can indicate mismatching proposals or a gateway connectivity error. The values to check are provided in the message text.
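As an added example, not part of the Prisma Access documentation, the following script applies the same sub_type.value = vpn filter described above to an exported set of system log lines and flags the messages worth acting on, including the ignoring unauthenticated notify payload message with the explanation given above. The CSV layout, the tunnel names and the log lines are constructed for this example; the two generic hints for timeout and failed-negotiation messages are assumptions of this example, not product text.

```python
"""Triage exported Prisma Access system log lines for IKE/IPSec problems.

Added example, not Prisma Access code. The export format below is a
constructed, simplified CSV (receive_time,type,subtype,object,description)
standing in for a Log Viewer export; adapt the column names to a real export.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample export: two healthy vpn lines, two that need attention,
# and one non-vpn line that the subtype filter must drop.
SAMPLE_EXPORT = """receive_time,type,subtype,object,description
2024/05/01 10:00:01,SYSTEM,vpn,rn-velo-gw-1,IKE phase-1 negotiation succeeded
2024/05/01 10:00:02,SYSTEM,vpn,rn-velo-gw-1,IPSec tunnel established
2024/05/01 10:05:15,SYSTEM,vpn,rn-velo-gw-1,ignoring unauthenticated notify payload
2024/05/01 10:06:00,SYSTEM,vpn,rn-velo-gw-2,IKE negotiation timeout with peer
2024/05/01 10:06:30,SYSTEM,general,mgmt,configuration committed
"""

# (pattern, severity, hint). The first hint is the explanation the Prisma Access
# documentation gives for that message; the other two are generic IKE
# troubleshooting hints assumed for this example, not product text.
RULES = [
    (re.compile(r"ignoring unauthenticated notify payload", re.I), "warn",
     "the route for this tunnel has not been added to the crypto map / site subnets "
     "on the other side after IPSec negotiation already completed"),
    (re.compile(r"timeout", re.I), "error",
     "negotiation timed out: check for mismatching proposals or a gateway connectivity error"),
    (re.compile(r"negotiation (is )?failed", re.I), "error",
     "negotiation failed: compare hash, encryption, DH group, IKE version and PSK on both sides"),
]


def triage(export_text: str, subtype: str = "vpn") -> list[dict]:
    """Return one finding per log line that matches a rule, in log order."""
    findings: list[dict] = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["subtype"] != subtype:  # equivalent of the sub_type.value = vpn filter
            continue
        for pattern, severity, hint in RULES:
            if pattern.search(row["description"]):
                findings.append({
                    "time": row["receive_time"],
                    "tunnel": row["object"],   # remote network / tunnel the message belongs to
                    "severity": severity,
                    "message": row["description"],
                    "hint": hint,
                })
                break  # first matching rule wins
    return findings


def summarize(findings: list[dict]) -> Counter:
    """Count findings per (tunnel, severity) so a noisy tunnel stands out."""
    return Counter((f["tunnel"], f["severity"]) for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_EXPORT)
    for f in results:
        print(f"{f['time']} {f['tunnel']:<14} {f['severity']:<5} {f['message']}")
        print(f"    -> {f['hint']}")
    print(dict(summarize(results)))
```

Run it against a real export by reading the file into a string and passing it to triage(); the RULES list is the place to add further message patterns as you encounter them.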

Panorama

To begin the configuration of a VeloCloud-Prisma Access deployment, use Panorama to create the IKE and IPSec parameters and then create the Prisma Access remote network connection.
This procedure assumes that you have already completed the following prerequisites:
  • You have activated and installed Prisma Access.
  • You have logged into Panorama and created an Infrastructure subnet for Prisma Access, using a subnet that does not overlap with your existing network subnets.
  • You have created trusted and untrusted zones and used zone mapping to map those zones for your deployment.
  • You have made a note of the subnets you will use for each remote network gateway.
  • You have made a note of the IP address for the VeloCloud SD-WAN device, which you obtain from the VMware SD-WAN Orchestrator. You use this gateway IP address to configure the IKE gateway.
  1. Create IKE and IPSec Crypto profiles and an IKE gateway for the remote network connection you will create.
    You will use these profiles to provide connectivity between Prisma Access and the VeloCloud SD-WAN device.
    1. Select Network > Network Profiles > IKE Crypto and Add an IKE crypto profile for the IPSec tunnel.
      Make sure you have selected the Template of Remote_Network_Template before starting this task.
    2. Give the profile a name and specify IKE settings.
      Make a note of these settings; you specify the same settings when you configure the VeloCloud SD-WAN device.
    3. Select Network > Network Profiles > IPSec Crypto and Add a new IPSec crypto profile.
    4. Specify a name for the profile and specify IPSec crypto parameters.
      Make a note of these settings; you specify the same settings when you configure the VeloCloud SD-WAN device.
    5. Select Network > Network Profiles > IKE Gateways and Add a new IKE gateway.
    6. Specify a Name and Version.
    7. Enter a Peer IP Address that matches the VeloCloud SD-WAN device’s IP address. You obtain this address from the VMware SD-WAN Orchestrator.
    8. Enter a Pre-shared key for symmetric authentication across the tunnel.
    9. Choose a Local Identification of None and a Peer Identification of FQDN (hostname); then, enter an FQDN.
      Make a note of the Pre-Shared key and FQDN that you use for the Peer Identification; you match these settings when you configure the VeloCloud cloud gateway.
    10. Configure Advanced Options:
      • Enable NAT Traversal.
      • Set the Exchange Mode to Auto so the gateway can accept both main mode and aggressive mode requests, or let the gateway initiate negotiation and allow exchanges in main mode.
      • Select the IKE Crypto Profile you created in step 1.a.
    11. Select Network > IPSec Tunnels and Add an IPSec tunnel.
    12. Select the IKE Gateway and IPSec Crypto Profile you created earlier in this task.
  2. Select Panorama > Cloud Services > Configuration > Remote Networks and Add a new remote network connection, specifying the following values:
    • Give the remote network connection a unique Name.
    • Specify a Location that is close to the VeloCloud SD-WAN device.
    • Specify the IPSec Tunnel you created in step 1.k.
    • In the Static Routes tab, Add the Branch IP Subnets you have reserved for this remote network connection.
  3. Commit the configuration changes to Panorama and push the configuration out to Prisma Access for remote networks.
    1. Click Commit > Commit and Push.
    2. Click Edit Selections > Prisma Access, and select both Prisma Access for remote networks and Prisma Access for service setup to push the configuration out to the service.
      Pushing the GlobalProtect cloud service for service setup is only required if you made changes to the service setup (for example, you added the Infrastructure subnet).
    3. Click OK, then Commit and Push.
      Prisma Access displays a success page after the commit succeeds.
  4. Make a note of the Service IP address of the Prisma Access side of the tunnel. To find this address in Panorama, select Panorama > Cloud Services > Status > Network Details, select Remote Networks, and find the Service IP Address.
    You use the Service IP Address as the Peer IP address when you configure the IPSec tunnel in the VeloCloud SD-WAN device.

Configure the Remote Network Connection for VeloCloud Edge Devices

Use the following procedure to configure the IPSec tunnel on the VeloCloud edge device to complete the remote network connection.
  1. Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
  2. Select Configure > Network Services.
  3. In the Cloud Security Services area, click New to create a new service.
  4. Enter the following values in the New Cloud Security Provider window that displays:
    • Enter a Service Name to identify this configuration.
    • Select a Service Type of Generic Cloud Security Service.
    • For the Primary Point-of-Presence, enter the Service IP Address you retrieved from Prisma Access.
  5. Click Add to save and add the configuration.
  6. Select Configure > Profile and set Cloud Security Service to On; then, set the Hash, Encryption, and Key Exchange Protocol to the settings you configured for the remote network tunnel in Prisma Access.
  7. Select Configure > Edge and complete the following steps:
    1. Set Cloud Security Service to On.
    2. Select the radio button to Redirect all internet bound traffic to Cloud Security Service.
    3. Select the Hash, Encryption, and Key Exchange Protocol to match the settings you configured for the remote network tunnel in Prisma Access.
    4. Enter the FQDN and pre-shared key (PSK) to match the FQDN and PSK you entered in Prisma Access.
  8. Verify the status of the remote network tunnel.
    • To view tunnel status in the VMware SD-WAN Orchestrator, select Monitor > Edge and view the information in the fields that display.
    • To view traffic and application statistics, select the Transport and Applications tab, then select Monitor > Edge.
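Steps 6 and 7 above (and the corresponding steps in the Cloud Management procedure earlier on this page) require the VeloCloud values to match what was configured on the Prisma Access remote network; a mismatch in any one of them shows up only as a failed or timed-out negotiation. The following added example, which is not Prisma Access or VeloCloud code, records both sides' values and reports every mismatch before the tunnel is brought up. The field names, the alias table, the 203.0.113.10 address and the placeholder PSK are constructed assumptions for this example.

```python
"""Pre-flight check that the IKE/IPSec values entered on the VeloCloud side
match what was configured on the Prisma Access remote network.

Added example, not Prisma Access or VeloCloud code. The dataclass fields,
the alias table and the sample values are assumptions made for illustration.
"""
from dataclasses import dataclass
import hmac

# Different UIs spell the same algorithm differently; map each spelling to one
# canonical token before comparing (assumed aliases, extend as needed).
_ALIASES = {
    "aes256": "aes-256-cbc", "aes-256": "aes-256-cbc", "aes-256-cbc": "aes-256-cbc",
    "aes128": "aes-128-cbc", "aes-128": "aes-128-cbc", "aes-128-cbc": "aes-128-cbc",
    "sha256": "sha256", "sha-256": "sha256", "sha2-256": "sha256",
    "sha1": "sha1", "sha-1": "sha1",
    "group14": "group14", "dh14": "group14", "14": "group14", "group-14": "group14",
    "group2": "group2", "dh2": "group2", "2": "group2",
    "ikev2": "ikev2", "v2": "ikev2", "ikev1": "ikev1", "v1": "ikev1",
}


def normalize(value: str) -> str:
    """Lower-case, trim and resolve known aliases so 'AES256' equals 'aes-256-cbc'."""
    key = value.strip().lower()
    return _ALIASES.get(key, key)


@dataclass
class TunnelSide:
    name: str
    service_ip: str    # Prisma Access Service IP; VeloCloud Primary Point-of-Presence
    peer_fqdn: str     # Prisma Access IKE Peer Identification; VeloCloud FQDN
    psk: str           # pre-shared key entered on this side
    ike_version: str   # Key Exchange Protocol
    encryption: str
    hash_alg: str
    dh_group: str
    nat_traversal: bool = True


def compare_tunnel_settings(prisma: TunnelSide, velo: TunnelSide) -> list[str]:
    """Return human-readable mismatches; an empty list means the two sides agree."""
    problems: list[str] = []
    for attr in ("ike_version", "encryption", "hash_alg", "dh_group"):
        a, b = getattr(prisma, attr), getattr(velo, attr)
        if normalize(a) != normalize(b):
            problems.append(f"{attr}: {prisma.name}={a!r} vs {velo.name}={b!r}")
    if prisma.service_ip != velo.service_ip:
        problems.append(f"service_ip: {prisma.name}={prisma.service_ip} vs {velo.name}={velo.service_ip}")
    # FQDN identities are case-insensitive and a trailing dot names the same host.
    if prisma.peer_fqdn.lower().rstrip(".") != velo.peer_fqdn.lower().rstrip("."):
        problems.append(f"peer_fqdn: {prisma.name}={prisma.peer_fqdn!r} vs {velo.name}={velo.peer_fqdn!r}")
    # Constant-time comparison, and the secret itself is never written to the report.
    if not hmac.compare_digest(prisma.psk.encode(), velo.psk.encode()):
        problems.append("psk: values differ (not shown)")
    if not (prisma.nat_traversal and velo.nat_traversal):
        problems.append("nat_traversal: must be enabled on both sides")
    return problems


def sample_sides() -> tuple[TunnelSide, TunnelSide]:
    """Constructed sample: spelling differences that are fine, two real mismatches."""
    prisma = TunnelSide("Prisma Access", "203.0.113.10", "branch1.example.com",
                        "psk-placeholder", "ikev2", "aes-256-cbc", "sha256", "group14")
    velo = TunnelSide("VeloCloud", "203.0.113.10", "BRANCH1.example.com.",
                      "psk-placeholder", "IKEv2", "AES256", "SHA1", "2")
    return prisma, velo


if __name__ == "__main__":
    for line in compare_tunnel_settings(*sample_sides()) or ["no mismatches"]:
        print(line)
```

The sample run reports only the hash and DH group, because the IKE version and encryption differ only in spelling and the FQDNs differ only in case and trailing dot; that is the distinction a reviewer needs when comparing two screenshots of two vendors' UIs.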

Configure the Remote Network Connection for VeloCloud Gateways

Use the following procedure to configure the IPSec tunnel on the VeloCloud edge gateway to enable the remote network connection.
  1. Establish connectivity from the VeloCloud gateway to Prisma Access.
    1. Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
    2. Select Configure > Network Services.
    3. Select New in the Non-VeloCloud Sites area to create a new site.
    4. Enter a Name for the site and select a Type of Palo Alto.
    5. For the Primary VPN Gateway, enter the Service IP Address you retrieved from Prisma Access.
    6. Click Next.
      VeloCloud creates the site and generates the IKE and IPSec configuration (including pre-shared key) for the site.
    7. Click Advanced, update the IKE and IPSec parameters, and add the Site Subnets that you will protect with Prisma Access.
    8. Make sure that you have selected Enable Tunnel(s); then, Save Changes.
      To view the detailed IKE and IPSec parameters and the public IP address used by the VeloCloud gateway, click View IKE IPSec Template. The public IP address displays in the Local Identification : IP address : area.
  2. Verify the status of the remote network connection between the VeloCloud gateway and Prisma Access by selecting Monitor > Network Services. A Status in green indicates that the connection has been successfully established.
  3. Configure the customer profile to service-chain the Non-VeloCloud site to the customer’s SD-WAN.
    1. Select Configure > Profiles > Profile-Name, where Profile-Name is the customer’s profile, then click the Device tab.
    2. Enable the Cloud VPN feature to turn on VPN connectivity from the Branch and data center sites.
    3. In the Branch to Non-VeloCloud Site section, select Enable; then, select the Prisma Access site you created in step 1.
  4. Save your changes.