Integrate Prisma Access with Cisco Catalyst SD-WAN
Learn how to integrate Prisma Access automatically with Cisco Catalyst SD-WAN.
Where Can I Use This?
  • Prisma Access (Cloud Management)
What Do I Need?
  • Minimum Required Prisma Access Version: 2.1 Preferred or a later version
You can onboard a remote network using IPSec tunnels between Cisco Catalyst SD-WAN, formerly known as Viptela SD-WAN, and Prisma Access automatically or manually. When you enable a Cisco Catalyst SD-WAN for the integration, Prisma Access creates a remote network for each device using primary tunnels. Prisma Access identifies eligible interfaces on the Cisco Catalyst SD-WAN devices, and automatically selects the interface to onboard the remote network using the tunnel.
If there are multiple eligible interfaces, Prisma Access selects one automatically and builds the tunnels. If you want to choose the interface yourself, tag the Cisco Catalyst SD-WAN device with the interface name in the following syntax:
PA-<Interface_Name>
The tag isn't case-sensitive. Tag the device in Cisco vManage before you enable the connection. If the interface name that you tag isn't eligible for the integration, Prisma Access selects an interface automatically.
To onboard the Cisco Catalyst SD-WAN networks manually, see Integrate Prisma Access with Catalyst SD-WAN (Manual Integration).
Ensure you meet the following requirements before you integrate Prisma Access with Cisco Catalyst SD-WAN:
Product: Prisma Access
Requirements:
  • Update your Prisma Access to version 2.1 Preferred or a later version.
    • Migrate remote networks to the aggregate bandwidth model.
    • Activate a bandwidth license per compute location.
Product: Cisco Catalyst SD-WAN
Requirements:
  • Active cloud-hosted Cisco Catalyst SD-WAN instance
  • Active subscription to the Cisco vManage dashboard to manage the Cisco Catalyst SD-WAN devices
  • At least one eligible interface on the device for tunnel formation with Prisma Access
  • Only the following interfaces are eligible for the integration:
    • Interfaces with VPN ID 0
    • Interfaces with a valid IP address
    • Interfaces of type iana-iftype-ethernet-csmacd
  • Device templates with devices assigned to the template
  • Service VPNs configured on the device templates for non-VPN 0 and VPN 512 ports
For use with Prisma Access, the Cisco Catalyst SD-WAN automatic integration supports only the deployment architecture in which you secure traffic from each branch site over one WAN link (Type 1):
For any other deployment architecture, use the manual integration workflow.
Before you begin, ensure that you have configured the Cisco Catalyst SD-WAN interfaces and attached them to devices according to the requirements above. To secure a Cisco Catalyst SD-WAN with Prisma Access, complete the following steps.
  1. If you have not already, allocate bandwidth for Prisma Access locations.
    1. Go to Settings > Prisma Access Setup > Remote Networks > Bandwidth Management.
    2. Edit the Assigned Bandwidth for the remote network's compute location.
    3. Push the changes.
  2. Go to the Cisco Catalyst SD-WAN Integration with Prisma Access settings.
    1. Select Workflows > Integrations > Prisma Access.
    2. Locate the Cisco Catalyst SD-WAN Integration with Prisma Access application.
      Contact your Palo Alto Networks account representative if you don't see this integration option.
  3. Enter the information needed to check the connectivity between Prisma Access and Cisco Catalyst SD-WAN by editing the Settings.
    1. Enter the hostname, username, and password.
    2. Enter the PSK Seed, which is a string used to derive pre-shared keys (PSKs) per tunnel.
    3. (Optional) Enter an FQDN IKE identifier as the Local Identifier in the following syntax:
      name@domain.com
      This identifier acts as a template to generate a unique ID per tunnel.
    4. (Optional) Enter an FQDN IKE identifier different from the local identifier as the Remote Identifier in the following syntax:
      name@domain.com
    5. Set the Admin State to Enabled.
      You can set Admin State to one of the following modes:
      • Enabled: Enables the integration to discover new devices on Cisco Catalyst SD-WAN that are eligible for tunnel formation with Prisma Access. Additionally, this verifies the current configurations.
      • Disabled: Disables the integration and removes all configurations created in Prisma Access and in Cisco Catalyst SD-WAN when a connection was set up between them.
      • Paused: When you pause the integration, you can no longer add new devices or remove any unconfigured devices. However, the current configurations don't change.
    6. Check Connectivity to verify the connection.
    7. Save the changes.
      Every time you change settings or configurations, you must Check Connectivity before you can Save the changes.
      After you save the changes, you can see the Cisco Catalyst SD-WAN networks eligible for tunnel formation with Prisma Access in Discovered Sites. Cisco Catalyst SD-WAN networks are displayed as sites here. It might take some time for the discovered sites to appear.
  4. Establish the tunnel setup between Prisma Access and the Cisco Catalyst SD-WAN devices.
    1. View the discovered Cisco Catalyst SD-WAN networks and their information by clicking the site count.
      The integration checks for new Cisco Catalyst SD-WAN networks regularly. You can also initiate an on-demand site discovery.
    2. (Optional) Select the nearest Prisma Access Location for the networks.
    3. (Optional) Select an IPSec Termination Node for each site.
      If you select the same Prisma Access location for multiple networks, allocate the bandwidth equally by selecting different IPSec termination nodes for the networks that share that Prisma Access location.
      The integration assigns the Prisma Access location and IPSec termination node automatically. However, you can choose another Prisma Access location or IPSec termination node if needed.
    4. Select the Cisco Catalyst SD-WAN device and toggle the Enable option to establish a tunnel with Prisma Access.
    5. Update the changes.
      You can view all the Enabled Sites and Configured Sites in the Cisco Catalyst SD-WAN Integration with Prisma Access application.
      When you click a site count, the hyperlink takes you to a list of sites filtered by that count. For example, if you click the site count of enabled sites, the list shows only the sites that are enabled, not all discovered sites.
  5. Verify the changes in Prisma Access.
    1. Go to Workflows > Prisma Access Setup > Remote Networks.
      Alternatively, you can click Remote Networks - Cisco Catalyst SD-WAN Integration with Prisma Access >.
      Verify the tunnel status. The integration creates remote networks automatically, with names in the following syntax:
      AUTO-CATALYST-Device_Name
      The configuration status of the Cisco Catalyst SD-WAN devices takes some time to become In sync.
    2. View the IPSec Tunnel, IKE Gateway, IKE Crypto profile, and IPSec Crypto profile details.
      Select the remote network site to view these details.
      IPSec Tunnel details:
    3. Select Incidents and Alerts > Log Viewer > Common > Audit to view the Cisco Catalyst SD-WAN Integration with Prisma Access logs.
      The logs specify whether the changes were made in Prisma Access or in Cisco Catalyst SD-WAN.
    4. (Optional) In the Cisco Catalyst SD-WAN integration app, view information, errors, or warnings in Messages.
      See Troubleshoot Integration Errors to troubleshoot more errors.
  6. Verify the Cisco Catalyst SD-WAN configurations in Cisco vManage.
    1. Log in to the Cisco SD-WAN dashboard, and select Monitor > Devices.
    2. Select Configuration > Templates > Feature Templates.
      The integration creates secure internet gateway (SIG) templates. The SIG template stores the details of the IPSec tunnel and the IKE values. Don't update these SIG templates manually.
      If multiple devices are part of a device template, configure all of them for tunnel formation with Prisma Access.
    3. Check the running configuration for the interfaces.
      In Cisco vManage, select Configuration > Devices > WAN Edge List.
      View the Running Configuration of the corresponding devices.
      When you have multiple devices under a device template, the devices that are not enabled will have dummy values.
      To enable connectivity with Prisma Access on only some of the devices in a device template, and avoid dummy values on the others, move the devices you want to enable to a separate device template and enable connectivity for each device in that template. If you enable devices that have dummy values, Prisma Access overwrites the dummy values with the tunnel configuration values. Prisma Access populates dummy values for the description, tunnel source interface, tunnel destination, pre-shared secret, and IKE local ID.
      If you add a new device to a device template that has a SIG, configure a few dummy values and attach the device to the device template. After the integration discovers this device, enable it.
  7. Verify the tunnel status in Cisco vManage.
    Log in to the Cisco SD-WAN dashboard, and select Monitor > Devices. Select the device and view the Interface. Verify the admin status and operational status of the tunnel that was auto-created for this device.

Customize Tunnel Source Interface Selection

By default, Prisma Access scans for devices and identifies interfaces from the Cisco Catalyst devices that are eligible to form tunnels with Prisma Access. It selects an eligible interface and uses that interface as the tunnel source interface. However, you can also customize the interface selection.
  1. In Cisco vManage, select Configuration > Devices.
  2. Add a tag to the device on which you want to select the interface.
    The syntax for the tag name is:
    PA-<Interface_Name>
    If the interface named in the tag isn't eligible for the integration, Prisma Access selects an interface automatically. Tag the device in Cisco vManage before you enable the connection.
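The interface-eligibility rules from the requirements table (VPN ID 0, valid IP address, iana-iftype-ethernet-csmacd type) and the PA-<Interface_Name> tag behavior described above, modelled as an added example that is not Prisma Access or Cisco code. The device inventory and its field names are constructed assumptions, not vManage API fields, and taking the first eligible interface as the automatic fallback is an assumption because the page does not document the selection order.

```python
import ipaddress
import re

ELIGIBLE_IF_TYPE = "iana-iftype-ethernet-csmacd"  # the only eligible interface type (page rule)
TAG_PATTERN = re.compile(r"^PA-(?P<iface>.+)$", re.IGNORECASE)  # PA-<Interface_Name>, case-insensitive

def has_valid_ip(addr) -> bool:
    try:  # parseable and not the unspecified address; a /prefix suffix is tolerated
        return bool(addr) and not ipaddress.ip_address(addr.split("/")[0]).is_unspecified
    except ValueError:
        return False

def is_eligible(iface: dict) -> bool:
    # Page rules: VPN ID 0, valid IP address, Ethernet (csmacd) interface type.
    return (iface.get("vpn_id") == 0 and has_valid_ip(iface.get("ip"))
            and iface.get("if_type") == ELIGIBLE_IF_TYPE)

def tagged_interface(device: dict):
    # Interface name carried by the first PA-<Interface_Name> tag, if any.
    for tag in device.get("tags", []):
        m = TAG_PATTERN.match(tag)
        if m:
            return m.group("iface")
    return None

def select_tunnel_source(device: dict):
    # Tagged interface when eligible; otherwise automatic fallback (first eligible: an assumption).
    eligible = [i["name"] for i in device["interfaces"] if is_eligible(i)]
    wanted = tagged_interface(device)
    for name in eligible:
        if wanted and name.lower() == wanted.lower():
            return name
    return eligible[0] if eligible else None

def remote_network_name(device: dict) -> str:
    # Naming syntax the integration uses for auto-created remote networks.
    return f"AUTO-CATALYST-{device['name']}"

# Constructed sample inventory; field names are assumptions, not vManage API fields.
DEVICES = [
    {"name": "branch1", "tags": ["pa-GigabitEthernet2"], "interfaces": [
        {"name": "GigabitEthernet1", "vpn_id": 0, "ip": "198.51.100.10/30", "if_type": ELIGIBLE_IF_TYPE},
        {"name": "GigabitEthernet2", "vpn_id": 0, "ip": "203.0.113.5/30", "if_type": ELIGIBLE_IF_TYPE}]},
    {"name": "branch2", "tags": ["PA-GigabitEthernet3"], "interfaces": [  # tagged port is in VPN 10
        {"name": "GigabitEthernet1", "vpn_id": 0, "ip": "198.51.100.14/30", "if_type": ELIGIBLE_IF_TYPE},
        {"name": "GigabitEthernet3", "vpn_id": 10, "ip": "10.10.10.1/24", "if_type": ELIGIBLE_IF_TYPE}]},
    {"name": "branch3", "tags": [], "interfaces": [  # loopback and a VPN 512 port: nothing eligible
        {"name": "Loopback0", "vpn_id": 0, "ip": "10.0.0.1/32", "if_type": "iana-iftype-softwareLoopback"},
        {"name": "GigabitEthernet1", "vpn_id": 512, "ip": "192.0.2.2/24", "if_type": ELIGIBLE_IF_TYPE}]},
]
```

Running `select_tunnel_source` over the three constructed devices shows the tag honored on branch1, ignored in favor of automatic selection on branch2, and no candidate at all on branch3, which is the case to check before enabling a device.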

On-Demand Site Discovery

You can initiate network discoveries anytime to view new networks added in the Cisco vManage dashboard. You can also initiate network discoveries to resolve any misconfiguration in the integration-created objects. To initiate on-demand network discovery, perform the following steps:
  1. Select Workflows > Integrations > Prisma Access.
  2. Locate the Cisco Catalyst SD-WAN Integration with Prisma Access application.
  3. View the discovered Cisco Catalyst SD-WAN networks and their information by clicking the site count.
  4. Discover Sites to identify new eligible Cisco Catalyst SD-WAN networks when required.

Troubleshoot Integration Errors

Audit logs provide records of the configuration changes that administrators make in the integration. You can use these logs for compliance and troubleshooting purposes. You can also view the Messages in the integration settings for information, errors, and warnings.
  • If Cisco Catalyst SD-WAN locks a template, don't perform any manual operations on the integration-created objects, to avoid a template lock caused by multiple sessions.
  • If your template is locked in edit mode while you are editing, log in again after some time and try to edit the template. If the issue persists, contact Cisco Systems support.
  • If your template edit request session expires, log in again after some time and try to edit the template. If the issue persists, contact Cisco Systems support.
  • If you see the following error, check if you tagged the correct interface name.
