Prisma Access for Clean Pipe Overview

To allow organizations that manage the IT infrastructure of other organizations, such as service providers, MSSPs, or Telcos, to quickly and easily protect outbound internet traffic for their tenants, Palo Alto Networks provides Prisma Access for Clean Pipe. A service provider, MSSP, or Telco can route their customers (configured as tenants) to Prisma Access for Clean Pipe using a Partner Interconnect. After the traffic crosses the Partner Interconnect, it will be sent to a tenant-dedicated instance of the Clean Pipe for security, and then routed to the Internet.
Prisma Access for Clean Pipe also provides an API that you can use to quickly and easily create Clean Pipes for your tenants.

Clean Pipe Use Cases

Use Prisma Access for Clean Pipe if you meet all of the following use cases:
  • You manage a network deployment with a large number of tenants.
    For example, you are a service provider, Telco, or MSSP who manages and maintains the networks of many different organizations (up to tens of thousands).
  • You want a way for each tenant in your deployment to have their outbound internet traffic secured.
  • You need a fast and scalable way to onboard Clean Pipes for the organizations whose networks you manage.
  • With the exception of outbound internet security, you do not have additional requirements to protect the mobile users, headquarters, or branch locations of the networks you manage.
    If you have additional security requirements, we recommend creating multiple tenants in Prisma Access instead of implementing Clean Pipe, which allows you to create and enforce security profiles for separate groups of remote networks and mobile users.

Clean Pipe Examples

The following figure provides an example of Clean Pipes configured for a single tenant, with multiple Clean Pipes configured for the tenant.
In this example, the service provider manages the internet connectivity for four organizations and wants to protect outbound internet access for them. The service provider creates a Google Cloud Platform (GCP) Partner Interconnect and creates a VLAN attachment for each tenant. The service provider configures Prisma Access for Clean Pipe using Panorama to create security for the VLAN attachment.
This example shows a single Clean Pipe per tenant. You can also create multiple Clean Pipes in a single tenant. Make sure that each Clean Pipe you specify for a tenant uses a different location.
clean-pipe-overview.png
The following figure shows a single Clean Pipe in more detail for a tenant who wants a clean connection to the internet. The Customer Edge (CE) router provides WAN connectivity for the tenant. The CE router connects to a cloud router, and the cloud router provides connectivity for the Partner Interconnect. The service provider creates a VLAN attachment for the tenant, and configures Prisma Access for Clean Pipe in Panorama to provide security for the VLAN attachment, which protects the tenant’s internet-based traffic.
clean-pipe-overview-detail.png

Clean Pipe and Partner Interconnect Requirements

Before you start, be aware of the following Clean Pipe deployment requirements, and be aware of the following differences between Prisma Access for Clean Pipe and other Prisma Access deployments:
  • You must have a Prisma Access for Clean Pipe license.
    The Prisma Access for Clean Pipe license is a separate license from other Prisma Access products. However, the same requirements for purchasing and installing Panorama and Cortex Data Lake licenses apply to Clean Pipe.
  • Prisma Access for Clean Pipe has the following GCP Partner Interconnect requirements:
    • You must be able to create a Partner Interconnect in GCP.
    • You must have the ability to create VLAN attachments in GCP.
    • For Layer 2 (L2) partner interconnects, you must have access to the customer edge (CE) router on the MSSP side and be able to make configuration changes to it.
    For more information about GCP configuration, refer to the GCP documentation.
  • Be aware of the minimum bandwidth requirements for the Clean Pipe deployment.
    The minimum license you can purchase is 1000 Mbps. The minimum bandwidth allocation for each Clean Pipe tenant is 100 Mbps.
    After you create a tenant, you can create clean pipes in that tenant. Each clean pipe must be a minimum of 100 Mbps. Each Clean Pipe shares the tenant’s access domain, templates and template stack, and device group.
  • If configuring multiple Clean Pipes for a single tenant, each Clean Pipe is required to be a unique location. If you want to configure two VLAN attachments for a single Clean Pipe location in an active/backup configuration for intra-zone redundancy, specify the
    REDUNDANT
    choice when you add a new Clean Pipe instance.
  • When creating a connection within a Clean Pipe tenant, match the bandwidth allocation to that of the VLAN attachment. Do not create a VLAN attachment that has a bandwidth that is higher or lower than the connection's bandwidth.
  • After you enable multi-tenancy, do not configure your Clean Pipe deployment with any of the other tabs in the Configuration area, with the exception of the
    Generate API key
    link in the
    Service Setup
    tab, which lets you generate an API key to retrieve Clean Pipe IP addresses. All configuration is unique to Prisma Access for Clean Pipe and separate from other Prisma Access deployments, such as Prisma Access for Networks or Prisma Access for Users.
  • Do not make changes to a Clean Pipe configuration after you commit it. If you change a Clean Pipe after it’s been committed, you will receive a commit error when you re-commit it. Instead, delete the existing Clean Pipe and add a new one. Schedule this change during a system downtime window. If you already made changes and have not yet committed, you can revert the changes by editing the Clean Pipe configuration back to their previous values.
  • Note that the locations used by Clean Pipe differ from other Prisma Access deployments. Prisma Access for Clean Pipe supports the following locations:
    • asia-east1
    • asia-east2
    • asia-northeast1
    • asia-south1
    • asia-southeast1
    • australia-southeast1
    • europe-north1
    • europe-west2
    • europe-west3
    • europe-west4
    • northamerica-northeast1
    • southamerica-east1
    • us-central1
    • us-east1
    • us-east4
    • us-west1
    • us-west2
  • Note the following networking restrictions for Clean Pipe:
    • ICMP is not supported.
    • QoS is supported on ingress (from internet to Clean Pipe direction) only.
    • User-ID is not supported.
    • Clean Pipe supports session affinity based on source and destination IP addresses and is not configurable.
    • Trust-to-Trust policies are invalid for Clean Pipe, because the traffic is always internet-bound. Only use Trust-to-Untrust policies.

Recommended For You