Configure the Service Infrastructure

Before you can begin setting up Prisma Access to secure your remote networks and/or mobile users, you must configure an infrastructure subnet, which Prisma Access will use to create the network backbone for communication between your service connections, remote networks, and mobile users, as well as with the corporate networks you plan to connect to Prisma Access over service connections. Because a large number of IP addresses will be required to set up the infrastructure, you must use a /24 subnet (for example, at a minimum. See Plan the Service Infrastructure and Service Connections for the requirements and guidelines to use when assigning an infrastructure subnet.
  1. Select Cloud Services > Service Setup and click the gear icon to edit the Settings.
  2. On the tab, specify an Infrastructure Subnet, for example,
     See Plan the Service Infrastructure and Service Connections for the requirements and guidelines to use when assigning an infrastructure subnet.
  3. Enter the Infrastructure BGP AS you want to use within the Prisma Access infrastructure. If you want to use dynamic routing so that Prisma Access can dynamically discover routes to resources on your remote networks and HQ/data center locations, specify the autonomous system (AS) number. If you do not supply an AS number, the default AS number 65534 is used.
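The two planning inputs from steps 2 and 3 (a /24 infrastructure subnet at a minimum, and the BGP AS number with its 65534 default) can be checked before anything is typed into Panorama. The following script is an added example, not code from the page or from Palo Alto Networks; the /24 minimum and the 65534 default come from the text above, while the overlap check against subnets you already route and the 4-byte AS range check are assumptions added here as planning hygiene.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Default AS number Prisma Access uses when no Infrastructure BGP AS is supplied (stated on the page).
DEFAULT_INFRA_BGP_AS = 65534
# The page requires a /24 at a minimum, so the prefix length may not be longer than 24.
MAX_INFRA_PREFIXLEN = 24


def check_infrastructure_subnet(subnet: str, existing_subnets: Iterable[str] = ()) -> Optional[str]:
    """Return None if the subnet is usable as the infrastructure subnet, else the reason it is not.

    The /24 minimum is from the page. Rejecting overlap with subnets you already route
    (corporate, remote-network or mobile-user ranges) is an added planning assumption.
    """
    try:
        net = ipaddress.ip_network(subnet, strict=True)  # strict: host bits must be zero
    except ValueError as exc:
        return f"{subnet!r} is not a valid network: {exc}"
    if not isinstance(net, ipaddress.IPv4Network):
        return f"{net} is not IPv4; the infrastructure subnet must be an IPv4 network"
    if net.prefixlen > MAX_INFRA_PREFIXLEN:
        return f"{net} is smaller than /{MAX_INFRA_PREFIXLEN}; Prisma Access needs a /24 at a minimum"
    for other in existing_subnets:
        other_net = ipaddress.ip_network(other, strict=False)
        if net.overlaps(other_net):
            return f"{net} overlaps {other_net}, which is already in use"
    return None


def resolve_infrastructure_bgp_as(as_number: Optional[int]) -> int:
    """Apply the page's rule: no AS number supplied means the default 65534 is used."""
    if as_number is None:
        return DEFAULT_INFRA_BGP_AS
    if not 1 <= as_number <= 4294967295:  # 4-byte ASN range (assumption, not from the page)
        raise ValueError(f"{as_number} is not a valid autonomous system number")
    return as_number


def plan_service_infrastructure(subnet: str,
                                as_number: Optional[int] = None,
                                existing_subnets: Iterable[str] = ()) -> Dict[str, object]:
    """Combine both checks into the values you would enter on the Service Setup page."""
    problem = check_infrastructure_subnet(subnet, existing_subnets)
    if problem:
        raise ValueError(problem)
    net = ipaddress.ip_network(subnet, strict=True)
    return {
        "infrastructure_subnet": str(net),
        "address_count": net.num_addresses,
        "infrastructure_bgp_as": resolve_infrastructure_bgp_as(as_number),
    }


if __name__ == "__main__":
    # Constructed sample input: RFC 1918 ranges invented for this example.
    already_routed = ["10.0.0.0/8", "192.168.0.0/16"]
    print(plan_service_infrastructure("172.16.55.0/24", None, already_routed))
    print(check_infrastructure_subnet("172.16.55.0/25", already_routed))
    print(check_infrastructure_subnet("10.250.0.0/24", already_routed))
```

Running the block prints the planned values for a usable /24, then the reasons a /25 and a subnet inside an already-routed range are rejected.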
  4. ( ) one or more templates to the predefined template stack,
     The templates you add here can help simplify the process of adding new service connections. For example, if you add a template containing existing IPSec configuration settings, such as IPSec tunnel, Tunnel Monitoring, and IPSec Crypto Profile configurations, you can select these configurations when defining the tunnel settings for each service connection rather than having to create the tunnel configuration from scratch. You can optionally edit the predefined Service_Conn_Template with tunnel settings that you can leverage when creating the tunnels from Prisma Access to your corporate network sites.
  5. Enable Prisma Access to resolve your internal domains.
     Use this step if you need Prisma Access to be able to resolve your internal domains to access services, such as LDAP servers, on your corporate network via service connections. For example, if you want a DNS lookup for your corporate domain to go exclusively to the corporate DNS server, specify the corporate domain and the corporate DNS servers here.
     1. Select the Internal Domain List
     2. Add Domain Names, Primary DNS, and Secondary DNS servers that the cloud service can use to resolve your internal domain names.
        You can use a wildcard (*) in front of the domains in the domain list, for example *.acme.local or *
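To see which lookups the Internal Domain List sends to the corporate DNS servers, the following added example (not code from the page or from Palo Alto Networks) models the selection for a list that mixes plain domains and `*.` wildcard entries. The matching semantics are an assumption: a plain entry matches only that exact name, and `*.acme.local` matches any name under `acme.local` but not the apex `acme.local` itself; whether Prisma Access treats the apex the same way is not stated on the page. The domain list, server addresses and the `<prisma-access-default-resolver>` placeholder are all constructed for the example.

```python
from typing import List, Sequence


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'LDAP.Acme.Local.' and 'ldap.acme.local' compare equal."""
    return name.strip().rstrip(".").lower()


def domain_list_entry_matches(entry: str, query_name: str) -> bool:
    """Assumed matching rule (not stated on the page):
    '*.acme.local' matches every name that ends in '.acme.local' (subdomains only);
    an entry without a wildcard matches only that exact name.
    """
    entry, query_name = _normalize(entry), _normalize(query_name)
    if entry.startswith("*."):
        suffix = entry[1:]  # '*.acme.local' -> '.acme.local'; the leading dot stops 'evilacme.local' matching
        return query_name.endswith(suffix)
    return query_name == entry


def select_resolvers(query_name: str,
                     internal_domains: Sequence[str],
                     primary_dns: str,
                     secondary_dns: str,
                     default_resolvers: Sequence[str]) -> List[str]:
    """Return the resolvers a lookup goes to: the corporate Primary/Secondary DNS servers
    when the name is covered by the Internal Domain List, otherwise the default resolvers."""
    if any(domain_list_entry_matches(entry, query_name) for entry in internal_domains):
        return [dns for dns in (primary_dns, secondary_dns) if dns]
    return list(default_resolvers)


# Constructed sample configuration for the example.
INTERNAL_DOMAIN_LIST = ["*.acme.local", "ldap.corp.example"]
PRIMARY_DNS = "10.10.1.53"
SECONDARY_DNS = "10.10.2.53"
DEFAULT_RESOLVERS = ["<prisma-access-default-resolver>"]  # placeholder, not a real address


def route_lookups(query_names: Sequence[str]) -> dict:
    """Map each constructed query name to the resolvers it would use under the sample list."""
    return {
        name: select_resolvers(name, INTERNAL_DOMAIN_LIST, PRIMARY_DNS, SECONDARY_DNS, DEFAULT_RESOLVERS)
        for name in query_names
    }


if __name__ == "__main__":
    for name, resolvers in route_lookups([
        "ldap.acme.local",        # covered by *.acme.local
        "acme.local",             # apex: not covered under the assumed rule
        "evilacme.local",         # lookalike suffix: not covered
        "ldap.corp.example",      # exact entry
        "www.example.com",        # public name
    ]).items():
        print(f"{name:20} -> {resolvers}")
```

Reviewing the output for lookalike names (the `evilacme.local` case) is a quick way to confirm that a wildcard entry only captures names strictly beneath the listed domain.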
  6. Enable Cortex Data Lake (formerly Logging Service).
     1. Select the Cortex Data Lake
     2. Select a Cortex Data Lake Theater and click
     3. Configure the device groups you are using to push settings to Prisma Access with a Log Forwarding profile that forwards the desired log types to Panorama/Logging Service.
        The Cloud Services plugin automatically adds the following Log Settings (Log Settings) after a new installation or when removing non-Prisma Access templates from a Prisma Access template stack:
        • Log Settings for System logs ( ), User-ID logs ( ), and HIP Match logs ( ) are added to the Mobile_User_Template.
        • Log Settings for System logs ( ) and User-ID logs ( ) are added to the Remote_Network_Template.
        • Log Settings for System logs ( ) are added to the Service_Conn_Template.
        These Log Setting configurations automatically forward System, User-ID, and HIP Match logs to Cortex Data Lake.
        The way you enable log forwarding for other log types depends on the type. For logs that are generated based on a policy match, use a log forwarding profile. See the Cortex Data Lake Getting Started Guide for more information.
  7. ( ) Add Traffic Forwarding rules to redirect mobile user and remote network internet traffic to service connections.
     Traffic forwarding allows you to redirect mobile user or remote network traffic through a service connection to a security stack for further processing before it is sent to the internet. See Use Traffic Forwarding Rules with Service Connections for more information and for configuration details.
  8. ( ) Change the routing preferences and enable HIP redistribution.
     1. Specify the Routing Preference to use with service connections.
        You can specify network preferences to use either your organization’s network, or the Prisma Access network, to process the service connection traffic.
        • Default—Prisma Access uses default routing in its internal network.
        • Hot potato routing—Prisma Access hands off service connection traffic to your organization’s WAN as quickly as possible.
        Changing the Prisma Access service connection routing method requires a thorough understanding of your organization’s topology and routing devices, along with an understanding of how Prisma Access routing works. We recommend that you read the Routing Preferences for Service Connection Traffic section carefully before changing the routing method from the default setting.
     2. Enable HIP Redistribution to have Prisma Access use service connections to redistribute HIP information from mobile users and users at remote networks.
        See Redistribute HIP Information with Prisma Access for more information about enabling HIP redistribution.
  9. Click to save the Service Setup settings.
  10. Commit all your changes to Panorama and push the configuration changes to Prisma Access.
      1. Click Commit to Panorama.
      2. Click Push to Devices and click Edit Selections.
      3. On the Prisma Access tab, make sure Service setup is selected and then click
         Prisma Access should automatically select the components that need to be committed.
      4. Click
         If there is a Palo Alto Networks next-generation firewall between the Panorama appliance and the internet, you must add a security policy rule on the firewall to allow the App-IDs from the Panorama appliance to the internet. These applications carry the SSL-secured communication to Prisma Access and to Cortex Data Lake that the Panorama appliance uses to query logs. If the Panorama appliance is behind a legacy Layer 4 firewall, permit ports 443 and 444 outbound from the Panorama appliance instead. Note that opening Layer 4 ports instead of using Palo Alto Networks App-IDs is less secure and not recommended.
  11. Verify that Prisma Access is successfully connected to Cortex Data Lake.
      1. Select Cloud Services > Cortex Data Lake and verify that the Status is
         If the status is , click the details link to view any errors.
