Connect your Mobile Users in Mainland China to Prisma Access Overview
Describes the workflow you use to connect mobile users
in mainland China to Prisma Access.
To connect mobile users in mainland China to Prisma Access, you start by selecting two regions in Alibaba Cloud, one region in mainland China and one region outside of mainland China, and create one VPC in each region. You set up connectivity between the two VPCs over Alibaba Cloud Enterprise Network (CEN) and create either a service connection or a remote network connection between Prisma Access and a router in the VPC outside of mainland China (Router 2 and VPC 2 in the following figure).
You also deploy a VM-Series next-generation firewall in the VPC in the mainland China compute region (VPC 1 in the following figure) and configure it as a GlobalProtect gateway. This gateway terminates the GlobalProtect tunnels for the mobile users in mainland China, so the deployment lets you enforce security policy for their internet-bound traffic on the GlobalProtect gateway in China. The following figure provides a high-level overview.
The following list provides a high-level overview of the tasks you perform to create a deployment that secures mobile users in mainland China. This document takes you through each of these list items in detail.
Note: You must use IKEv2 with NAT-T and a dynamic peer IP address for the IPSec tunnel on Prisma Access, because the firewall reaches Prisma Access from behind the NAT on Router 2.
Acquire one elastic IP address (EIP) in the VPC in mainland China.
Deploy a next-generation firewall (a VM-Series VM-300 or VM-500 model instance) in the VPC located in mainland China (VPC 1), configure it as a GlobalProtect gateway, add this gateway to the Prisma Access GlobalProtect portal, and configure the firewall to establish an IPSec site-to-site tunnel to the private IP address of Router 2.
Deploy a Linux instance in the VPC outside of mainland China (VPC 2) on Alibaba Cloud, configure the Linux instance as a NAT-enabled router to be used as Router 2, and configure Router 2 to forward the IPSec tunnel packets to the Prisma Access service connection.
Specify the traffic to route through the Prisma Access service
connection or remote network connection, depending on the type of
connection you created.
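As an added worked example (not from the original page and not Palo Alto Networks' own configuration), the following script shows what the Router 2 step amounts to on a stock Linux ECS instance with iptables: the firewall in VPC 1 addresses its IKE traffic to Router 2's private address, Router 2 rewrites the destination to the Prisma Access service connection and hides the firewall's private address behind its own, so Prisma Access sees only Router 2's EIP (hence the dynamic peer IP and NAT-T requirement). All addresses, the interface name and the function names are assumptions for illustration; substitute your own.

```shell
#!/bin/sh
# Router 2 on Alibaba Cloud ECS (VPC 2, outside mainland China): NAT-enabled forwarder
# for the VM-Series firewall's IPSec tunnel. Added example, not part of the original page.
#
# Assumed (hypothetical) addressing, not from the original page:
FW_PRIVATE_IP="${FW_PRIVATE_IP:-10.1.0.10}"   # VM-Series firewall in VPC 1, reachable over CEN
R2_PRIVATE_IP="${R2_PRIVATE_IP:-10.2.0.10}"   # this instance's private IP (the EIP maps to it)
PA_SC_IP="${PA_SC_IP:-203.0.113.10}"          # Prisma Access service connection public IP
WAN_IF="${WAN_IF:-eth0}"                       # the single ECS NIC (CEN and EIP traffic both use it)

# Print the configuration so it can be reviewed or diffed before it is applied.
# Only IKE (UDP 500) and NAT-T/ESP-in-UDP (UDP 4500) are forwarded; everything else is dropped.
router2_rules() {
  cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
# Firewall -> Router 2 private IP: rewrite the destination to Prisma Access
iptables -t nat -A PREROUTING -i $WAN_IF -s $FW_PRIVATE_IP -d $R2_PRIVATE_IP -p udp -m multiport --dports 500,4500 -j DNAT --to-destination $PA_SC_IP
# Hide the firewall behind Router 2; Alibaba Cloud maps the instance address to the bound EIP
iptables -t nat -A POSTROUTING -o $WAN_IF -s $FW_PRIVATE_IP -d $PA_SC_IP -p udp -m multiport --dports 500,4500 -j MASQUERADE
# Forward only the tunnel traffic and its replies (conntrack reverses both NATs for the return path)
iptables -A FORWARD -s $FW_PRIVATE_IP -d $PA_SC_IP -p udp -m multiport --dports 500,4500 -j ACCEPT
iptables -A FORWARD -s $PA_SC_IP -d $FW_PRIVATE_IP -p udp -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Apply the printed rules (must run as root on Router 2).
apply_router2() {
  router2_rules | sh -e
}

# Count the iptables commands the generator emits; a quick sanity check for a reviewer.
router2_rule_count() {
  router2_rules | grep -c '^iptables'
}

if [ "${1:-}" = "apply" ]; then
  apply_router2
else
  router2_rules
fi
```

Run the script without arguments to review the generated commands and with `apply` on Router 2 to install them. Two things outside the instance still have to line up: the ECS security group on Router 2 and the VPC/CEN route tables must allow UDP 500 and 4500 between the firewall's private address and Router 2, and the Prisma Access side of the tunnel must be configured with a dynamic peer address, because the initiator it sees is Router 2's EIP rather than the firewall.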