1. Home
    2. Prisma
    3. Prisma Access
    4. Prisma Access Integration Guide (Panorama Managed)
    5. Integrate Third-Party SD-WANs with Prisma Access
    6. Aruba SD-WAN Solution Guide
    7. Configure the Aruba Remote Network

    Configure the Aruba Remote Network

    To configure the Aruba SD-WAN with Prisma Access, complete the following workflow.

    Validated IKE and IPSec Cryptographic Profiles

    Both the Aruba Branch Gateways and Prisma Access support several options when it comes to setting up VPN tunnels. The following table provides the configurations that have been validated for this solution, and offer a good compromise between performance, flexibility and security (considering the integration is mostly for Internet-bound traffic).
    Crypto Profile
    Phase 1
    Phase 2
    Confidentiality
    AES-256
    You configure this setting as
    aes-256-cbc
     in Prisma Access.
    AES-256
    You configure this setting as
    aes-256-cbc
     in Prisma Access.
    Integrity
    SHA256
    SHA1
    Authentication
    Username/Password
    N/A
    Key Exchange Method
    Diffie-Helman
    Diffie-Helman
    Diffie-Helman Group
    14
    14
    NAT-Transversal
    Enabled
    N/A
    Dead Peer Detection (DPD)
    Enabled
    Perfect Forward Secrecy (PFS)
    N/A
    Yes
    VPN Type
    N/A
    Policy-based VPN

    Configure the Remote Network Connection in Prisma Access

    You manage and configure Prisma Access using the same Panorama appliance that you use to manage on-premise firewalls. To begin configuration of the remote network connection, complete the following task.
    1. Create a new IPSec crypto profile in Panorama.
      The IKE and IPSec crypto profiles you create in these steps are common to all branches and you only need to create them once.
      1. Select
        Network
        Network Profiles
        IPSec Crypto
        .
      2. Add
         a new IPSec crypto profile using the following recommended settings:
        • Encryption
          :
          aes-256-cbc
        • Authentication
          :
          sha1
        • DH Group
          :
          group14
        • Lifetime
          :
          2 Hours
    2. Create a new IKE crypto profile for the remote network tunnel.
      Be sure to use crypto values that are supported with Aruba and make a note of the values you use.
    3. Create a new IKE gateway in Panorama.
      1. Select
        Network
        Network Profiles
        IKE Gateways
        .
      2. Add
         a new IKE gateway.
        Enter the following parameters:
        • In the
          General
           tab, leave the
          Local Identification
          IP address
           blank, because you do not know what this address is at the time of configuration. You can, however, enter in the
          Peer Identificaiton
           of a type of
          FQDN (hostname)
           and enter the FQDN of the BGW.
        • In the
          Advanced Options
           tab, enter the fields as shown in the following screenshot. Be sure to specify the
          IKE Crypto Profile
           you created in Step 1
    4. Create an IPSec tunnel configuration.
      After you create the IKE gateway, you can apply it to the IPSec tunnel you create.
      1. Select
        Network
        IPSec Tunnels
        .
      2. Add
         a new IPSec tunnel.
      3. In the
        General
         tab, specify the
        IKE Gateway
         and
        IPSec Crypto Profile
         you created in earlier steps.
    5. Specify the following parameters:
      • Choose a
        Region
         that is close to the remote network location that you want to onboard.
      • Specify the
        IPSec Tunnel
         you just created.
      • If a backup gateway is in place in the branch, specify this backup gateway as a secondary by selecting
        Enable Secondary WAN
         and selecting the tunnel between the secondary BGW andPrisma Access.
    6. Retrieve the
      Service IP Address
       of the Prisma Access side of the tunnel by selecting
      Panorama
      Cloud Services
      Status
      Network Details
      , clicking the
      Remote Networks
       radio button, and copying the address in the
      Service IP Address
       field.
      You need the
      Service IP Address
       to the IPSec tunnel for the Aruba SD-WAN.

    Configure the Aruba BGW

    The configuration required for the BGWs is straightforward and can leverage Aruba Central’s group-based configuration to reuse as much configuration as possible across branches.
    1. In the Aruba Branch Gateway, set up the tunnel to Prisma Access.
      1. Select
        VPN
        Cloud Security
        Palo Alto Networks - GPCS
        .
      2. Enter values in the fields.
        • Name
          —Enter an administrative name for the tunnel. The system will append
          _gpcs
           at the end.
        • Priority
          —Enter a numeric identifier for the tunnel.
        • Transform
          —Select
          default-aes
          , which uses AES256 encryption with SHA1 Hash.
        • Source FQDN
          —Enter the user ID created in Prisma Access (santaclara.branch in the following screenshot).
        • Tunnel destination IP
          —Enter the
          Service IP Address
           from the remote network connection that you got when you configured the remote network connection in Prisma Access
        • Uplink VLAN
          —Select the Uplink VLAN to be used to bring up tunnels to Prisma Access (in the case of BGWs) or the source VLAN in the case of VPNCs.
        • IKE Shared Secret
          —Set the same value created in the Prisma Access configuration.
        The solution is capable of setting up multiple tunnels and determining which traffic is sent through each one using PBR policies; therefore, you can configure active-active and active-backup redundancy.
        Even though the source FQDN has to be unique on a per-branch basis, you should configure the remaining parts of the tunnel configuration at the group level whenever possible. This hierarchical configuration model greatly streamlines configuration efforts. The following screenshot shows a specific
        Source FQDN
         configured for the local configuration and a generic
        Source FQDN
         specified for the group-level configuration.
    2. Create one or more next-hop lists with the tunnels.
      After you create the the tunnels, next-hop lists group them together to be used inside PBR policies.
      1. Select
        Routing
        NextHop Configuration
        .
      2. Create a
        NextHop
        .
      3. Add
        Site-to-Site
         IPSec maps.
      4. Enter different priorities for the different tunnels.
        Prisma Access doesn’t support load-balancing.
      5. Select
        Preemptive-failover
        .
    3. Add the next hop to a routing policy by selecting
      Routing
      Policy-Based Routing
      .
      In the following example, the policy is sending all the traffic to private subnets (an alias representing 10.0.0.0/8 and 172.16.0.0/12) through the regular path, and it’s sending the rest of the traffic through the Prisma Access nodes.
    4. Apply policies to the roles or VLANs.
      After you create the routing policy, the last step you perform is to apply it to the role or VLAN that you want to send through Prisma Access.
      If there is a conflict between PBR policies applied to a role and VLAN, policies applied to the role take precedence.
      The following screen shows a PBR policy being applied to a VLAN.
      The following screen shows a PBR policy being applied to a role.
    5. Continue to Verify and Troubleshoot the Aruba Remote Network to verify the status of the remote network tunnel.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo