1. Home
    2. Prisma
    3. Prisma Access
    4. Prisma Access Integration Guide (Panorama Managed)
    5. Integrate Third-Party SD-WANs with Prisma Access
    6. Silver Peak SD-WAN Solution Guide
    7. Configure the Silver Peak Remote Network

    Configure the Silver Peak Remote Network

    Configure the remote network between the Silver Peak SD-WAN and Prisma Access by completing the steps in the following workflows:

    Configure the Remote Network Tunnel

    Use this workflow to configure Silver Peak EdgeConnect with Prisma Access.
    Silver Peak recommends that you configure two tunnels in an active-backup configuration between Silver Peak EdgeConnect and Prisma Access, because there are some restrictions for accessing resources at other network locations when you configure the tunnels in an active-active configuration because of the overlapping subnets.
    Before you start this workflow, complete the following tasks:
    • configure a remote network tunnel in Prisma Access for the tunnels you create in this section, and make a note of the IKE and IPSec crypto profiles you used for the remote network tunnel. You also need the Service IP address of the Prisma Access side of the tunnel to complete this configuration. To find this address in Panorama, select
      Panorama
      Cloud Services
      Status
      Network Details
      , click the
      Remote Networks
       radio button, and find the address in the
      Service IP Address
       field.
    • Determine your remote tunnel capacity. Silver Peak bases the tunnel capacity on licensing and the capacity of the device model. For example, the base Silver Peak license supports up to 200 Mbps WAN uplink, and the EC-XS supports 200 Mbps. Prisma Access bases its tunnel capacity on what you specify when you create the remote network and the amount of bandwidth in the Prisma Access license.
    1. From the Silver Peak orchestrator, create a tunnel configuration.
      1. Select
        Configuration
        .
      2. Select
        Tunnels
        Passthrough
      3. Select
        Add Tunnel
        .
      4. Select a
        Name
        ,
        Local IP
        ,
        Remote IP
        , and
        Mode
        .
      5. In the
        Advanced Options
         area, enter the IKE and IPSec parameters.
        The parameters must be the same as the parameters that you specified on Prisma Access. Silver Peak recommends the following IKE and IPSec encryption settings:
        • IKE encryption settings:
          • Encryption
            —AES-256-CBC
          • Authentication
            —SHA512
          • IKE Lifetime
            —8 hours
          • Dead Peer Detection
            Delay time:
             300 seconds
            Retry:
             3
          • IKE Identifier
             —IP address (leave blank - public IP is auto-detected)
          • DH
            —Group 14
          • Mode
            —Aggressive
        • IPSec encryption settings:
          • Encryption
            —AES-25-CBC
          • Authentication
            —SHA512
          • Lifetime
            —60 minutes
          • PFS
            —DH - Group 14
    2. Create two tunnels to Prisma Access: one Active and the other Backup.
      The following example creates two tunnels named
      GlobalProtect-1
       and
      GlobalProtect-2
      .
      Specify the Prisma Access
      Service IP Address
       in the
      Remote IP
       field.
      Select the
      Local IP
       address from the list of WAN interface IP addresses.
    3. Use the 3rd party IPSec tunnels in a Business Intent overlay policy by selecting
      Business Intent Overlay
       and configuring the
      Peer/Service
       in the
      Policies
       area.
    4. Order the
      GlobalProtect-1
      GlobalProtect-2
       service to the
      Preferred Policy Order
       field in the Internet Traffic area.
      Defining the order in the
      Preferred Policy Order
       configures the GlobalProtect-1 tunnel to automatically fail over to the GlobalProtect-2 if the GlobalProtect-1 goes down. When both tunnels from the branch to GPCS are down, Silver Peak uses any other defined path such as local breakout or backhaul using the Overlay.

    Support for Two Active-Active Connections

    Two connections from a branch as active-active on Prisma Access are implemented as two separate remote network connections. You must onboard the connections in two separate regions using one of the following methods:
    • Specify
      Overlapped Subnets
       when you configure the remote network tunnel in Prisma Accessthe two remote networks in two separate regions. See Remote Network Locations with Overlapping Subnets for more information.
    • Onboard both remote networks to the same region, but specify the bandwidth for one of the connections to the maximum bandwidth that is licensed and supported for Prisma Access. Select
      Panorama
      Licenses
      Prisma Access for Remote Networks
       to see the maximum bandwidth.
      The Silver Peak SD-WAN manually injects branch subnets into Prisma Access, but return traffic might not travel through the same tunnel if you use the same branch subnets for both tunnels. To avoid asymmetric traffic paths, configure different branch subnets for each primary tunnel.
    1. To load balance between the two tunnels, use identical names under Peer/Service. For example, if you use a Peer/Service name
      GlobalProtect
       for the tunnels GPCS1 and GPCS2, traffic will load balance between the two tunnels.
      The following figure shows the different branch subnets configured in Prisma Access for the load-balanced tunnels.
      The following figure shows Prisma Access in two regions in the
      Remote IP
       area and the peer service configured as
      GlobalProtect
       in the
      Peer/Service
       area.
      The following figure shows
      Send to GlobalProtect
       configured in the
      Preferred Policy Order
       field.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo