>
    Strata Copilot
    Integrate Prisma Access with HPE Aruba Networking EdgeConnect SD-WAN (Manual Integration)
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Integrate Third-Party SD-WANs with Prisma Access
    4. HPE Aruba Networking EdgeConnect SD-WAN Solution Guide
    5. Integrate Prisma Access with HPE Aruba Networking EdgeConnect SD-WAN (Manual Integration)
    Download PDF
    Prisma Access

    Integrate Prisma Access with HPE Aruba Networking EdgeConnect SD-WAN (Manual Integration)

    Table of Contents

    Integrate Prisma Access with HPE Aruba Networking EdgeConnect SD-WAN (Manual Integration)

    Learn to integrate Prisma Access with HPE Aruba Networking EdgeConnect SD-WAN manually.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access license
    • HPE Aruba Networking EdgeConnect SD-WAN software version: 8.1.9.0
    HPE Aruba Networking EdgeConnect SD-WAN (formerly Silver Peak) supports the following deployment architectures for use with Prisma Access. A dash (—) indicates that the deployment isn't supported.
    Use CaseArchitectureSupported?
    Securing traffic from each branch site with 1 WAN link (Type 1)
    Use an IPSec tunnel from each branch to Prisma Access. Use a HPE Aruba Networking EdgeConnect SD-WAN device at the branch.
    		Yes
    Securing branch and HQ sites with active/backup SD-WAN connections
    		Yes
    Securing branch and HQ sites with active/active SD-WAN connections
    		Yes
    Securing branch and HQ sites with SD-WAN edge devices in HA mode
    		Yes
    Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2)
    		Yes

    Integrate Prisma Access with HPE Aruba Networking EdgeConnect SD-WAN (Strata Cloud Manager)

    Integrate Prisma Access with Silver Peak SD-WAN in Strata Cloud Manager.
    Use this workflow to configure HPE Aruba Networking EdgeConnect SD-WAN with Prisma Access.
    HPE Aruba Networking EdgeConnect SD-WAN recommends that you configure two tunnels in an active-backup configuration between HPE Aruba Networking EdgeConnect SD-WAN and Prisma Access, because there are some restrictions for accessing resources at other network locations when you configure the tunnels in an active/active configuration because of the overlapping subnets.
    Before you start this workflow, determine your remote tunnel capacity. HPE Aruba Networking EdgeConnect SD-WAN bases the tunnel capacity on licensing and the capacity of the device model. For example, the base HPE Aruba Networking EdgeConnect SD-WAN license supports up to 200 Mbps WAN uplink, and the EC-XS supports 200 Mbps. Prisma Access bases a location’s bandwidth on the bandwidth you specify for its compute location.
    1. Follow the steps to Connect a remote network to Prisma Access.
      • Choose a Prisma Access Location that is close to the remote network location that you want to onboard.
      • When creating the IPSec tunnel, use a Branch Device Type of HPE Aruba Networking EdgeConnect SD-WAN.
    2. Select IPSec Advanced Options and select an IPSec Crypto profile of HPE Aruba Networking EdgeConnect SD-WAN-IPSec-Crypto-Default.
    3. Select IKE Advanced Options and select an IKEv1 crypto profile of HPE Aruba Networking EdgeConnect SD-WAN-IKE-Crypto-Default.
    4. Set up routing for the remote network.
      Set Up Routing and Add the IP subnets for Static Routing.
    5. Push your configuration changes.
      1. Return to ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessRemote Networks and select Push ConfigPush.
      2. Select Remote Networks.
      3. Push your changes.
    6. Make a note of the Service IP address of the Prisma Access side of the tunnel. To find this address in Prisma Access (Managed by Strata Cloud Manager), select ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessRemote Networks, click the Remote Networks, and look for the Service IP field corresponding to the remote network configuration you created.
    7. From the HPE Aruba Networking EdgeConnect SD-WAN orchestrator, create a tunnel configuration.
      1. Select Configuration.
      2. Select TunnelsPassthrough
      3. Select Add Tunnel.
      4. Select a Name, Local IP, Remote IP, and Mode.
      5. In the Advanced Options area, enter the IKE and IPSec parameters.
        The parameters must be the same as the parameters that you specified on Prisma Access. HPE Aruba Networking EdgeConnect SD-WAN recommends the following IKE and IPSec encryption settings:
        • IKE encryption settings:
          • Encryption—AES-256-CBC
          • Authentication—SHA512
          • IKE Lifetime—8 hours
          • Dead Peer DetectionDelay time: 300 seconds Retry: 3
          • IKE Identifier —IP address (leave blank - public IP is auto-detected)
          • DH—Group 14
          • Mode—Aggressive
        • IPSec encryption settings:
          • Encryption—AES-25-CBC
          • Authentication—SHA512
          • Lifetime—60 minutes
          • PFS—DH - Group 14
    8. Create two tunnels to Prisma Access: one Active and the other Backup.
      The following example creates two tunnels named GlobalProtect-1 and GlobalProtect-2.
      Specify the Prisma Access Service IP address in the Remote IP field.
      Select the Local IP address from the list of WAN interface IP addresses.
    9. Use the 3rd party IPSec tunnels in a Business Intent overlay policy by selecting Business Intent Overlay and configuring the Peer/Service in the Policies area.
    10. Order the GlobalProtect-1 GlobalProtect-2 service to the Preferred Policy Order field in the internet Traffic area.
      Defining the order in the Preferred Policy Order configures the GlobalProtect-1 tunnel to automatically failover to the GlobalProtect-2 if the GlobalProtect-1 goes down. When both tunnels from the branch to GPCS are down, HPE Aruba Networking EdgeConnect SD-WAN uses any other defined path such as local breakout or backhaul using the Overlay.

    Support for Two Active-Active Connections

    Two connections from a branch as active-active on Prisma Access are implemented as two separate remote network connections. Onboard the connections in two separate locations using one of the following methods:
    • Configure two separate remote networks in two different compute locations and specify subnets that overlap (overlapping subnets) for each remote network.
    • Onboard both remote networks to the same compute location, making sure that the bandwidth for that compute location is sufficient to support two tunnels.
      The HPE Aruba Networking EdgeConnect SD-WAN manually injects branch subnets into Prisma Access, but return traffic might not travel through the same tunnel if you use the same branch subnets for both tunnels. To avoid asymmetric traffic paths, configure different branch subnets for each primary tunnel.
    1. To load balance between the two tunnels, use identical names under Peer/Service. For example, if you use a Peer/Service name GlobalProtect for the tunnels PrismaAccess-1 and PrismaAccess-2, traffic will load balance between the two tunnels.
      The following figure shows the different branch subnets configured in Prisma Access for the load-balanced tunnels.
      The following figure shows Prisma Access in two locations in the Remote IP area and the peer service configured as GlobalProtect in the Peer/Service area.
      The following figure shows Send to GlobalProtect configured in the Preferred Policy Order field.

    Troubleshoot the HPE Aruba Networking EdgeConnect SD-WAN

    Prisma Access provides logs and widgets that provide you with the status of remote tunnels and the status of each tunnel.
    • Go to ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessRemote Networks and check the Status of the tunnel.
    • Go to ActivityLog Viewer and check the Common/System logs for IPSec- and IKE-related messages.
      To view VPN-relates messages, set the filter to sub_type.value = vpn.
      The message ignoring unauthenticated notify payload indicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already occurred.
    • Check the Firewall/Traffic logs and view the messages that are coming from the zone that has the same name as the remote network.
      In the logs, the remote network name is used as the source zone.

    Integrate Prisma Access with HPE Aruba Networking EdgeConnect SD-WAN (Panorama)

    Integrate Prisma Access with HPE Aruba Networking EdgeConnect SD-WAN in Panorama.
    Use this workflow to configure HPE Aruba Networking EdgeConnect SD-WAN with Prisma Access.
    HPE Aruba Networking EdgeConnect SD-WAN recommends that you configure two tunnels in an active-backup configuration between HPE Aruba Networking EdgeConnect SD-WAN and Prisma Access, because there are some restrictions for accessing resources at other network locations when you configure the tunnels in an active-active configuration because of the overlapping subnets.
    Before you start this workflow, complete the following tasks:
    • Configure a remote network tunnel in Prisma Access for the tunnels you create in this section, and make a note of the IKE and IPSec Crypto profiles you used for the remote network tunnel. You also need the Service IP address of the Prisma Access side of the tunnel to complete this configuration. To find this address in Panorama, select PanoramaCloud ServicesStatusNetwork Details, click the Remote Networks radio button, and find the address in the Service IP Address field.
    • Determine your remote tunnel capacity. HPE Aruba Networking EdgeConnect SD-WAN bases the tunnel capacity on licensing and the capacity of the device model. For example, the base HPE Aruba Networking EdgeConnect SD-WAN license supports up to 200 Mbps WAN uplink, and the EC-XS supports 200 Mbps. Prisma Access bases its tunnel capacity on what you specify when you create the remote network and the amount of bandwidth in the Prisma Access license.
    1. From the HPE Aruba Networking EdgeConnect SD-WAN orchestrator, create a tunnel configuration.
      1. Select Configuration.
      2. Select TunnelsPassthrough
      3. Select Add Tunnel.
      4. Select a Name, Local IP, Remote IP, and Mode.
      5. In the Advanced Options area, enter the IKE and IPSec parameters.
        The parameters must be the same as the parameters that you specified on Prisma Access. HPE Aruba Networking EdgeConnect SD-WAN recommends the following IKE and IPSec encryption settings:
        • IKE encryption settings:
          • Encryption—AES-256-CBC
          • Authentication—SHA512
          • IKE Lifetime—8 hours
          • Dead Peer DetectionDelay time: 300 seconds Retry: 3
          • IKE Identifier —IP address (leave blank - public IP is autodetected)
          • DH—Group 14
          • Mode—Aggressive
        • IPSec encryption settings:
          • Encryption—AES-25-CBC
          • Authentication—SHA512
          • Lifetime—60 minutes
          • PFS—DH - Group 14
    2. Create two tunnels to Prisma Access: one Active and the other Backup.
      The following example creates two tunnels named GlobalProtect-1 and GlobalProtect-2.
      Specify the Prisma Access Service IP Address in the Remote IP field.
      Select the Local IP address from the list of WAN interface IP addresses.
    3. Use the 3rd party IPSec tunnels in a Business Intent overlay policy by selecting Business Intent Overlay and configuring the Peer/Service in the Policies area.
    4. Order the GlobalProtect-1 GlobalProtect-2 service to the Preferred Policy Order field in the internet Traffic area.
      Defining the order in the Preferred Policy Order configures the GlobalProtect-1 tunnel to automatically failover to the GlobalProtect-2 if the GlobalProtect-1 goes down. When both tunnels from the branch to Prisma Access are down, HPE Aruba Networking EdgeConnect SD-WAN uses any other defined path such as local breakout or backhaul using the Overlay.

    Support for Two Active-Active Connections

    Two connections from a branch as active-active on Prisma Access are implemented as two separate remote network connections. Onboard the connections in two separate regions using one of the following methods:
    • Specify Overlapped Subnets when you configure the remote network tunnel in Prisma Accessthe two remote networks in two separate regions. See Remote Network Locations with Overlapping Subnets for more information.
    • Onboard both remote networks to the same region, but specify the bandwidth for one of the connections to the maximum bandwidth that is licensed and supported for Prisma Access. Select PanoramaLicensesPrisma Access for Remote Networks to see the maximum bandwidth.
      The HPE Aruba Networking EdgeConnect SD-WAN manually injects branch subnets into Prisma Access, but return traffic might not travel through the same tunnel if you use the same branch subnets for both tunnels. To avoid asymmetric traffic paths, configure different branch subnets for each primary tunnel.
    1. To load balance between the two tunnels, use identical names under Peer/Service. For example, if you use a Peer/Service name GlobalProtect for the tunnels GPCS1 and GPCS2, traffic will load balance between the two tunnels.
      The following figure shows the different branch subnets configured in Prisma Access for the load-balanced tunnels.
      The following figure shows Prisma Access in two regions in the Remote IP area and the peer service configured as GlobalProtect in the Peer/Service area.
      The following figure shows Send to GlobalProtect configured in the Preferred Policy Order field.

    Troubleshoot the HPE Aruba Networking EdgeConnect SD-WAN Remote Network

    Prisma Access provides logs that provide you with the status of remote tunnels and the status of each tunnel. To view these logs in Panorama, select MonitorLogsSystem.
    To debug tunnel issues, you can filter for tunnel-specific logs by using the object identifier corresponding to that tunnel. The following figures show errors related to tunnel misconfiguration and negotiation issues.

    © 2026 Palo Alto Networks, Inc. All rights reserved.