1. Home
    2. Prisma
    3. Prisma Access
    4. Prisma Access Integration Guide (Panorama Managed)
    5. Integrate Third-Party SD-WANs with Prisma Access
    6. VMware SD-WAN by VeloCloud Solution Guide
    7. Configure the VeloCloud Remote Network

    Configure the VeloCloud Remote Network

    The following section describes the steps you perform to integrate a VeloCloud SD-WAN with Prisma Access, including an overview of the VeloCloud-Prisma Access integration.

    Secure VeloCloud SD-WAN with Prisma Access Overview

    To onboard a VeloCloud SD-WAN with Prisma Access, you configure a remote network tunnel in Prisma Access. The VeloCloud SD-WAN device sends traffic through the remote network to Prisma Access, which allows Prisma Access to protect your internet-directed traffic, including resources such as SaaS applications or publicly accessible partner applications.
    You can secure VeloCloud SD-WAN deployments by onboarding the remote network using the VeloCloud Edge device or VeloCloud Gateway.
    VeloCloud edge devices are plug and play devices that you can install in remote sites. You can connect one or more devices to an aggregation point, known as an
    SD-WAN headend
    . Use a VeloCloud gateway as the SD-WAN headend.
    In the VeloCloud SD-WAN fabric, you can configure multiple sites that connect to one gateway, a single site to connect to one gateway, or multiple sites that connect to multiple gateways, as shown in the following figure.
    You can connect one or more remote network connections to a cloud headend. To simplify setup, specify static routing and configure a separate subnet for each remote network location you onboard.
    Size the bandwidth of the remote network connection based on the traffic from the branches that are connected to the cloud headend. You can scale the VeloCloud SD-WAN with Prisma Access in multiple ways; for example, you can connect multiple gateways to one remote network, or connect one gateway to multiple remote networks.
    Prisma Access protects your internet-based resources, including SaaS applications and content. The following figure shows a sample VeloCloud gateway-Prisma Access deployment.

    Configure the Remote Network Connection in Prisma Access

    To begin configuration of a VeloCloud-Prisma Access deployment, use Panorama to create IPSec and IKE parameters and create the Prisma Access remote network connection.
    This procedure assumes that you have already completed the following prerequisites:
    • You have logged into Panorama and created an Infrastructure Subnet for Prisma Access, using a subnet that doesn’t overlap with your existing network subnets.
    • You have created trusted and untrusted zones and used zone mapping to map those zones for your deployment.
    • You have made a note of the subnets you will use for each remote network gateway.
    • You have made a note of the IP address for the VeloCloud SD-WAN device. You obtain this information from the VMware SD-WAN Orchestrator.
      You use the IP address of the gateway address to configure the IKE gateway.
    1. Create IKE and IPSec crypto profiles and an IKE gateway for the remote network connection you will create.
      You will use these profiles to provide connectivity between Prisma Access and the VeloCloud SD-WAN device.
      1. Select
        Network
        Network Profiles
        IKE Crypto
         and
        Add
         an IKE crypto profile for the IPSec tunnel.
        Make sure you have selected the
        Template
         of
        Remote_Network_Template
         before starting this task.
      2. Give the profile a name and specify IKE settings.
        Make a note of these settings; you specify the same settings When you configure the setting on the VeloCloud SD-WAN device.
      3. Select
        Network
        Network Profiles
        IPSec Crypto
         and
        Add
         a new IPSec crypto profile.
      4. Specify a name for the profile and specify IPSec crypto parameters.
        Make a note of these settings; you specify the same settings When you configure the setting on the VeloCloud SD-WAN device.
      5. Select
        Network
        Network Profiles
        IKE Gateways
         and
        Add
         a new IKE gateway.
      6. Specify a
        Name
        Version
        .
      7. Enter a
        Peer IP Address
         that matches the VeloCloud SD-WAN device’s IP address.
        You obtain this address from the VMware SD-WAN Orchestrator
      8. Enter a
        Pre-shared key
         for symmetric authentication across the tunnel.
      9. Choose a
        Local Identification
         of
        None
         and a
        Peer Identification
         of
        FQDN (hostname)
        ; then, enter an FQDN.
        Make a note of the of the
        Pre-Shared key
         and
        FQDN
         that you use for the
        Peer Identification
        ; you match these settings when you configure the VeloCloud cloud gateway.
      10. Configure
        Advanced Options
        :
        • Enable NAT Traversal
          .
        • Set the
          Exchange Mode
           to
          Auto
           so the gateway can accept both
          main
           mode and
          aggressive
           mode requests, or let the gateway initiate negotiation and allow exchanges in
          main
           mode.
        • Select the
          IKE Crypto Profile
           you created in Step 1.a.
      11. Select
        Network
        IPSec Tunnels
         and
        Add
         an IPSec tunnel.
      12. Select the
        IKE Gateway
         and
        IPSec Crypto Profile
         you created earlier in this task.
    2. Select
      Panorama
      Cloud Services
      Configuration
      Remote Networks
       and
      Add
       a new remote network connection, specifying the following values:
      • Give the remote network connection a unique
        Name
        .
      • Specify a
        Location
         that is close to the VeloCloud SD-WAN device.
      • Specify the
        IPSec Tunnel
         you created in Step 1.k.
      • In the
        Static Routes
         tab,
        Add
         the
        Branch IP Subnets
         you have reserved for this remote network connection.
    3. Commit the configuration changes to Panorama and push the configuration out to Prisma Access for remote networks.
      1. Click
        Commit
        Commit and Push
        .
      2. Click
        Edit Selections
        Prisma Access
        , and select both Prisma Access for remote networks and Prisma Access for service setup to push the configuration out to the service.
        Pushing the
        GlobalProtect cloud service for service setup
         is only required if you made changes to the service setup (for example, you added the Infrastructure Subnet).
      3. Click
        OK
        , then
        Commit and Push
        .
        Prisma Access displays a success page after the commit succeeds.
    4. Make a note of the
      Service IP address
       of the Prisma Access side of the tunnel. To find this address in Panorama, select
      Panorama
      Cloud Services
      Status
      Network Details
      , select
      Remote Networks
      , and find the
      Service IP Address
      .
      You use the
      Service IP Address
       as the Peer IP address when you configure the IPSec tunnel in the VeloCloud SD-WAN device.

    Configure the Remote Network Connection for VeloCloud Edge Devices

    Use the following procedure to configure the IPSec tunnel on the VeloCloud edge device to complete the remote network connection.
    1. Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
    2. Select
      Configure
      Network Services
      .
    3. In the
      Cloud Security Services
       area, click
      New
       to create a new service.
    4. Enter the following values in the New Cloud Security Provider window that displays:
      • Enter a
        Service Name
         to identify this configuration.
      • Select a
        Service Type
         of
        Generic Cloud Security Service
        .
      • For the
        Primary Point-of-Presence
        , enter the
        Service IP Address
         you retrieved from Prisma Access.
    5. Click
      Add
       to save and add the configuration.
    6. Select
      Configure
      Profile
       and set
      Cloud Security Service
       to
      On
      ; then, select the
      Hash
      ,
      Encryption
      , and
      Key Exchange Protocol
       to the settings you configured for the remote network tunnel in Prisma Access.
    7. Select
      Configure
      Edge
       and complete the following steps:
      1. Set
        Cloud Security Service
         to
        On
        .
      2. Select the radio button to
        Redirect all internet bound traffic to Cloud Security Service
        .
      3. Select the
        Hash
        ,
        Encryption
        , and
        Key Exchange Protocol
         to match the settings you configured for the remote network tunnel in Prisma Access.
      4. Enter the
        FQDN
         and pre-shared key (
        PSK
        ) to match the FQDN and PSK you entered in Prisma Access.
    8. Verify the status of the remote network tunnel.
      • To view tunnel status in the VMware SD-WAN Orchestrator, select
        Monitor
        Edge
         in the VMware SD-WAN Orchestrator and viewing the information in the fields that display.
      • To view traffic and application statistics, select the
        Transport and Applications
         tab, then select
        Monitor
        Edge
        .

    Configure the Remote Network Connection for VeloCloud Gateways

    Use the following procedure to configure the IPSec tunnel on the VeloCloud edge gateway to enable the remote network connection.
    1. Establish connectivity from the VeloCloud gateway to Prisma Access.
      1. Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
      2. Select
        Configure
        Network Services
        .
      3. Select
        New
         in the
        Non-VeloCloud Sites
         to create a new site.
      4. Enter a
        Name
         for the site and select a
        Type
         of
        Palo Alto
        .
      5. For the
        Primary VPN Gateway
        , enter the
        Service IP Address
         you retrieved from Prisma Access.
      6. Click
        Next
        .
        VeloCloud creates the site and generates the IKE and IPSec configuration (including pre-shared key) for the site.
      7. Click
        Advanced
         and update the IKE and IPSec parameters and add the
        Site Subnets
         that you will protect with Prisma Access.
      8. Make sure that you have selected
        Enable Tunnel(s)
        ; then,
        Save Changes
        .
        To view the detailed IKE and IPSec parameters and the public IP address used by the VeloCloud gateway, click
        View IKE IPSec Template
        . The public IP address displays in the
        Local Identification : IP address :
        area.
    2. Verify the status of the remote network connection between the VeloCloud gateway and Prisma Access by selecting
      Monitor
      Network Services
      . A
      Status
       in green indicates that the connection has been successfully established.
    3. Configure the customer profile to service-chain the Non-VeloCloud site to the customer’s SD-WAN.
      1. Select
        Configure
        Profiles
        Profile-Name
        , where
        Profile-Name
         is the customer’s profile, then click the
        Device
         tab.
      2. Enable the
        Cloud VPN
         feature to turn on VPN connectivity from the Branch and Data Center sites.
      3. In the
        Branch to Non-VeloCloud Site
         section, select
        Enable
        ; then, select the Prisma Access site you created in Step 1.
    4. Save your changes.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo