Prisma Access
Onboard an Azure Virtual Network
Onboard an Azure virtual network (VNet) to Prisma Access and secure access to it for
mobile users and remote networks.
When you deploy your organization’s resources using a Microsoft Azure virtual network
(VNet), you can secure these resources with Prisma Access. To do so, you onboard an
existing or new VNet to Prisma Access as a remote network. You also configure
settings for a remote network tunnel (a site-to-site tunnel between Prisma Access
and the Azure VNet) and use BGP to dynamically route traffic between them.
The following diagram shows the topology used to secure an Azure instance with Prisma
Access.
For Azure-specific information about creating a site-to-site connection, see the
Microsoft Azure document Create a Site-to-Site connection in the Azure
portal.
Cloud Management
Configure a Virtual Network and Virtual Network Gateway on Azure
The Azure virtual network uses a virtual network gateway for its side of the VPN
tunnel to Prisma Access. This gateway uses a subnet called GatewaySubnet. The
GatewaySubnet contains IP addresses used for virtual network gateway resources
and services and is part of the virtual network IP address range that you
specify when you configure your virtual network on Azure.
Each Azure VPN gateway incorporates high availability by having two instances per
gateway in an active-standby configuration. If an active instance goes down for
planned maintenance or an unplanned outage, the instance automatically fails
over to the standby instance and resumes the site-to-site VPN connections. For a
planned maintenance, Azure restores the connectivity in approximately 10 to 15
seconds. For an unplanned outage, Azure restores the connectivity in
approximately 1 minute to 90 seconds.
Create the virtual network and virtual network gateway using the following
task.
By default, Azure will not direct internet traffic to the VPN tunnel you
create in this task. To secure internet-bound traffic
with Prisma Access, enable forced tunneling on Azure using
PowerShell commands.
- In Azure, create your virtual network, if you have not already created it. See the Microsoft Azure documentation for details.
- Create a subnet for the gateway. You must name the subnet GatewaySubnet to let Azure deploy its gateway resources; Azure does not allow the use of another subnet name. Without a subnet named GatewaySubnet, gateway creation fails.
  - In the Azure portal, navigate to the virtual network where you want to create a virtual network gateway.
  - On your virtual network page, click Subnets to expand the Subnets page for the virtual network you created.
  - Click + Gateway subnet at the top to open the Add subnet page.
  - Add the address and click OK.
- Add a virtual network gateway.
  - On the left side of the portal page, click + Create a resource and type Virtual Network Gateway in the search box, then press Enter.
  - In Results, locate and click Virtual network gateways.
  - At the bottom of the Virtual network gateway page, click Create virtual network gateway.
  - Enter values similar to the values on the following screenshot and click Create. It may take up to 30 minutes to create the virtual network gateway.
- After Azure creates the virtual network gateway, select the virtual network gateway you created, click Overview, and make a note of the Public IP address assigned to the virtual network gateway.
- Click Configuration and make a note of the BGP ASN and BGP peer IP address(es) fields.
Configure IKE, IPSec, and BGP and Onboard the Azure VNet in Prisma Access
After you perform the initial configuration on Azure, create IKE and IPSec
security profiles and policies and a remote network connection in Prisma
Access.
For assistance with configuring security parameters on Azure, see the Microsoft
Azure documents About VPN devices and IPsec/IKE parameters
for Site-to-Site VPN Gateway connections and About cryptographic requirements and Azure
VPN gateways.
- In Strata Cloud Manager, select Workflows > Prisma Access Setup > Remote Networks.
- (Optional) If you have not already, allocate bandwidth for the remote network under Bandwidth Management. You allocate bandwidth by selecting an Assigned Bandwidth for the remote network's compute location.
- Go to Remote Networks and Add Remote Networks.
- Give the remote network a descriptive Site Name.
- Select the Prisma Access Location that is closest to your Azure VNet.
- Select the IPSec Termination Node to use for the remote network.
- Enable ECMP Load Balancing.
- Set up the IPSec tunnel for the Azure gateway.
  - Set Up the primary tunnel.
  - Select an existing tunnel, or select Create New to create a new tunnel.
  - Give the tunnel a descriptive Name.
  - Select the Branch Device Type for the IPSec device at the remote network site that you are using to establish the tunnel with Prisma Access.
  - Specify a Pre-Shared Key.
  - Specify a Branch Device IP Address of either Static IP or Dynamic IP. Setting up an IKE Peer Identification is required if you use a dynamic IP address. If you select Static IP, enter a static IP address.
  - Select IKE Advanced Options, create an IPSec crypto profile for the IPSec tunnel, and Save the changes. The IPSec crypto settings you specify here must match the settings you specify on Azure. To set IKE and IPSec policies in Azure, see the Microsoft Azure documentation.
  - Select IPSec Advanced Options, create an IKEv1 crypto profile for the gateway, and Save the changes.
- Set Up BGP routing.
  - Enable BGP for Dynamic Routing.
  - Enter the Peer Address value from Azure in the Peer IP address field and enter the Autonomous system number (ASN) value from Azure in the Peer AS field.
  - (Optional) Enter an address that Prisma Access uses as its Local IP Address for BGP. Make sure that the address you specify does not conflict or overlap with IP addresses in the Infrastructure Subnet or subnets in the remote network. You must configure a static route on your CPE to the BGP local address.
- Save the changes.
- Commit and Push your configuration.
- After the onboarding process completes, make a note of the value in the Service IP field.
Set up Network Connectivity from your Azure Virtual Network
After you configure the remote network in Prisma Access, complete the
configuration on Azure by performing the following task.
For additional information about configuring BGP on Azure, see the Microsoft
Azure document Overview of BGP with Azure VPN
Gateways.
- In Azure, create a local network gateway.
  - In the Search resources, services, and docs search box, type local network gateways.
  - Click + Add.
  - Enter the following values in the text box that displays.
    - Enter a Name for the gateway.
    - Check Configure BGP settings and enter a unique Autonomous system number (ASN) and BGP peer IP address.
    - Enter a Subscription, Resource group, and Location for the gateway.
  - Click Create.
- Create a virtual network connection.
  - Navigate to and open the page for the virtual network gateway you created when you configured a virtual network and virtual network gateway on Azure. See the Microsoft Azure documentation for details.
  - On the page for the virtual network gateway, click Connections. At the top of the Connections page, click + Add to open the Add connection page.
  - Enter values for the new connection, then click OK. In the Shared key (PSK) field, use the same Pre-shared Key that you used when you created the IKE gateway in Prisma Access.
  - Click OK.
- Add a new route table to use for BGP routing.
  - Select + Create a resource on the upper left corner of the Azure portal.
  - Select Networking, then select Route table.
  - Add a Name, Subscription, Resource Group, and Location.
  - Set BGP route propagation to Enabled.
  - Click Create.
- Associate a subnet to the route table you created.
  - Open the route table you created.
  - Select Settings > Subnets.
  - Click Associate to add a subnet.
  - In the Associate subnet column, click Virtual network.
  - Select the virtual network you created when you configured a virtual network and virtual network gateway on Azure.
  - Click OK.
Verify Remote Network Connectivity
To verify that the IPSec tunnel between Azure and Prisma Access is operational,
perform the following steps:
- In Azure, select the Connection you created and click Overview. The tunnel should show a status of Connected.
- Verify that the BGP routes are being advertised on Azure.
  - Open the route table you just created.
  - Select Networking > Settings.
  - Select the name of a network interface.
  - Select Support + troubleshooting > Effective routes.
  - Verify that the BGP routes are being advertised.
- Check the remote network and BGP status in Prisma Access. In Strata Cloud Manager, select Workflows > Prisma Access Setup > Remote Networks. The Config Status should be In Sync; verify the BGP Status in Routing Information.
Secure Internet-Bound Traffic with Prisma Access
If you enable BGP, the virtual network gateway does not use static routes and
uses only the routes it learns from BGP advertisements.
To secure all traffic to and from Azure, you must force traffic to pass through
Prisma Access. You do this by enabling the forced tunneling feature on
Azure.
Enabling forced tunneling may result in a loss of connectivity to virtual
network instances over the internet. Make sure that you use another
connection method (for example, a bastion host) to connect to instances over
the internet.
You configure forced tunneling by using PowerShell CLI commands in your Azure
account as described in the following task. For more details about forced
tunneling, see the Microsoft Azure document Configure forced tunneling using the Azure
Resource Manager deployment model.
To enable the feature, complete the following workflow.
These commands are examples. If you use different variables for your route
tables, virtual network gateways, subnets, or resource groups, substitute
those values in the commands provided in this task.
- Log into your PowerShell console with elevated privileges, and connect to your account.
- Create a new route table by entering the following commands:

  ```powershell
  New-AzureRmRouteTable -Name "DefRouteTable" -ResourceGroupName "GPCS-PM-TME" -Location "WEST US"
  $rt = Get-AzureRmRouteTable -Name "DefRouteTable" -ResourceGroupName "GPCS-PM-TME"
  Add-AzureRmRouteConfig -Name "DefaultRoute" -AddressPrefix "0.0.0.0/0" -NextHopType VirtualNetworkGateway -RouteTable $rt
  Set-AzureRmRouteTable -RouteTable $rt
  ```

- Modify the subnet configuration by entering the following commands:

  ```powershell
  $vnet = Get-AzureRmVirtualNetwork -Name "GPCS-Onboarding-VMNET" -ResourceGroupName "GPCS-PM-TME"
  Set-AzureRmVirtualNetworkSubnetConfig -Name "GPCS-O-Subnet-1" -VirtualNetwork $vnet -AddressPrefix "10.200.1.0/24" -RouteTable $rt
  Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
  ```

- Enable the default route for the network gateway default site by entering the following commands:

  ```powershell
  $LocalGateway = Get-AzureRmLocalNetworkGateway -Name "GPCS-Gateway-US-WEST" -ResourceGroupName "GPCS-PM-TME"
  $VirtualGateway = Get-AzureRmVirtualNetworkGateway -Name "GPCS-Onboarding-Gateway" -ResourceGroupName "GPCS-PM-TME"
  Set-AzureRmVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway
  ```
Panorama
Configure a Virtual Network and Virtual Network Gateway on Azure
The Azure virtual network uses a virtual network gateway for its side of the VPN
tunnel to Prisma Access. This gateway uses a subnet called GatewaySubnet. The
GatewaySubnet contains IP addresses used for virtual network gateway resources
and services and is part of the virtual network IP address range that you
specify when you configure your virtual network on Azure.
Each Azure VPN gateway incorporates high availability by having two instances per
gateway in an active-standby configuration. If an active instance goes down for
planned maintenance or an unplanned outage, the instance automatically fails
over to the standby instance and resumes the site-to-site VPN connections. For a
planned maintenance, Azure restores the connectivity in approximately 10 to 15
seconds. For an unplanned outage, Azure restores the connectivity in
approximately 1 minute to 90 seconds.
Create the virtual network and virtual network gateway using the following
task.
By default, Azure will not direct internet traffic to the VPN tunnel you
create in this task. To secure internet-bound traffic
with Prisma Access, enable forced tunneling on Azure using
PowerShell commands.
- In Azure, create your virtual network, if you have not already created it. See the Microsoft Azure documentation for details.
- Create a subnet for the gateway. You must name the subnet GatewaySubnet to let Azure deploy its gateway resources; Azure does not allow the use of another subnet name. Without a subnet named GatewaySubnet, gateway creation fails.
  - In the Azure portal, navigate to the virtual network where you want to create a virtual network gateway.
  - On your virtual network page, click Subnets to expand the Subnets page for the virtual network you created.
  - Click + Gateway subnet at the top to open the Add subnet page.
  - Add the address and click OK.
- Add a virtual network gateway.
  - On the left side of the portal page, click + Create a resource and type Virtual Network Gateway in the search box, then press Enter.
  - In Results, locate and click Virtual network gateways.
  - At the bottom of the Virtual network gateway page, click Create virtual network gateway.
  - Enter values similar to the values on the following screenshot and click Create. It may take up to 30 minutes to create the virtual network gateway.
- After Azure creates the virtual network gateway, select the virtual network gateway you created, click Overview, and make a note of the Public IP address assigned to the virtual network gateway.
- Click Configuration and make a note of the BGP ASN and BGP peer IP address(es) fields.
Configure IKE, IPSec, and BGP and Onboard the Azure VNet in Prisma Access
After you perform the initial configuration on Azure, create IKE and IPSec
security profiles and policies and then create a remote network connection in
Prisma Access using Panorama.
For assistance with configuring security parameters on Azure, see the Microsoft
Azure documents About VPN devices and IPsec/IKE parameters
for Site-to-Site VPN Gateway connections and About cryptographic requirements and Azure
VPN gateways.
- In Panorama, select Remote_Network_Template from the Template drop-down.
- Make a note of these settings; the IKE crypto settings you specify here must match the settings you specify on Azure. To set IKE and IPSec policies in Azure, see the Microsoft Azure documentation. The screenshot in the following figure uses the following settings:
  - DH Group: group2
  - Encryption: aes-256-cbc
  - Authentication: sha1
  - Key Lifetime: 8 Hours
- The IPSec crypto settings you specify here must match the settings you specify on Azure; to set IKE and IPSec policies in Azure, see the Microsoft Azure documentation. The screenshot in the following figure uses the following settings:
  - IPSec Protocol: ESP
  - DH Group: no-pfs
  - Lifetime: 8 Hours
  - Encryption: aes-256-gcm
  - Authentication: none
- In the General tab, change the Peer ID Address Type to IP.
- In the Peer Address field, enter the Public IP address from the Overview screen on Azure.
- Enter a Pre-shared Key. Make a note of this key. You use it later when you Set up Network Connectivity from your Azure Virtual Network.
- Click OK.
- Select Network > IPSec Tunnels and Add an IPSec tunnel for the Azure gateway, specifying the IKE Gateway and IPSec Crypto Profile that you created earlier in this task.
- Select Panorama > Cloud Services > Configuration > Remote Networks and Add the Azure VPN as a remote network. Specify the following choices:
  - Select a Location that is closest to your Azure VNet.
  - Select the IPSec Termination Node that you want to use for this remote network. Prisma Access uses this node to associate remote network locations with compute locations.
  - Specify the IPSec primary tunnel that you just created in the IPSec Tunnel field.
- Configure BGP routing.
  - Click the BGP tab.
  - Enter the Autonomous system number (ASN) value from Azure in the Peer AS field and enter the Peer Address value from Azure in the BGP peer IP address(es) field.
  - (Optional) Enter an address that Prisma Access uses as its Local Address for BGP. Make sure that the address you specify does not conflict or overlap with IP addresses in the Infrastructure Subnet or subnets in the remote network. You must configure a static route on your CPE to the BGP Local Address.
- Click OK.
- Commit and Push your configuration.
- After the onboarding process completes, select Panorama > Cloud Services > Status > Network Details > Remote Networks and make a note of the value in the Service IP Address field.
Set up Network Connectivity from your Azure Virtual Network
After you configure the remote network in Prisma Access, complete the
configuration on Azure by performing the following task.
For additional information about configuring BGP on Azure, see the Microsoft
Azure document Overview of BGP with Azure VPN
Gateways.
- In Azure, create a local network gateway.
  - In the Search resources, services, and docs search box, type local network gateways.
  - Click + Add.
  - Enter the following values in the text box that displays.
    - Enter a Name for the gateway.
    - Enter an IP address. Use the Service IP Address from the remote network in Prisma Access (Panorama > Cloud Services > Status > Network Details > Remote Networks).
    - Check Configure BGP settings and enter a unique Autonomous system number (ASN) and BGP peer IP address.
    - Enter a Subscription, Resource group, and Location for the gateway.
  - Click Create.
- Create a virtual network connection.
  - Navigate to and open the page for the virtual network gateway you created when you configured a virtual network and virtual network gateway on Azure. See the Microsoft Azure documentation for details.
  - On the page for the virtual network gateway, click Connections. At the top of the Connections page, click + Add to open the Add connection page.
  - Enter values for the new connection, then click OK. In the Shared key (PSK) field, use the same Pre-shared Key that you used when you created the IKE gateway in Prisma Access.
  - Click OK.
- Add a new route table to use for BGP routing.
  - Select + Create a resource on the upper left corner of the Azure portal.
  - Select Networking, then select Route table.
  - Add a Name, Subscription, Resource Group, and Location.
  - Set BGP route propagation to Enabled.
  - Click Create.
- Associate a subnet to the route table you created.
  - Open the route table you created.
  - Select Settings > Subnets.
  - Click Associate to add a subnet.
  - In the Associate subnet column, click Virtual network.
  - Select the virtual network you created when you configured a virtual network and virtual network gateway on Azure.
  - Click OK.
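The IKE and IPSec profile values listed for the Panorama template above, and the connection created with the shared PSK, can be expressed on the Azure side as a single explicit IPsec/IKE policy. The following script is an added example, not part of the Palo Alto Networks page or the Azure documentation; it uses the current Az PowerShell cmdlets rather than the older AzureRm ones shown elsewhere on this page, and the resource group, gateway and connection names are placeholders taken from the page's sample commands.

```powershell
# Added example: build the Azure connection with an IPsec/IKE policy that mirrors the
# Prisma Access crypto profiles from the Panorama Remote_Network_Template step.
# Placeholders: resource group, location, gateway names and connection name.
$rg       = 'GPCS-PM-TME'
$location = 'westus'
$vngName  = 'GPCS-Onboarding-Gateway'   # virtual network gateway created earlier
$lngName  = 'GPCS-Gateway-US-WEST'      # local network gateway with the Prisma Access Service IP
$connName = 'PrismaAccess-S2S'          # placeholder connection name

# Prisma Access IKE crypto profile:   group2 / aes-256-cbc / sha1 / 8 hours
# Prisma Access IPSec crypto profile: ESP / no-pfs / aes-256-gcm / none / 8 hours
# Azure fixes its IKE SA lifetime at 28800 seconds (8 hours); only the IPsec SA
# lifetime is set here. GCM modes carry their own integrity, so Azure expects the
# same GCMAES256 value for IpsecEncryption and IpsecIntegrity.
$policyParams = @{
    IkeEncryption       = 'AES256'      # aes-256-cbc
    IkeIntegrity        = 'SHA1'        # sha1
    DhGroup             = 'DHGroup2'    # group2
    IpsecEncryption     = 'GCMAES256'   # aes-256-gcm
    IpsecIntegrity      = 'GCMAES256'   # authentication: none (integrity comes from GCM)
    PfsGroup            = 'None'        # no-pfs
    SALifeTimeSeconds   = 28800         # 8 hours
    SADataSizeKilobytes = 102400000
}
$policy = New-AzIpsecPolicy @policyParams

$vng = Get-AzVirtualNetworkGateway -Name $vngName -ResourceGroupName $rg
$lng = Get-AzLocalNetworkGateway   -Name $lngName -ResourceGroupName $rg

# Read the pre-shared key interactively so it never sits in the script or shell history.
# ConvertFrom-SecureString -AsPlainText requires PowerShell 7 or later.
$secure = Read-Host -Prompt 'Pre-shared key from the Prisma Access IKE gateway' -AsSecureString
$psk    = ConvertFrom-SecureString -SecureString $secure -AsPlainText

$conn = New-AzVirtualNetworkGatewayConnection `
    -Name $connName -ResourceGroupName $rg -Location $location `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $psk -EnableBgp $true `
    -IpsecPolicies $policy

# Echo the applied policy so it can be compared field by field with the Prisma Access profiles.
$conn.IpsecPolicies | Format-List
```

If the two sides disagree on any of these values, IKE negotiation fails and the Azure connection stays in a NotConnected state; comparing this output with the Prisma Access profiles is the quickest way to find the mismatch.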
Verify Remote Network Connectivity
To verify that the IPSec tunnel between Azure and Prisma Access is operational,
perform the following steps:
- In Azure, select the Connection you created and click Overview. The tunnel should show a status of Connected.
- Verify that the BGP routes are being advertised on Azure.
  - Open the route table you just created.
  - Select Networking > Settings.
  - Select the name of a network interface.
  - Select Support + troubleshooting > Effective routes.
  - Verify that the BGP routes are being advertised.
- Check the remote network and BGP status in Prisma Access. In Panorama, select Panorama > Cloud Services > Status > Monitor > Remote Networks > Status. The Config Status should be In Sync and the BGP Status should be Established.
Secure Internet-Bound Traffic with Prisma Access
If you enable BGP, the virtual network gateway does not use static routes and
uses only the routes it learns from BGP advertisements.
To secure all traffic to and from Azure, you must force traffic to pass through
Prisma Access. You do this by enabling the forced tunneling feature on
Azure.
Enabling forced tunneling may result in a loss of connectivity to virtual
network instances over the internet. Make sure that you use another
connection method (for example, a bastion host) to connect to instances over
the internet.
You configure forced tunneling by using PowerShell CLI commands in your Azure
account as described in the following task. For more details about forced
tunneling, see the Microsoft Azure document Configure forced tunneling using the Azure
Resource Manager deployment model.
To enable the feature, complete the following workflow.
These commands are examples. If you use different variables for your route
tables, virtual network gateways, subnets, or resource groups, substitute
those values in the commands provided in this task.
- Log into your PowerShell console with elevated privileges, and connect to your account.
- Create a new route table by entering the following commands:

  ```powershell
  New-AzureRmRouteTable -Name "DefRouteTable" -ResourceGroupName "GPCS-PM-TME" -Location "WEST US"
  $rt = Get-AzureRmRouteTable -Name "DefRouteTable" -ResourceGroupName "GPCS-PM-TME"
  Add-AzureRmRouteConfig -Name "DefaultRoute" -AddressPrefix "0.0.0.0/0" -NextHopType VirtualNetworkGateway -RouteTable $rt
  Set-AzureRmRouteTable -RouteTable $rt
  ```

- Modify the subnet configuration by entering the following commands:

  ```powershell
  $vnet = Get-AzureRmVirtualNetwork -Name "GPCS-Onboarding-VMNET" -ResourceGroupName "GPCS-PM-TME"
  Set-AzureRmVirtualNetworkSubnetConfig -Name "GPCS-O-Subnet-1" -VirtualNetwork $vnet -AddressPrefix "10.200.1.0/24" -RouteTable $rt
  Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
  ```

- Enable the default route for the network gateway default site by entering the following commands:

  ```powershell
  $LocalGateway = Get-AzureRmLocalNetworkGateway -Name "GPCS-Gateway-US-WEST" -ResourceGroupName "GPCS-PM-TME"
  $VirtualGateway = Get-AzureRmVirtualNetworkGateway -Name "GPCS-Onboarding-Gateway" -ResourceGroupName "GPCS-PM-TME"
  Set-AzureRmVirtualNetworkGatewayDefaultSite -GatewayDefaultSite $LocalGateway -VirtualNetworkGateway $VirtualGateway
  ```
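The portal checks in the Verify Remote Network Connectivity section (connection status, BGP peer state, effective routes) and the forced-tunneling result from the task above can be confirmed from one script. This is an added example, not part of the Palo Alto Networks page, written against the current Az cmdlets; the resource group, gateway and connection names are placeholders reused from the page's sample commands, and the NIC name is assumed.

```powershell
# Added example: verify the Azure side of the Prisma Access onboarding end to end.
# Placeholders: resource group, gateway, connection and NIC names.
$rg       = 'GPCS-PM-TME'
$vngName  = 'GPCS-Onboarding-Gateway'
$connName = 'PrismaAccess-S2S'   # placeholder name of the site-to-site connection
$nicName  = 'vm1-nic'            # placeholder NIC of a VM in the subnet bound to the route table

function Test-PrismaAccessOnboarding {
    $ok = $true

    # 1. Tunnel state: the same value the portal shows under the connection's Overview.
    $conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
    if ($conn.ConnectionStatus -ne 'Connected') {
        Write-Warning "Connection '$connName' is $($conn.ConnectionStatus); expected Connected"
        $ok = $false
    }

    # 2. BGP session with the Prisma Access peer, and whether it has actually sent routes.
    #    With BGP enabled the gateway uses only learned routes, so zero routes received
    #    means no traffic will flow even though the tunnel itself is up.
    $peers = Get-AzVirtualNetworkGatewayBGPPeerStatus -VirtualNetworkGatewayName $vngName `
                                                     -ResourceGroupName $rg
    foreach ($p in $peers) {
        if ($p.State -ne 'Connected' -or $p.RoutesReceived -eq 0) {
            Write-Warning ("BGP peer {0} (AS {1}) state={2} routesReceived={3}" -f `
                           $p.Neighbor, $p.Asn, $p.State, $p.RoutesReceived)
            $ok = $false
        }
    }

    # 3. Forced tunneling: the active effective route for 0.0.0.0/0 on a VM NIC must
    #    point at the virtual network gateway. If it still points at Internet, internet-
    #    bound traffic from that VM bypasses Prisma Access.
    $default = Get-AzEffectiveRouteTable -NetworkInterfaceName $nicName -ResourceGroupName $rg |
        Where-Object { $_.State -eq 'Active' -and $_.AddressPrefix -contains '0.0.0.0/0' }
    if (-not $default -or $default.NextHopType -ne 'VirtualNetworkGateway') {
        $hop = if ($default) { $default.NextHopType } else { 'none' }
        Write-Warning "Default route on $nicName has next hop '$hop'; expected VirtualNetworkGateway"
        $ok = $false
    }

    return $ok
}

if (Test-PrismaAccessOnboarding) {
    Write-Output 'Tunnel up, BGP established with routes received, default route via gateway.'
} else {
    Write-Output 'One or more checks failed; see warnings above.'
}
```

Run it again after each change to the route table or gateway default site; the third check is the one that catches a subnet that was never associated with the BGP route table.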
Troubleshoot the Site-to-Site Connection
Use the procedures in this section to troubleshoot any issues you have with
tunnel creation.
- To troubleshoot the site-to-site connection in Prisma Access, log in to Panorama and select Logs > System, then enter (subtype eq vpn) in the Filter field to view messages related to VPN tunnel creation.
- To troubleshoot the site-to-site connection on Azure, you can download the VPN gateway configuration on Azure by selecting Networking > Settings, selecting the name of a network interface, selecting Support + troubleshooting > Effective routes, and clicking Download.