Configure and Run the Container

To facilitate communication between the Prisma Access for Networks (managed by Panorama) CloudBlade and Panorama, the CloudBlade requires use of either:
  • An On-Premise Docker container.
  • A Cloud Container from a Cloud Provider (Azure, Google, etc.)
Irrespective of the method selected for container operation, the container must be able to access the following resources:
  • Panorama XML API (Typically not exposed to the Internet).
  • Prisma SD-WAN Cloud Controller API (Internet).
  • Prisma Access API (Internet).
On-Premise Docker Container
The On-Premise Docker container requires:
  • A compute host or compatible Virtual Machine (VM).
    • Minimum 1 vCPU and 512 MB of memory.
  • Network access to the following:
    • Panorama XML API (TCP 443 on the Panorama System).
    • Prisma Access API Endpoint (TCP 443 to api.gpcloudservice.com).
    • Prisma SD-WAN API Endpoint (TCP 443 to api.*.cloudgenix.com).
Docker Container Start/Stop Commands (Linux)
Once the compute host/VM has been selected, perform the following:
  1. Install Docker on the compute host/VM.
    For more information on installing Docker Engine/Community Edition, refer to https://www.docker.com/products/docker-engine.
  2. Create a directory for container logs and configuration.
    These directories will use Docker Bind Maps to be published to the Container.
    From the command line (Windows, Mac or Linux) use the following commands:
    mkdir cloudgenix cd cloudgenix mkdir applog mkdir config
  3. In the config directory, create a file named config.yml that will contain the container configuration.
    An example container configuration file config.yml file is shown below.
    --- type: cloudgenix_prisma_access_panorama version: 2.1.2 # #REQUIRED ITEMS! # # VPN Pre-shared key to use for tunnels VPN_PSK: 'VPN PSK HERE' # Panorama password # Panorama Host/IP and Username are specified in Prisma SD-WAN portal # Click Email -> Extensions -> Prisma Access for Networks (managed by # Panorama) PANORAMA_PASSWORD: "password here" # PRISMA_ACCESS API Key from Panorama # Located at PANORAMA -> Cloud Services -> Configuration -> Service Setup # tab -> Generate API Key # PRISMA_ACCESS_API_KEY: "GET KEY FROM PANORAMA" # Prisma SD-WAN AUTH_TOKEN (tenant_super) # Click Email -> System Administration -> Auth Tokens CGX_AUTH_TOKEN: "CGX AUTH TOKEN FROM CGX UI" # #Optional items. # #These enable external syslog debugging export for this on-premise # container. #SYSLOG_HOST: 10.0.0.1 #SYSLOG_PORT: 514 #SYSLOG_FACILITY: local2 # #This allows modification of the default run interval - default 180s. # Please note that commits for changes will be applied for the panorama user # at this interval. #RUN_INTERVAL: 30 # #If issues occur with configuration of this container, please contact # www.paloaltonetworks.com/company/contact-support
    This configuration file should contain (at a minimum):
    • VPN Pre-Shared Key (PSK) to use when creating tunnels.
    • Panorama XML API user password (username is specified in Prisma SD-WANPortal).
    • Prisma SD-WAN Auth Token with tenant_super or custom permissions.
    The config.yml file is optional. If config.yml is not provided, all the options that would be provided in the config.yml file must be provided as Environment Variables or Secure Environment Variables instead.
  4. Once the config.yml file is configured, download and launch the Docker container with one of the following commands below.
    • Linux\Unix\Mac
      docker run --restart unless-stopped \ --network=host \ -v $PWD/applog:/tmp/applog \ -v $PWD/config:/config \ -d --name prisma_access_panorama \ cloudgenix/prisma_access_panorama:2.1.2 EXAMPLE: docker run --restart unless-stopped --network=host -v /root/cloudgenix/applog/:/tmp/applog -v /root/cloudgenix/config/:/config -d --name prisma_access_panorama cloudgenix/prisma_access_panorama:2.1.2
    • Windows CMD
      docker run -v --restart unless-stopped ^ %cd%\applog:/tmp/applog ^ -v %cd%\config:/config ^ -d --name prisma_access_panorama ^ cloudgenix/prisma_access_panorama:2.1.2
  5. After launching the Docker container, the integration process is complete.
    To do a quick validation, examine the
    ./applog/Prisma-Access-for-Networks-(managed-by-Panorama)_2.1.2/<host dir>/output.log
    file to view the latest troubleshooting messages in the Troubleshooting Section.
    If the container is running on a Linux server, the config.yml file may need to have its permissions changed to be read by the container. Example: chmod +777 config.yml
The container ID shown below is an example only. The container ID will be different on different systems or will change on the same system if removed/reinstalled.
  • Verifying Container Running Status
    root@ubuntu: /# docker psCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 42f39ad5623b cloudgenix/prisma_access_panorama:2.1.2"./prisma_access_int…" 23hours ago Up 5 seconds prisma_access_panoramaroot@ubuntu:/#
  • Stopping the Prisma Access Container
    root@ubuntu: # docker stop 42f39ad5623b42f39ad5623broot@ubuntu:/ # 42f39ad5623b
  • Verifying Finding Prisma Access Container Name If Stopped
    root@ubuntu: # docker psCONTAINER ID IMAGE COMMAND CREATED STATUSPORTS NAMESroot@ubuntu:/#
    root@ubuntu: /# docker ps -aCONTAINER ID IMAGE COMMAND CREATEDSTATUS PORTS NAMES42f39ad5623b cloudgenix/prisma_access_panorama:2.1.2 "./prisma_access_int…" 23hours ago Exited (137) 22 hours ago prisma_access_panorama
  • Starting the Prisma Access Docker Container
    root@ubuntu: /# docker start 42f39ad5623b42f39ad5623broot@ubuntu:/# CONTAINER

Recommended For You