Configure Prisma Access (Cloud Managed) CloudBlade
- From the Prisma SD-WAN web interface, select
CloudBlades.
- In CloudBlades, locate the Prisma
Access for Networks (Cloud Managed) CloudBlade and click Configure.
If this CloudBlade does not appear in the list, contact Palo Alto
Networks Support.
- Enter the following information in the fields shown below,
changing the defaults where appropriate:
- VERSION: Select the version
of the CloudBlade to use (3.1.6).
- ADMIN STATE: For Admin State, select/retain Enabled.
- ION PEERING DEFAULT LOCAL AS NUMBER:
The default BGP local AS number used for ION peering. It is defined here so that
ECMP sites can be onboarded quickly. It can be any 16-bit AS number, but a
private AS number (64512 through 65534) is recommended.
- TUNNEL IDENTIFIER, PRISMA ACCESS FOR NETWORKS SIDE:
Enter an FQDN IKE identifier in name@domain.com format. This identifier
will be used by Prisma Access to identify remote tunnel connections.
- TUNNEL IDENTIFIER TEMPLATE, PRISMA SD-WAN SIDE:
Enter an FQDN IKE identifier in name@domain.com format. This identifier
should be different from the Prisma Access identifier. This identifier
will be used as a template to generate a unique ID per tunnel.
- TUNNEL INNER IP POOL: Specify an IP pool in IP/Mask notation. This pool
must be unused and unique across the entire network and must not overlap
the Palo Alto Networks Service Infrastructure Subnet.
To change the IP prefix specified here later, first disable the CloudBlade and
ensure all service links have been updated. Then change the IP CIDR to the
required value and re-enable the CloudBlade so that tunnels are allocated from
the new IP CIDR.
The number of tunnels that can be created from the Prisma SD-WAN fabric to
Prisma Access is limited directly by this setting: each tunnel consumes one
/31 subnet from the pool, so a /24 pool yields at most 128 tunnels.
Do not use CIDR ranges that overlap 169.254.0.0/16 or 100.64.0.0/10. Using
these ranges can cause IP conflicts and outages.
- TUNNEL PSK SEED: Specify a string of text from which the unique
pre-shared key (PSK) for each tunnel is derived. Handle the seed with the
same care as the PSKs themselves, since every tunnel's PSK is derived from it.
- ENFORCE DEFAULT PRISMA SD-WAN LIVELINESS PROBES:
By default, tunnel liveliness toward Prisma Access is checked with an ICMP
probe to the last Prisma Access infrastructure IP address. The probes can
instead be reconfigured to target the non-default tunnel monitor IP addresses
that were configured during the Prisma Access integration.
- ENABLE DRY RUN EXECUTIONS: This option is disabled by default so that every
modification made to the CloudBlade configuration is applied to Prisma Access.
When selected, the resulting CloudBlade configuration is written only to the
CloudBlade logs rather than applied to Prisma Access.
- Click Save and Install.
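Before clicking Save and Install, it is worth checking the values from the steps above offline: that the local AS is a 16-bit (preferably private) number, that the two IKE identifiers are in name@domain.com form and differ, and that the tunnel inner IP pool overlaps neither the reserved ranges nor the infrastructure subnet, together with how many /31 tunnel subnets it can hold. The following Python is an added example of such a pre-flight check; it is not code from the CloudBlade or from Palo Alto Networks. The infrastructure subnet, pool prefixes, AS numbers and identifiers are constructed, the name@domain.com regex is an assumed syntactic rule, and the sequential /31 allocation order is an assumption about how a pool is consumed, not the CloudBlade's documented allocator.

```python
"""Pre-flight checks for the Prisma Access (Cloud Managed) CloudBlade fields.

Added example, not code from the CloudBlade or from Palo Alto Networks.
All sample values (pool, infrastructure subnet, ASNs, IKE IDs) are constructed.
"""
import ipaddress
import re

# Ranges the CloudBlade documentation says the tunnel inner IP pool must not overlap.
RESERVED_RANGES = (
    ipaddress.ip_network("169.254.0.0/16"),  # IPv4 link-local
    ipaddress.ip_network("100.64.0.0/10"),   # shared address space (CGNAT)
)

# 16-bit private AS numbers, 64512..65534 inclusive (RFC 6996).
PRIVATE_ASN_16BIT = range(64512, 65535)

# Loose name@domain.com shape for the IKE identifiers (assumption: the page
# states only the format, not a stricter rule).
IKE_ID_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def check_local_as(asn: int) -> list[str]:
    """Problems with the ION PEERING DEFAULT LOCAL AS NUMBER."""
    problems = []
    if not 1 <= asn <= 65535:
        problems.append(f"AS {asn} is not a 16-bit AS number")
    elif asn not in PRIVATE_ASN_16BIT:
        problems.append(f"AS {asn} is public; a private AS (64512-65534) is recommended")
    return problems


def check_tunnel_ids(prisma_access_id: str, sdwan_template_id: str) -> list[str]:
    """Problems with the two TUNNEL IDENTIFIER fields."""
    problems = []
    for label, ident in (("Prisma Access", prisma_access_id),
                         ("Prisma SD-WAN template", sdwan_template_id)):
        if not IKE_ID_RE.match(ident):
            problems.append(f"{label} identifier {ident!r} is not name@domain.com")
    if prisma_access_id == sdwan_template_id:
        problems.append("the Prisma SD-WAN template identifier must differ from the Prisma Access one")
    return problems


def check_inner_ip_pool(pool_cidr: str, infra_subnet_cidr: str,
                        in_use_cidrs: tuple[str, ...] = ()) -> tuple[list[str], int]:
    """Validate TUNNEL INNER IP POOL; return (problems, max tunnels it can hold).

    Each tunnel consumes one /31, so a /24 yields 128 tunnels and a /30 yields 2.
    """
    problems = []
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    for rng in RESERVED_RANGES:
        if pool.overlaps(rng):
            problems.append(f"{pool} overlaps reserved range {rng}")
    infra = ipaddress.ip_network(infra_subnet_cidr, strict=False)
    if pool.overlaps(infra):
        problems.append(f"{pool} overlaps the Prisma Access infrastructure subnet {infra}")
    for cidr in in_use_cidrs:  # other prefixes already routed in the fabric
        other = ipaddress.ip_network(cidr, strict=False)
        if pool.overlaps(other):
            problems.append(f"{pool} overlaps in-use prefix {other}")
    capacity = 2 ** (31 - pool.prefixlen) if pool.prefixlen <= 31 else 0
    if capacity == 0:
        problems.append(f"{pool} cannot hold a single /31 tunnel subnet")
    return problems, capacity


def allocate_tunnel_subnets(pool_cidr: str, count: int) -> list[str]:
    """First `count` /31s of the pool, in sequential order (assumed allocation order)."""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    subnets = list(pool.subnets(new_prefix=31))
    if count > len(subnets):
        raise ValueError(f"{pool} holds only {len(subnets)} /31 subnets, {count} requested")
    return [str(s) for s in subnets[:count]]


if __name__ == "__main__":
    # Constructed values: a sane pool, a pool in CGNAT space, a pool inside the
    # infrastructure subnet, and a pool that fits exactly one tunnel.
    infra = "172.16.55.0/24"
    for pool in ("10.250.0.0/24", "100.64.10.0/24", "172.16.55.128/25", "10.9.9.0/31"):
        problems, capacity = check_inner_ip_pool(pool, infra)
        print(pool, "-> max tunnels:", capacity, "; problems:", problems or "none")
    print(allocate_tunnel_subnets("10.250.0.0/24", 3))
    print(check_local_as(65001), check_local_as(64496), check_local_as(70000))
    print(check_tunnel_ids("pa-tunnels@example.com", "sdwan-tunnels@example.com"))
```

Run it with the values you intend to enter; a non-empty problem list for the pool means the CloudBlade would either fail to allocate tunnels or allocate addresses that collide with something already on the network, which is exactly the outage the pool caveat above warns about. The capacity figure tells you whether the pool is large enough for the number of sites and links you plan to connect before you have to disable the CloudBlade and re-size it.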