: Onboard PAN-OS Firewalls to Prisma Access
Focus
Focus

Onboard PAN-OS Firewalls to Prisma Access

Table of Contents

Onboard PAN-OS Firewalls to Prisma Access

Configure an SD-WAN branch firewall to connect to a Prisma Access hub for cloud-based security.
SD-WAN Plugin 2.2 provides Prisma Access hub support, in which PAN-OS firewalls connecting to Prisma Access compute nodes (CNs) achieve cloud-based security in an SD-WAN hub-and-spoke topology. In this topology, the SD-WAN hubs are Prisma Access CNs (IPSec Termination Nodes) and the SD-WAN branches are PAN-OS firewalls. A maximum of four hubs (any combination of PAN-OS hubs participating in DIA AnyPath and Prisma Access hubs) are supported. SD-WAN automatically creates IKE and IPSec tunnels that connect the branch to the hub. Review the system requirements for SD-WAN and Prisma Access.
It is important to configure Prisma Access first, and then configure SD-WAN.
  • If you are starting a brand new Prisma Access configuration, read the Prisma Access Administrator’s Guide and complete Phase 1 and then Phase 2 configuration steps.
  • If you already have Prisma Access running, ensure Phase 1 is complete, and then complete Phase 2.
The following flowchart shows the order of the two configuration phases and basic steps within each phase. The full Prisma Access prerequisites with links and the configuration steps for SD-WAN follow the flowchart.
PHASE 1—Prisma AccessPHASE 2—SD-WAN
(COMPLETE PHASE 1 FIRST)(BEGIN ONLY AFTER COMPLETING PHASE 1)
  1. Set up the infrastructure subnet, infrastructure BGP AS, template stack and device group for a tenant.
  2. Set up template stacks, templates, device groups, trust and untrust zones, and bandwidth allocation for specific regions.
  3. Ensure your Prisma Access deployment is licensed for remote networks.
  4. Ensure your deployment allocates bandwidth per compute location, instead of by location.
  5. Ensure you have assigned bandwidth to the compute location that corresponds to the location to which you want to onboard.
  6. Perform a local commit and push to the Prisma Access cloud.
  1. Configure a branch firewall with an interface that has SD-WAN enabled.
  2. Log in to the Panorama Web Interface.
  3. Specify the BGP local address pool for loopback addresses.
  4. Select the SD-WAN branch firewall to connect to the Prisma Access hub and configure the connection.
  5. Commit and Push the configuration to the cloud.
  6. Verify that onboarding is complete.
  7. Synchronize the branch firewall to Prisma Access.
  8. Commit to Panorama.
  9. Push to Devices.
  10. View the new interface that was created.
  11. Verify the IPSec tunnel is up.
  12. Verify the IKE gateway is up.
  13. Create an SD-WAN policy rule to generate monitoring data.
  14. Commit and Commit and Push to branch firewalls.
  15. Monitor Prisma Access hub application and link performance.
Before you connect SD-WAN to Prisma Access, you must have a branch firewall with an interface that has SD-WAN enabled. Additionally, ensure you have performed the following Prisma Access prerequisites for one or more tenants; these are the Phase 1 steps:
  1. For PanoramaCloud ServicesConfiguration, set up the infrastructure subnet, infrastructure BGP AS, template stack and device group for a tenant on the Service Setup page.
  2. On the Remote Networks page, set up template stacks, templates, device groups, trust and untrust zones, and bandwidth allocation for specific regions.
  3. Ensure your Prisma Access deployment is licensed for remote networks by selecting PanoramaLicenses and checking your license information.
    • Licenses available after November 17, 2020 show the amount of licensed bandwidth you have for remote networks in the Net Capacity area.
    • Licenses available before November 17, 2020 show the available remote network bandwidth in the GlobalProtect Cloud Service for Remote Networks area under Total Mbps.
  4. Ensure your deployment allocates bandwidth per compute location, instead of by location.
  5. Ensure you have assigned bandwidth to the compute location that corresponds to the location to which you want to onboard. Prisma Access allocates one IPSec termination node per 500 Mbps of bandwidth you allocate to a region.
  6. Perform a local commit and push to the Prisma Access cloud.
After you have performed the preceding steps for Phase 1 with Prisma Access, perform the following Phase 2 steps for SD-WAN.
  1. Log in to the Panorama Web Interface.
  2. Specify the BGP local address pool for loopback addresses.
    1. Select PanoramaSD-WANVPN Clusters.
    2. At the bottom of the screen, select BGP Prisma Address Pool.
    3. Add an unused private subnet (prefix and netmask) for the local BGP addresses for Prisma Access.
    4. Click OK.
    5. Commit.
      Do not simply change an existing address pool if Prisma Access is already onboarded. If you need to change an address pool, perform the following steps during a maintenance window to update the SD-WAN branch and the Prisma Access CN with your address pool changes:
      1. Use Panorama to access an SD-WAN branch and delete the existing onboarding that the address pool change will impact; then do a local Commit.
      2. Update the VPN address pool, and then do a local Commit.
      3. Perform the Prisma Access onboarding again, and then do a local Commit and Push.
  3. Select the SD-WAN branch firewall to connect to the Prisma Access hub and configure the connection.
    1. Select PanoramaSD-WANDevices.
    2. Select the branch firewall on which you enabled SD-WAN, whose name then populates the Name field.
    3. Select the Type of device as Branch.
    4. Select the Virtual Router Name.
    5. Enter the Site.
      All SD-WAN devices must have a unique Site name.
    6. Select Prisma Access Onboarding and Add.
    7. Select a local, SD-WAN-enabled Interface on the firewall to connect to the Prisma Access hub.
    8. Select a Prisma Access Tenant (select default for a single tenant environment).
      All SD-WAN interfaces on a branch firewall must use the same Prisma Access tenant.
    9. Enter a helpful Comment.
    10. Add a compute node to a Region by selecting the region where the CN (Prisma Access hub) is located.
      There can be multiple regions per interface.
    11. Select an IPSec Termination Node (GP gateway) from the list of nodes; the list is based on the nodes that Prisma Access spun up for the region earlier. You are choosing the hub to which this branch connects. SD-WAN Auto VPN configuration builds IKE and IPSec relationships and tunnels with this node.
    12. Enable BGP for communication between the branch and hub (Enable is the default).
    13. Advertise Default Route to allow the Prisma Access hub’s default route to be advertised to the branch firewall.
    14. Summarize Mobile User Routes before advertising to have the Prisma Access hub advertise summarized mobile user IP subnet routes, thereby reducing the number of advertisements to the branches.
    15. Don’t Advertise Prisma Access Routes to prevent the IPSec Termination Node/hub from advertising its Prisma Access routes to the SD-WAN branches.
    16. Enter the Secret for authentication of BGP communications and Confirm Secret.
    17. Select a Link Tag for the hub.
      When you want to enable ECMP for a Prisma Access hub, onboard more than one branch interface to the same compute node (CN) and use the same Link Tag on those branch interfaces.
    18. Click OK. The display will include a Peer AS number and the Tunnel Monitor IP address provided by Prisma Access.
  4. Commit and Push the configuration to the cloud, where Prisma Access spins up the correct number of IPSec Termination Nodes based on requested bandwidth.
    When more than one IPSec tunnel is going to the same CN, the Prisma Access configuration has ECMP enabled with symmetric return, as shown in this Prisma Access example:
  5. Verify that onboarding is complete.
    1. Select PanoramaCloud ServicesStatus and verify that the Remote Networks Deployment Status displays success.
    2. Select the Remote Networks Deployment Status details.
    3. Confirm that the Prisma Access node completion displays 100%.
  6. Synchronize the branch firewall to Prisma Access to retrieve the service IP address(es) of the CNs.
    1. Select PanoramaSD-WANDevices.
    2. Select the SD-WAN branch device.
    3. Select Prisma Access Onboarding and Sync To Prisma (and respond to message to continue). Repeat for each branch device.
      After the sync to Prisma is successful, you will see the Prisma Access configuration parameters on the SD-WAN branch firewall. If not, wait for approximately 15 minutes and repeat the Sync to Prisma. If necessary, go to the Prisma Access plugin and verify that the CN onboarding has finished (you can see the CN with the bandwidth and IP addresses assigned). After that verification, retry Sync To Prisma.
  7. Commit to Panorama.
  8. Push to Devices to push to the local branch firewall. Edit Selections to select the Push Scope Selection. Select the correct Template and Device Group.
  9. On the branch firewall, select NetworkInterfacesSD-WAN and see the new interface that was created with the Link Tag you created, assigned to the Security Zone named zone-to-pa-hub, and with the IPSec tunnel connecting to the CN.
  10. Select NetworkIPSec Tunnels and verify the IPSec tunnel is up.
  11. Select NetworkNetwork ProfilesIKE Gateways and verify the IKE gateway is up.
  12. Create an SD-WAN policy rule to generate monitoring data.
    This step is required to baseline Prisma Access Hub latency, jitter, and packet loss data for accurate traffic distribution. SD-WAN monitoring data is generated from traffic that matches your SD-WAN policy rules.
    1. Create a Traffic Distribution Profile.
    2. Create a Path Quality Profile with high latency, jitter, and packet loss thresholds.
      A Path Quality profile is required to create a SD-WAN policy rule. Creating a Path Quality profile with high thresholds allows you to baseline latency, jitter, and packet loss for the Prisma Access Hub without causing app to swap to a different link.
    3. Configure an SD-WAN Policy Rule.
  13. Commit and Commit and Push to branch firewalls.
  14. Refresh the Prisma IKE preshared key.
    If you need to change the current Prisma IKE key that is used to secure the IPSec connection between branch and the Prisma hub, perform this step to randomly generate a new key for the tunnel and update both sides of the tunnel. Perform this step when the hub and branch are not busy.
    Do not create an IKE gateway manually with a name beginning with “gw_” because such names are reserved for Prisma IKE creation during onboarding. This step to refresh the Prisma IKE preshared key refreshes all such named IKE gateways if there are any apart from those created by Prisma Access.
    1. Select PanoramaSD-WANDevices and select a device.
    2. At the bottom of the screen, select Refresh Prisma IKE Key.
    3. A message appears notifying you that Refreshing the IKE key will update all SD-WAN tunnels between the branch and the Prisma Access hub and will require a simultaneous configuration push to all branch and Prisma Access hub devices. Best practice recommendation is to perform the refresh during a maintenance window as traffic can be affected. Do you wish to continue? Select Yes if you wish to continue.
  15. Commit and Commit and Push to branch firewalls.
  16. Monitor Prisma Access Hub Application and Link Performance to understand the baseline latency, jitter, and packet loss for the links to Prisma Access.
    This step is required to gather accurate latency, jitter, and packet loss data to fine-tune your Prisma Access Hub Path Quality profiles.