Onboard PAN-OS Firewalls to Prisma Access

Configure an SD-WAN branch firewall to connect to a Prisma Access hub for cloud-based security.
SD-WAN Plugin 2.2 provides Prisma Access hub support, in which PAN-OS firewalls connecting to Prisma Access compute nodes (CNs) achieve cloud-based security in an SD-WAN hub-and-spoke topology. In this topology, the SD-WAN hubs are Prisma Access CNs (IPSec Termination Nodes) and the SD-WAN branches are PAN-OS firewalls. A maximum of four hubs (any combination of PAN-OS hubs participating in DIA AnyPath and Prisma Access hubs) are supported. SD-WAN automatically creates IKE and IPSec tunnels that connect the branch to the hub. Review the system requirements for SD-WAN and Prisma Access.
It is important to configure Prisma Access first, and then configure SD-WAN.
  • If you are starting a brand new Prisma Access configuration, read the Prisma Access Administrator’s Guide and complete Phase 1 and then Phase 2 configuration steps.
  • If you already have Prisma Access running, ensure Phase 1 is complete, and then complete Phase 2.
The following flowchart shows the order of the two configuration phases and basic steps within each phase. The full Prisma Access prerequisites with links and the configuration steps for SD-WAN follow the flowchart.
PHASE 1—PRISMA ACCESS (COMPLETE PHASE 1 FIRST)
  1. Set up the infrastructure subnet, infrastructure BGP AS, template stack and device group for a tenant.
  2. Set up template stacks, templates, device groups, trust and untrust zones, and bandwidth allocation for specific regions.
  3. Ensure your Prisma Access deployment is licensed for remote networks.
  4. Ensure your deployment allocates bandwidth per compute location, instead of by location.
  5. Ensure you have assigned bandwidth to the compute location that corresponds to the location to which you want to onboard.
  6. Perform a local commit and push to the Prisma Access cloud.
PHASE 2—SD-WAN (BEGIN ONLY AFTER COMPLETING PHASE 1)
  1. Configure a branch firewall with an interface that has SD-WAN enabled.
  2. Log in to the Panorama Web Interface.
  3. Specify the BGP local address pool for loopback addresses.
  4. Select the SD-WAN branch firewall to connect to the Prisma Access hub and configure the connection.
  5. Commit and Push the configuration to the cloud.
  6. Verify that onboarding is complete.
  7. Synchronize the branch firewall to Prisma Access.
  8. Commit to Panorama.
  9. Push to Devices.
  10. View the new interface that was created.
  11. Verify the IPSec tunnel is up.
  12. Verify the IKE gateway is up.
  13. Create an SD-WAN policy rule to generate monitoring data.
  14. Commit, and Commit and Push to branch firewalls.
  15. Monitor Prisma Access hub application and link performance.
Before you connect SD-WAN to Prisma Access, you must have a branch firewall with an interface that has SD-WAN enabled. Additionally, ensure you have performed the following Prisma Access prerequisites for one or more tenants; these are the Phase 1 steps:
  1. For Panorama > Cloud Services > Configuration, set up the infrastructure subnet, infrastructure BGP AS, template stack and device group for a tenant on the Service Setup page.
  2. On the Remote Networks page, set up template stacks, templates, device groups, trust and untrust zones, and bandwidth allocation for specific regions.
  3. Ensure your Prisma Access deployment is licensed for remote networks by selecting Panorama > Licenses and checking your license information.
    • Licenses available after November 17, 2020 show the amount of licensed bandwidth you have for remote networks in the Net Capacity area.
    • Licenses available before November 17, 2020 show the available remote network bandwidth in the GlobalProtect Cloud Service for Remote Networks area under Total Mbps.
  4. Ensure your deployment allocates bandwidth per compute location, instead of by location.
  5. Ensure you have assigned bandwidth to the compute location that corresponds to the location to which you want to onboard. Prisma Access allocates one IPSec termination node per 500 Mbps of bandwidth you allocate to a region.
  6. Perform a local commit and push to the Prisma Access cloud.
After you have performed the preceding steps for Phase 1 with Prisma Access, perform the following Phase 2 steps for SD-WAN.
  1. Specify the BGP local address pool for loopback addresses.
    1. Select Panorama > SD-WAN > VPN Clusters.
    2. At the bottom of the screen, select BGP Prisma Address Pool.
    3. Add an unused private subnet (prefix and netmask) for the local BGP addresses for Prisma Access.
    4. Click OK.
    5. Commit.
      Do not simply change an existing address pool if Prisma Access is already onboarded. If you need to change an address pool, perform the following steps during a maintenance window to update the SD-WAN branch and the Prisma Access CN with your address pool changes:
      1. Use Panorama to access an SD-WAN branch and delete the existing onboarding that the address pool change will impact; then do a local Commit.
      2. Update the VPN address pool, and then do a local Commit.
      3. Perform the Prisma Access onboarding again, and then do a local Commit and Push.
  2. Select the SD-WAN branch firewall to connect to the Prisma Access hub and configure the connection.
    1. Select Panorama > SD-WAN > Devices.
    2. Select the branch firewall on which you enabled SD-WAN; its name then populates the Name field.
    3. Select the Type of device as Branch.
    4. Select the Virtual Router Name.
    5. Enter the Site.
      All SD-WAN devices must have a unique Site name.
    6. Select Prisma Access Onboarding and Add.
    7. Select a local, SD-WAN-enabled Interface on the firewall to connect to the Prisma Access hub.
    8. Select a Prisma Access Tenant (select default for a single-tenant environment).
      All SD-WAN interfaces on a branch firewall must use the same Prisma Access tenant.
    9. Enter a helpful Comment.
    10. Add a compute node to a Region by selecting the region where the CN (Prisma Access hub) is located.
      There can be multiple regions per interface.
    11. Select an IPSec Termination Node (GP gateway) from the list of nodes; the list is based on the nodes that Prisma Access spun up for the region earlier. You are choosing the hub to which this branch connects. SD-WAN Auto VPN configuration builds IKE and IPSec relationships and tunnels with this node.
    12. Enable BGP for communication between the branch and hub (Enable is the default).
    13. Advertise Default Route to allow the Prisma Access hub’s default route to be advertised to the branch firewall.
    14. Summarize Mobile User Routes before advertising to have the Prisma Access hub advertise summarized mobile user IP subnet routes, thereby reducing the number of advertisements to the branches.
    15. Don’t Advertise Prisma Access Routes to prevent the IPSec Termination Node/hub from advertising its Prisma Access routes to the SD-WAN branches.
    16. Enter the Secret for authentication of BGP communications and Confirm Secret.
    17. Select a Link Tag for the hub.
      When you want to enable ECMP for a Prisma Access hub, onboard more than one branch interface to the same compute node (CN) and use the same Link Tag on those branch interfaces.
    18. Click OK. The display will include a Peer AS number and the Tunnel Monitor IP address provided by Prisma Access.
  3. Commit and Push the configuration to the cloud, where Prisma Access spins up the correct number of IPSec Termination Nodes based on requested bandwidth.
    When more than one IPSec tunnel is going to the same CN, the Prisma Access configuration has ECMP enabled with symmetric return, as shown in this Prisma Access example:
  4. Verify that onboarding is complete.
    1. Select Panorama > Cloud Services > Status and verify that the Remote Networks Deployment Status displays success.
    2. Select the Remote Networks Deployment Status details.
    3. Confirm that the Prisma Access node completion displays 100%.
  5. Synchronize the branch firewall to Prisma Access to retrieve the service IP address(es) of the CNs.
    1. Select Panorama > SD-WAN > Devices.
    2. Select the SD-WAN branch device.
    3. Select Prisma Access Onboarding and Sync To Prisma (and respond to the message to continue). Repeat for each branch device.
      After the sync to Prisma is successful, you will see the Prisma Access configuration parameters on the SD-WAN branch firewall. If not, wait for approximately 15 minutes and repeat the Sync to Prisma. If necessary, go to the Prisma Access plugin and verify that the CN onboarding has finished (you can see the CN with the bandwidth and IP addresses assigned). After that verification, retry Sync To Prisma.
  6. Commit to Panorama.
  7. Push to Devices to push to the local branch firewall. Edit Selections to select the Push Scope Selection. Select the correct Template and Device Group.
  8. On the branch firewall, select Network > Interfaces > SD-WAN and see the new interface that was created with the Link Tag you created, assigned to the Security Zone named zone-to-pa-hub, and with the IPSec tunnel connecting to the CN.
  9. Select Network > IPSec Tunnels and verify the IPSec tunnel is up.
  10. Select Network > Network Profiles > IKE Gateways and verify the IKE gateway is up.
  11. Create an SD-WAN policy rule to generate monitoring data.
    This step is required to baseline Prisma Access Hub latency, jitter, and packet loss data for accurate traffic distribution. SD-WAN monitoring data is generated from traffic that matches your SD-WAN policy rules.
    1. Create a Path Quality Profile with high latency, jitter, and packet loss thresholds.
      A Path Quality profile is required to create an SD-WAN policy rule. Creating a Path Quality profile with high thresholds allows you to baseline latency, jitter, and packet loss for the Prisma Access Hub without causing an application to swap to a different link.
  12. Commit, and then Commit and Push to branch firewalls.
  13. Refresh the Prisma IKE preshared key.
    If you need to change the current Prisma IKE key that is used to secure the IPSec connection between the branch and the Prisma hub, perform this step to randomly generate a new key for the tunnel and update both sides of the tunnel. Perform this step when the hub and branch are not busy.
    Do not create an IKE gateway manually with a name beginning with “gw_” because such names are reserved for Prisma IKE creation during onboarding. Refreshing the Prisma IKE preshared key updates every IKE gateway whose name begins with “gw_”, including any that were not created by Prisma Access.
    1. Select Panorama > SD-WAN > Devices and select a device.
    2. At the bottom of the screen, select Refresh Prisma IKE Key.
    3. A message appears notifying you that: “Refreshing the IKE key will update all SD-WAN tunnels between the branch and the Prisma Access hub and will require a simultaneous configuration push to all branch and Prisma Access hub devices. Best practice recommendation is to perform the refresh during a maintenance window as traffic can be affected. Do you wish to continue?” Select Yes if you wish to continue.
  14. Commit, and then Commit and Push to branch firewalls.
  15. Monitor Prisma Access Hub Application and Link Performance to understand the baseline latency, jitter, and packet loss for the links to Prisma Access.
    This step is required to gather accurate latency, jitter, and packet loss data to fine-tune your Prisma Access Hub Path Quality profiles.
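The Phase 2 steps above state several constraints that are easy to violate once many branches are onboarded: the BGP Prisma Address Pool must be an unused private subnet, every SD-WAN device needs a unique Site name, all interfaces on one branch must use the same tenant, and manually created IKE gateways must not use the reserved “gw_” prefix. The following Python lint is added here as an example (it is not Palo Alto Networks code) and checks a constructed onboarding plan against those rules before you begin; the dict layout, device names, tenants and subnets are all assumptions, not the Panorama schema.

```python
# Added example, not Palo Alto Networks code: lint a planned SD-WAN / Prisma
# Access onboarding against the constraints stated on this page.
import ipaddress


def check_address_pool(pool, infra_subnet, existing_pools=()):
    """Check a proposed BGP Prisma Address Pool: it must be a private subnet and
    must not overlap the infrastructure subnet or any pool already in use."""
    problems = []
    net = ipaddress.ip_network(pool, strict=False)
    if not net.is_private:
        problems.append(f"{pool} is not a private subnet")
    for other in (infra_subnet, *existing_pools):
        if net.overlaps(ipaddress.ip_network(other, strict=False)):
            problems.append(f"{pool} overlaps {other}")
    return problems


def check_branches(branches):
    """Each branch is a dict (constructed layout, not the Panorama schema) with
    'name', 'site', 'interfaces' (interface -> tenant) and 'manual_ike_gateways'.
    Flags duplicate Site names, interfaces onboarded to different tenants on one
    branch, and manually created IKE gateways using the reserved 'gw_' prefix."""
    problems, site_owner = [], {}
    for b in branches:
        if b["site"] in site_owner:
            problems.append(f"site {b['site']!r} reused by {site_owner[b['site']]} and {b['name']}")
        site_owner.setdefault(b["site"], b["name"])
        tenants = set(b["interfaces"].values())
        if len(tenants) > 1:
            problems.append(f"{b['name']} uses more than one tenant: {sorted(tenants)}")
        for gw in b["manual_ike_gateways"]:
            if gw.startswith("gw_"):
                problems.append(f"{b['name']}: manual IKE gateway {gw!r} uses reserved prefix gw_")
    return problems


# Constructed sample plan containing one deliberate violation of each rule.
SAMPLE_BRANCHES = [
    {"name": "branch-a", "site": "Austin",
     "interfaces": {"ethernet1/1": "default", "ethernet1/2": "default"},
     "manual_ike_gateways": ["gw_to_dc"]},
    {"name": "branch-b", "site": "Austin",
     "interfaces": {"ethernet1/1": "default", "ethernet1/2": "tenant2"},
     "manual_ike_gateways": ["ike-dc-backup"]},
]

if __name__ == "__main__":
    for p in check_address_pool("192.168.100.0/24", "10.0.0.0/16", ["192.168.0.0/16"]):
        print("pool:", p)
    for p in check_branches(SAMPLE_BRANCHES):
        print("branch:", p)
```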