Onboard PAN-OS Firewalls to Prisma Access
Configure an SD-WAN branch firewall to connect to a Prisma Access hub for cloud-based security.
SD-WAN Plugin 2.2 provides Prisma Access hub support, in which PAN-OS firewalls connecting to Prisma Access compute nodes (CNs) achieve cloud-based security in an SD-WAN hub-and-spoke topology. In this topology, the SD-WAN hubs are Prisma Access CNs (IPSec Termination Nodes) and the SD-WAN branches are PAN-OS firewalls. A maximum of four hubs (any combination of PAN-OS hubs participating in DIA AnyPath and Prisma Access hubs) are supported. SD-WAN automatically creates IKE and IPSec tunnels that connect the branch to the hub. Review the system requirements for SD-WAN and Prisma Access.
It is important to configure Prisma Access first, and then configure SD-WAN.
- If you are starting a brand new Prisma Access configuration, read the Prisma Access Administrator’s Guide and complete Phase 1 and then Phase 2 configuration steps.
- If you already have Prisma Access running, ensure Phase 1 is complete, and then complete Phase 2.
The following flowchart shows the order of the two configuration phases and basic steps within each phase. The full Prisma Access prerequisites with links and the configuration steps for SD-WAN follow the flowchart.
Flowchart: Phase 1, Prisma Access (complete Phase 1 first); Phase 2, SD-WAN (begin only after completing Phase 1).
Before you connect SD-WAN to Prisma Access, you must have a branch firewall with an interface that has SD-WAN enabled. Additionally, ensure you have performed the following Prisma Access prerequisites for one or more tenants; these are the Phase 1 steps:
- Set up the infrastructure subnet, infrastructure BGP AS, template stack, and device group for a tenant on the Panorama > Cloud Services > Configuration > Service Setup page.
- On the Remote Networks page, set up template stacks, templates, device groups, trust and untrust zones, and bandwidth allocation for specific regions.
- Ensure your Prisma Access deployment is licensed for remote networks by selecting Panorama > Licenses and checking your license information.
  - Licenses available after November 17, 2020 show the amount of licensed bandwidth you have for remote networks in the Net Capacity area.
  - Licenses available before November 17, 2020 show the available remote network bandwidth in the GlobalProtect Cloud Service for Remote Networks area under Total Mbps.
- Ensure your deployment allocates bandwidth per compute location, instead of by location.
- Ensure you have assigned bandwidth to the compute location that corresponds to the location to which you want to onboard. Prisma Access allocates one IPSec termination node per 500 Mbps of bandwidth you allocate to a region.
- Perform a local commit and push to the Prisma Access cloud.
After you have performed the preceding steps for Phase 1 with Prisma Access, perform the following Phase 2 steps for SD-WAN.
- Specify the BGP local address pool for loopback addresses.
  - Select Panorama > SD-WAN > VPN Clusters.
  - At the bottom of the screen, select BGP Prisma Address Pool.
  - Add an unused private subnet (prefix and netmask) for the local BGP addresses for Prisma Access.
  - Commit. Do not simply change an existing address pool if Prisma Access is already onboarded. If you need to change an address pool, perform the following steps during a maintenance window to update the SD-WAN branch and the Prisma Access CN with your address pool changes:
    - Use Panorama to access an SD-WAN branch and delete the existing onboarding that the address pool change will impact; then do a local Commit.
    - Update the VPN address pool, and then do a local Commit.
    - Perform the Prisma Access onboarding again, and then do a local Commit and Push.
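As an added illustration (not code from the Palo Alto Networks documentation), the following Python check screens a candidate BGP Prisma Address Pool before you add it: the prefix must be a valid IPv4 network with no host bits set, must lie in RFC 1918 private space, and must not overlap any prefix already allocated, such as the Prisma Access infrastructure subnet or a branch LAN. The set of in-use prefixes and the number of loopback addresses you expect to draw from the pool are assumptions you supply.

```python
import ipaddress

# RFC 1918 private ranges; the procedure calls for an "unused private subnet".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def validate_bgp_address_pool(candidate, in_use, needed_loopbacks=1):
    """Check a candidate BGP Prisma Address Pool.

    candidate        -- prefix/netmask string, e.g. "10.200.0.0/24"
    in_use           -- dict of label -> prefix already allocated elsewhere
                        (infrastructure subnet, branch LANs, other pools)
    needed_loopbacks -- loopback addresses you expect to consume from the pool
                        (assumption: one per onboarded branch interface per hub;
                        adjust to your deployment)

    Returns (ok, reasons): ok is True only when reasons is empty.
    """
    reasons = []
    try:
        # strict=True rejects input such as "10.200.0.5/24" that has host bits set.
        net = ipaddress.ip_network(candidate, strict=True)
    except ValueError as exc:
        return False, [f"not a valid prefix/netmask: {exc}"]

    if net.version != 4:
        return False, ["pool must be an IPv4 prefix"]

    if not any(net.subnet_of(private) for private in RFC1918):
        reasons.append(f"{net} is not in RFC 1918 private space")

    for label, prefix in in_use.items():
        used = ipaddress.ip_network(prefix, strict=False)
        if used.version == 4 and net.overlaps(used):
            reasons.append(f"{net} overlaps {label} ({used})")

    # Loopbacks are /32s, so every address in the pool is usable.
    usable = net.num_addresses
    if usable < needed_loopbacks:
        reasons.append(f"{net} provides {usable} addresses, {needed_loopbacks} needed")

    return not reasons, reasons


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    allocated = {
        "Prisma Access infrastructure subnet": "172.16.55.0/24",
        "branch LAN": "10.1.0.0/16",
    }
    for pool in ("10.200.0.0/24", "10.1.5.0/24", "8.8.8.0/24", "10.200.0.5/24"):
        ok, why = validate_bgp_address_pool(pool, allocated, needed_loopbacks=4)
        print(pool, "OK" if ok else "REJECT: " + "; ".join(why))
```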
- Select the SD-WAN branch firewall to connect to the Prisma Access hub and configure the connection.
  - Select the branch firewall on which you enabled SD-WAN; its name then populates the Name field.
  - Select the Type of device as Branch.
  - Select the Router Name.
  - Enter the Site. All SD-WAN devices must have a unique Site name.
  - Select Prisma Access Onboarding and Add.
  - Select a local, SD-WAN-enabled Interface on the firewall to connect to the Prisma Access hub.
  - Select a Prisma Access Tenant (select default for a single-tenant environment). All SD-WAN interfaces on a branch firewall must use the same Prisma Access tenant.
  - Enter a helpful Comment.
  - Add a compute node to a Region by selecting the region where the CN (Prisma Access hub) is located. There can be multiple regions per interface.
  - Select an IPSec Termination Node (GP gateway) from the list of nodes; the list is based on the nodes that Prisma Access spun up for the region earlier. You are choosing the hub to which this branch connects. SD-WAN Auto VPN configuration builds IKE and IPSec relationships and tunnels with this node.
  - Enable BGP for communication between the branch and hub (Enable is the default).
  - Advertise Default Route to allow the Prisma Access hub’s default route to be advertised to the branch firewall.
  - Summarize Mobile User Routes before advertising to have the Prisma Access hub advertise summarized mobile user IP subnet routes, thereby reducing the number of advertisements to the branches.
  - Don’t Advertise Prisma Access Routes to prevent the IPSec Termination Node/hub from advertising its Prisma Access routes to the SD-WAN branches.
  - Enter the Secret for authentication of BGP communications and Confirm Secret.
  - Select a Link Tag for the hub. When you want to enable ECMP for a Prisma Access hub, onboard more than one branch interface to the same compute node (CN) and use the same Link Tag on those branch interfaces.
  - Click OK. The display will include a Peer AS number and the Tunnel Monitor IP address provided by Prisma Access.
  - Commit and Push the configuration to the cloud, where Prisma Access spins up the correct number of IPSec Termination Nodes based on requested bandwidth. When more than one IPSec tunnel is going to the same CN, the Prisma Access configuration has ECMP enabled with symmetric return, as shown in the Prisma Access example.
- Verify that onboarding is complete.
  - Select Panorama > Cloud Services > Status and verify that the Remote Networks Deployment Status displays success.
  - Select the Remote Networks Deployment Status details.
  - Confirm that the Prisma Access node completion displays 100%.
- Synchronize the branch firewall to Prisma Access to retrieve the service IP address(es) of the CNs.
  - Select the SD-WAN branch device.
  - Select Prisma Access Onboarding and Sync To Prisma (and respond to the message to continue). Repeat for each branch device. After the sync to Prisma is successful, you will see the Prisma Access configuration parameters on the SD-WAN branch firewall. If not, wait for approximately 15 minutes and repeat the Sync To Prisma. If necessary, go to the Prisma Access plugin and verify that the CN onboarding has finished (you can see the CN with the bandwidth and IP addresses assigned). After that verification, retry Sync To Prisma.
  - Commit to Panorama.
  - Push to Devices to push to the local branch firewall. Edit Selections to select the Push Scope Selection. Select the correct Template and Device Group.
  - On the branch firewall, select Network > Interfaces > SD-WAN and see the new interface that was created with the Link Tag you created, assigned to the Security Zone named zone-to-pa-hub, and with the IPSec tunnel connecting to the CN.
  - Select Network > IPSec Tunnels and verify the IPSec tunnel is up.
  - Select Network > Network Profiles > IKE Gateways and verify the IKE gateway is up.
- Create an SD-WAN policy rule to generate monitoring data. This step is required to baseline Prisma Access hub latency, jitter, and packet loss data for accurate traffic distribution. SD-WAN monitoring data is generated from traffic that matches your SD-WAN policy rules.
  - Create a Path Quality Profile with high latency, jitter, and packet loss thresholds. A Path Quality profile is required to create an SD-WAN policy rule. Creating a Path Quality profile with high thresholds allows you to baseline latency, jitter, and packet loss for the Prisma Access hub without causing applications to swap to a different link.
  - Commit and Commit and Push to branch firewalls.
- Refresh the Prisma IKE preshared key. If you need to change the current Prisma IKE key that secures the IPSec connection between the branch and the Prisma Access hub, perform this step to randomly generate a new key for the tunnel and update both sides of the tunnel. Perform this step when the hub and branch are not busy. Do not manually create an IKE gateway with a name beginning with “gw_”, because such names are reserved for the IKE gateways that Prisma Access creates during onboarding; this refresh step refreshes every IKE gateway with such a name, including any that Prisma Access did not create.
  - Select Panorama > SD-WAN > Devices and select a device.
  - At the bottom of the screen, select Refresh Prisma IKE Key.
  - A message appears notifying you: “Refreshing the IKE key will update all SD-WAN tunnels between the branch and the Prisma Access hub and will require a simultaneous configuration push to all branch and Prisma Access hub devices. Best practice recommendation is to perform the refresh during a maintenance window as traffic can be affected. Do you wish to continue?” Select Yes if you wish to continue.
  - Commit and Commit and Push to branch firewalls.
- Monitor Prisma Access Hub Application and Link Performance to understand the baseline latency, jitter, and packet loss for the links to Prisma Access.