Configure Prisma Access Colo-Connect
Configure a Colo-Connect deployment in Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • A Prisma Access (Managed by Panorama) deployment running a minimum Cloud Services plugin version of 4.1 and a minimum dataplane version of 10.2.4
  • A Colo-Connect add-on license
Prisma Access Colo-Connect consists of the following components:
  • Colo—The colocation facility that provides rack-space, power and connectivity to host networking, private and public cloud infrastructure, such as Equinix.
  • Dedicated Interconnect—The dedicated Layer 2 or Layer 3 physical connection between your router and a GCP edge router in a given GCP compute region. A dedicated Interconnect provides a direct physical connection between your on-premises network and the Google network.
    Interconnects are called Links in the Prisma Access UI.
  • GCP VLAN Attachment—The logical Layer 2 connection over the link that separates traffic from any other logical connections sharing the same link.
    VLAN attachments are called Connections in the Prisma Access UI.
  • Partner Interconnect—The Layer 3 physical connection between a service provider owned router and a GCP edge router in a given GCP compute region. A partner Interconnect provides connectivity between your on-premises and VPC networks through a supported service provider.
    Colo-Connect supports both Dedicated and Partner interconnects.
  • Colo (Customer) Router—The routing device in the Colo facility that establishes eBGP with the GCP cloud router over the interconnect in the Colo facility, as well as eBGP with Colo-Connect service connection over the GRE tunnel. It is a customer router for a dedicated interconnect, or if the service provider has Layer 2 connectivity with GCP over the partner interconnect. The service provider owns the Colo router when it has Layer 3 connectivity with the GCP cloud-router.
  • GCP Edge Router—GCP's network edge equipment to provide physical connectivity between GCP and the customer/partner network via the Colo.
  • Cloud Router—The GCP software construct in the cloud that establishes BGP sessions with the networking device (for example, router or Layer 3 firewall) in the Colo and routes traffic between Prisma Access and your network. You are not required to configure this component; it is automatically done by Prisma Access.
To configure Colo-Connect, you must first gather information about your existing network environment and make sure that you have all required network components in place. Ensure you have all prerequisites; then, deploy Colo-Connect in your organization's network using either a partner or a dedicated interconnect.

Configure Prisma Access Colo-Connect (Strata Cloud Manager)

Configure a Colo-Connect deployment in Prisma Access.
To configure Colo-Connect, you must first gather information about your existing network environment and make sure that you have all the required network components in place. Ensure you have all prerequisites; then deploy Colo-Connect in your organization's network using either a partner or a dedicated interconnect.

Configure Prisma Access Colo-Connect—Deployments Using Partner Interconnects

To configure Prisma Access Colo-Connect using a partner interconnect, complete these steps.
  1. Create subnets for your Colo-Connect connections.
    You use the subnets you create here in the connections and service connections that you create in later steps.
    1. From Strata Cloud Manager, go to Workflows > Prisma Access Setup > Colo-Connect.
    2. Add Prefix, add a Colo-Connect subnet, and select a Prisma Access location for it.
      See the list of supported Colo-Connect locations here. Enter a minimum subnet of /28.
    3. (Optional) If you plan on creating Colo-Connect instances for more than one location, add more subnets on a per-location basis.
      You can configure one subnet per location.
  2. Add a new Colo-Connect link (also known as the interconnect).
    1. Go to Workflows > Prisma Access Setup > Colo-Connect and Add Link.
    2. Give the link a unique Link Name.
    3. Select Partner interconnect as the Link Type.
    4. Specify the remaining Colo-Connect link parameters.
      • Select either 10Gbps or 20Gbps for the Bandwidth.
      • Select either Zone1 or Zone2 for the Edge Availability Domain. Take this value from the GCP zone used for your edge availability domain.
      • Enter the Organization Name to use for this link.
      • Enter the Email to use for this link. Any email address is acceptable.
    5. Repeat steps 2.a to 2.d and create another link with a different Edge Availability Domain.
  3. Create the connections (also known as the VLAN attachments) for Colo-Connect.
    1. Go to Workflows > Prisma Access Setup > Colo-Connect and Add Connection.
    2. Configure the connection settings.
      • Enter a unique Connection Name.
      • Select a Link Name from the links you configured in a previous step.
        You do not need to enter a VLAN ID; it's not configurable for VLANs created on partner interconnects.
      • Select a Bandwidth for the connection.
        You can select between 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, or 20 Gbps.
        If you configure multiple connections for an interconnect, make sure that the total bandwidth of the connections does not exceed the bandwidth of the interconnect. For example, given a partner interconnect of 10 Gbps, you can configure 10 connections of 1 Gbps each, but don't exceed 10 Gbps in total for all connections.
        If your deployment requires more than 16 connections, reach out to your Palo Alto Networks account team, who will open an SRE case to accommodate the request.
      • Enter a BGP Peer ASN.
        Enter the Autonomous System (AS) number for the customer on-premises router in the Colo. The range is between 1 and 4294967295.
      • Select the Location from the connection names you created in a previous step.
        You must have already added a subnet for any location you specify.
      • (Optional) Enter the BGP MD5 Secret.
    3. Continue to create connections until complete.
      Create two connections. Both connections must be in the same region, and each connection must be in a different zone. You use these connections in the service connections you create in a later step.
  4. Push Config.
    Refresh the browser after the commit job is complete to view the pairing keys under Connections.
  5. Retrieve the Pairing Key and complete your partner interconnect configuration in GCP.
    You use this pairing key when you set up the partner interconnect in the Colo.
    When you first onboard a new connection, the Connections area shows a Status of PENDING_PARTNER and a BGP Status of DOWN. To bring the connection status to ACTIVE, retrieve the pairing key and enter it in the connection at the Colo.
    1. Go to Workflows > Prisma Access Setup > Colo-Connect > Connections and copy the Pairing Key.
    2. Create a new VLAN connection in the Colo.
    3. Paste the Pairing Key in the Colo VLAN.
      GCP detects when the pairing key is consumed, brings the VLAN status to ACTIVE, and generates the BGP IP address for you to configure on your on-premises router in the Colo. Prisma Access uses these IPs to initiate eBGP adjacency over each associated VLAN between Colo router and GCP cloud router.
  6. Create eBGP routing on the Customer (Colo) router for the Colo-Connect connection.
    You need to set up BGP peering to ensure connectivity between the customer router and the cloud router.
  7. Set up the service connections to use with Colo-Connect.
  8. Push Config.
  9. Check the status of the Colo-Connect connections.
    1. To check the status of a service connection used by a Colo-Connect connection, go to Workflows > Prisma Access Setup > Service Connection.
    2. Select Manage > Configuration > NGFW and Prisma Access. Set the Configuration Scope to Prisma Access. Select the In Sync status of the Service Connections under the Prisma Access sync status. Select the region that has a Colo-Connect connection deployed.
      • If the Colo-Connect connection and the BGP routing are both up, the Status displays OK.
      • If the Colo-Connect connection is up but BGP routing isn't up, the Status displays Warning.
      • If the Colo-Connect connection and BGP routing are down, the Status displays Down.
      • If the Colo-Connect connection is down but BGP routing is up, the Status displays Error.
    3. For more information, click the region box and view the information in the Status tab.
  10. Check the connection details, including the Pairing Key, of the Colo-Connect connections by going to Workflows > Prisma Access Setup > Colo-Connect.

Configure Prisma Access Colo-Connect—Deployments Using Dedicated Interconnects

To configure Prisma Access Colo-Connect using a dedicated interconnect, complete these steps.
  1. Create subnets for your Colo-Connect connections.
    You use the subnets you create here in the connections and service connections that you create in later steps.
    1. From Strata Cloud Manager, go to Workflows > Prisma Access Setup > Colo-Connect and click the gear icon to edit the settings.
    2. Add Prefix for Colo-Connect Subnet and select a Prisma Access location (PA Location) for it.
      Enter a minimum subnet of /28.
    3. (Optional) If you plan on creating Colo-Connect instances for more than one location, Add more subnets on a per-location basis.
      You can configure only one subnet per location.
  2. Add a new Colo-Connect link (also known as the interconnect).
    1. Go to Workflows > Prisma Access Setup > Colo-Connect and Add Link.
    2. Give the link a unique Link Name.
    3. Select a Dedicated interconnect as the Link Type.
    4. Specify the remaining Colo-Connect link parameters.
      • Select either 10Gbps or 20Gbps for the Bandwidth.
        If you select 20 Gbps, you must aggregate the Dedicated Interconnect link into two 10 Gbps links using LACP.
        You can't change the bandwidth of a dedicated interconnect link after you specify it and commit and push your changes.
      • Select a Colo-Connect Location from the drop-down list.
        Make sure that you select the same location that you used for the dedicated interconnect.
      • Select either Zone1 or Zone2 for the Edge Availability Domain. Take this value from the GCP zone used for your edge availability domain.
      • Enter the Organization Name to use for this link.
      • Enter the Email where you want to receive the LOA-CFA details from the cloud provider.
  3. After the dedicated connection is created, the Colo facility tests your connections and informs you that they have been tested and are ready to use.
    No Prisma Access configuration is required for this step. Don't create the Colo-Connect connections in Prisma Access until the Colo facility lets you know that they have been tested.
  4. Create the connections (also known as the VLAN attachments) for Colo-Connect.
    1. Make sure that the dedicated link status is Active by going to Workflows > Prisma Access Setup > Colo-Connect > Colo Connect Links.
      Until the Dedicated link status is Active, you can't create Colo-Connect links.
    2. Go to Workflows > Prisma Access Setup > Colo-Connect and Add Connection.
    3. Configure the connection settings.
      • Enter a unique Name for the connection.
      • Select a Link Name from the links you configured in a previous step.
      • (Optional) Enter a VLAN ID for the connection.
        VLAN IDs are generated by the interconnect vendor (GCP) if you don't manually enter a value.
      • Select a Bandwidth for the connection.
        You can select between 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, or 20 Gbps.
        If you configure multiple connections for an interconnect, make sure that the total bandwidth of the connections does not exceed the bandwidth of the interconnect. For example, given a dedicated interconnect of 20 Gbps, you can configure 10 connections of 2 Gbps each, but don't exceed 20 Gbps in total for all connections.
      • Enter a BGP Peer ASN.
        Enter the Autonomous System (AS) number for the customer on-premises router in the Colo. The range is between 1 and 4294967295.
      • Select the Location from the connection names you created in a previous step.
        You must have already added a subnet for any location you specify.
      • (Optional) Enter the BGP MD5 Secret.
    4. Continue to create connections until complete.
      Create two connections. Both connections must be in the same region, and each connection must be in a different zone. You use these connections in the service connections you create in a later step.
  5. Push Config.
  6. Configure eBGP routing on the customer router.
    You need to set up BGP peering to ensure connectivity between the customer router and the cloud router.
  7. Set up the service connections to use with Colo-Connect.
  8. Commit and Push your configuration changes, making sure that Colo-Connect is selected in the Push Scope.
  9. Check the status of the Colo-Connect connections.
    1. To check the status of a service connection used by a Colo-Connect connection, go to Manage > Configuration > NGFW and Prisma Access. Set the Configuration Scope to Prisma Access.
    2. Hover over a region that has a Colo-Connect connection deployed.
      • If the Colo-Connect connection and the BGP routing are both up, the Status displays OK.
      • If the Colo-Connect connection is up but BGP routing isn't up, the Status displays Warning.
      • If the Colo-Connect connection and BGP routing are down, the Status displays Down.
      • If the Colo-Connect connection is down but BGP routing is up, the Status displays Error.
    3. For more information, click the region box and view the information in the Status tab.
  10. Check the network details of the Colo-Connect connections by going to Workflows > Prisma Access Setup > Colo-Connect > Connections and viewing the details.
    For dedicated links, the Pairing Key displays as N/A.

Configure VLAN eBGP Routing on the Customer Router

GCP creates IP addresses for the customer (Colo) router and the cloud router during these stages of your deployment:
  • For partner interconnects, GCP creates the IP addresses after the pairing key is consumed by your Colo (for example, Equinix).
  • For dedicated interconnects, GCP creates the IP addresses after you onboard your Colo-Connect connections (VLAN attachments) and commit and push your changes.
To ensure correct routing, you must:
  • Configure the Colo router IP address (the Colo CPE IP in Prisma Access) as the local eBGP IP address
  • Configure the cloud router IP address (Cloud Router IP) as the eBGP peer address on your Colo router.
When complete, eBGP is configured for the connection (VLAN attachment) between the Colo router and the cloud router.
Creating this routing is the first step in setting up GRE tunnel routing. You complete the GRE tunnel routing when you set up GRE tunnels during service connection configuration.
Use the following steps to configure routing between the Colo and the cloud router.
  1. From Strata Cloud Manager, create the subnets, links, and connections and Push Config.
    Use the workflow specific to your interconnect type (either Partner or Dedicated). For Partner interconnects, be sure that you pasted the Pairing Key into the Colo VLAN.
  2. Go to Workflows > Prisma Access Setup > Colo-Connect > Connections.
  3. Make a note of the following connection elements:
    • Colo CPE IP
    • Cloud Router IP
    • Cloud Router BGP ASN
    In the following example:
    • For the vlan-central-1 connection, the Colo CPE IP is 169.254.24.170/29, the Cloud Router IP is 169.254.24.169/29, and the Cloud Router BGP ASN is 16550.
    • For the vlan-central-2 connection, the Colo CPE IP is 169.254.120.74/29, the Cloud Router IP is 169.254.120.73/29, and the Cloud Router BGP ASN is 16550.
  4. Determine the IP addresses you will use for the local GRE IP addresses when you set up the Colo-Connect service connections.
    You configure these when you set up a Colo-Connect service connection (Workflows > Prisma Access Setup > Service Connections), in the Peer IP 1 and, if required, Peer IP 2 areas.
    If you're configuring a service connection to support up to 10 Gbps of throughput, put one tunnel each in Connection 1 and Connection 2, for a total of two tunnels in each service connection.
    If you're configuring a service connection to support more than 10 Gbps of throughput (up to 20 Gbps), put two tunnels each in Connection 1 and Connection 2, for a total of four tunnels in each service connection.
    The following examples show a tunnel being configured for more than 10 Gbps throughput, so two tunnels per connection are used, and they use the following peer IP addresses:
    • 172.120.1.1 for Connection 1
    • 172.130.1.1 for Connection 1
    • 172.121.1.1 for Connection 2
    • 172.131.1.1 for Connection 2
  5. Log in to the Colo router.
    The following configuration examples use a Palo Alto Networks Next-Generation Firewall as the Colo router.
  6. Add a VLAN interface, specifying the Colo CPE IP address as the IP address.
    If you're using a next-generation firewall as the Colo router, go to Network > Interfaces > VLAN and Add the VLAN interface, specifying the Virtual Router name, and
  7. Configure the Colo router IP address (Colo CPE IP) as the local eBGP IP address and Configure the cloud router IP address (Cloud Router IP) as the eBGP peer address on your Colo router.
    If you're using a next-generation firewall as the Colo router, go to Network > Virtual Routers, Add a virtual router, go to BGP > Peer Group, and enter the Cloud Router IP as the Peer Address and the Colo CPE IP as the Local Address.
  8. Configure the Cloud Router BGP ASN as the eBGP peer Autonomous System Number (ASN).
    If you're using a next-generation firewall as the Colo router, go to Network > Virtual Routers, Add a virtual router, go to BGP > Peer Group, Add a peer group, and select a Peer AS of 16550.
  9. Create a BGP export policy that allows only the local GRE IP address to be advertised to the cloud router peer IP address.
    Because cloud routers can receive only a limited number of routes, you need to create policies so that only the routing between the IP addresses for the service connection GRE tunnels is sent to the cloud router.
    If you're using a next-generation firewall as the Colo router, go to Network > Virtual Routers, Add a virtual router, go to BGP > Export, Add an export rule, Match the IP addresses used as the peer IP address, and create an Action of Allow.
  10. Create the Colo-Connect service connections.

Create Colo-Connect Service Connections

Colo-Connect uses service connections, but they differ from standard Prisma Access service connections in that they use GRE tunnels instead of IPSec tunnels and always use BGP for routing. To configure Colo-Connect service connections, complete the following steps.
  1. Make sure that Prisma Access withdraws static routes by going to Workflows > Prisma Access Setup > Service Connections > Advanced Settings, and selecting Withdraw Static Routes if Service Connection or Remote Network IPSec tunnel is down.
    Selecting this choice ensures that, if the GRE tunnel is down, the static route used by the GRE tunnel is withdrawn.
  2. Go to the Workflows > Prisma Access Setup > Colo-Connect > Connections tab and make sure that the connections are in an Active state by checking their Status.
    Until the Status of the connection is Active, you can't configure service connections.
  3. Go to Manage > Configuration > NGFW and Prisma Access and set the configuration scope to Prisma Access.
  4. Refresh the Prisma Access Sync Status so that the Colo-Connect configuration is provisioned in the service connections area.
  5. Go to Workflows > Prisma Access Setup > Service Connection > Add Service Connection, give it a unique Name, and select a Transport Type of Colo-Connect.
    Make sure that the name you enter is 31 characters long or less; entering a name 32 characters or longer causes the tunnel to be mapped incorrectly in the Prisma Access infrastructure.
  6. Select two connections to use with the service connections (Connection 1 and Connection 2).
    These connections must be in two different zones.
  7. Select Active or Backup for Connection 1 and Connection 2.
    Use these guidelines when setting up service connections:
    • You can configure connections in these modes:
      • Active/Active
      • Active/Backup
      • Backup/Active
      Configuring both connections in Backup/Backup mode is invalid and not supported.
    • The bandwidth of the connections must be the same for all modes.
    • The connections must be in different zones.
    • The maximum bandwidth you can specify for a service connection is 20 Gbps. If you specify a Bandwidth of 20 Gbps for a connection, you can't use that connection in an Active/Active configuration (it must be set as Active/Backup).
    • Don't mix dedicated and partner interconnects in the same service connection, and make sure that the service connections use different zones. This table shows the allowed and disallowed configurations for service connections, assuming that zones, locations, bandwidth, and roles follow the service connection guidelines and requirements:
      Connection 1 Belongs To | Connection 2 Belongs To | Valid Colo-Connect Service Connection Configuration?
      Partner Connect 1       | Partner Connect 2       | Yes
      Dedicated Connect 1     | Dedicated Connect 2     | Yes
      Partner Connect 1       | Partner Connect 1       | No
      Dedicated Connect 1     | Dedicated Connect 1     | No
      Partner Connect         | Dedicated Connect       | No
  8. (Optional and for hot potato routing deployments only) Select a service connection to use as the preferred backup, which is the Backup SC, in the hot potato routing configuration.
    You can only select a service connection that has been configured as a Colo-Connect service connection. Prisma Access uses the Backup SC you select as the preferred service connection in the event of a connection failure. Selecting a backup service connection can prevent asymmetric routing issues if you have created more than two service connections.
  9. (Optional) Enable Source NAT for Mobile Users—GlobalProtect IP pool addresses, IP addresses in the Infrastructure subnet, or both.
    You can specify a subnet at one or more service connections that are used to NAT traffic between Prisma Access GlobalProtect mobile users and private applications and resources at a data center.
    • Enable Data Traffic Source NAT—Performs NAT on Mobile User IP address pool addresses so that they are not advertised to the data center, and only the subnets you specify at the service connections are advertised and routed in the data center.
    • Enable Infrastructure Traffic Source NAT—Performs NAT on addresses from the Infrastructure subnet so that they are not advertised to the data center, and only those subnets you specify at the service connections are advertised and routed in the data center.
    • IP Pool—Specify the IP address pool used to perform NAT on the mobile user IP address pool, Infrastructure subnet, or both. Use a private IP (RFC 1918) subnet or a suitable subnet that’s routable in your routing domain, and does not overlap with the Mobile Users—GlobalProtect IP address pool or the Infrastructure subnet. Enter a subnet between /25 and /32.
  10. In the GRE and BGP area, configure the GRE tunnel and BGP settings for the service connection.
    BGP is always set to Enable.
    1. (Optional) Select from the following choices:
      • To add a no-export community for Corporate Access Nodes (Service Connections) to the outbound prefixes from the eBGP peers at the customer premises equipment (CPE), set Add no-export community to Enabled Out. This capability is Disabled by default.
        Don't use this capability in hot potato routing mode.
      • To reduce the number of mobile user IP subnet advertisements over BGP to your customer premises equipment (CPE), select Summarize Mobile User Routes before advertising.
        By default, Prisma Access advertises the mobile users IP address pools in blocks of /24 subnets; if you summarize them, Prisma Access advertises the pool based on the subnet you specified. For example, Prisma Access advertises a public user mobile IP pool of 10.8.0.0/20 using the /20 subnet, rather than dividing the pool into subnets of 10.8.1.0/24, 10.8.2.0/24, 10.8.3.0/24, and so on, before advertising them. Summarizing these advertisements can reduce the number of routes stored in CPE routing tables. For example, you can use IP pool summarization with cloud VPN gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) that can accept a limited number of routes.
        If you have hot potato routing enabled and you enable route summarization, Prisma Access no longer prepends AS-PATHs, which might cause asymmetric routing. Be sure that your return traffic from the data center or headquarters location has guaranteed symmetric return before you enable route summarization with hot potato routing.
      • To prevent the Prisma Access BGP peer from forwarding routes into your organization’s network, select Don’t Advertise Prisma Access Routes.
        By default, Prisma Access advertises all BGP routing information, including local routes and all prefixes it receives from other service connections, remote networks, and mobile user subnets. Select this check box to prevent Prisma Access from sending any BGP advertisements, but still use the BGP information it receives to learn routes from other BGP neighbors.
        Since Prisma Access does not send BGP advertisements if you select this option, you must configure static routes on the on-premises equipment to establish routes back to Prisma Access.
    2. From Strata Cloud Manager, return to Workflows > Prisma Access Setup > Service Connection and create a GRE tunnel for Connection 1 by entering a GRE Tunnel Name 1 and a Peer IP 1 for Connection 1 and, if more than 10 Gbps of bandwidth is required, entering GRE Tunnel Name 2 and Peer IP 2 for the second tunnel for Connection 1; then, create a GRE tunnel for Connection 2 by repeating these same steps.
      Each pair of GRE tunnels in a connection supports a maximum of 10 Gbps of bandwidth. If you require more than 10 Gbps of bandwidth, configure two tunnels per connection.
      For the Peer IP, enter the GRE IP address of the on-premises router in the Colo.
      Use IPv4 addresses for the BGP values; IPv6 isn't supported.
    3. Enter the Peer Address and the Local Address for the BGP Peer 1 and, if a second is required for Connection 1, BGP Peer 2.
      For Peer Address, enter the BGP Peer IP address of the Colo router; for Local Address, enter the address that will be used for BGP network establishment over the GRE tunnel.
    4. (Optional) To configure a BGP secret, enter the Secret and Confirm Secret values.
  11. Commit and Push your configuration changes, making sure that Colo-Connect is selected in the Push Scope.
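As an added example, not code from Palo Alto Networks, the following Python checks a planned deployment against the sizing and pairing rules given in this guide: the minimum /28 subnet per location, connection bandwidth that must not exceed the link, the BGP Peer ASN range, the 31-character service connection name limit, and the zone, region, bandwidth, role, interconnect-type and GRE-tunnel-count rules for the two connections in a service connection. The Plan, Link, Connection and ServiceConnection classes and the sample values are assumptions that hold what you would otherwise enter in Strata Cloud Manager.

```python
import ipaddress
from dataclasses import dataclass

ASN_MAX = 4294967295            # BGP Peer ASN range is 1 to 4294967295
CONNECTION_BANDWIDTHS = {1, 2, 5, 10, 20}   # Gbps choices for a connection
SC_NAME_MAX = 31                # a 32+ character name mis-maps the tunnel
MIN_SUBNET_PREFIXLEN = 28       # "Enter a minimum subnet of /28"

@dataclass
class Link:                     # assumption: models a Colo-Connect link (interconnect)
    name: str
    kind: str         # "partner" or "dedicated"
    bandwidth: int    # Gbps
    zone: str         # edge availability domain: "Zone1" or "Zone2"

@dataclass
class Connection:               # assumption: models a connection (VLAN attachment)
    name: str
    link: str         # Link.name the VLAN attachment rides on
    bandwidth: int    # Gbps
    peer_asn: int     # ASN of the Colo router
    location: str     # Prisma Access location

@dataclass
class ServiceConnection:        # assumption: models a Colo-Connect service connection
    name: str
    conn1: str
    conn2: str
    roles: tuple      # (role of conn1, role of conn2): "Active" or "Backup"
    tunnels_per_conn: int

@dataclass
class Plan:
    subnets: dict     # location -> Colo-Connect subnet (one per location)
    links: list
    connections: list
    service_connections: list

def validate(plan):
    """Return the list of rule violations; an empty list means the plan passes."""
    errors = []
    for loc, prefix in plan.subnets.items():
        if ipaddress.ip_network(prefix, strict=False).prefixlen > MIN_SUBNET_PREFIXLEN:
            errors.append(f"{loc}: subnet {prefix} is smaller than /28")
    links = {l.name: l for l in plan.links}
    conns = {c.name: c for c in plan.connections}
    allocated = {}  # link name -> Gbps consumed by its connections
    for c in plan.connections:
        if c.bandwidth not in CONNECTION_BANDWIDTHS:
            errors.append(f"{c.name}: bandwidth must be 1, 2, 5, 10 or 20 Gbps")
        if not 1 <= c.peer_asn <= ASN_MAX:
            errors.append(f"{c.name}: BGP Peer ASN out of range")
        if c.location not in plan.subnets:
            errors.append(f"{c.name}: no Colo-Connect subnet added for {c.location}")
        allocated[c.link] = allocated.get(c.link, 0) + c.bandwidth
    for name, total in allocated.items():
        if name in links and total > links[name].bandwidth:
            errors.append(f"{name}: connections total {total} Gbps, which exceeds link bandwidth")
    for sc in plan.service_connections:
        if len(sc.name) > SC_NAME_MAX:
            errors.append(f"{sc.name}: name longer than {SC_NAME_MAX} characters")
        if sc.conn1 not in conns or sc.conn2 not in conns:
            errors.append(f"{sc.name}: references an unknown connection")
            continue
        c1, c2 = conns[sc.conn1], conns[sc.conn2]
        l1, l2 = links.get(c1.link), links.get(c2.link)
        if l1 is None or l2 is None:
            errors.append(f"{sc.name}: a connection references an unknown link")
            continue
        if l1.zone == l2.zone:
            errors.append(f"{sc.name}: both connections are in {l1.zone}; use two zones")
        if l1.kind != l2.kind:
            errors.append(f"{sc.name}: mixes partner and dedicated interconnects")
        if c1.location != c2.location:
            errors.append(f"{sc.name}: connections must be in the same region")
        if c1.bandwidth != c2.bandwidth:
            errors.append(f"{sc.name}: connection bandwidths differ")
        if sc.roles == ("Backup", "Backup"):
            errors.append(f"{sc.name}: Backup/Backup is not supported")
        if c1.bandwidth == 20 and sc.roles == ("Active", "Active"):
            errors.append(f"{sc.name}: 20 Gbps connections must be Active/Backup")
        expected = 2 if c1.bandwidth > 10 else 1   # above 10 Gbps needs two GRE tunnels per connection
        if sc.tunnels_per_conn != expected:
            errors.append(f"{sc.name}: {c1.bandwidth} Gbps needs {expected} GRE tunnel(s) per connection")
    return errors

def sample_plan(oversubscribe=False):
    """Constructed two-zone partner plan; oversubscribe=True breaks two rules."""
    links = [Link("link-z1", "partner", 10, "Zone1"), Link("link-z2", "partner", 10, "Zone2")]
    conns = [Connection("vlan-central-1", "link-z1", 5, 65001, "us-central"),
             Connection("vlan-central-2", "link-z2", 5, 65001, "us-central")]
    scs = [ServiceConnection("sc-central", "vlan-central-1", "vlan-central-2",
                             ("Active", "Backup"), 1)]
    if oversubscribe:   # a third 10 Gbps VLAN on a 10 Gbps link, and an invalid role pair
        conns.append(Connection("vlan-central-3", "link-z1", 10, 65001, "us-central"))
        scs[0].roles = ("Backup", "Backup")
    return Plan({"us-central": "10.200.0.0/28"}, links, conns, scs)
```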

Set Up Routing for the Service Connection Using GRE Tunnels

The Colo router advertises its GRE tunnel peer IP address to the cloud router, and learns the subnet for the GRE tunnel from the cloud router. When you first configured the eBGP routing over the VLAN on the customer router, you advertised local reachability for the GRE tunnels. After the cloud router and the Colo router advertise and learn the routes for the Colo subnet and the local GRE IP addresses from each other, the GRE tunnels used by the service connection become active (up).
To set up routing and add GRE tunnels to the service connections, complete the following steps.
  1. Make a note of the IP addresses you will use for the Peer Address and the Local Address for the BGP Peer 1 and, if a second is required for Connection 1, BGP Peer 2.
    The following examples use the following peer and local addresses:
    • Peer Address—10.10.120.0 and 10.10.130.1 for Connection 1, 10.10.120.2 and 10.10.130.2 for Connection 2
    • Local Address—10.10.120.2 and 10.10.130.2 for Connection 1, 10.10.121.2 and 10.10.131.2 for Connection 2
  2. Make a note of the IP addresses you will use for the Peer IP 1 and, if required, Peer IP 2 address in the service connections.
    You use these IP addresses to create a Deny policy that prevents the local GRE IP address from being advertised to the Colo-Connect service connection.
    All examples in this document use these IP addresses:
    • 172.120.1.1 for Connection 1
    • 172.121.1.1 for Connection 2
  3. Configure Peer groups for the peer and local IP addresses.
    If you're using a next-generation firewall as the Colo router, go to Network > Virtual Routers, Add a virtual router, go to BGP > Peer Group, and enter the Peer Address as the Peer Address and the Local Address as the Local Address.
  4. Create a BGP export policy to deny the peer IP addresses you configured (172.120.1.1, 172.130.1.1, 172.121.1.1, and 172.131.1.1) and apply it to the peer groups you created.
    This export policy places a DENY rule on the local GRE tunnel peer IP addresses and allows all other routes to be advertised to the service connection.
    If you're using a next-generation firewall as the Colo router, go to Network > Virtual Routers, Add a virtual router, go to BGP > Export, Add an export rule, Match the IP addresses used as the peer IP address, and create an Action of Deny.
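As an added example that is not Palo Alto Networks code, and that serves both steps 6 to 9 of the VLAN eBGP routing procedure and steps 3 and 4 above, the following Python derives the Colo router's Local and Peer addresses from the connection values quoted in this guide and evaluates the two export policies against a set of candidate routes: toward the cloud router only the GRE tunnel IPs are allowed, and toward the service connection peer group those same IPs are denied. The connection values and GRE peer IPs are the ones quoted in this guide; the candidate routes and the rule-list policy model are constructed assumptions.

```python
import ipaddress

# Connection details as shown under Workflows > Prisma Access Setup > Colo-Connect > Connections
# (the two example connections quoted in this guide).
CONNECTIONS = {
    "vlan-central-1": {"colo_cpe_ip": "169.254.24.170/29",
                       "cloud_router_ip": "169.254.24.169/29", "cloud_router_asn": 16550},
    "vlan-central-2": {"colo_cpe_ip": "169.254.120.74/29",
                       "cloud_router_ip": "169.254.120.73/29", "cloud_router_asn": 16550},
}
# Local GRE IP addresses entered as Peer IP 1/2 in the service connection (two tunnels per connection).
GRE_PEER_IPS = ["172.120.1.1", "172.130.1.1", "172.121.1.1", "172.131.1.1"]


def colo_router_peering(conn):
    """Map a connection's details onto the Colo router's eBGP peer settings.
    The Colo CPE IP is the router's own (Local) address and the Cloud Router IP
    is the Peer address; both must be hosts of the /29 GCP assigned to the VLAN."""
    local = ipaddress.ip_interface(conn["colo_cpe_ip"])
    peer = ipaddress.ip_interface(conn["cloud_router_ip"])
    if local.network != peer.network or local.ip == peer.ip:
        raise ValueError(f"{local} and {peer} are not two hosts of one /29")
    return {"local_address": str(local.ip), "peer_address": str(peer.ip),
            "peer_as": conn["cloud_router_asn"]}


def export_policy(prefixes, action, default):
    """Ordered export rules (first match wins) plus the action for unmatched routes.
    This rule-list model is an assumption, not a firewall's native policy format."""
    return {"rules": [(ipaddress.ip_network(p), action) for p in prefixes],
            "default": default}


def advertised(candidate_routes, policy):
    """Return the candidate routes that the export policy lets the router advertise."""
    allowed = []
    for route in candidate_routes:
        net = ipaddress.ip_network(route)
        action = policy["default"]
        for match, rule_action in policy["rules"]:
            if net.subnet_of(match):
                action = rule_action
                break
        if action == "allow":
            allowed.append(route)
    return allowed


# Peer group toward the cloud router: only the GRE tunnel /32s, because cloud routers
# accept a limited number of routes (step 9 of the VLAN eBGP routing procedure).
TO_CLOUD_ROUTER = export_policy(GRE_PEER_IPS, "allow", default="deny")
# Peer group toward the Colo-Connect service connection: deny those same /32s and
# allow everything else (step 4 of the GRE tunnel routing procedure).
TO_SERVICE_CONNECTION = export_policy(GRE_PEER_IPS, "deny", default="allow")

# Constructed sample of what sits in the Colo router's routing table.
SAMPLE_ROUTES = ["172.120.1.1/32", "172.130.1.1/32", "172.121.1.1/32",
                 "172.131.1.1/32", "10.50.0.0/16", "192.168.10.0/24"]

if __name__ == "__main__":
    for name, conn in CONNECTIONS.items():
        print(name, colo_router_peering(conn))
    print("to cloud router:", advertised(SAMPLE_ROUTES, TO_CLOUD_ROUTER))
    print("to service connection:", advertised(SAMPLE_ROUTES, TO_SERVICE_CONNECTION))
```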

Increase or Decrease the Bandwidth of a Colo-Connect Service Connection

When you configure service connections, you configure bandwidth based on the connections (VLAN attachments) you associate with it. You allocate two connections per service connection, and then allocate either one or two GRE tunnels per connection.
While each Colo-Connect service connection supports a maximum of 20 Gbps, each GRE tunnel in the service connection supports 10 Gbps. For this reason, you might have to add or delete GRE tunnels in the Colo-Connect service connection if you change the total bandwidth of a link and that change moves the service connection bandwidth above or below 10 Gbps.

Increase the Bandwidth of a Colo-Connect Service Connection

To increase the bandwidth of an existing service connection above 10 Gbps, complete the following steps:
  1. Go to Workflows > Prisma Access Setup > Colo-Connect.
  2. Select the Link Name associated with the service connection.
  3. Increase the Bandwidth of the link (interconnect).
  4. Push Config.
  5. Go to Workflows > Prisma Access Setup > Service Connection.
  6. Add the extra GRE tunnel to the Colo-Connect service connection.
  7. Push Config.
  8. Add the GRE local (peer) IP addresses to your export policies for the VLAN eBGP routing and service connection routing for the GRE tunnels.

Decrease the Bandwidth of a Colo-Connect Service Connection

To decrease the bandwidth of an existing service connection that is currently above 10 Gbps, complete the following steps:
  1. Go to Workflows > Prisma Access Setup > Colo-Connect.
  2. Select the Link Name associated with the service connection.
  3. Decrease the Bandwidth of the link (interconnect).
  4. Push Config.
    You don't have to reconfigure the service connection to remove the extra GRE tunnel; Prisma Access detects the lowered bandwidth of the link and removes the extra tunnel when you commit and push your changes in the service connection push scope.

Delete a Colo-Connect Connection

To delete a Colo-Connect connection, follow the reverse order of configuring it by completing the following steps:
  1. Delete the service connections associated with the connection by going to Workflows > Prisma Access Setup > Service Connections, selecting the service connection, and Delete it.
  2. Push Config.
  3. Delete the Colo-Connect connections associated with the connection by going to Workflows > Prisma Access Setup > Colo-Connect, selecting the Connection Name in the Onboarding section, and Delete it.
  4. Delete the Colo-Connect link by selecting the Link Name and Delete it.
  5. Delete the GRE local (peer) IP addresses from your export policies for the VLAN eBGP routing and service connection routing for the GRE tunnels.

Configure Prisma Access Colo-Connect (Panorama)

Configure a Colo-Connect deployment in Prisma Access.

Configure Prisma Access Colo-Connect—Deployments Using Partner Interconnects

To configure Prisma Access Colo-Connect using a partner interconnect, complete these steps.
  1. Create subnets for your Colo-Connect connections.
    You use the subnets you create here in the connections and service connections that you create in later steps.
    1. Go to Panorama > Cloud Services > Configuration > Colo-Connect and click the gear icon to edit the settings.
    2. Add a Colo-Connect Subnet and select a Prisma Access location (PA Location) for it.
      Enter a subnet of /28 or larger.
    3. (Optional) If you plan on creating Colo-Connect instances for more than one location, Add more subnets on a per-location basis.
      You can configure one subnet per location.
    4. Select Create new templates and device-group for Prisma Access Colo-Connect.
      The first time you configure a Colo-Connect deployment, select this check box so that templates and device groups (Colo_Connect_Template and Colo_Connect_Device_Group, respectively) are created for Colo-Connect. After you create these templates and device groups, this check box is grayed out.
  2. Add a new Colo-Connect link (also known as the interconnect).
    1. Go to Panorama > Cloud Services > Configuration > Colo-Connect > Colo Connect Link and Add a Colo-Connect link.
    2. Give the link a unique Link Name.
    3. Select a Partner interconnect.
      You do not need to enter a VLAN ID; your Colo provides one when it uses the pairing key to complete the configuration of your VLAN attachment.
    4. Specify the remaining Colo-Connect link parameters.
      • Select either 10Gbps or 20Gbps for the Bandwidth.
        You cannot change the bandwidth of a dedicated interconnect link after you specify it and commit and push your changes.
      • Select either Zone1 or Zone2 for the Edge Availability Domain. Take this value from the GCP zone used for your edge availability domain.
      • Enter the Organization Name to use for this link.
      • Enter the Email to use for this link. Any email address is acceptable.
  3. Create the connections (also known as the VLAN attachments) for Colo-Connect.
    1. Go to Panorama > Cloud Services > Configuration > Colo-Connect > Onboarding and Add a new connection.
    2. Configure the connection settings.
      • Enter a unique Name for the connection.
      • Select a Link Name from the links you configured in a previous step.
      • Select a Bandwidth for the connection.
        You can select between 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, or 20 Gbps.
        If you configure multiple connections for an interconnect, make sure that the total bandwidth of the connections does not exceed the bandwidth of the interconnect. For example, given a partner interconnect of 10 Gbps, you can configure 10 connections of 1 Gbps each, but do not exceed 10 Gbps in total for all connections.
        If your deployment requires more than 16 connections, reach out to your Palo Alto Networks account team, who will open an SRE case to accommodate the request.
      • Enter a BGP Peer ASN.
        Enter the Autonomous System (AS) number for the customer on-premises router in the Colo. The range is between 1 and 4294967295.
      • Select the Location from the locations for which you added a subnet in a previous step.
        You must have already added a subnet for any location you specify.
      • (Optional) Enter the BGP MD5 Secret. If you set one, configure the same secret on the eBGP peer on the Colo router; a mismatch prevents the session from establishing.
        Disregard the BGP BFD field; it is reserved for a future Colo-Connect release.
    3. Continue to create connections until complete.
      You must create two connections. Both connections must be in the same region, and each connection must be in a different zone (edge availability domain). You use these connections in service connections you create in a later step.
  4. Commit and push your changes.
    1. Go to Commit > Commit and Push.
    2. Edit Selections and make sure that Colo-Connect is selected in the push scope.
    3. Click OK to save your changes to the Push Scope.
    4. Commit and Push your changes.
  5. Retrieve the Pairing Key and complete your partner interconnect configuration in GCP.
    You use this pairing key when you set up the partner interconnect in the Colo.
    When you first onboard a new connection, the Colo-Connect Onboarding area shows a Status of PENDING_PARTNER and a BGP Status of DOWN. To bring the connection status to ACTIVE, retrieve the Pairing Key and enter it in the connection at the Colo.
    1. Go to Panorama > Cloud Services > Status > Network Details > Colo Connect and copy the Pairing Key.
    2. Create a new VLAN connection in the Colo (for example, Equinix).
    3. Paste the Pairing Key in the Colo VLAN.
      GCP detects when the pairing key is consumed, brings the VLAN status to ACTIVE, and generates the BGP IP address for you to configure on your on-premises router in the Colo. These actions initiate eBGP routing over the VLAN between the Colo router and the GCP cloud router.
  6. Create eBGP routing on the Customer (Colo) router for the Colo-Connect connection.
    You need to set up BGP peering to ensure connectivity between the customer router and the cloud router.
  7. Set up the service connections to use with Colo-Connect.
  8. Commit and Push your configuration changes, making sure that Colo-Connect is selected in the Push Scope.
  9. Check the status of the Colo-Connect connections.
    1. To check the status of a service connection used by a Colo-Connect connection, go to Panorama > Cloud Services > Status > Colo Connect > Monitor.
    2. Hover over a region that has a Colo-Connect connection deployed.
      • If the Colo-Connect connection and the BGP routing are both up, the Status displays OK.
      • If the Colo-Connect connection is up but BGP routing is not up, the Status displays Warning.
      • If the Colo-Connect connection and BGP routing are down, the Status displays Down.
      • If the Colo-Connect connection is down but BGP routing is up, the Status displays Error.
    3. For more information, click the region box and view the information in the Status tab.
  10. Check the network details of the Colo-Connect connections, including the Pairing Key, by going to Panorama > Cloud Services > Status > Network Details > Colo Connect and viewing the details shown for each connection.

Configure Prisma Access Colo-Connect—Deployments Using Dedicated Interconnects

To configure Prisma Access Colo-Connect using a dedicated interconnect, complete these steps.
  1. Create subnets for your Colo-Connect connections.
    You use the subnets you create here in the connections and service connections that you create in later steps.
    1. From the Panorama that manages Prisma Access, go to Panorama > Cloud Services > Configuration > Colo-Connect and click the gear icon to edit the settings.
    2. Add a Colo-Connect Subnet and select a Prisma Access location (PA Location) for it.
      Enter a subnet of /28 or larger.
    3. (Optional) If you plan on creating Colo-Connect instances for more than one location, Add more subnets on a per-location basis.
      You can configure only one subnet per location.
    4. Select Create new templates and device-group for Prisma Access Colo-Connect.
      The first time you configure a Colo-Connect deployment, select this check box so that templates and device groups (Colo_Connect_Template and Colo_Connect_Device_Group, respectively) are created for Colo-Connect. After you create these templates and device groups, this check box is grayed out.
  2. Add a new Colo-Connect link (also known as the interconnect).
    1. Go to Panorama > Cloud Services > Configuration > Colo-Connect > Colo Connect Link and Add a Colo-Connect link.
    2. Give the link a unique Link Name.
    3. Select a Dedicated interconnect.
    4. Specify the remaining Colo-Connect link parameters.
      • Select either 10Gbps or 20Gbps for the Bandwidth.
        If you select 20 Gbps, the Dedicated Interconnect link must consist of two 10 Gbps links bundled together with LACP.
        You cannot change the bandwidth of a dedicated interconnect link after you specify it and commit and push your changes.
      • Select a Colo-Connect Location from the drop-down list.
        Make sure that you select the same location that you used for the dedicated interconnect.
      • Select either Zone1 or Zone2 for the Edge Availability Domain. Take this value from the GCP zone used for your edge availability domain.
      • Enter the Organization Name to use for this link.
      • Enter the Email where you want to receive the LOA-CFA details from the cloud provider.
  3. After the dedicated connection is created, the Colo facility tests your connections and informs you that they have been tested and are ready to use.
    No Prisma Access configuration is required for this step. Do not create the Colo-Connect connections in Prisma Access until the Colo facility lets you know that they have been tested.
  4. Create the connections (also known as the VLAN attachments) for Colo-Connect.
    1. Make sure that the dedicated link status is Active by going to Panorama > Cloud Services > Configuration > Colo-Connect > Colo Connect Link.
      Until the dedicated link status is Active, you cannot create Colo-Connect connections.
    2. Go to Panorama > Cloud Services > Configuration > Colo-Connect > Onboarding and Add a new connection.
    3. Configure the connection settings.
      • Enter a unique Name for the connection.
      • Select a Link Name from the links you configured in a previous step.
      • (Optional) Enter a VLAN ID for the connection.
        VLAN IDs are generated by the interconnect vendor (GCP) if you do not manually enter a value.
      • Select a Bandwidth for the connection.
        You can select between 1 Gbps, 2 Gbps, 5 Gbps, 10 Gbps, or 20 Gbps.
        If you configure multiple connections for an interconnect, make sure that the total bandwidth of the connections does not exceed the bandwidth of the interconnect. For example, given a dedicated interconnect of 20 Gbps, you can configure 10 connections of 2 Gbps each, but do not exceed 20 Gbps in total for all connections.
      • Enter a BGP Peer ASN.
        Enter the Autonomous System (AS) number for the customer on-premises router in the Colo. The range is between 1 and 4294967295.
      • Select the Location from the locations for which you added a subnet in a previous step.
        You must have already added a subnet for any location you specify.
      • (Optional) Enter the BGP MD5 Secret. If you set one, configure the same secret on the eBGP peer on the Colo router; a mismatch prevents the session from establishing.
    4. Continue to create connections until complete.
      You must create two connections. Both connections must be in the same region, and each connection must be in a different zone (edge availability domain). You use these connections in service connections you create in a later step.
  5. Commit and push your changes.
    1. Go to Commit > Commit and Push.
    2. Edit Selections and make sure that Colo-Connect is selected in the push scope.
    3. Click OK to save your changes to the Push Scope.
    4. Commit and Push your changes.
  6. Configure eBGP routing on the customer router.
    You need to set up BGP peering to ensure connectivity between the customer router and the cloud router.
  7. Set up the service connections to use with Colo-Connect.
  8. Commit and Push your configuration changes, making sure that Colo-Connect is selected in the Push Scope.
  9. Check the status of the Colo-Connect connections.
    1. To check the status of a service connection used by a Colo-Connect connection, go to Panorama > Cloud Services > Status > Colo Connect > Monitor.
    2. Hover over a region that has a Colo-Connect connection deployed.
      • If the Colo-Connect connection and the BGP routing are both up, the Status displays OK.
      • If the Colo-Connect connection is up but BGP routing is not up, the Status displays Warning.
      • If the Colo-Connect connection and BGP routing are down, the Status displays Down.
      • If the Colo-Connect connection is down but BGP routing is up, the Status displays Error.
    3. For more information, click the region box and view the information in the Status tab.
  10. Check the network details of the Colo-Connect connections by going to Panorama > Cloud Services > Status > Network Details > Colo Connect and viewing the details.
    For dedicated links, the Pairing Key displays as N/A.

Configure VLAN eBGP Routing On the Customer Router

GCP creates IP addresses for the customer (Colo) router and the cloud router during these stages of your deployment:
  • For partner interconnects, GCP creates the IP addresses after the pairing key is consumed by your Colo (for example, Equinix).
  • For dedicated interconnects, GCP creates the IP addresses after you onboard your Colo-Connect connections (VLAN attachments) and commit and push your changes.
To ensure correct routing, you must:
  • Configure the Colo router IP address (the Colo CPE IP in the Prisma Access UI) as the local VLAN IP address and the local eBGP IP address.
  • Configure the cloud router IP address (Cloud Router IP) as the eBGP peer address on your Colo router.
When complete, eBGP is configured for the connection (VLAN attachment) between the Colo router and the cloud router.
Creating this routing is the first step in setting up GRE tunnel routing. You complete the GRE tunnel routing when you set up GRE tunnels during service connection configuration.
Use the following steps to configure routing between the Colo and the cloud router.
  1. From the Panorama that manages Prisma Access, create the subnets, links, and connections and Commit and Push your changes.
    Use the workflow specific to your interconnect type (either Partner or Dedicated). For Partner interconnects, be sure that you pasted the Pairing Key into the Colo VLAN.
  2. Go to Panorama > Cloud Services > Status > Network Details > Colo Connect.
  3. Make a note of the following connection elements:
    • Colo CPE IP
    • Cloud Router IP
    • Cloud Router BGP ASN
    For example:
    • For the vlan-central-1 connection, the Colo CPE IP is 169.254.24.170/29, the Cloud Router IP is 169.254.24.169/29, and the Cloud Router BGP ASN is 16550.
    • For the vlan-central-2 connection, the Colo CPE IP is 169.254.120.74/29, the Cloud Router IP is 169.254.120.73/29, and the Cloud Router BGP ASN is 16550.
  4. Determine the IP addresses you will use for the local GRE IP addresses when you set up the Colo-Connect service connections.
    You configure these when you set up a Colo-Connect service connection (Panorama > Cloud Services > Configuration > Service Connection) in the Peer IP 1 and Peer IP 2 areas.
    If you are configuring a service connection to support up to 10 Gbps of throughput, put one tunnel each in Connection 1 and Connection 2, for a total of two tunnels in each service connection.
    If you are configuring a service connection to support more than 10 Gbps of throughput (up to 20 Gbps), put two tunnels each in Connection 1 and Connection 2, for a total of four tunnels in each service connection.
    The following examples show a service connection configured for more than 10 Gbps of throughput, so two tunnels per connection are used, with the following peer IP addresses:
    • 172.120.1.1 for Connection 1
    • 172.130.1.1 for Connection 1
    • 172.121.1.1 for Connection 2
    • 172.131.1.1 for Connection 2
  5. Log in to the Colo router.
    The following steps assume a Palo Alto Networks next-generation firewall as the Colo router.
  6. Add a VLAN interface, specifying the Colo CPE IP address as the IP address.
    If you are using a next-generation firewall as the Colo router, go to Network > Interfaces > VLAN and Add the VLAN interface, specifying the Virtual Router name and the Colo CPE IP as the IP address.
  7. Configure the Colo router IP address (Colo CPE IP) as the local eBGP IP address and Configure the cloud router IP address (Cloud Router IP) as the eBGP peer address on your Colo router.
    If you are using a next-generation firewall as the Colo router, go to Network > Virtual Routers, open the virtual router, go to BGP > Peer Group, and enter the Cloud Router IP as the Peer Address and the Colo CPE IP as the Local Address.
  8. Configure the Cloud Router BGP ASN as the eBGP peer Autonomous System Number (ASN).
    If you are using a next-generation firewall as the Colo router, go to Network > Virtual Routers, open the virtual router, go to BGP > Peer Group, Add a peer group, and enter the Cloud Router BGP ASN (16550 in the example above) as the Peer AS.
  9. Create a BGP export policy that allows only the local GRE IP addresses to be advertised to the cloud router.
    Because cloud routers can accept only a limited number of routes, you need to create policies so that only the routes for the service connection GRE tunnel endpoints, and not your data-center prefixes, are sent to the cloud router.
    If you are using a next-generation firewall as the Colo router, go to Network > Virtual Routers, open the virtual router, go to BGP > Export, Add an export rule, Match the local GRE IP addresses (the addresses you enter as Peer IP 1 and Peer IP 2 in the service connection), set an Action of Allow, and apply the rule to the cloud router peer group.

Create Colo-Connect Service Connections

Colo-Connect uses service connections, but they differ from standard Prisma Access service connections in that they use GRE tunnels instead of IPSec tunnels and always use BGP for routing. Because GRE provides neither encryption nor authentication, the confidentiality of Colo-Connect traffic rests on the private interconnect path between the Colo and GCP rather than on the tunnel itself. To configure Colo-Connect service connections, complete the following steps.
  1. From the Panorama that manages Prisma Access, make sure that Prisma Access withdraws static routes by going to Panorama > Cloud Services > Configuration > Service Setup, clicking the gear icon to edit the Settings, and selecting Withdraw Static Routes if Service Connection or Remote Network IPSec tunnel is down.
    Selecting this choice ensures that, if a GRE tunnel is down, the static route used by the GRE tunnel is withdrawn.
  2. Go to the Colo-Connect tab and make sure that the connections are in an Active state by checking the Status field in the Onboarding area.
    Until the Status of the connection is Active, you cannot configure service connections.
  3. Go to Panorama > Cloud Services > Configuration > Service Connection.
  4. Click Refresh on the top right of the Panorama UI so that the Colo-Connect configuration is provisioned in the service connections area.
  5. Add a service connection, give it a unique Name, and select a Transport Type of Colo-Connect.
    Make sure that the name you enter is 31 characters long or less; entering a name 32 characters or longer causes the tunnel to be mapped incorrectly in the Prisma Access infrastructure.
  6. Select two connections to use with the service connections (Connection 1 and Connection 2).
    These connections must be in two different zones.
  7. Select Active or Backup for Connection 1 and Connection 2.
    Use these guidelines when setting up service connections:
    • You can configure connections in these modes:
      • Active/Active
      • Active/Backup
      • Backup/Active
      Configuring both connections in Backup/Backup mode is invalid and not supported.
    • The bandwidth of the connections must be the same for all modes.
    • The connections must be in different zones.
    • The maximum bandwidth you can specify for a service connection is 20 Gbps. If you specify a Bandwidth of 20 Gbps for a connection, you cannot use that connection in an Active/Active configuration (it must be set as Active/Backup).
    • Do not mix dedicated and partner interconnects in the same service connection, and make sure that the two connections use different zones. This table shows the allowed and disallowed configurations for service connections, assuming that zones, locations, bandwidth, and roles follow the service connection guidelines and requirements:
      Connection 1 belongs to | Connection 2 belongs to | Valid Colo-Connect service connection configuration?
      ------------------------|-------------------------|-----------------------------------------------------
      Partner Connect 1       | Partner Connect 2       | Yes
      Dedicated Connect 1     | Dedicated Connect 2     | Yes
      Partner Connect 1       | Partner Connect 1       | No
      Dedicated Connect 1     | Dedicated Connect 1     | No
      Partner Connect         | Dedicated Connect       | No
  8. (Optional, Hot Potato Routing Deployments Only) Select a service connection to use as the preferred backup (Backup SC).
    You can only select a service connection that has been configured as Colo-Connect service connection. Prisma Access uses the Backup SC you select as the preferred service connection in the event of a connection failure. Selecting a backup service connection can prevent asymmetric routing issues if you have created more than two service connections.
  9. (Optional) Enable Source NAT for Mobile Users—GlobalProtect IP pool addresses, IP addresses in the Infrastructure Subnet, or both.
    You can specify a subnet at one or more service connections that are used to NAT traffic between Prisma Access GlobalProtect mobile users and private applications and resources at a data center.
    • Enable Data Traffic Source NAT—Performs NAT on Mobile User IP address pool addresses so that they are not advertised to the data center, and only the subnets you specify at the service connections are advertised and routed in the data center.
    • Enable Infrastructure Traffic Source NAT—Performs NAT on addresses from the Infrastructure Subnet so that they are not advertised to the data center, and only those subnets you specify at the service connections are advertised and routed in the data center.
    • IP Pool—Specify the IP address pool used to perform NAT on the mobile user IP address pool, Infrastructure Subnet, or both. Use a private IP (RFC 1918) subnet or a suitable subnet that is routable in your routing domain, and does not overlap with the Mobile Users—GlobalProtect IP address pool or the Infrastructure Subnet. Enter a subnet between /25 and /32.
  10. In the GRE and BGP area, configure the GRE tunnel and BGP settings for the service connection.
    BGP is always set to Enable.
    1. (Optional) Select from the following choices:
      • To add a no-export community for Corporate Access Nodes (Service Connections) to the outbound prefixes from the eBGP peers at the customer premises equipment (CPE), set Add no-export community to Enabled Out. This capability is Disabled by default.
        Do not use this capability in hot potato routing mode.
      • To prevent the Prisma Access BGP peer from forwarding routes into your organization's network, select Don't Advertise Prisma Access Routes.
        By default, Prisma Access advertises all BGP routing information, including local routes and all prefixes it receives from other service connections, remote networks, and mobile user subnets. Select this check box to prevent Prisma Access from sending any BGP advertisements, but still use the BGP information it receives to learn routes from other BGP neighbors.
        Since Prisma Access does not send BGP advertisements if you select this option, you must configure static routes on the on-premises equipment to establish routes back to Prisma Access.
      • To reduce the number of mobile user IP subnet advertisements over BGP to your customer premises equipment (CPE), select Summarize Mobile User Routes before advertising.
        By default, Prisma Access advertises the mobile users IP address pools in blocks of /24 subnets; if you summarize them, Prisma Access advertises the pool based on the subnet you specified. For example, Prisma Access advertises a public user mobile IP pool of 10.8.0.0/20 using the /20 subnet, rather than dividing the pool into subnets of 10.8.1.0/24, 10.8.2.0/24, 10.8.3.0/24, and so on before advertising them. Summarizing these advertisements can reduce the number of routes stored in CPE routing tables. For example, you can use IP pool summarization with cloud VPN gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) that can accept a limited number of routes.
        If you have hot potato routing enabled and you enable route summarization, Prisma Access no longer prepends AS-PATHs, which might cause asymmetric routing. Be sure that your return traffic from the data center or headquarters location has guaranteed symmetric return before you enable route summarization with hot potato routing.
    2. From the Panorama that manages Prisma Access, return to Panorama > Cloud Services > Configuration > Service Connection and create a GRE tunnel for Connection 1 by entering a GRE Tunnel Name 1 and a Peer IP 1 for Connection 1 and, if more than 10 Gbps of bandwidth is required, entering GRE Tunnel Name 2 and Peer IP 2 for the second tunnel for Connection 1; then create a GRE tunnel for Connection 2 by repeating these same steps.
      Each GRE tunnel in a connection supports a maximum of 10 Gbps of bandwidth. If you require more than 10 Gbps of bandwidth, configure two tunnels per connection.
      For the Peer IP, enter the GRE IP address of the on-premises router in the Colo.
      Use IPv4 addresses for the BGP values; IPv6 is not supported.
    3. Enter the Peer Address and the Local Address for the BGP Peer 1 and, if a second tunnel was required for Connection 1, BGP Peer 2.
      For Peer Address, enter the BGP Peer IP address of the Colo router; for Local Address, enter the address that will be used for BGP network establishment over the GRE tunnel.
    4. (Optional) To configure a BGP secret, enter the Secret and Confirm Secret values.
  11. Commit and Push your configuration changes, making sure that Colo-Connect is selected in the Push Scope.
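The rules in steps 5 through 7 and step 10 above (two connections in different zones, matching bandwidth, no Backup/Backup, no mixing of interconnect types, no Active/Active at 20 Gbps, the 31-character name limit, and one or two GRE tunnels per connection depending on bandwidth), together with the per-link bandwidth rule from the connection onboarding steps, are easy to get wrong in the UI and only surface at commit time. The following script is an added example, not Palo Alto Networks code; it encodes those rules so a planned configuration can be checked before Commit and Push. The class and field names are assumptions chosen for readability, not Panorama object names. Because a link (interconnect) sits in a single edge availability domain, the example derives each connection's zone from its link.

```python
"""Pre-commit check of a planned Colo-Connect service connection against the
rules on this page. Added example, not Palo Alto Networks code; the data
classes and field names are assumptions, not Panorama object names."""
from dataclasses import dataclass

LINK_BANDWIDTHS_GBPS = {10, 20}
CONNECTION_BANDWIDTHS_GBPS = {1, 2, 5, 10, 20}
MAX_SC_NAME_LEN = 31       # a name of 32+ characters maps the tunnel incorrectly
MAX_GRE_TUNNEL_GBPS = 10   # each GRE tunnel carries at most 10 Gbps
MAX_SC_GBPS = 20           # a service connection carries at most 20 Gbps


@dataclass(frozen=True)
class Link:
    """A Colo-Connect link (interconnect); one link sits in one edge availability domain."""
    name: str
    kind: str            # "partner" or "dedicated"
    bandwidth_gbps: int
    zone: str            # "Zone1" or "Zone2"


@dataclass(frozen=True)
class Connection:
    """A Colo-Connect connection (VLAN attachment) carried by a link."""
    name: str
    link: Link
    bandwidth_gbps: int
    role: str            # "Active" or "Backup" within the service connection


@dataclass(frozen=True)
class ServiceConnection:
    name: str
    conn1: Connection
    conn2: Connection
    gre_tunnels_per_connection: int


def tunnels_required(bandwidth_gbps: int) -> int:
    """One GRE tunnel per connection up to 10 Gbps, two above it (up to 20 Gbps)."""
    return 1 if bandwidth_gbps <= MAX_GRE_TUNNEL_GBPS else 2


def check_link_capacity(link: Link, connections: list) -> list:
    """The connections on a link must not exceed the link's bandwidth in total."""
    errors = []
    if link.bandwidth_gbps not in LINK_BANDWIDTHS_GBPS:
        errors.append(f"link {link.name}: bandwidth must be 10 or 20 Gbps")
    total = sum(c.bandwidth_gbps for c in connections if c.link == link)
    if total > link.bandwidth_gbps:
        errors.append(f"link {link.name}: connections total {total} Gbps "
                      f"exceeds link bandwidth {link.bandwidth_gbps} Gbps")
    return errors


def check_service_connection(sc: ServiceConnection) -> list:
    """Return the list of rule violations; an empty list means the plan is valid."""
    errors = []
    c1, c2 = sc.conn1, sc.conn2
    if len(sc.name) > MAX_SC_NAME_LEN:
        errors.append(f"{sc.name}: name longer than {MAX_SC_NAME_LEN} characters")
    if c1 == c2:
        errors.append(f"{sc.name}: the same connection is used twice")
    if c1.link.kind != c2.link.kind:
        errors.append(f"{sc.name}: partner and dedicated interconnects are mixed")
    if c1.link.zone == c2.link.zone:
        errors.append(f"{sc.name}: both connections are in {c1.link.zone}; zones must differ")
    if c1.bandwidth_gbps != c2.bandwidth_gbps:
        errors.append(f"{sc.name}: connection bandwidths differ")
    for c in (c1, c2):
        if c.bandwidth_gbps not in CONNECTION_BANDWIDTHS_GBPS:
            errors.append(f"{c.name}: bandwidth must be 1, 2, 5, 10 or 20 Gbps")
        if c.role not in ("Active", "Backup"):
            errors.append(f"{c.name}: role must be Active or Backup")
    roles = (c1.role, c2.role)
    if roles == ("Backup", "Backup"):
        errors.append(f"{sc.name}: Backup/Backup is not supported")
    if c1.bandwidth_gbps == MAX_SC_GBPS and roles == ("Active", "Active"):
        errors.append(f"{sc.name}: a 20 Gbps connection cannot be used Active/Active")
    need = tunnels_required(c1.bandwidth_gbps)
    if sc.gre_tunnels_per_connection != need:
        errors.append(f"{sc.name}: {c1.bandwidth_gbps} Gbps needs {need} GRE tunnel(s) "
                      f"per connection, plan has {sc.gre_tunnels_per_connection}")
    return errors


# Constructed sample plan: two dedicated 20 Gbps links, one per zone.
LINK_Z1 = Link("colo-link-z1", "dedicated", 20, "Zone1")
LINK_Z2 = Link("colo-link-z2", "dedicated", 20, "Zone2")
VLAN_1 = Connection("vlan-central-1", LINK_Z1, 20, "Active")
VLAN_2 = Connection("vlan-central-2", LINK_Z2, 20, "Backup")
SC_OK = ServiceConnection("sc-colo-central", VLAN_1, VLAN_2, gre_tunnels_per_connection=2)
# The same plan with two mistakes: Active/Active at 20 Gbps and one tunnel per connection.
SC_BAD = ServiceConnection("sc-colo-central-bad", VLAN_1,
                           Connection("vlan-central-2", LINK_Z2, 20, "Active"),
                           gre_tunnels_per_connection=1)

if __name__ == "__main__":
    for sc in (SC_OK, SC_BAD):
        print(sc.name, check_service_connection(sc) or "OK")
```

Run it before committing a new service connection or changing a link's bandwidth: the second sample fails on exactly the two rules it breaks, and tunnels_required gives the GRE tunnel count you must add or remove when a bandwidth change crosses 10 Gbps.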

Set Up Routing for the Service Connection Using GRE Tunnels

The Colo router advertises its GRE tunnel peer IP address to the cloud router, and learns the subnet for the GRE tunnel from the cloud router. When you first configured the eBGP routing over the VLAN on the customer router, you advertised local reachability for the GRE tunnels. After the cloud router and the Colo router advertise and learn the routes for the Colo subnet and the local GRE IP addresses from each other, the GRE tunnels used by the service connection become active (up).
To set up routing and add GRE tunnels to the service connections, complete the following steps.
  1. Make a note of the IP addresses you will use for the Peer Address and the Local Address for the BGP Peer 1 and, if a second tunnel was required for Connection 1, BGP Peer 2.
    The following examples use the following peer and local addresses:
    • Peer Address—10.10.120.0 and 10.10.130.1 for Connection 1, 10.10.120.2 and 10.10.130.2 for Connection 2
    • Local Address—10.10.120.2 and 10.10.130.2 for Connection 1, 10.10.121.2 and 10.10.131.2 for Connection 2
  2. Make a note of the IP addresses you will use for the Peer IP 1 and, if required, Peer IP 2 address in the service connections.
    You use these IP addresses to create a Deny policy that prevents the local GRE IP addresses from being advertised to the Colo-Connect service connection.
    All examples in this document use these IP addresses:
    • 172.120.1.1 for Connection 1
    • 172.130.1.1 for Connection 1
    • 172.121.1.1 for Connection 2
    • 172.131.1.1 for Connection 2
  3. Configure Peer groups for the peer and local IP addresses.
    If you are using a next-generation firewall as the Colo router, go to Network > Virtual Routers, open the virtual router, go to BGP > Peer Group, and enter the service connection's Local Address as the Peer Address and the service connection's Peer Address as the Local Address (the two roles are mirrored on the Colo router side).
  4. Create a BGP export policy to deny the peer IP addresses you configured (172.120.1.1, 172.130.1.1, 172.121.1.1, and 172.131.1.1) and apply them to the peer groups you created.
    This export policy places a DENY rule on the local GRE tunnel peer IP addresses and allows all other routes to be advertised to the service connection.
    If you are using a next-generation firewall as the Colo router, go to Network > Virtual Routers, open the virtual router, go to BGP > Export, Add an export rule, Match the IP addresses used as the peer IP address, and create an Action of Deny.
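The two export policies (the Allow rule toward the cloud router in the VLAN eBGP routing steps, and the Deny rule toward the service connection in step 4 above) are the part of this design that most often goes wrong, and a mistake is silent: the BGP sessions come up but the wrong prefixes flow. The following Python is an added example, not Palo Alto Networks code; it models the two export decisions with the GRE addresses used in this page's examples and a constructed Colo routing table, so the prefix lists can be checked before they are typed into the Colo router. The reason for the Deny toward the service connection, which the page does not spell out, is that a GRE endpoint learned through its own tunnel makes the tunnel route recursive and takes the tunnel down; the last function checks for that, including the case where a covering supernet rather than the /32 itself slips past an exact-match rule.

```python
"""Model of the two BGP export policies the Colo router needs for Colo-Connect.
Added example, not Palo Alto Networks code. The GRE endpoint addresses are the
ones used in this page's examples; the Colo routing table is constructed."""
import ipaddress

Net = ipaddress.IPv4Network

# Local GRE endpoint addresses on the Colo router (entered as Peer IP 1/2 in the
# service connection), as /32 host routes.
GRE_LOCAL_IPS = ["172.120.1.1", "172.130.1.1", "172.121.1.1", "172.131.1.1"]
GRE_LOCAL_PREFIXES = [Net(f"{ip}/32") for ip in GRE_LOCAL_IPS]

# Constructed sample: what the Colo router holds in its routing table.
COLO_RIB = [Net(p) for p in (
    "10.50.0.0/16",       # data-center prefix behind the Colo router
    "10.60.10.0/24",      # another on-premises prefix
    "172.120.1.1/32", "172.130.1.1/32", "172.121.1.1/32", "172.131.1.1/32",
)]


def export_to_cloud_router(rib):
    """Export rule for the VLAN eBGP peer group toward the GCP cloud router:
    allow ONLY exact matches on the GRE endpoint /32s, so the cloud router's
    limited route table is not filled with data-center prefixes and the
    service connection can still reach the tunnel endpoints."""
    return [p for p in rib if p in GRE_LOCAL_PREFIXES]


def export_to_service_connection(rib):
    """Export rule for the GRE peer group toward the Prisma Access service
    connection: DENY the GRE endpoint /32s and allow everything else, which is
    how the data-center prefixes reach Prisma Access."""
    return [p for p in rib if p not in GRE_LOCAL_PREFIXES]


def endpoint_reachable_via_tunnel(advertised_over_tunnel):
    """True if any prefix advertised over the GRE tunnels would make a GRE
    endpoint reachable through the tunnel it terminates (recursive routing).
    Also catches a covering supernet, which an exact-match deny on the /32
    alone would let through."""
    return any(g.subnet_of(p)
               for p in advertised_over_tunnel
               for g in GRE_LOCAL_PREFIXES)


if __name__ == "__main__":
    to_sc = export_to_service_connection(COLO_RIB)
    print("to cloud router:", [str(p) for p in export_to_cloud_router(COLO_RIB)])
    print("to service connection:", [str(p) for p in to_sc])
    print("GRE endpoint reachable via tunnel:", endpoint_reachable_via_tunnel(to_sc))
```

The exact-match semantics mirror a prefix rule that matches the /32 exactly; if your Colo router's export rule matches by longest prefix instead, run endpoint_reachable_via_tunnel over the full set of prefixes you intend to advertise over the GRE tunnels, not just the /32s, so a summary route covering an endpoint is caught.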

Increase or Decrease the Bandwidth of a Colo-Connect Service Connection

When you configure service connections, you configure bandwidth based on the connections (VLAN attachments) you associate with it. You allocate two connections per service connection, and then allocate either one or two GRE tunnels per connection.
While each Colo-Connect service connection supports a maximum of 20 Gbps, each GRE tunnel in the service connection supports 10 Gbps. For this reason, if you change the total bandwidth of a link and that change takes the service connection bandwidth above or below 10 Gbps, you must add or delete GRE tunnels in the Colo-Connect service connection.

Increase the Bandwidth of a Colo-Connect Service Connection

To increase the bandwidth of an existing service connection above 10 Gbps, complete the following steps:
  1. Go to Panorama > Cloud Services > Configuration > Colo-Connect.
  2. Go to Panorama > Cloud Services > Configuration > Service Connection and click Refresh on the top right of the Panorama UI so that the Colo-Connect configuration is provisioned in the service connections area.
  3. Select the Link Name associated with the service connection.
  4. Increase the Bandwidth of the link (interconnect).
  5. Commit and Push your changes, selecting only Colo-Connect in the Push Scope.
  6. Go to Panorama > Cloud Services > Configuration > Service Connection > <service-connection-name> > Onboarding.
  7. Add the extra GRE tunnel to the Colo-Connect service connection.
  8. Commit and Push your changes, selecting Service Connections in the Push Scope.
  9. Add the GRE local (peer) IP addresses to your export policies for the VLAN eBGP routing and service connection routing for the GRE tunnels.

Decrease the Bandwidth of a Colo-Connect Service Connection

To decrease the bandwidth of an existing service connection from above 10 Gbps to 10 Gbps or less, complete the following steps:
  1. Go to Panorama > Cloud Services > Configuration > Colo-Connect.
  2. Go to Panorama > Cloud Services > Configuration > Service Connection and click Refresh on the top right of the Panorama UI so that the Colo-Connect configuration is provisioned in the service connections area.
  3. Select the Link Name associated with the service connection.
  4. Decrease the Bandwidth of the link (interconnect).
  5. Commit and Push your changes, selecting only Colo-Connect in the Push Scope.
  6. Commit and Push your changes, selecting Service Connections in the Push Scope.
    You do not have to reconfigure the service connection to remove the extra GRE tunnel; Prisma Access detects the lowered bandwidth of the link and removes the extra tunnel when you commit and push your changes in the service connection push scope.

Delete a Colo-Connect Connection

To delete a Colo-Connect connection, follow the reverse order of configuring it by completing the following steps:
  1. Delete the service connections associated with the connection by going to Panorama > Cloud Services > Configuration > Service Connection, selecting the service connection, and Delete it.
  2. Commit and Push your changes, selecting Service Connections in the Push Scope.
  3. Delete the Colo-Connect connections associated with the connection by going to Panorama > Cloud Services > Configuration > Colo-Connect, selecting the Connection Name in the Onboarding section, and Delete it.
  4. Delete the Colo-Connect link by selecting the Link Name and Delete it.
  5. Delete the GRE local (peer) IP addresses from your export policies for the VLAN eBGP routing and service connection routing for the GRE tunnels.