Prisma Access
Requirements and Prerequisites for Prisma Access Colo-Connect
Configure a Colo-Connect deployment in Prisma Access.
Before you start Colo-Connect onboarding and configuration, review the required information and prerequisites in this checklist.
- Make sure that you have access to the Colo facility provider (for example, you have access to the Equinix Customer Portal).
- Make sure that your CPE can support BGP. For deployments between 1 Gbps and 20 Gbps in bandwidth, make sure that your CPE can support GRE tunnels as well as BGP.
- License Requirements—You need both Private Application add-on licenses and Colo-Connect add-on licenses to allocate bandwidth for Colo-Connect. For the Colo-Connect add-on license, there are two different license types, one for 10 Gbps and one for 100 Gbps.
  - The 10 Gbps license provides you with a link of 10 Gbps capacity.
  - The 100 Gbps license provides you with a link of 100 Gbps capacity.

  For new Prisma Access deployments that use this license, connections of 20 GB and above don't require the use of GRE tunnels.

  100 Gbps deployments support only active/backup mode.

  If you're using a Colo-Connect 100G license and are onboarding a Colo-Connect service connection 10G bandwidth in an active/backup mode, Prisma Access utilizes a single Colo-Connect service connection and attaches 2 connections (VLAN attachments). Therefore, you can only configure 1 multihop eBGP session from the Colo to one available Colo-Connect service connection, because the second connection/VLAN attachment is expected to be unutilized.
  Use the following table to see the Service Connection consumption and Colo-Connect add-on licenses required for various deployments.

  | Deployment Type | Number of Colo-Connect Add-On Licenses Required | Number of Service Connections Used by Colo-Connect |
  |---|---|---|
  | 1 Gbps Active/1 Gbps Active | Two 10G licenses | 2 |
  | 1 Gbps Active/1 Gbps Backup | Two 10G licenses | 2 |
  | 2 Gbps Active/2 Gbps Active | Two 10G licenses | 4 |
  | 2 Gbps Active/2 Gbps Backup | Two 10G licenses | 4 |
  | 5 Gbps Active/5 Gbps Active | Two 10G licenses | 10 |
  | 5 Gbps Active/5 Gbps Backup | Two 10G licenses | 10 |
  | 10 Gbps Active/10 Gbps Active | Two 10G licenses | 20 |
  | 10 Gbps Active/10 Gbps Backup | Two 10G licenses | 20 |
  | 20 Gbps Active/20 Gbps Backup | Four 10G licenses | 40 |
  | 50 Gbps Active/50 Gbps Active | Two 100G licenses | 100 |
  | 50 Gbps Active/50 Gbps Backup | Two 100G licenses | 100 |
  | 100 Gbps Active/100 Gbps Backup | Two 100G licenses | 200 |

- Interconnect Requirements—Decide which interconnect type you will use for Colo-Connect (a partner or dedicated interconnect).
  - Partner Interconnect—A pairing key from Prisma Access is required for partner interconnects. You receive this key during Prisma Access onboarding. If you create a partner interconnect, make sure that the service provider (SP) is an approved SP with GCP and the connectivity between the SP and GCP is already established.
  - Dedicated Interconnect—
    - Determine the location of the Colo where the cross-connect cable will be connected before you begin onboarding in Prisma Access. The Colo location is required for Palo Alto Networks to order the dedicated link.
    - Be familiar with the basic network interconnections so that you can configure the circuits.
    - After you provision the dedicated interconnect, you must test it.
- Subnet Requirements—Determine the RFC-1918 IPv4 subnets you will use for each Colo-Connect connection per region. Prisma Access uses these subnets for internal communication and networking.

  Make the subnets unique among all Colo-Connect regions in a given tenant. The Colo-Connect subnet can't overlap with the Prisma Access infrastructure subnet and mobile users IP address pool. Use a minimum subnet size of /28.

  Do not use a Link Local IP subnet in the 169.254.0.0/16 range for either BGP or GRE configuration in Colo-Connect.
- Link (Interconnect) Requirements—Follow these guidelines when configuring links:
  - Onboard two links in each region. Both of these links should be in different availability zones (edge domains).
  - (Dedicated interconnect deployments only) If you want to onboard more than six links in a tenant, reach out to your Palo Alto Networks account representative or partner, who will contact the Site Reliability Engineering (SRE) team and submit a request to increase the quota for a given tenant.
- Connection Requirements—
  - Onboard two connections in each region. Both connections should be in different edge domains.
  - Decide whether you want to set up your connections in an active/active or active/backup configuration.

    Connections in active/backup or active/active mode must be the same bandwidth.
- Colo-Connect Service Connection Requirements—
  - Each service connection requires two connections.
  - Each connection for a given service connection must be on a different link and a different edge domain.
  - Make a note of the BGP and, for GRE tunnel deployments, GRE peer IP addresses needed to configure service connections. The BGP Peer IP is the BGP local address of the Colo router, while the GRE Peer IP should be the router's physical IP address.

    BGP Local Addresses for service connections are optional.
  - A single Colo-Connect Service Connection can use only one of either Partner Interconnect links or Dedicated Interconnect links.
- Interoperability with existing IPSec-Based Service Connections—Palo Alto Networks strongly recommends that you deploy Colo-Connect and IPSec tunnel-based service connections in different regions. In addition, if you're migrating from an IPSec tunnel-based service connection to a Colo-Connect service connection, you must schedule a maintenance window. After you have migrated from an IPSec tunnel-based service connection to a Colo-Connect service connection, remove the IPSec-based service connection after the Colo-Connect service connection is up and running and before the maintenance window expires.
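
The subnet requirements above can be checked before onboarding with a short script. The following is an added example, not Palo Alto Networks code: the function name, the finding strings, and every region name and address in the sample plan are constructed for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.IPv4Network("169.254.0.0/16")
MIN_SIZE_PREFIX = 28  # /28 is the minimum size, so a longer prefix (/29, /30) is too small


def check_colo_subnets(region_subnets, infra_subnet, mobile_pools):
    """Return sorted (region, problem) findings; an empty list means the plan passes."""
    reserved = [("infrastructure subnet", ipaddress.IPv4Network(infra_subnet))]
    reserved += [("mobile users pool", ipaddress.IPv4Network(p)) for p in mobile_pools]
    findings, accepted = [], {}
    for region, cidr in region_subnets.items():
        try:
            net = ipaddress.IPv4Network(cidr)  # strict parsing: rejects host bits and IPv6
        except ValueError:
            findings.append((region, "not a valid IPv4 network"))
            continue
        if net.overlaps(LINK_LOCAL):
            findings.append((region, "link-local 169.254.0.0/16"))
        elif not any(net.subnet_of(r) for r in RFC1918):
            findings.append((region, "not RFC 1918"))
        if net.prefixlen > MIN_SIZE_PREFIX:
            findings.append((region, "smaller than /28"))
        for label, other in reserved:
            if net.overlaps(other):
                findings.append((region, f"overlaps {label}"))
        # Subnets must be unique among all Colo-Connect regions in the tenant.
        for other_region, other in accepted.items():
            if net.overlaps(other):
                findings.append((region, f"overlaps {other_region}"))
        accepted[region] = net
    return sorted(findings)


# Constructed sample plan: every region name and address is made up.
SAMPLE_PLAN = {
    "us-west": "10.200.0.0/28",
    "us-east": "10.200.0.0/27",     # contains the us-west subnet
    "eu-west": "169.254.10.0/28",   # link-local
    "ap-south": "192.168.50.0/29",  # smaller than /28
    "sa-east": "172.16.5.0/28",     # inside the sample infrastructure subnet
}

if __name__ == "__main__":
    for region, problem in check_colo_subnets(SAMPLE_PLAN, "172.16.0.0/20", ["10.100.0.0/16"]):
        print(f"{region}: {problem}")
```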
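
The Colo-Connect service connection rules in the checklist (two connections, on different links and edge domains, with equal bandwidth and a single interconnect type) can be linted the same way. This is an added example, not Palo Alto Networks code: the data model, function name, and all link, connection and edge-domain names are hypothetical.

```python
def check_service_connections(links, connections, service_connections):
    """Return sorted (service_connection, problem) findings; empty means the plan passes.

    links:               link name -> {"edge_domain": str, "type": "partner" | "dedicated"}
    connections:         connection name -> (link name, bandwidth in Gbps)
    service_connections: service connection name -> list of connection names
    """
    findings = []
    for sc, conn_names in service_connections.items():
        if len(conn_names) != 2:
            findings.append((sc, "needs exactly two connections"))
            continue
        (link_a, bw_a), (link_b, bw_b) = (connections[c] for c in conn_names)
        if link_a == link_b:
            findings.append((sc, "both connections on the same link"))
        elif links[link_a]["edge_domain"] == links[link_b]["edge_domain"]:
            findings.append((sc, "both connections in the same edge domain"))
        # One service connection may use partner links or dedicated links, not both.
        if links[link_a]["type"] != links[link_b]["type"]:
            findings.append((sc, "mixes partner and dedicated links"))
        # Active/active and active/backup pairs must have the same bandwidth.
        if bw_a != bw_b:
            findings.append((sc, "connection bandwidths differ"))
    return sorted(findings)


# Constructed sample plan: all names and values are made up.
LINKS = {
    "link-1": {"edge_domain": "zone1", "type": "dedicated"},
    "link-2": {"edge_domain": "zone2", "type": "dedicated"},
    "link-3": {"edge_domain": "zone1", "type": "partner"},
}
CONNECTIONS = {
    "conn-a": ("link-1", 10),
    "conn-b": ("link-2", 10),
    "conn-c": ("link-3", 5),
    "conn-d": ("link-1", 10),
}
SERVICE_CONNECTIONS = {
    "sc-good": ["conn-a", "conn-b"],
    "sc-same-zone": ["conn-a", "conn-c"],
    "sc-same-link": ["conn-a", "conn-d"],
    "sc-single": ["conn-b"],
}

if __name__ == "__main__":
    for sc, problem in check_service_connections(LINKS, CONNECTIONS, SERVICE_CONNECTIONS):
        print(f"{sc}: {problem}")
```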