Integrate Prisma Access with Aryaka SD-WAN (Panorama)

To set up Prisma Access for use with an Aryaka SD-WAN, complete the following task.
  1. In Prisma Access, configure the service infrastructure (Panorama > Cloud Services > Configuration) and create an Infrastructure Subnet.
  2. Configure the remote network connection.
    When you add a new IPSec Tunnel during the onboarding procedure, make a note of the IPSec Tunnel name and the IKE Gateway and IPSec Crypto profile that you use (or use the Default IPSec Crypto profile) for the tunnels you create.
    If you configure a pre-shared key (PSK) for the IKE Gateway, make a note of it; you enter this PSK when you configure the IPSec tunnel in Aryaka SmartConnect.
    The following example configures a remote network with a Bandwidth of 25 Mbps, a Region of US West (N. California), and a Secondary WAN configured for this location.
  3. Enable zone mapping.
  4. Commit the configuration changes to Panorama and push the configuration out to Prisma Access for remote networks.
    1. Click Commit > Commit to Panorama.
    2. Click Commit > Commit and Push. Click Edit Selections > Prisma Access, and select both Prisma Access for remote networks and Prisma Access for service setup to push the configuration out to the service.
    3. Click OK and Push.
  5. Make a note of the Service IP address of the Prisma Access side of the tunnel. To find this address in Panorama, select Panorama > Cloud Services > Status > Network Details, click the Remote Networks radio button, and find the address in the Service IP Address field.

Configure the IPSec Tunnel in Aryaka SmartConnect

You configure Aryaka SmartConnect in the Cloud Security Connector section of the MyAryaka portal at https://my.aryaka.com/. Alternatively, you can contact the Aryaka support team to assist with the configuration.
Your MyAryaka account must have write permission access to configure the Cloud Security Service. To verify that you have this access, log in to MyAryaka and select Config > User Management > Users.
To complete the tunnel configuration for Aryaka SmartConnect, complete the following task.
  1. Log in to MyAryaka and navigate to the SmartConnect site for which you want to deploy Prisma Access.
  2. Click Edit Site, then select Cloud Security from the list of Advanced Settings.
  3. Enter information for the remote network tunnel.
    Enter the following settings:
    • Select Palo Alto in the Cloud Connector Vendor field.
    • Enter the Service IP Address for the remote network tunnel from Prisma Access in the Primary Tunnel > Tunnel Destination field.
    • Enter the PSK value from the Prisma Access IKE gateway in the Tunnel Settings > Shared Key field.
    • Enter an FQDN for the Aryaka Network Access Point (ANAP) if the IP address of the M1/M2 interface is dynamic.
    • Select All Internet Traffic in the Traffic Forwarding field.
    After you choose to forward all internet traffic to Prisma Access, a default rule named DEFAULT INTERNET is inserted in the Route Controller, in the Default Routes section. The following screenshot shows the traffic forwarding settings.
  4. (Optional) If you choose to forward only specific internet traffic to Prisma Access, program appropriate routes in the Route Controller section.
    Aryaka recommends that you edit Default Routes and not override routes to control forwarding. Override routes take precedence over any Aryaka-destined traffic and may accidentally cause site-to-site traffic to be routed to Prisma Access.
    The following figures provide screenshots of the Route Controller feature.
  5. Check the status of the tunnels.
    • To check the status from the Aryaka Cloud Security Connector, click the Status tab. Aryaka uses Dead Peer Detection (DPD) to determine the availability of the tunnel.
    • To check the status from Panorama, select Panorama > Cloud Services > Status > Status to verify that the remote network has been successfully deployed.
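
The caution in step 4 about override routes can be checked before you program them. The following is an added example, not Aryaka or Palo Alto Networks code: it flags override routes pointing at the Prisma Access tunnel that overlap prefixes meant to stay site-to-site. The inventory layout, route names, and next-hop labels are assumptions made for illustration, not an Aryaka export format.

```python
import ipaddress

# Constructed sample inventory (hypothetical, maintained by hand for this check).
SITE_PREFIXES = ["10.10.0.0/16", "10.20.0.0/16", "172.16.5.0/24"]
OVERRIDE_ROUTES = [
    {"name": "saas-app", "prefix": "203.0.113.0/24", "next_hop": "prisma-access"},
    {"name": "catch-all-10", "prefix": "10.0.0.0/8", "next_hop": "prisma-access"},
    {"name": "lab-host", "prefix": "172.16.5.40/32", "next_hop": "prisma-access"},
    {"name": "local-breakout", "prefix": "10.20.0.0/16", "next_hop": "local-internet"},
]


def risky_override_routes(override_routes, site_prefixes,
                          tunnel_next_hop="prisma-access"):
    """Return (route name, site prefix) pairs where an override route sent to
    the Prisma Access tunnel overlaps a prefix that should stay site-to-site."""
    # strict=True rejects site prefixes with host bits set (likely typos).
    sites = [ipaddress.ip_network(p, strict=True) for p in site_prefixes]
    findings = []
    for route in override_routes:
        # Only routes that forward into the tunnel can pull site traffic into it.
        if route["next_hop"] != tunnel_next_hop:
            continue
        net = ipaddress.ip_network(route["prefix"], strict=False)
        for site in sites:
            # Overlap covers both directions: a broad override that swallows a
            # site prefix, and a narrow override for a host inside one.
            if net.version == site.version and net.overlaps(site):
                findings.append((route["name"], str(site)))
    return findings


if __name__ == "__main__":
    for name, site in risky_override_routes(OVERRIDE_ROUTES, SITE_PREFIXES):
        print(f"override route {name!r} would capture site-to-site prefix {site}")
```

Any finding is a route to move into Default Routes or narrow until it no longer overlaps a site prefix.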

Monitor Remote Network Traffic

To monitor remote network tunnel traffic from the Aryaka SD-WAN, complete the following task.
  1. Click the Monitor tab, then select Cloud Security Connector Traffic.
  2. Pick a reference site, select a time, and click Apply.
    To zoom in on any of these graphs, click a graph and drag the cursor.
    • The following information displays in the Internet Traffic graph:
      • Total Internet—All traffic forwarded to the internet.
      • Total Palo Alto—All internet traffic forwarded to Prisma Access.
      • Total Other—All traffic forwarded to the internet that isn't going to Prisma Access.
    • The Palo Alto Traffic graph shows traffic data (in Mbps) over IPSec tunnels to Prisma Access for the time period that you select. This graph shows traffic flow in both directions to Prisma Access.
    • The Palo Alto Received graph shows traffic received on the IPSec tunnels to Prisma Access. This graph shows all internet traffic inbound to the site from Prisma Access.
    • The Palo Alto Transmitted graph shows all traffic that is transmitted on IPSec tunnels to Prisma Access. This graph shows all traffic outbound to Prisma Access from the site.

Troubleshoot the Aryaka Remote Network

Prisma Access provides logs that show the status of remote tunnels and the status of each tunnel. To view these logs in Panorama, select Monitor > Logs > System.
To debug tunnel issues, you can filter for tunnel-specific logs by using the object identifier corresponding to that tunnel. The following figures show errors related to tunnel misconfiguration and negotiation issues.