Integrate Prisma Access with VMware SD-WAN by VeloCloud (Strata Cloud Manager)

To begin configuration of a VeloCloud-Prisma Access deployment, create the Prisma Access remote network connection and configure IKE and IPSec parameters for the IPSec tunnel between Prisma Access and VeloCloud.
  1. Connect a remote network site to Prisma Access.
    • Choose a Prisma Access Location that is close to the remote network location that you want to onboard.
    • When creating the IPSec tunnel, use a Branch Device Type of Other Devices.
    • Enter a Static IP address that matches the VeloCloud SD-WAN device’s IP address.
      You obtain this address from the VMware SD-WAN Orchestrator.
    • Enter a Pre-shared key for symmetric authentication across the tunnel.
    • Choose a Local Identification of None and an IKE Peer Identification of FQDN (hostname); then, enter an FQDN.
      Make a note of the Pre-Shared key and FQDN that you use for the Peer Identification; you match these settings when you configure the VeloCloud cloud gateway.
  2. Select IPSec Advanced Options and Create New to create a new IPSec crypto profile for the remote network tunnel using the recommended settings.
  3. Select IKE Advanced Options and Create New to create a new IKE cryptographic profile for the remote network tunnel.
    • Be sure to use crypto values that are supported by VeloCloud, and make a note of the values you use.
    • Enable IKE NAT Traversal (Enabled by default).
  4. Set up routing for the remote network.
    Select Set Up Routing and Add the IP subnets for Static Routing: Add a Branch IP Subnet, choose Static Routing, and Add a subnet you have reserved for this remote network connection.
  5. Push your configuration changes.
    1. Return to Manage > Service Setup > Remote Networks and select Push Config > Push.
    2. Select Remote Networks.
    3. Push your changes.
  6. Make a note of the Service IP of the Prisma Access side of the tunnel. To find this address in Prisma Access (Managed by Strata Cloud Manager), select Manage > Service Setup > Remote Networks, then click Remote Networks and look for the Service IP field that corresponds to the remote network configuration you created.

Configure the Remote Network Connection for VeloCloud Edge Devices

Use the following procedure to configure the IPSec tunnel on the VeloCloud edge device to complete the remote network connection.
  1. Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
  2. Select Configure > Network Services.
  3. In the Cloud Security Services area, click New to create a new service.
  4. Enter the following values in the New Cloud Security Provider window that displays:
    • Enter a Service Name to identify this configuration.
    • Select a Service Type of Generic Cloud Security Service.
    • For the Primary Point-of-Presence, enter the Service IP you retrieved from Prisma Access.
  5. Click Add to save and add the configuration.
  6. Select Configure > Profile and set Cloud Security Service to On; then, set the Hash, Encryption, and Key Exchange Protocol to match the settings you configured for the remote network tunnel in Prisma Access.
  7. Select Configure > Edge and complete the following steps:
    1. Set Cloud Security Service to On.
    2. Select the radio button to Redirect all internet bound traffic to Cloud Security Service.
    3. Set the Hash, Encryption, and Key Exchange Protocol to match the settings you configured for the remote network tunnel in Prisma Access.
    4. Enter the FQDN and pre-shared key (PSK) to match the FQDN and PSK you entered in Prisma Access.
  8. Verify the status of the remote network tunnel.
    • To view tunnel status, select Monitor > Edge in the VMware SD-WAN Orchestrator and view the information in the fields that display.
    • To view traffic and application statistics, select the Transport and Applications tab, then select Monitor > Edge.

Configure the Remote Network Connection for VeloCloud Gateways

Use the following procedure to configure the IPSec tunnel on the VeloCloud edge gateway to enable the remote network connection.
  1. Establish connectivity from the VeloCloud gateway to Prisma Access.
    1. Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
    2. Select Configure > Network Services.
    3. Select New in the Non-VeloCloud Sites area to create a new site.
    4. Enter a Name for the site and select a Type of Palo Alto.
    5. For the Primary VPN Gateway, enter the Service IP you retrieved from Prisma Access.
    6. Click Next.
      VeloCloud creates the site and generates the IKE and IPSec configuration (including pre-shared key) for the site.
    7. Click Advanced and update the IKE and IPSec parameters and add the Site Subnets that you will protect with Prisma Access.
    8. Make sure that you have selected Enable Tunnel(s); then, Save Changes.
      To view the detailed IKE and IPSec parameters and the public IP address used by the VeloCloud gateway, click View IKE IPSec Template. The public IP address displays in the Local Identification: IP address area.
  2. Verify the status of the remote network connection between the VeloCloud gateway and Prisma Access by selecting Monitor > Network Services. A green Status indicates that the connection has been established successfully.
  3. Configure the customer profile to service-chain the Non-VeloCloud site to the customer’s SD-WAN.
    1. Select Configure > Profiles > Profile-Name, where Profile-Name is the customer’s profile, then click the Device tab.
    2. Enable the Cloud VPN feature to turn on VPN connectivity from the Branch and Data Center sites.
    3. In the Branch to Non-VeloCloud Site section, select Enable; then, select the Prisma Access site you created in Step 1.
  4. Save your changes.

Troubleshoot the VeloCloud SD-WAN Remote Network

Use the following resources to troubleshoot issues with VeloCloud-Prisma Access deployments.
  • Prisma Access troubleshooting—Check the status and the logs in Prisma Access.
    • Go to Manage > Service Setup > Remote Networks and check the Status of the tunnel.
    • Go to Activity > Log Viewer and check the Common/System logs for IPSec- and IKE-related messages.
      To view VPN-related messages, set the filter to sub_type.value = vpn.
      The message ignoring unauthenticated notify payload indicates that the route has not been added in the crypto map on the other side of the IPSec tunnel after the IPSec negotiation has already occurred.
    • Check the Firewall/Traffic logs and view the messages that are coming from the zone that has the same name as the remote network.
      In the logs, the remote network name is used as the source zone.
  • VeloCloud troubleshooting—In the VMware SD-WAN Orchestrator, select Monitor > Events. The following example shows a timeout error; this type of error can indicate mismatching proposals or a gateway connectivity error. The values to check are provided in the message text.
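The procedures above depend on the IKE/IPSec values, PSK and peer FQDN noted in Prisma Access matching what is entered on the VeloCloud side, and the troubleshooting step depends on filtering the System logs to sub_type vpn. The following script is an added example, not part of this documentation or either product: it compares two constructed parameter records and triages constructed, simplified log lines (the field names, log shape and the `find_mismatches`/`triage_vpn_logs` helpers are assumptions; only the recommended filter and the "ignoring unauthenticated notify payload" message come from the page).

```python
import re

# Constructed sample of the values noted while configuring Prisma Access (step 1-3 above).
# Key names are illustrative, not product field names.
PRISMA_ACCESS = {
    "ike_hash": "sha256", "ike_encryption": "aes-256-cbc", "ike_dh_group": "group14",
    "peer_fqdn": "branch1.example.com", "psk": "PSK-PLACEHOLDER", "nat_traversal": True,
}
# Constructed sample of what was typed into the VeloCloud Orchestrator, with one deliberate mismatch.
VELOCLOUD = {
    "ike_hash": "sha256", "ike_encryption": "aes-256-cbc", "ike_dh_group": "group2",
    "peer_fqdn": "branch1.example.com", "psk": "PSK-PLACEHOLDER", "nat_traversal": True,
}

def find_mismatches(prisma, velo):
    """Return the names of parameters whose values differ between the two tunnel endpoints.
    A non-empty result is the first thing to check when the Orchestrator reports a timeout."""
    return sorted(k for k in prisma if prisma[k] != velo.get(k))

# Constructed System-log lines in a simplified field=value shape; not real Prisma Access output.
SAMPLE_LOGS = [
    "sub_type.value=vpn severity=info msg='IKE phase-1 negotiation is started'",
    "sub_type.value=vpn severity=warn msg='ignoring unauthenticated notify payload'",
    "sub_type.value=general severity=info msg='Commit succeeded'",
]

# Message explained on this page: the peer has not added the route for this subnet after
# IPSec negotiation already completed, so the branch subnet must be added on the other side.
HINTS = {
    "ignoring unauthenticated notify payload":
        "route not yet added on the peer side after IPSec negotiation; add the branch subnet and re-check",
}

def triage_vpn_logs(lines):
    """Apply the page's sub_type.value = vpn filter and pair each message with a hint when one is known.
    Returns a list of (message, hint-or-None) tuples in log order."""
    result = []
    for line in lines:
        if "sub_type.value=vpn" not in line:
            continue  # same effect as the Log Viewer filter
        match = re.search(r"msg='([^']*)'", line)
        msg = match.group(1) if match else line
        result.append((msg, HINTS.get(msg)))
    return result

if __name__ == "__main__":
    print("mismatched parameters:", find_mismatches(PRISMA_ACCESS, VELOCLOUD))
    for msg, hint in triage_vpn_logs(SAMPLE_LOGS):
        print(f"{msg!r} -> {hint or 'no known action'}")
```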