Integrate Prisma Access with VMware SD-WAN by VeloCloud (Panorama)

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Activation & Onboarding
Administration
Version
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrations
Incidents & Alerts
Release Notes
Version
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred

Integrate Prisma Access with VMware SD-WAN by VeloCloud (Panorama)

To begin the configuration of a VeloCloud-Prisma Access deployment, use Panorama to create IPSec, and IKE parameters and create the Prisma Access remote network connection.

This procedure assumes that you have already completed the following prerequisites:

You have activated and installed Prisma Access.
You have logged into Panorama and created an Infrastructure subnet for Prisma Access, using a subnet that does not overlap with your existing network subnets.
You have created trusted and untrusted zones and used zone mapping to map those zones for your deployment.
You have made a note of the subnets you will use for each remote network gateway.
You have made a note of the IP address for the VeloCloud SD-WAN device. You obtain this information from the VMware SD-WAN Orchestrator.
You use the IP address of the gateway address to configure the IKE gateway.

Create IKE and IPSec Crypto profiles and an IKE gateway for the remote network connection you will create.

You will use these profiles to provide connectivity between Prisma Access and the VeloCloud SD-WAN device.
1. Select NetworkNetwork ProfilesIKE Crypto and Add an IKE crypto profile for the IPSec tunnel.
  
  Make sure you have selected the Template of Remote_Network_Template before starting this task.
2. Give the profile a name and specify IKE settings.
  
  Make a note of these settings; you specify the same settings. When you configure the setting on the VeloCloud SD-WAN device.
3. Select NetworkNetwork ProfilesIPSec Crypto and Add a new IPSec crypto profile.
4. Specify a name for the profile and specify IPSec crypto parameters.
  
  Make a note of these settings; you specify the same settings. When you configure the setting on the VeloCloud SD-WAN device.
5. Select NetworkNetwork ProfilesIKE Gateways and Add a new IKE gateway.
6. Specify a Name Version.
7. Enter a Peer IP Address that matches the VeloCloud SD-WAN device’s IP address.
  
  You obtain this address from the VMware SD-WAN Orchestrator.
8. Enter a Pre-shared key for symmetric authentication across the tunnel.
9. Choose a Local Identification of None and a Peer Identification of FQDN (hostname); then, enter an FQDN.
  
  Make a note of the Pre-Shared key and FQDN that you use for the Peer Identification; you match these settings when you configure the VeloCloud cloud gateway.
10. Configure Advanced Options:
  Enable NAT Traversal.
  Set the Exchange Mode to Auto so the gateway can accept both main mode and aggressive mode requests, or let the gateway initiate negotiation and allow exchanges in main mode.
  Select the IKE Crypto Profile you created in step 1.a.
11. Select NetworkIPSec Tunnels and Add an IPSec tunnel.
12. Select the IKE Gateway and IPSec Crypto Profile you created earlier in this task.
Select PanoramaCloud ServicesConfigurationRemote Networks and Add a new remote network connection, specifying the following values:
- Give the remote network connection a unique Name.
- Specify a Location that is close to the VeloCloud SD-WAN device.
- Specify the IPSec Tunnel you created in step 1.k.
- In the Static Routes tab, Add the Branch IP Subnets you have reserved for this remote network connection.
Commit the configuration changes to Panorama and push the configuration out to Prisma Access for remote networks.
1. Click CommitCommit and Push.
2. Click Edit SelectionsPrisma Access, and select both Prisma Access for remote networks and Prisma Access for service setup to push the configuration out to the service.
  
  Pushing the GlobalProtect cloud service for service setup is only required if you made changes to the service setup (for example, you added the Infrastructure subnet).
3. Click OK, then Commit and Push.
  
  Prisma Access displays a success page after the commit succeeds.
Make a note of the Service IP address of the Prisma Access side of the tunnel. To find this address in Panorama, select PanoramaCloud ServicesStatusNetwork Details, select Remote Networks, and find the Service IP Address.

You use the Service IP Address as the Peer IP address when you configure the IPSec tunnel in the VeloCloud SD-WAN device.

Configure the Remote Network Connection for VeloCloud Edge Devices

Use the following procedure to configure the IPSec tunnel on the VeloCloud edge device to complete the remote network connection.

Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
Select ConfigureNetwork Services.
In the Cloud Security Services area, click New to create a new service.
Enter the following values in the New Cloud Security Provider window that displays:
- Enter a Service Name to identify this configuration.
- Select a Service Type of Generic Cloud Security Service.
- For the Primary Point-of-Presence, enter the Service IP Address you retrieved from Prisma Access.
Click Add to save and add the configuration.
Select ConfigureProfile and set Cloud Security Service to On; then, select the Hash, Encryption, and Key Exchange Protocol to the settings you configured for the remote network tunnel in Prisma Access.
Select ConfigureEdge and complete the following steps:
1. Set Cloud Security Service to On.
2. Select the radio button to Redirect all internet bound traffic to Cloud Security Service.
3. Select the Hash, Encryption, and Key Exchange Protocol to match the settings you configured for the remote network tunnel in Prisma Access.
4. Enter the FQDN and pre-shared key (PSK) to match the FQDN and PSK you entered in Prisma Access.
Verify the status of the remote network tunnel.
- To view tunnel status in the VMware SD-WAN Orchestrator, select MonitorEdge in the VMware SD-WAN Orchestrator and viewing the information in the fields that display.
- To view traffic and application statistics, select the Transport and Applications tab, then select MonitorEdge.

Configure the Remote Network Connection for VeloCloud Gateways

Use the following procedure to configure the IPSec tunnel on the VeloCloud edge gateway to enable the remote network connection.

Establish connectivity from the VeloCloud gateway to Prisma Access.
1. Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).
2. Select ConfigureNetwork Services.
3. Select New in the Non-VeloCloud Sites to create a new site.
4. Enter a Name for the site and select a Type of Palo Alto.
5. For the Primary VPN Gateway, enter the Service IP Address you retrieved from Prisma Access.
6. Click Next.
  
  VeloCloud creates the site and generates the IKE and IPSec configuration (including pre-shared key) for the site.
7. Click Advanced and update the IKE and IPSec parameters and add the Site Subnets that you will protect with Prisma Access.
8. Make sure that you have selected Enable Tunnel(s); then, Save Changes.
  
  To view the detailed IKE and IPSec parameters and the public IP address used by the VeloCloud gateway, click View IKE IPSec Template. The public IP address displays in the Local Identification : IP address : area.
Verify the status of the remote network connection between the VeloCloud gateway and Prisma Access by selecting MonitorNetwork Services. A Status in green indicates that the connection has been successfully established.
Configure the customer profile to service-chain the Non-VeloCloud site to the customer’s SD-WAN.
1. Select ConfigureProfiles Profile-Name, where Profile-Name is the customer’s profile, then click the Device tab.
2. Enable the Cloud VPN feature to turn on VPN connectivity from the Branch and data center sites.
3. In the Branch to Non-VeloCloud Site section, select Enable; then, select the Prisma Access site you created in step 1.
Save your changes.