Configure Prisma Access for Mobile Users in China

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Activation & Onboarding
Administration
Version
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Integrations
Incidents & Alerts
Release Notes
Version
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred

Connect your Mobile Users in Mainland China to Prisma Access Overview

Configure Real-Name Registration and Create the VPCs in Alibaba Cloud

Configure Prisma Access for Mobile Users in China

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Panorama)	Prisma Access license

To begin the process to provide secure access to mobile users in China, you set up either a service connection or a remote network connection in Prisma Access by completing the following steps.

The type of connection you choose (service or remote network connection) depends on the type of access you need to provide. To provide access to internal applications or to send all traffic to a data center, use a service connection. To provide access to internet resources such as SaaS applications or publicly accessible partner applications, use a remote network.

In the Panorama that manages Prisma Access, select NetworkNetwork ProfilesIKE CryptoAdd and Add an IKE crypto profile for the IPSec tunnel.
Select the template you want to use for the connection. If you are creating a service connection, select Service_Conn_Template; if you are creating a remote network connection, select Remote_Network_Template.
Give the profile a name and specify IKE settings.
Make a note of these settings; you specify the same settings when you create the IPSec tunnel in the router instance you configure in Alibaba Cloud.
Select NetworkNetwork ProfilesIPSec Crypto and create a new IPSec crypto profile in Panorama, making a note of the settings you specify.
Skip this step if you have already created an IPSec crypto profile.
Select NetworkNetwork ProfilesIKE Gateways and Add a new IKE gateway, specifying the following parameters:
- Specify a Version of IKEv2 only mode.
- Specify a Peer IP Address Type of Dynamic.
- Enter a Pre-Shared Key.
- Specify User FQDN (email address) for Local Identification and Peer Identification and enter the IP addresses to use.
Select Advanced Options and enable NAT Traversal.
Select NetworkIPSec Tunnels and Add an IPSec tunnel, specifying the IPSec Crypto Profile you just created.
Onboard a new service connection or remote network connection, specifying the following parameters:
- Select a location that is close to the location of VPC 2.
- Enter placeholder Corporate Subnets (for service connections) or Branch IP Subnets (for remote network connections). You add valid subnets when you deploy the VM-series firewall in Alibaba cloud after you create Linux instances in the Alibaba Cloud VPCs.
  This example uses static routes; you can also configure BGP routing for your deployment.
Commit your changes to Panorama (CommitCommit to Panorama), then commit and push your changes (CommitCommit and Push).
Select PanoramaCloud ServicesStatusNetwork Details and note the Service IP Address for the service connections you onboarded.