Connect your Mobile Users in Mainland China to Prisma Access Overview
Focus
Focus
Prisma Access

Connect your Mobile Users in Mainland China to Prisma Access Overview

Table of Contents

Connect your Mobile Users in Mainland China to Prisma Access Overview

Describes the workflow you use to connect mobile users in mainland China to Prisma Access.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Panorama)
To connect mobile users in mainland China to Prisma Access, you start by selecting regions in Alibaba Cloud—one region in mainland China and one region outside of mainland China—and create one VPC in each region. You set up the connectivity between the two VPCs over the CEN and create either a service connection or a remote network connection between Prisma Access and a router in the VPC outside of mainland China (Router 2 and VPC 2 in the following figure).
You also deploy a VM-series next-generation firewall in the VPC that is in the compute region in mainland China (VPC 1 in the following figure) and configure it as a GlobalProtect gateway. This gateway terminates the GlobalProtect tunnels for mobile users in China.
This deployment allows you to enforce security policies on the GlobalProtect gateway in China for internet-bound traffic. The following figure provides a high-level overview.
The following list provides you with a high-level overview of the tasks you perform to create a deployment to secure mobile users in mainland China. This document takes you through each of these list items in detail.
  • Complete real-name registration and configure and purchase bandwidth for Alibaba Cloud Express Connect (CEN).
  • Create two VPCs, one in two separate regions in Alibaba cloud.
    Configure one VPC in mainland China. Refer to the Alibaba Cloud website for a list of available regions. Configure the second VPC outside mainland China, close to a Prisma Access location.
  • Purchase and attach both VPCs to the CEN.
  • Onboard a Prisma Access service connection or remote network connection in a region close to VPC 2.
    You must use IKEv2 with NAT-T and dynamic IP addresses for the IPSec tunnel on Prisma Access.
  • Acquire one elastic IP address in the VPC in mainland China (VPC 1).
  • Deploy a VM-series firewall (either a VM-300 or VM-500 model instance) or a next-generation firewall to use as Router 1 in the VPC located in China, configure it as a GlobalProtect gateway, add this gateway to Prisma Access’ GlobalProtect portal, and configure a VM-series firewall to establish an IPSec site-to-site tunnel to the private IP address of Router 2.
  • Deploy a Linux instance in the VPC outside China (VPC 2) on Alibaba Cloud, configure an Linux instance as a NAT enabled router, to be used as Router 2, and configure Router 2 to forward IPSec tunnel packets to the Prisma Access service connection.
  • Specify the traffic to route through the Prisma Access service connection or remote network connection, depending on the type of connection you created.