To allow organizations that manage the IT infrastructure
of other organizations, such as service providers, MSSPs, or Telcos,
to quickly and easily protect outbound internet traffic for their tenants,
Palo Alto Networks provides Prisma Access for Clean Pipe. A service
provider, MSSP, or Telco can route their customers (configured as
tenants) to Prisma Access for Clean Pipe using a Partner Interconnect.
After the traffic crosses the Partner Interconnect, it will be sent
to a tenant-dedicated instance of the Clean Pipe for security, and
then routed to the Internet.
Prisma Access for Clean Pipe also provides an API that you can
use to quickly and easily create Clean Pipes for your tenants.
Use Prisma Access for Clean Pipe if all of the following
conditions apply:
You manage a network deployment with a large number of tenants.
For example, you are a service provider, Telco, or MSSP who manages
and maintains the networks of many different organizations (up to
tens of thousands).
You want a way for each tenant in your deployment to have their
outbound internet traffic secured.
You need a fast and scalable way to onboard Clean Pipes for the
organizations whose networks you manage.
With the exception of outbound internet security, you do not have
additional requirements to protect the mobile users, headquarters,
or branch locations of the networks you manage.
If you have additional security requirements, we recommend creating
multiple tenants in Prisma Access instead of implementing Clean Pipe.
Creating multiple tenants allows you to create and enforce security
profiles for separate groups of remote networks and mobile users.
Clean Pipe Examples
The following figure provides an example of Clean Pipes
configured for a single tenant, with multiple Clean Pipes configured
for the tenant.
In this example, the service provider manages the internet connectivity
for four organizations and wants to protect outbound internet access
for them. The service provider creates a Google Cloud Platform (GCP)
Partner Interconnect and creates a VLAN attachment for each tenant.
The service provider configures Prisma Access for Clean Pipe using
Panorama to provide security for the VLAN attachment.
This example shows a single Clean Pipe per tenant. You can also
create multiple Clean Pipes in a single tenant. Make sure that each
Clean Pipe you specify for a tenant uses a different location.
The following figure shows a single Clean Pipe in more detail
for a tenant who wants a clean connection to the internet. The Customer
Edge (CE) router provides WAN connectivity for the tenant. The CE router
connects to a cloud router, and the cloud router provides connectivity
for the Partner Interconnect. The service provider creates a VLAN
attachment for the tenant, and configures Prisma Access for Clean Pipe
in Panorama to provide security for the VLAN attachment, which protects
the tenant’s internet-based traffic.
Clean Pipe and Partner Interconnect Requirements
Before you start, be aware of the following Clean Pipe deployment
requirements and of the differences between Prisma Access for
Clean Pipe and other Prisma Access deployments:
You must have a Prisma Access for Clean Pipe license.
The Prisma Access for Clean Pipe license is a separate license from
other Prisma Access products. However, the same requirements for
purchasing and installing Panorama and Strata Logging Service
licenses apply to Clean Pipe.
Prisma Access for Clean Pipe has the following GCP Partner
Interconnect requirements:
You must be able to create a Partner Interconnect in GCP.
You must have the ability to create VLAN attachments in GCP.
For Layer 2 (L2) partner interconnects, you must have access
to the customer edge (CE) router on the MSSP side and be able to
make configuration changes to it.
For more information about GCP configuration, refer to the GCP
documentation.
Be aware of the minimum bandwidth requirements for the Clean
Pipe deployment.
The minimum license you can purchase is 1000 Mbps. The minimum
bandwidth allocation for each Clean Pipe tenant is 100 Mbps.
After you create a tenant, you can create Clean Pipes in that
tenant. Each Clean Pipe must be a minimum of 100 Mbps.
Each Clean Pipe shares the tenant’s access domain, templates and template stack, and device group.
If you configure multiple Clean Pipes for a single tenant, each
Clean Pipe must use a unique location. If you want to configure
two VLAN attachments for a single Clean Pipe location in an
active/backup configuration for intra-zone redundancy, specify
the REDUNDANT choice when you add a new Clean Pipe instance.
When creating a connection within a Clean Pipe tenant, match
the bandwidth allocation to that of the VLAN attachment. Do not
create a VLAN attachment that has a bandwidth that is higher or
lower than the connection's bandwidth.
After you enable multitenancy, do
not configure your Clean Pipe deployment with any of the other tabs
in the Configuration area, with the exception of the Generate API
key link in the Service Setup tab,
which lets you generate an API key to retrieve Clean Pipe
IP addresses. All configuration is unique to Prisma Access for
Clean Pipe and separate from other Prisma Access deployments, such
as Prisma Access for Networks or Prisma Access for Users.
Do not make changes to a Clean Pipe configuration after you
commit it. If you change a Clean Pipe after it has been committed,
you will receive a commit error when you re-commit it. Instead, delete
the existing Clean Pipe and add a new one. Schedule this change
during a system downtime window. If you have already made changes
but have not yet committed them, you can revert the changes by
editing the Clean Pipe configuration back to its previous values.
Note that the locations used by Clean Pipe differ from other
Prisma Access deployments. Prisma Access for Clean Pipe supports
the following locations:
asia-east1
asia-east2
asia-northeast1
asia-south1
asia-southeast1
australia-southeast1
europe-north1
europe-west2
europe-west3
europe-west4
northamerica-northeast1
southamerica-east1
us-central1
us-east1
us-east4
us-west1
us-west2
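The requirements above can be checked against a planned tenant before anything is committed in Panorama. The following is an added example, not part of the Palo Alto Networks documentation and not a call to the Prisma Access API: the CleanPipe record and validate_tenant function are hypothetical names, and the check that every VLAN attachment of a REDUNDANT Clean Pipe matches the connection's bandwidth is an assumption drawn from the bandwidth-matching rule.

```python
from __future__ import annotations
from dataclasses import dataclass

# Supported Clean Pipe locations, copied from the list on this page.
SUPPORTED_LOCATIONS = frozenset("""
asia-east1 asia-east2 asia-northeast1 asia-south1 asia-southeast1
australia-southeast1 europe-north1 europe-west2 europe-west3 europe-west4
northamerica-northeast1 southamerica-east1 us-central1 us-east1 us-east4
us-west1 us-west2""".split())
MIN_LICENSE_MBPS = 1000   # minimum purchasable license
MIN_ALLOC_MBPS = 100      # minimum per tenant and per Clean Pipe

@dataclass
class CleanPipe:                      # hypothetical planning record
    name: str
    location: str
    bandwidth_mbps: int
    vlan_attachments_mbps: list[int]  # bandwidth of each GCP VLAN attachment
    redundant: bool = False           # the REDUNDANT choice

def validate_tenant(license_mbps: int, tenant_mbps: int,
                    pipes: list[CleanPipe]) -> list[str]:
    """Return the page's requirements that a planned tenant violates."""
    errors = []
    if license_mbps < MIN_LICENSE_MBPS:
        errors.append(f"license: {license_mbps} Mbps is below {MIN_LICENSE_MBPS}")
    if tenant_mbps < MIN_ALLOC_MBPS:
        errors.append(f"tenant: {tenant_mbps} Mbps is below {MIN_ALLOC_MBPS}")
    used: dict[str, str] = {}         # location -> first pipe using it
    for p in pipes:
        if p.location not in SUPPORTED_LOCATIONS:
            errors.append(f"{p.name}: unsupported location {p.location}")
        if p.location in used:
            errors.append(f"{p.name}: location already used by {used[p.location]}")
        used.setdefault(p.location, p.name)
        if p.bandwidth_mbps < MIN_ALLOC_MBPS:
            errors.append(f"{p.name}: {p.bandwidth_mbps} Mbps is below {MIN_ALLOC_MBPS}")
        if len(p.vlan_attachments_mbps) > 1 and not p.redundant:
            errors.append(f"{p.name}: multiple VLAN attachments need REDUNDANT")
        for bw in p.vlan_attachments_mbps:
            if bw != p.bandwidth_mbps:
                errors.append(f"{p.name}: VLAN attachment {bw} Mbps != {p.bandwidth_mbps}")
    return errors

# Constructed sample plan, not taken from any real deployment.
SAMPLE = [
    CleanPipe("cp-a", "us-east1", 100, [100]),
    CleanPipe("cp-b", "us-east1", 200, [200]),          # repeats cp-a's location
    CleanPipe("cp-c", "us-east2", 100, [100]),          # not in the supported list
    CleanPipe("cp-d", "europe-west3", 50, [100]),       # too small, attachment mismatch
    CleanPipe("cp-e", "asia-south1", 100, [100, 100]),  # two attachments, not REDUNDANT
]

if __name__ == "__main__":
    print("\n".join(validate_tenant(1000, 500, SAMPLE)))
```

Because a committed Clean Pipe cannot be edited, only deleted and re-added, a failing check here is cheaper to fix than a commit error later.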
Note the following networking restrictions for Clean Pipe: