Configure the Service Infrastructure
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Configure the Service Infrastructure
Before you can begin setting up Prisma Access
to secure your remote networks and/or mobile users, you must configure
an infrastructure subnet, which Prisma Access will use to create
the network backbone for communication between your service connections,
remote networks, and mobile users, as well as with the corporate
networks you plan to connect to Prisma Access over service connections.
Because a large number of IP addresses will be required to set up
the infrastructure, you must use a /24 subnet (for example, 172.16.55.0/24)
at a minimum. See Plan the Service Infrastructure and Service Connections for the
requirements and guidelines to use when assigning an infrastructure
subnet.
- Select PanoramaCloud ServicesConfigurationService Setup and click the gear icon to edit the Settings.
- On the General tab, specify an Infrastructure Subnet,
for example, 172.16.55.0/24.See Plan the Service Infrastructure and Service Connections for the requirements and guidelines to use when assigning an infrastructure subnet.
- Enter the Infrastructure BGP AS you want to use within the Prisma Access infrastructure. If you want to use dynamic routing to enable Prisma Access to dynamically discover routes to resources on your remote networks and HQ/data center locations, specify the autonomous system (AS) number. If you do not supply an AS number, the default AS number 65534 will be used.
- (Optional) Add one or
more templates to the predefined template stack, Service_Conn_Template_Stack.The templates you add here can help simplify the process of adding new service connections. For example, if you add a template containing existing IPSec configuration settings, such as IPSec tunnel, Tunnel Monitoring, and IPSec Crypto Profile configurations, you can select these configurations when defining the tunnel settings for each service connection rather than having to create the tunnel configuration from scratch. You can optionally edit the predefined Service_Conn_Template with tunnel settings that you can leverage when creating the tunnels from Prisma Access to your corporate network sites.
- Enable Prisma Access to resolve your internal domains.Use this step if you need Prisma Access to be able to resolve your internal domains to access services, such as LDAP servers, on your corporate network via service connections. For example, if you want a DNS lookup for your corporate domain to go exclusively to the corporate DNS server, specify the corporate domain and the corporate DNS servers here.
- Select the Internal Domain List tab.
- Add the Domain Names, Primary
DNS, and Secondary DNS servers
that the cloud service can use to resolve your internal domain names.You can use a wildcard (*) in front of the domains in the domain list, for example *.acme.local or *.acme.com.
- Enable Strata Logging Service.
- Select the Strata Logging Service tab.
- Select a Strata Logging Service Theater and click OK.
- Configure the device groups you are using to push
settings to Prisma Access with a Log Forwarding profile that forwards the
desired log types to Panorama/Strata Logging Service.The Cloud Services plugin automatically adds the following Log Settings (DeviceLog Settings) after a new installation or when removing non-Prisma Access templates from a Prisma Access template stack:
- Log Settings for System logs (system-gpcs-default), User-ID logs (userid-gpcs-default), HIP Match logs (hipmatch-gpcs-default), and GlobalProtect logs (gp-prismaaccess-default) are added to the Mobile_User_Template.
- Log Settings for System logs (system-gpcs-default), User-ID logs (userid-gpcs-default), and GlobalProtect logs (gp-prismaaccess-default) are added to the Remote_Network_Template.
- Log Settings for System logs (system-gpcs-default) and GlobalProtect logs (gp-prismaaccess-default) are added to the Service_Conn_Template.
These Log Setting configurations automatically forward System, User-ID, HIP Match, and GlobalProtect logs to Strata Logging Service.To apply log setting changes, perform the following steps, then commit and push your changes:- To apply the log setting to the mobile user template, select PanoramaCloud ServicesConfigurationMobile Users, click the gear icon to edit the settings, and click OK.
- To apply the log setting to the remote network template, select PanoramaCloud ServicesConfigurationRemote Networks, click the gear icon to edit the settings, and click OK.
- To apply the log setting to the service connection template, select PanoramaCloud ServicesConfigurationService Setup, click the gear icon to edit the settings, and click OK.
See Add Log Settings to Prisma Access (Panorama Managed) for a video that describes the log settings process.The way you enable log forwarding for other log types depends on the type. For logs that are generated based on a policy match, use a log forwarding profile.
- (Optional) Configure Advanced settings
(routing preferences, symmetric network path options for service
connections, and HIP redistribution).
- Specify the Routing Preference to
use with service connections.You can specify network preferences to use either your organization’s network, or the Prisma Access network, to process the service connection traffic.
- Default—Prisma Access uses default routing in its internal network.
- Hot potato routing—Prisma Access hands off service connection traffic to your organization’s WAN as quickly as possible.
Changing the Prisma Access service connection routing method requires a thorough understanding of your organization’s topology and routing devices, along with an understanding of how Prisma Access routing works. We recommend that you read the Routing Preferences for Service Connection Traffic section carefully before changing the routing method from the default setting. - Configure the Backbone Routing to
use for the service connections.By default, the Prisma Access backbone requires that you have a symmetric network path for the traffic returning from the data center or headquarters location by way of a service connection. If you want to use ECMP or another load balancing mechanism for service connections from your CPE, you can specify Prisma Access to allow asymmetric flows through the Prisma Access backbone.
- Select no-asymmetric-routing to require symmetric flows across the service connection backbone (the default setting).
- Select asymmetric-routing-only to allow Prisma Access to use asymmetric flows across the service connection backbone.
- If you have multiple data centers or headquarters locations, and one or more of those locations have multiple service connections, select asymmetric-routing-with-load-share to allow Prisma Access to use asymmetric flows and load balance between the service connections.
If you have a new Prisma Access deployment, Palo Alto Networks recommends that you select asymmetric-routing-only or, if you use multiple service connections in a location, asymmetric-routing-with-load-sharing to enable more efficient routing across the Prisma Access backbone. If you have an existing deployment, you should determine the impact of any service connection routing changes before you enable asymmetric routing. - Enable HIP Redistribution to
have Prisma Access use service connections to redistribute HIP information
from mobile users and users at remote networks.See Redistribute HIP Information with Prisma Access for more information about enabling HIP redistribution.
- Withdraw static routes in the event if a service connection
or remote network connection goes down and there is no secondary
tunnel by selecting Withdraw Static Routes if Service
Connection or Remote Network IPSec tunnel is down.Prisma Access removes the route in the following situations:
- The primary tunnel goes down and there is no secondary tunnel.
- If a primary and secondary tunnel is configured, but both go down.
If you do not select this check box, Prisma Access keeps the static route if the primary tunnel goes down and there is no secondary tunnel configured. - (Optional) Automatically add a host-specific
static route to the static IKE gateway peer for the IPSec tunnel
on the Remote Network security processing node (SPN) and Service Connection
corporate access node (CAN) by selecting Enable automatic
IKE peer host routes for Remote Networks and Service Connections.After you make this selection, IPSec tunnel packets to the static IKE gateways will be routed over the internet.
- (Optional) Specify Outbound Routes for the Service (Max 10) by adding up to 10 prefixes for which Prisma Access adds static routes on all SPNs and CANs. Prisma Access then routes traffic to these prefixes over the internet.
- Specify the Routing Preference to
use with service connections.
- Click OK to save the Service Setup settings.
- Commit all your changes to Panorama and push the configuration
changes to Prisma Access.
- Click CommitCommit to Panorama.
- Click CommitPush to Devices and click Edit Selections.
- On the Prisma Access tab, make
sure Service setup is selected and then click OK.Prisma Access should automatically select the components that need to be committed.
- Click Push.If there is a Palo Alto Networks next-generation firewall between the Panorama appliance and the internet, you must add a security policy rule on the firewall to allow the paloalto-logging-service and paloalto-shared-services App-IDs from the Panorama appliance to the internet. These applications allow SSL-secured communication to Prisma Access and to Strata Logging Service that the Panorama appliance uses to query logs. If the Panorama appliance is behind a legacy Layer 4 firewall, permit ports 443 and 444 outbound from the Panorama to allow this traffic from the Panorama. Note that opening layer 4 ports instead of using Palo Alto Networks App-IDs is less secure and not recommended.
- Verify that Prisma Access is successfully connected to
Strata Logging Service.
- Select PanoramaCloud ServicesStatusStatusStrata Logging Service and
verify that the Status is OK.If the status is Error, click the details link to view any errors.
- Select PanoramaCloud ServicesStatusStatusStrata Logging Service and
verify that the Status is OK.
- Continue setting up Prisma Access: