Configure and Run the Container
To facilitate communication between the Prisma Access
for Networks (managed by Panorama) CloudBlade and Panorama, the
CloudBlade requires use of either:
- An On-Premise Docker container.
- A Cloud Container from a Cloud Provider (Azure, Google, etc.)
Irrespective of the method selected for container operation,
the container must be able to access the following resources:
- Panorama XML API (Typically not exposed to the Internet).
- Prisma SD-WAN Cloud Controller API (Internet).
- Prisma Access API (Internet).
On-Premise Docker Container
Prisma Access version 2.0 (Preferred and Innovation) for
non-aggregate bandwidth requires the Docker container version 2.0.3-b2.
Failure to use this version will result in onboarding failure of
remote networks. This applies to any container version of 2.0.3
created/run before 3/26/21.
The On-Premise Docker container requires:
- A compute host or compatible Virtual Machine (VM).
- Minimum 1 vCPU and 512 MB of memory.
- Network access to the following:
  - Panorama XML API (TCP 443 on the Panorama System).
  - Prisma Access API Endpoint (TCP 443 to api.gpcloudservice.com).
  - Prisma SD-WAN API Endpoint (TCP 443 to api.*.cloudgenix.com).
Docker Container Start/Stop Commands (Linux)
Once the compute host/VM has been selected, perform the following:
- Install Docker on the compute host/VM. For more information on installing Docker Engine/Community Edition, refer to https://www.docker.com/products/docker-engine.
- Create a directory for container logs and configuration. These directories are published into the container with Docker bind mounts. From the command line (Windows, Mac or Linux) use the following commands:

    mkdir cloudgenix
    cd cloudgenix
    mkdir applog
    mkdir config

In the config directory, create a file named config.yml that will contain the container configuration. An example container configuration file config.yml is shown below.

    ---
    type: cloudgenix_prisma_access_panorama
    version: 2.0.3
    #
    #REQUIRED ITEMS!
    #
    # VPN Pre-shared key to use for tunnels
    VPN_PSK: 'VPN PSK HERE'
    # Panorama password
    # Panorama Host/IP and Username are specified in Prisma SD-WAN portal
    # Click Email -> Extensions -> Prisma Access for Networks (managed by Panorama)
    PANORAMA_PASSWORD: "password here"
    # PRISMA_ACCESS API Key from Panorama
    # Located at PANORAMA -> Cloud Services -> Configuration -> Service Setup tab -> Generate API Key
    # PRISMA_ACCESS_API_KEY: "GET KEY FROM PANORAMA"
    # Prisma SD-WAN AUTH_TOKEN (tenant_super)
    # Click Email -> System Administration -> Auth Tokens
    CGX_AUTH_TOKEN: "CGX AUTH TOKEN FROM CGX UI"
    #
    #Optional items.
    #
    #These enable external syslog debugging export for this on-premise container.
    #SYSLOG_HOST: 10.0.0.1
    #SYSLOG_PORT: 514
    #SYSLOG_FACILITY: local2
    #
    #This allows modification of the default run interval - default 180s.
    # Please note that commits for changes will be applied for the panorama user at this interval.
    #RUN_INTERVAL: 30
    #
    #If issues occur with configuration of this container, please contact
    # www.paloaltonetworks.com/company/contact-support

This configuration file should contain (at a minimum):
- VPN Pre-Shared Key (PSK) to use when creating tunnels.
- Panorama XML API user password (the username is specified in the Prisma SD-WAN Portal).
- Prisma SD-WAN Auth Token with tenant_super or custom permissions.
The config.yml file is optional. If config.yml is not provided, all the options that would be provided in the config.yml file must be provided as Environment Variables or Secure Environment Variables instead. Once the config.yml file is configured, download and launch the Docker container with one of the following commands.

Linux\Unix\Mac

    docker run --restart unless-stopped \
      --network=host \
      -v $PWD/applog:/tmp/applog \
      -v $PWD/config:/config \
      -d --name prisma_access_panorama \
      cloudgenix/prisma_access_panorama:2.0.3

EXAMPLE:

    docker run --restart unless-stopped --network=host -v /root/cloudgenix/applog/:/tmp/applog -v /root/cloudgenix/config/:/config -d --name prisma_access_panorama cloudgenix/prisma_access_panorama:2.0.3

Windows CMD

    docker run --restart unless-stopped ^
      -v %cd%\applog:/tmp/applog ^
      -v %cd%\config:/config ^
      -d --name prisma_access_panorama ^
      cloudgenix/prisma_access_panorama:2.0.3

After launching the Docker container, the integration process is complete. For a quick validation, examine the ./applog/Prisma-Access-for-Networks-(managed-by-Panorama)_2.0.3/<host dir>/output.log file; the latest messages written there are explained in the Troubleshooting Section.

If the container is running on a Linux server, the config.yml file may need to have its permissions changed to be read by the container. Example: chmod +777 config.yml. Note that mode 777 also makes this credential file writable by every local user; read access for the user the container process runs as is all that is required.

The container ID shown below is an example only. The container ID will be different on different systems, or will change on the same system if the container is removed and reinstalled.
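Before running the docker run command above, it is worth catching a config.yml that still carries the example placeholders, or one whose permissions expose the PSK, the Panorama password and the auth token to every local account. The following pre-flight script is an added example, not part of the Palo Alto Networks documentation or the container image; it assumes the key names of the example config.yml above and that config.yml lives in ./config/, and it reuses the Linux docker run command unchanged. The file name preflight.sh and the run argument are the example's own.

```shell
#!/bin/sh
# Pre-flight check for the CloudBlade container's config.yml, run before the
# docker run command. Added example, not part of the Palo Alto Networks
# documentation or the container image; it assumes the key names of the
# example config.yml above and that config.yml lives in ./config/.

# check_key FILE KEY -> 0 when KEY has an active (uncommented) assignment whose
# value is not one of the placeholders from the example file.
check_key() {
    file=$1; key=$2
    # take the first "KEY: value" line that is not commented out, then strip
    # one layer of surrounding single or double quotes
    value=$(sed -n "s/^[[:space:]]*$key:[[:space:]]*//p" "$file" | head -n 1 \
            | sed "s/^['\"]//; s/['\"][[:space:]]*\$//")
    if [ -z "$value" ]; then
        echo "missing: $key" >&2; return 1
    fi
    case $value in
        'VPN PSK HERE'|'password here'|'GET KEY FROM PANORAMA'|'CGX AUTH TOKEN FROM CGX UI')
            echo "placeholder left in: $key" >&2; return 1 ;;
    esac
    return 0
}

# check_perms FILE -> 0 unless the file is readable or writable by "other".
# config.yml carries the VPN PSK, the Panorama password and an API token, so a
# world-accessible mode (such as the 777 mentioned above) hands them to every
# local account; read access for the user the container runs as is enough.
check_perms() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    other=$(printf '%s' "$mode" | tail -c 1)
    if [ "$other" -ne 0 ]; then
        echo "warning: $1 is mode $mode (accessible by other users)" >&2; return 1
    fi
    return 0
}

# preflight FILE -> 0 when every required key is usable; a permissive mode is
# reported but does not block the launch, since the documentation allows it.
preflight() {
    file=$1; rc=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    for key in VPN_PSK PANORAMA_PASSWORD CGX_AUTH_TOKEN; do
        check_key "$file" "$key" || rc=1
    done
    # shown commented out in the example file, so only a note when absent
    check_key "$file" PRISMA_ACCESS_API_KEY 2>/dev/null \
        || echo "note: PRISMA_ACCESS_API_KEY not set" >&2
    check_perms "$file" || true
    return $rc
}

# launch -> the Linux docker run command from the documentation, unchanged.
launch() {
    docker run --restart unless-stopped \
        --network=host \
        -v "$PWD/applog:/tmp/applog" \
        -v "$PWD/config:/config" \
        -d --name prisma_access_panorama \
        cloudgenix/prisma_access_panorama:2.0.3
}

# Only act when invoked as "sh preflight.sh run", so the functions can be
# sourced or tested without side effects.
if [ "${1:-}" = "run" ]; then
    preflight config/config.yml && launch
fi
```

Run it from the cloudgenix directory as `sh preflight.sh run`; without the argument it only defines the functions. A placeholder value or a missing required key stops the launch, while a world-accessible mode is only reported, because the documentation's own chmod advice would otherwise be rejected.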
- Verify Container Running Status

    root@ubuntu:/# docker ps
    CONTAINER ID   IMAGE                                     COMMAND                  CREATED        STATUS         PORTS   NAMES
    42f39ad5623b   cloudgenix/prisma_access_panorama:2.0.3   "./prisma_access_int…"   23 hours ago   Up 5 seconds           prisma_access_panorama
    root@ubuntu:/#

Stop the Prisma Access Container

    root@ubuntu:/# docker stop 42f39ad5623b
    42f39ad5623b
    root@ubuntu:/#

Find the Prisma Access Container If It Is Stopped

A stopped container is not listed by docker ps; use docker ps -a to find it.

    root@ubuntu:/# docker ps
    CONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAMES
    root@ubuntu:/#
    root@ubuntu:/# docker ps -a
    CONTAINER ID   IMAGE                                     COMMAND                  CREATED        STATUS                      PORTS   NAMES
    42f39ad5623b   cloudgenix/prisma_access_panorama:2.0.3   "./prisma_access_int…"   23 hours ago   Exited (137) 22 hours ago           prisma_access_panorama

Start the Prisma Access Docker Container

    root@ubuntu:/# docker start 42f39ad5623b
    42f39ad5623b
    root@ubuntu:/#
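The docker ps / docker stop / docker start sequence above can be scripted so that a scheduled job restarts a stopped container and records why it stopped. The following helper is an added example, not part of the Palo Alto Networks documentation or the container image; it assumes the container name prisma_access_panorama used above and the docker CLI's inspect and start subcommands. Its exit-code reading relies on Docker reporting 128 plus the signal number when a process is killed by a signal, which is consistent with the Exited (137) shown above: 137 is SIGKILL (9), the signal docker stop sends once its grace period expires.

```shell
#!/bin/sh
# Status and restart helper for the CloudBlade container. Added example, not
# part of the Palo Alto Networks documentation or the container image; it
# assumes the container name used above (prisma_access_panorama) and docker.
NAME=${PRISMA_CONTAINER_NAME:-prisma_access_panorama}

# container_state NAME -> prints "<status> <exitcode>", e.g. "running 0" or
# "exited 137", or "absent 0" when no container of that name exists. A stopped
# container is invisible to plain "docker ps", which is why inspect is used.
container_state() {
    if out=$(docker inspect --format '{{.State.Status}} {{.State.ExitCode}}' "$1" 2>/dev/null); then
        echo "$out"
    else
        echo "absent 0"
    fi
}

# describe_exit CODE -> reason for a container's exit code. Docker reports
# 128+N when the process died from signal N; "docker stop" sends SIGTERM and,
# after the grace period (10 s by default), SIGKILL, so "Exited (137)" right
# after a docker stop means the process did not act on SIGTERM.
describe_exit() {
    code=$1
    if [ "$code" -eq 0 ]; then
        echo "clean exit"
    elif [ "$code" -ge 128 ]; then
        echo "killed by signal $((code - 128))"
    else
        echo "process error $code"
    fi
}

# ensure_running NAME -> restarts a stopped container and returns 0 when the
# container is running afterwards; returns 1 when it does not exist, since
# creating it is the job of the docker run command above.
ensure_running() {
    name=$1
    state=$(container_state "$name")
    status=${state%% *}
    code=${state#* }
    case $status in
        running)
            echo "$name: already running" ;;
        exited|created)
            echo "$name: last state $status ($(describe_exit "$code")), starting"
            docker start "$name" >/dev/null && echo "$name: started" ;;
        absent)
            echo "$name: no container found; launch it with the docker run command" >&2
            return 1 ;;
        *)
            echo "$name: unexpected state $status" >&2
            return 1 ;;
    esac
}

# Act only when invoked as "sh container_status.sh ensure", so the functions
# can be sourced or tested without touching the Docker daemon.
if [ "${1:-}" = "ensure" ]; then
    ensure_running "$NAME"
fi
```

Invoked as `sh container_status.sh ensure` from cron or a systemd timer, the script leaves a running container alone, starts an exited one and logs the decoded exit reason, and exits non-zero only when the container has never been created, which is the case the docker run command above handles.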