Prisma SD-WAN
Prisma SD-WAN Standard VPN
Table of Contents
Expand All
|
Collapse All
Prisma SD-WAN Docs
-
-
- Prisma SD-WAN Key Elements
- Prisma SD-WAN Releases and Upgrades
- Use Copilot in Prisma SD-WAN
- Prisma SD-WAN Summary
- Prisma SD-WAN Application Insights
- Device Activity Charts
- Site Summary Dashboard
- Prisma SD-WAN Predictive Analytics Dashboard
- Prisma SD-WAN Link Quality Dashboard
- Prisma SD-WAN Subscription Usage
-
-
- Add a Branch
- Add a Data Center
- Add a Branch Gateway
- Secure Group Tags (SGT) Propagation
- Configure Circuits
- Configure Internet Circuit Underlay Link Aggregation
- Configure Private WAN Underlay Link Quality Aggregation
- Configure Circuit Categories
- Configure Device Initiated Connections for Circuits
- Add Public IP LAN Address to Enterprise Prefixes
- Manage Data Center Clusters
- Configure Secure SD-WAN Fabric Tunnels between Data Centers
- Configure a Site Prefix
- Configure Ciphers
- Configure a DHCP Server
- Configure NTP for Prisma SD-WAN
- Configure the ION Device at a Branch Site
- Configure the ION Device at a Data Center
- Switch a Site to Control Mode
- Allow IP Addresses in Firewall Configuration
-
- Configure a Controller Port
- Configure Internet Ports
- Configure WAN/LAN Ports
- Configure a Sub-Interface
- Configure a Loopback Interface
- Add and Configure Port Channel Interface
- Configure a PoE Port
- Configure and Monitor LLDP Activity and Status
- Configure a PPPoE Interface
- Configure a Layer 3 LAN Interface
- Configure Application Reachability Probes
- Configure a Secondary IP Address
- Configure a Static ARP
- Configure a DHCP Relay
- Configure IP Directed Broadcast
- VPN Keep-Alives
-
- Configure Prisma SD-WAN IPFIX
- Configure IPFIX Profiles and Templates
- Configure and Attach a Collector Context to a Device Interface in IPFIX
- Configure and Attach a Filter Context to a Device Interface in IPFIX
- Configure Global and Local IPFIX Prefixes
- Flow Information Elements
- Options Information Elements
- Configure the DNS Service on the Prisma SD-WAN Interface
- Configure SNMP
-
-
- Prisma SD-WAN Branch Routing
- Prisma SD-WAN Data Center Routing
-
- Configure an OSPF in Prisma SD-WAN
- Enable BGP for Private WAN and LAN
- Configure BGP Global Parameters
- Global or Local Scope for BGP Peers
- Configure a Route Map
- Configure a Prefix List
- Configure an AS Path List
- Configure an IP Community List
- View Routing Status and Statistics
- Distribution to Fabric
- Host Tracking
-
- Configure Multicast
- Create, Assign, and Configure a WAN Multicast Configuration Profile
- Configure Global Multicast Parameters
- Configure a Multicast Static Rendezvous Point (RP)
- Learn Rendezvous Points (RPs) Dynamically
- View LAN Statistics for Multicast
- View WAN Statistics for Multicast
- View IGMP Membership
- View the Multicast Route Table
- View Multicast Flow Statistics
- View Routing Statistics
-
- Prisma SD-WAN Branch HA Key Concepts
-
- Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000)
- Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)
- Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2)
- Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G)
- Configure Branch HA for Platforms without Bypass Pairs
- Configure Branch HA in a Hybrid Topology with Gen-1 (3000) and Gen-2 (3200) Platforms
- Configure HA Groups
- Add ION Devices to HA Groups
- Edit HA Groups and Group Membership
- Prisma SD-WAN Clarity Reports
-
-
CloudBlade Integrations
- CloudBlade Integrations
- CloudBlades Integration with Prisma Access
-
-
-
-
- clear app-engine
- clear app-map dynamic
- clear app-probe prefix
- clear connection
- clear device account-login
- clear dhcplease
- clear dhcprelay stat
- clear flow and clear flows
- clear flow-arp
- clear qos-bwc queue-snapshot
- clear routing
- clear routing multicast statistics
- clear routing ospf
- clear routing peer-ip
- clear switch mac-address-entries
- clear user-id agent statistics
-
- arping interface
- curl
- ping
- ping6
- debug bounce interface
- debug bw-test src-interface
- debug cellular stats
- debug controller reachability
- debug flow
- debug ipfix
- debug log agent eal file log
- debug logging facility
- debug logs dump
- debug logs follow
- debug logs tail
- debug performance-policy
- debug poe interface
- debug process
- debug reboot
- debug routing multicast log
- debug routing multicast pimd
- debug servicelink logging
- debug tcpproxy
- debug time sync
- dig dns
- dig6
- file export
- file remove
- file space available
- file tailf log
- file view log
- ssh6 interface
- ssh interface
- tcpdump
- tcpping
- traceroute
- traceroute6
-
- dump appdef config
- dump appdef version
- dump app-engine
- dump app-l4-prefix table
- dump app-probe config
- dump app-probe flow
- dump app-probe prefix
- dump app-probe status
- dump auth config
- dump auth status
- dump banner config
- dump bfd status
- dump bypass-pair config
- dump cellular config
- dump cellular stats
- dump cellular status
- dump cgnxinfra status
- dump cgnxinfra status live
- dump cgnxinfra status store
- dump config network
- dump config security
- dump controller cipher
- dump controller status
- dump device accessconfig
- dump device conntrack count
- dump device date
- dump device info
- dump device status
- dump dhcp-relay config
- dump dhcprelay stat
- dump dhcp-server config
- dump dhcp-server status
- dump dhcpstat
- dump dnsservice config all
- dump dpdk cpu
- dump dpdk interface
- dump dpdk port status
- dump dpdk stats
- dump flow
- dump flow count-summary
- dump interface config
- dump interface status
- dump interface status interface details
- dump interface status interface module
- dump intra cluster tunnel
- dump ipfix config collector-contexts
- dump ipfix config derived-exporters
- dump ipfix config filter-contexts
- dump ipfix config ipfix-overrides
- dump ipfix config prefix-filters
- dump ipfix config profiles
- dump ipfix config templates
- dump lldp
- dump lldp config
- dump lldp info
- dump lldp stats
- dump lldp status
- dump log-agent eal conn
- dump log-agent eal response-time
- dump log-agent eal stats
- dump log-agent config
- dump log-agent iot snmp config
- dump log-agent iot snmp device discovery stats
- dump log-agent ip mac bindings
- dump log-agent neighbor discovery stats
- dump log-agent status
- dump ml7 mctd counters
- dump ml7 mctd session
- dump ml7 mctd version
- dump nat counters
- dump nat6 counters
- dump nat summary
- dump network-policy config policy-rules
- dump network-policy config policy-sets
- dump network-policy config policy-stacks
- dump network-policy config prefix-filters
- dump overview
- dump performance-policy config policy-rules
- dump performance-policy config policy-sets
- dump performance-policy config policy-set-stacks
- dump performance-policy config threshold-profile
- dump poe system config
- dump poe system status
- dump priority-policy config policy-rules
- dump priority-policy config policy-sets
- dump priority-policy config policy-stacks
- dump priority-policy config prefix-filters
- dump probe config
- dump probe profile
- dump radius config
- dump radius statistics
- dump radius status
- dump reachability-probe config
- dump qos-bwc config
- dump reachability-probe status
- dump routing aspath-list
- dump routing cache
- dump routing communitylist
- dump routing multicast config
- dump routing multicast igmp
- dump routing multicast interface
- dump routing multicast internal vif-entries
- dump routing multicast mroute
- dump routing multicast pim
- dump routing multicast sources
- dump routing multicast statistics
- dump routing multicast status
- dump routing ospf
- dump routing peer advertised routes
- dump routing peer config
- dump routing peer neighbor
- dump routing peer received-routes
- dump routing peer routes
- dump routing peer route-via
- dump routing peer status
- dump routing peer route-json
- dump routing prefixlist
- dump routing prefix-reachability
- dump routing route
- dump routing routemap
- dump routing running-config
- dump routing summary
- dump routing static-route reachability-status
- dump routing static-route config
- dump routing vpn host tracker
- dump security-policy config policy-rules
- dump security-policy config policy-set
- dump security-policy config policy-set-stack
- dump security-policy config prefix-filters
- dump security-policy config zones
- dump sensor type
- dump sensor type summary
- dump serviceendpoints
- dump servicelink summary
- dump servicelink stats
- dump servicelink status
- dump site config
- dump snmpagent config
- dump snmpagent status
- dump software status
- dump spoke-ha config
- dump spoke-ha status
- dump standingalarms
- dump static-arp config
- dump static host config
- dump static routes
- dump support details
- dump-support
- dump switch fdb vlan-id
- dump switch port status
- dump switch vlan-db
- dump syslog config
- dump syslog-rtr stats
- dump syslog status
- dump time config
- dump time log
- dump time status
- dump troubleshoot message
- dump user-id agent config
- dump user-id agent statistics
- dump user-id agent status
- dump user-id agent summary
- dump user-id groupidx
- dump user-id group-mapping
- dump user-id ip-user-mapping
- dump user-id statistics
- dump user-id status
- dump user-id summary
- dump user-id useridx
- dump vlan member
- dump vpn count
- dump vpn ka all
- dump vpn ka summary
- dump vpn ka VpnID
- dump vpn status
- dump vpn summary
- dump vrf
- dump waninterface config
- dump waninterface summary
-
- inspect app-flow-table
- inspect app-l4-prefix lookup
- inspect app-map
- inspect certificate
- inspect certificate device
- inspect cgnxinfra role
- inspect connection
- inspect dhcplease
- inspect dhcp6lease
- inspect dpdk ip-rules
- inspect dpdk vrf
- inspect fib
- inspect fib-leak
- inspect flow-arp
- inspect flow brief
- inspect flow-detail
- inspect flow internal
- inspect interface stats
- inspect ipfix exporter-stats
- inspect ipfix collector-stats
- inspect ipfix app-table
- inspect ipfix wan-path-info
- inspect ipfix interface-info
- inspect ip-rules
- inspect ipv6-rules
- inspect lqm stats
- inspect memory summary
- inspect network-policy conflicts
- inspect network-policy dropped
- inspect network-policy hits policy-rules
- inspect network-policy lookup
- inspect performance-policy fec status
- inspect policy-manager status
- inspect policy-mix lookup-flow
- inspect priority-policy conflicts
- inspect priority-policy dropped
- inspect priority-policy hits default-rule-dscp
- inspect priority-policy hits policy-rules
- inspect priority-policy lookup
- inspect performance-policy incidents
- inspect performance-policy lookup
- inspect performance-policy hits analytics
- inspect process status
- inspect qos-bwc debug-state
- inspect qos-bwc queue-history
- inspect qos-bwc queue-snapshot
- inspect routing multicast fc site-iface
- inspect routing multicast interface
- inspect routing multicast mroute
- inspect security-policy lookup
- inspect security-policy size
- inspect switch mac-address-table
- inspect system arp
- inspect system ipv6-neighbor
- inspect system vrf
- inspect vrf
- inspect wanpaths
-
-
5.6
- 5.6
- 6.1
- 6.2
- 6.3
- 6.4
- 6.5
- New Features Guide
- On-Premises Controller
- Prisma SD-WAN CloudBlades
- Prisma Access CloudBlade Cloud Managed
- Prisma Access CloudBlade Panorama Managed
-
- Features Introduced in Prisma SD-WAN ION Release 5.6
- Changes to Default Behavior in Prisma SD-WAN ION Release 5.6
- Upgrade ION 9000 Firmware for Device Version 5.6.x
- CLI Commands in Prisma SD-WAN ION Release 5.6
- Addressed Issues in Prisma SD-WAN ION Release 5.6
- Known Issues in Prisma SD-WAN ION Release 5.6
Prisma SD-WAN Standard VPN
Prisma SD-WAN ION devices can communicate with other Prisma SD-WAN devices through Prisma SD-WAN Secure Fabric
Links or communicate with standard VPN endpoints through traditional IPsec or GRE
tunnels.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
Prisma SD-WAN ION devices can communicate with other Prisma SD-WAN devices through Prisma SD-WAN Secure
Fabric Links or communicate with standard VPN endpoints through traditional IPsec or
GRE tunnels. Similar to all other paths, a standard VPN will be monitored for
application reachability and best path selection. Traffic on a standard VPN is
subject to QoS policies.
A Standard VPN can be of type:
- IPSec
- GRE
A standard VPN has two endpoints—one endpoint is on the Prisma SD-WAN
ION device and the other endpoint is on the remote peer. You can configure a
combination of IPsec and GRE tunnels from an interface on the ION device to a
standard VPN endpoint. However, there cannot be two tunnels of the same type to the
same endpoint from the same interface.
When you connect a Prisma SD-WAN branch with a non-Prisma SD-WAN branch through a private WAN and you select direct
private WAN as a viable route, traffic flows seamlessly between these sites without
any additional configuration. When using an internet WAN, you can manually configure
an IPSec or GRE tunnel to enable direct traffic flow between Prisma SD-WAN branch sites and non-Prisma SD-WAN
sites. For a streamlined autoconfiguration of IPSec or GRE tunnels, explore the
available options provided by CloudBlade. For more details, refer to CloudBlade Integrations.
Create an IPsec Profile
To create and configure an IPsec VPN connection between a branch device and a
cloud security service endpoint, you must configure both endpoints with the same
crypto settings. Since crypto settings required to connect to the cloud security
service are likely to be the same across all ION devices, an IPsec profile can
be configured once and reused across all ION devices.
Before you configure the IPsec profile on Prisma SD-WAN, make sure
you have the IPsec protocols and authentication details required to connect to
the cloud security service endpoint or consult your cloud security service
provider’s documentation for relevant details.
- Select ManageResourcesConfiguration Profiles and then select IPsec.
- To add a new IPsec Profile, click Add IPsec Profile.If there are previously created IPsec profiles, these will display.
- On the Info screen, enter a name for the IPsec Profile and optional enter a description and tags.
- Click Next and proceed to define the IKE Group.
- For the Key Exchange field, select IKEv1 or IKEv2.
- Enter a life time for the IKE Group from the
Lifetime drop-down if required.The default lifetime of an IKE Group is 24 hours. The tunnel will have to be re-established after the life time expires.
- Enter the port number of the communication port in the Port
field.The default port is 500. The port number configured in the IKE group has to be the same as the port number configured in the standard VPN endpoint IKE group.
- Select the mode of operation from the Mode
drop-down. The mode for IKEv1 can be Main or Aggressive. Choose the aggressive mode if the source interface or endpoint is behind NAT or there are multiple tunnels to the same remote endpoint.The mode for IKEv2 is ReAuth. If selected, then a new tunnel has to be re-negotiated when the lifetime is reached.
- On the Proposals screen,
select a DH Group,
Encryption and
Hash.Proposals is a list of crypto parameters to be used to secure the IKE and ESP sessions between the ION device and the endpoint.The set of parameters selected in the Proposals screen have to be identical to the set of parameters selected for the standard VPN endpoint. You can add a proposal by clicking Add Proposal. Up to 8 proposals can be added. While establishing the IPsec tunnel, the system checks for a proposal match with the standard VPN endpoint.
- DH Group—The Diffie-Hellman (DH) group is used for certain cryptographic operations. Prisma SD-WAN supports the DH groups specified by IKE.
- Encryption— Select one of the
cryptographic algorithms for encryption. The ION devices
encrypt and decrypt traffic based on the algorithm that you
choose.Only IKEv2 supports the AES-GCM algorithms.
- HASH/PRF—Select the cryptographic
hash function. If you have selected AES-GCM as the Encryption, then the value entered for HASH/PRFwill be used as PRF.If you select any algorithm other than GCM, Hash must be selected. For GCM, Prisma SD-WAN supports only two PRF algorithms— SHA-256 and SHA-512.
- Select if Dead Peer Detection (DPD) is to be enabled from the
DPD tab. If enabled, enter the DPD delay and DPD timeout in seconds for IKEv1. If DPD fails within the configured timeout period, a new tunnel is attempted. For IKEv2, there is no DPD timeout; instead a series of 5 retransmissions is used.
- Click Next and proceed to define the ESP Group.
- Enter a life time for the ESP Group from the Lifetime drop-down if
required. The default lifetime of an ESP Group is 24 hours.
- Choose the type of encapsulation from the Encapsulation
drop-down.You can choose Auto or Force UDP. The type of encapsulation selected has to match the encapsulation configured at the standard VPN endpoint.
- Configure parametersin the Proposal tab, and then click Next.
- Enter a life time for the ESP Group from the Lifetime drop-down if
required.
- On the Authentication screen, select the authentication type as either PSK or Certificates from the Type drop-down.
- For PSK authentication:
- Enter a secret in the Secret
field.This field is mandatory.
- For the Local ID Type, choose between Interface IP Address, Hostname or Custom.
- Enter an optional ID for the standard VPN endpoint in the Remote ID field.
- Enter a secret in the Secret
field.
- For Certificate authentication:
- For the Certificate field, upload the certificate by clicking Import File.
- Similarly upload a CA certificate in the Local CA Certificate field and a private key file in the Private Key field.
- Optional You can choose to upload the standard VPN endpoint CA certificate in the Remote CA Certificate field.
- Click Next to proceed to the Summary screen.
- Review the parameters selected and click Save and Exit.All new customer tenants should have the default IPsec profiles allocated which match the best practices of some of our cloud partners. These default profiles can be copied and manipulated to meet the needs specific to standard VPN services. If these default profiles are not present on your tenant, open a support case to have them allocated.
Configure Generic Routing Encapsulation (GRE) Tunnels
Prisma SD-WAN supports Generic Routing Encapsulation (GRE) tunnels
from branch or data center sites to standard VPN endpoints to integrate with
cloud security services. Due to the insecure nature of GRE, as a best practice
we strongly recommend applying a Zone Based Firewall Policy to any traffic using
GRE for transport over an insecure transport, such as the Internet.
Additionally, you should also consider implementing Source Network Address
Translation (NAT) for any traffic going through a GRE tunnel to obscure the
Internal IP addressing scheme. Exposure of the internal addressing scheme along
with unencrypted data over GRE can significantly increase attack vectors at a
site.
- Select WorkflowsDevicesClaimed Devices.
- From the ellipsis menu, select Configure the device.
- Select Interfaces and click the + add icon to create a new interface as Standard VPN.
- On the Configure Interface: New Standard VPN screen, set up the Main Configuration for the new interface.
- For Admin Up, select
Yes.GRE tunnels are stateless by design, the GRE tunnel is established when the standard VPN interface is created, and the parent interface is up.When Keep-Alive is disabled, the standard VPN interface immediately enters the Up state when:
- The standard VPN interface is created.
- The parent interface is up.
- The Admin Up is set to Yes.
The standard VPN interface may later be moved to the down state due to the failure of a liveliness probe if one or more were configured on the standard VPN endpoint associated with this interface. We strongly recommend to have GRE keep-alive enabled or have a liveliness probe configured on the standard VPN endpoint such that a failure can be detected and avoid traffic being black-holed. - Optional Enter a Name, Description, and Tags.
- Select GRE as the Standard VPN
Type.The Interface Type must display as Standard VPN.
- Select a Parent Interface to establish the
GRE tunnel.For a branch ION device any of, the following ports can be used as a parent interface:
- Internet L3 Port
- Private WAN L3 Port
- Virtual Interface (private and public)
- PPPoE interface
- Bypass Pair - Internet and Private WAN ports
- Sub-Interfaces - Internet and Private WAN ports
For a data center ION device, any of the following ports can be used as a parent interface:- Any Connect to Internet port
- Any Connect to Peer Network port
The following interfaces, which don’t have an IP address can’t be used as a parent interface:- A Private Layer 2 port of a bypass pair
- A Loopback interface
- Toggle Scope to Local or Global.
- For VRF, select
Global or any other custom VRF listed.
VRF Global is enabled only when the associated device supports
VRF.Currently, VRF supports LAN. Two standard VPNs in two different VRFs cannot have the same overlay endpoint IP Address. Example:SL1(Vrf: RED) sl1_ip: 1.1.1.1SL2(Vrf: Blue) sl2_ip: 1.1.1.1
- Enter an Inner Tunnel IP Address or
Mask.The address is the address of the innermost envelope's payload. When the standard VPN peer receives the IP packet from the tunnel interface, the outer IP header and GRE header are removed. The packet is then routed based on the Inner Tunnel IP Address.
- Optional Enter values for Checksum
and Keep Alive. The default value for Keep-Alive Interval is 10 seconds, which implies that a Keep-Alive is sent every 10 seconds. The default value for Keep-Alive Retry Count is 3, which means that the device tries sending a keep alive three times before declaring the interface to be down.
- If you configure Keep-Alive on the ION device, the standard VPN peer device should be capable of replying to the Keep-Alive. If the ION device does not receive a response from the peer device within the configured Keep-Alive Retry Count, it will result in the interface being marked as down.
- If devices act as remote service endpoints, they don't support Prisma SD-WAN GRE Keep-alives. In such cases, you may need to use service endpoint liveliness probes.
- If the Prisma SD-WAN Data Center devices do not support service endpoint configuration, the liveliness probes cannot be configured and multiple remotes, and remote selection cannot be used.
- If NAT performs between the local and remote endpoints of the GRE Tunnel, this may disrupt the use of GRE Keep-Alives.
- If Checksum is configured on the ION device, the standard VPN peer device should also respond with a checksum in its GRE header. If the standard VPN peer device doesn’t support Checksum, the packet drops as a Frame Error.
- Select a Standard VPN Endpoint from the
Endpoint field.The GRE tunnel can only be created if the standard VPN interface has an endpoint or Peer IP configured. The Peer IP must be available either through the endpoint or the Peer IP field.An endpoint must be configured when the ION device is being used at a branch site. This enables the endpoint to be used in path policies to direct traffic. Endpoints can, but aren’t required to, specify IP addresses or host names of the possible peer device(s).The Peer IP overrides any IP addresses provided by the endpoint. If the ION device is being used at a Data Center site, the Peer IP has to be provided.
- Click Create Standard VPN.
- For Admin Up, select
Yes.