Onboard PAN-OS Firewalls to Prisma Access
Configure an SD-WAN branch firewall to connect to a Prisma Access hub for cloud-based security.
SD-WAN plugin 2.2 provides Prisma Access hub support, in which PAN-OS firewalls connecting to Prisma Access compute nodes (CNs) achieve cloud-based security in an SD-WAN hub-and-spoke topology. In this topology, the SD-WAN hubs are Prisma Access CNs (IPSec Termination Nodes) and the SD-WAN branches are PAN-OS firewalls. A maximum of four hubs (any combination of PAN-OS hubs participating in DIA AnyPath and Prisma Access hubs) are supported. SD-WAN automatically creates IKE and IPSec tunnels that connect the branch to the hub. Review the system requirements for SD-WAN and Prisma Access.
It's important to configure Prisma Access first, and then configure SD-WAN.
  • If you're starting a brand new Prisma Access configuration, read the Prisma Access Administrator’s Guide and complete Phase 1 and then Phase 2 configuration steps.
  • If you already have Prisma Access running, ensure Phase 1 is complete, and then complete Phase 2.
The following flowchart shows the order of the two configuration phases and basic steps within each phase. The full Prisma Access prerequisites with links and the configuration steps for SD-WAN follow the flowchart.
PHASE 1: PRISMA ACCESS (COMPLETE PHASE 1 FIRST)
  1. Set up the infrastructure subnet, infrastructure BGP AS, template stack and device group for a tenant.
  2. Set up template stacks, templates, device groups, trust and untrust zones, and bandwidth allocation for specific regions.
  3. Ensure your Prisma Access deployment is licensed for remote networks.
  4. Ensure your deployment allocates bandwidth per compute location, instead of by location.
  5. Ensure you have assigned bandwidth to the compute location that corresponds to the location to which you want to onboard.
  6. Perform a local commit and push to the Prisma Access cloud.
PHASE 2: SD-WAN (BEGIN ONLY AFTER COMPLETING PHASE 1)
  1. Configure a branch firewall with an interface that has SD-WAN enabled.
  2. Log in to the Panorama web interface.
  3. Specify the BGP local address pool for loopback addresses.
  4. Select the SD-WAN branch firewall to connect to the Prisma Access hub and configure the connection.
  5. Commit and Push the configuration to the cloud.
  6. Verify that onboarding is complete.
  7. Synchronize the branch firewall to Prisma Access.
  8. Commit to Panorama.
  9. Push to Devices.
  10. View the new interface that was created.
  11. Verify the IPSec tunnel is up.
  12. Verify the IKE gateway is up.
  13. Create an SD-WAN policy rule to generate monitoring data.
  14. Commit and Commit and Push to branch firewalls.
  15. Monitor Prisma Access hub application and link performance.
Before you connect SD-WAN to Prisma Access, you must have a branch firewall with an interface that has SD-WAN enabled. Additionally, ensure you have performed the following Prisma Access prerequisites for one or more tenants; these are the Phase 1 steps:
  1. Under Panorama > Cloud Services > Configuration, set up the infrastructure subnet, infrastructure BGP AS, template stack and device group for a tenant on the Service Setup page.
  2. On the Remote Networks page, set up template stacks, templates, device groups, trust and untrust zones, and bandwidth allocation for specific regions.
  3. Ensure your Prisma Access deployment is licensed for remote networks by selecting Panorama > Licenses and checking your license information.
    • Licenses available after November 17, 2020 show the amount of licensed bandwidth you have for remote networks in the Net Capacity area.
    • Licenses available before November 17, 2020 show the available remote network bandwidth in the GlobalProtect Cloud Service for Remote Networks area under Total Mbps.
  4. Ensure your deployment allocates bandwidth per compute location, instead of by location.
  5. Ensure you have assigned bandwidth to the compute location that corresponds to the location to which you want to onboard. Prisma Access allocates one IPSec termination node per 500 Mbps of bandwidth you allocate to a region.
  6. Perform a local commit and push to the Prisma Access cloud.
After you have performed the preceding steps for Phase 1 with Prisma Access, perform the following Phase 2 steps for SD-WAN.
  1. Log in to the Panorama Web Interface.
  2. Specify the BGP local address pool for loopback addresses.
    1. Select Panorama > SD-WAN > VPN Clusters.
    2. At the bottom of the screen, select BGP Prisma Address Pool.
    3. Add an unused private subnet (prefix and netmask) for the local BGP addresses for Prisma Access.
    4. Click OK.
    5. Commit.
      Do not simply change an existing address pool if Prisma Access is already onboarded. If you need to change an address pool, perform the following steps during a maintenance window to update the SD-WAN branch and the Prisma Access CN with your address pool changes:
      1. Use Panorama to access an SD-WAN branch and delete the existing onboarding that the address pool change will impact; then do a local Commit.
      2. Update the VPN address pool, and then do a local Commit.
      3. Perform the Prisma Access onboarding again, and then do a local Commit and Push.
  3. Select the SD-WAN branch firewall to connect to the Prisma Access hub and configure the connection.
    1. Select Panorama > SD-WAN > Devices.
    2. Select the branch firewall on which you enabled SD-WAN, whose name then populates the Name field.
    3. Select the Type of device as Branch.
    4. Select the Router Name.
    5. Enter the Site.
      All SD-WAN devices must have a unique Site name.
    6. Select Prisma Access Onboarding and Add.
    7. Select a local, SD-WAN-enabled Interface on the firewall to connect to the Prisma Access hub.
    8. Select a Prisma Access Tenant (select default for a single tenant environment).
      All SD-WAN interfaces on a branch firewall must use the same Prisma Access tenant.
    9. Enter a helpful Comment.
    10. Add a compute node to a Region by selecting the region where the CN (Prisma Access hub) is located.
      There can be multiple regions per interface.
    11. Select an IPSec Termination Node (GP gateway) from the list of nodes; the list is based on the nodes that Prisma Access spun up for the region earlier. You are choosing the hub to which this branch connects. SD-WAN Auto VPN configuration builds IKE and IPSec relationships and tunnels with this node.
    12. Enable BGP for communication between the branch and hub (Enable is the default).
    13. Advertise Default Route to allow the Prisma Access hub’s default route to be advertised to the branch firewall.
    14. Summarize Mobile User Routes before advertising to have the Prisma Access hub advertise summarized mobile user IP subnet routes, thereby reducing the number of advertisements to the branches.
    15. Don’t Advertise Prisma Access Routes to prevent the IPSec Termination Node/hub from advertising its Prisma Access routes to the SD-WAN branches.
    16. Enter the Secret for authentication of BGP communications and Confirm Secret.
    17. (SD-WAN plugin 3.2.0 and later releases) Configure the VPN tunnel parameters and authentication type to authenticate the PAN-OS firewall and Prisma Access hub.
      1. (Optional) If you want to preserve the Type of Service (ToS) information in the encapsulated packets, select Copy TOS Header.
        If there are multiple sessions inside the tunnel (each with a different ToS value), copying the ToS header can cause the IPSec packets to arrive out of order.
      2. Select the Authentication: Pre Shared Key or Certificate.
        Ensure that you select the same authentication type for all the branch devices and the Prisma Access device that is added.
        The pre-shared key is automatically generated if selected as an authentication type for a region.
    18. Select Certificate to configure certificate-based authentication.
    19. (Only if enabling Certificate authentication type) The certificate must be present on the Panorama before performing Prisma Access Onboarding of the SD-WAN branch firewall. SCEP-generated certificates are not supported. Select a Local Certificate (one that is already on the Panorama).
      Ensure the following for the certificate that you have in the Panorama for the successful Prisma Access Onboarding process:
      • The certificate must be unique for each SD-WAN device. That is, you can't share the certificate among multiple SD-WAN devices.
        Keep the following in mind while generating the branch and hub firewall certificates that are used for SD-WAN tunnel authentication:
        • Two different hub devices can use the same hub certificate.
        • Two different branch devices can use the same branch certificates if the following conditions are met:
          • Branch devices are not part of the same VPN cluster
          • There is no common hub device between the VPN clusters that these branch devices would be part of
        • (HA deployments only) Two different branch devices can also have the same branch certificates if they are configured as HA members.
        • If a hub device is common to several VPN clusters, the certificates for the branch devices in those VPN clusters must be unique, with every attribute having unique values. If you don't ensure the uniqueness of the certificates and their values, the commit fails on the hub device (there is no commit failure on Panorama).
        Also ensure that the leaf certificates (branch and hub firewall certificates) used for SD-WAN tunnel authentication are generated meeting the following criteria:
        • Key usage should have digital signatures
        • All certificates must be signed by the same root CA
        • The device certificate must be directly signed by the root CA
        • Certificate format should be PKCS12
      • The certificate attributes are used to determine the local ID and peer ID for IKE gateways. Hence, the leaf certificates (the branch and hub firewall certificates used for SD-WAN tunnel authentication) must be generated with the following three certificate attributes, and each certificate attribute must be assigned three unique attribute values. Otherwise, a commit error is thrown.
        • FQDN (Host Name)
        • IP address (IP)
        • User FQDN (Alt Email)
        It's mandatory to have unique Host Name, IP, and Alt Email certificate attributes among all certificates. That is, none of the certificates should have these attribute values in common.
        In the example below, NewCertificate is generated with a total of nine mandatory certificate attribute values. The Host Name certificate attribute is configured with three unique attribute values: pan-fw01.yourcompany.com, pan-fw02.yourcompany.com, and pan-fw03.yourcompany.com. The IP certificate attribute is configured with three unique attribute values: 192.0.2.0, 192.0.2.1, and 192.0.2.2. The Alt Email certificate attribute is configured with three unique attribute values: sales@yourcompany.com, IT@yourcompany.com, and customercare@yourcompany.com.
    20. (Optional) (Only if enabling Certificate authentication type) Choose a Certificate Profile. A Certificate Profile contains information about how to authenticate the peer gateway.
    21. (Optional) Enable strict validation of peer’s extended key use to control strictly how the key can be used.
    22. Select a Link Tag for the hub.
      When you want to enable ECMP for a Prisma Access hub, onboard more than one branch interface to the same compute node (CN) and use the same Link Tag on those branch interfaces.
    23. Click OK. The display will include a Peer AS number and the Tunnel Monitor IP address provided by Prisma Access.
  4. Commit and Push the configuration to the cloud, where Prisma Access spins up the correct number of IPSec Termination Nodes based on requested bandwidth.
    When more than one IPSec tunnel is going to the same CN, the Prisma Access configuration has ECMP enabled with symmetric return, as shown in this Prisma Access example:
  5. Verify that onboarding is complete.
    1. Select Panorama > Cloud Services > Status and verify that the Remote Networks Deployment Status displays success.
    2. Select the Remote Networks Deployment Status details.
    3. Confirm that the Prisma Access node completion displays 100%.
  6. Synchronize the branch firewall to Prisma Access to retrieve the service IP address(es) of the CNs.
    1. Select Panorama > SD-WAN > Devices.
    2. Select the SD-WAN branch device.
    3. Select Prisma Access Onboarding and Sync To Prisma (and respond to message to continue). Repeat for each branch device.
      After the sync to Prisma is successful, you will see the Prisma Access configuration parameters on the SD-WAN branch firewall. If not, wait for approximately 15 minutes and repeat the Sync to Prisma. If necessary, go to the Prisma Access plugin and verify that the CN onboarding has finished (you can see the CN with the bandwidth and IP addresses assigned). After that verification, retry Sync To Prisma.
  7. Commit to Panorama.
  8. Push to Devices to push to the local branch firewall. Edit Selections to select the Push Scope Selection. Select the correct Template and Device Group.
  9. On the branch firewall, select Network > Interfaces > SD-WAN and see the new interface that was created with the Link Tag you created, assigned to the Security Zone named zone-to-pa-hub, and with the IPSec tunnel connecting to the CN.
  10. Select Network > IPSec Tunnels and verify the IPSec tunnel is up.
  11. Select Network > Network Profiles > IKE Gateways and verify the IKE gateway is up.
  12. Create an SD-WAN policy rule to generate monitoring data.
    This step is required to baseline Prisma Access Hub latency, jitter, and packet loss data for accurate traffic distribution. SD-WAN monitoring data is generated from traffic that matches your SD-WAN policy rules.
    1. Create a Traffic Distribution Profile.
    2. Create a Path Quality Profile with high latency, jitter, and packet loss thresholds.
      A Path Quality profile is required to create an SD-WAN policy rule. Creating a Path Quality profile with high thresholds allows you to baseline latency, jitter, and packet loss for the Prisma Access hub without causing applications to swap to a different link.
    3. Configure an SD-WAN Policy Rule.
  13. Commit and Commit and Push to branch firewalls.
  14. (Only if enabling Pre Shared Key authentication type) Refresh the Prisma IKE pre-shared key.
    If you need to change the current Prisma IKE key that is used to secure the IPSec connection between the branch and the Prisma hub, perform this step to randomly generate a new key for the tunnel and update both sides of the tunnel. Perform this step when the hub and branch are not busy.
    Do not manually create an IKE gateway with a name beginning with “gw_”, because such names are reserved for the IKE gateways that Prisma Access creates during onboarding. Refreshing the Prisma IKE pre-shared key refreshes every IKE gateway with such a name, including any that were not created by Prisma Access.
    1. Select Panorama > SD-WAN > Devices and select a device.
    2. At the bottom of the screen, select Refresh Prisma IKE Key.
    3. A message appears notifying you that Refreshing the IKE key will update all SD-WAN tunnels between the branch and the Prisma Access hub and will require a simultaneous configuration push to all branch and Prisma Access hub devices. Best practice recommendation is to perform the refresh during a maintenance window as traffic can be affected. Do you wish to continue? Select Yes if you wish to continue.
  15. Commit and Commit and Push to branch firewalls.
  16. Monitor Prisma Access Hub Application and Link Performance to understand the baseline latency, jitter, and packet loss for the links to Prisma Access.
    This step is required to gather accurate latency, jitter, and packet loss data to fine-tune your Prisma Access hub Path Quality profiles.
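As an added pre-onboarding check for the certificate requirements in Phase 2 step 19 (example code, not part of this page or the SD-WAN plugin): the certificate facts are modeled as plain dictionaries that you would fill in from your own PKCS12 files, the NewCertificate values come from the page's example, and the hub and second branch certificates are constructed samples.

```python
# Pre-onboarding sanity check for the SD-WAN tunnel-authentication certificates
# described in Phase 2 step 19. Added example, not Palo Alto Networks code; the
# certificate facts are plain dicts (in practice extracted from your PKCS12 files).
from collections import Counter

REQUIRED_ATTRS = ("host_name", "ip", "alt_email")  # FQDN, IP, User FQDN (Alt Email)
VALUES_PER_ATTR = 3

def check_sdwan_certs(certs):
    """Return a list of problems; an empty list means the certificate set passes."""
    problems = []
    issuers = {c["issuer"] for c in certs}
    if len(issuers) > 1:
        problems.append(f"certificates are not all signed by the same root CA: {sorted(issuers)}")
    for c in certs:
        name = c["name"]
        if c.get("format", "").upper() != "PKCS12":
            problems.append(f"{name}: format must be PKCS12")
        if "digital_signature" not in c.get("key_usage", ()):
            problems.append(f"{name}: key usage must include digital signature")
        if not c.get("signed_directly_by_root", False):
            problems.append(f"{name}: must be signed directly by the root CA")
        for attr in REQUIRED_ATTRS:
            vals = c.get(attr, [])
            if len(vals) != VALUES_PER_ATTR or len(set(vals)) != VALUES_PER_ATTR:
                problems.append(f"{name}: {attr} needs {VALUES_PER_ATTR} unique values, got {vals}")
    # No Host Name, IP or Alt Email value may be shared by two certificates.
    for attr in REQUIRED_ATTRS:
        counts = Counter(v for c in certs for v in c.get(attr, []))
        for val in sorted(v for v, n in counts.items() if n > 1):
            owners = [c["name"] for c in certs if val in c.get(attr, [])]
            problems.append(f"{attr} value {val!r} is shared by {owners}")
    return problems

# Constructed sample: the branch certificate from the page's example plus a hub certificate.
BRANCH_CERT = {"name": "NewCertificate", "issuer": "CN=Example Root CA", "format": "PKCS12",
    "key_usage": ["digital_signature"], "signed_directly_by_root": True,
    "host_name": ["pan-fw01.yourcompany.com", "pan-fw02.yourcompany.com", "pan-fw03.yourcompany.com"],
    "ip": ["192.0.2.0", "192.0.2.1", "192.0.2.2"],
    "alt_email": ["sales@yourcompany.com", "IT@yourcompany.com", "customercare@yourcompany.com"]}
HUB_CERT = {"name": "HubCertificate", "issuer": "CN=Example Root CA", "format": "PKCS12",
    "key_usage": ["digital_signature"], "signed_directly_by_root": True,
    "host_name": ["pa-hub01.yourcompany.com", "pa-hub02.yourcompany.com", "pa-hub03.yourcompany.com"],
    "ip": ["198.51.100.1", "198.51.100.2", "198.51.100.3"],
    "alt_email": ["hub1@yourcompany.com", "hub2@yourcompany.com", "hub3@yourcompany.com"]}
# A second branch certificate that reuses an IP from NewCertificate and lacks digital signature.
BAD_BRANCH_CERT = dict(HUB_CERT, name="BadBranchCert", key_usage=["key_encipherment"],
    host_name=["pan-fw04.yourcompany.com", "pan-fw05.yourcompany.com", "pan-fw06.yourcompany.com"],
    ip=["192.0.2.1", "203.0.113.1", "203.0.113.2"],
    alt_email=["ops1@yourcompany.com", "ops2@yourcompany.com", "ops3@yourcompany.com"])
```

Run `check_sdwan_certs` over every branch and hub certificate you intend to load on Panorama; any reported problem would otherwise surface only as a commit failure on the hub device.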