>
    Connect a Remote Network Site to Prisma Access
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Remote Networks
    4. Connect a Remote Network Site to Prisma Access
    Download PDF
    Prisma Access

    Connect a Remote Network Site to Prisma Access

    Table of Contents

    Connect a Remote Network Site to Prisma Access

    Set up IPSec VPN tunnels to connect your remote networks sites to Prisma Access.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    Set up IPSec VPN tunnels to connect your remote networks sites to Prisma Access. You must create an IPSec tunnel from your branch IPSec device to Prisma Access.
    The first tunnel you create is the primary tunnel for the remote network site. You can then repeat this workflow to optionally set up a secondary tunnel. When both tunnels are up, the primary tunnel takes priority over the secondary tunnel. If the primary tunnel for a remote network site goes down, the remote network falls back to the secondary tunnel until the primary tunnel comes back up.
    Based on the IPSec device you use to establish the tunnel at the remote network site, Prisma Access provides built-in, recommended IKE and IPSec security settings. You can use the recommended settings to get started quickly, or customize them as needed for your environment.

    Add Primary and Secondary IPSec VPN Tunnels

    1. Launch Prisma Access.
    2. Go to ManageService SetupRemote NetworksAdd Remote Networks and Set Up the primary tunnel. If you’ve already set up a primary tunnel, you can continue here to also add a secondary tunnel.
      If you're using Strata Cloud Manager, go to WorkflowsPrisma Access SetupRemote NetworksAdd Remote Networks and Set Up the primary tunnel.
      1. Give the tunnel a descriptive Name.
      2. Select the Branch Device Type for the IPSec device at the remote network site that you’re using to establish the tunnel with Prisma Access.
      3. For the Branch Device IP Address, choose to use either a Static IP address that identifies the tunnel endpoint or a Dynamic IP address.
        If you set the Branch Device IP Address to Dynamic, you must also add the IKE ID for the remote network site (IKE Local Identification) or for Prisma Access (IKE Peer Identification) to enable the IPSec peers to authenticate.
        Because you do not have the values to use for the Prisma Access IKE ID (IKE Peer Identification) until the remote network is fully deployed, you would typically want to set the IKE ID for the remote network site (IKE Local Identification) rather than the Prisma Access IKE ID.
    3. Turn on Tunnel Monitoring.
      Enter a Tunnel Monitoring Destination IP address on the remote network for Prisma Access to use determine whether the tunnel is up and, if your branch IPSec device uses policy-based VPN, enter the associated Proxy ID.
      The tunnel monitoring IP address you enter is automatically added to the list of branch subnetworks.
    4. Save the tunnel settings.
      To continue:

    More IKE Options

    Based on the IPSec device type you selected, Prisma Access provides a recommended set of ciphers and a key lifetime for the IKE Phase 1 key exchange process between the remote network site device and Prisma Access. You can use the recommended settings, or customize the settings as needed for your environment.
    • Select an IKE Protocol Version for your branch device and Prisma Access to use for IKE negotiation.
      If you select IKEv1 Only Mode, Prisma Access can use only the IKEv1 protocol for the negotiation. If you select IKEv2 Only Mode, Prisma Access can use only the IKEv2 protocol for the negotiation. If you select IKEv2 Preferred Mode, Prisma Access uses the IKEv2 protocol only if your branch IPSec device also supports IKEv2. If your branch IPSec device does not support IKEv2, Prisma Access falls back to using the IKEv1 protocol.
    • Add an IKEv1 Crypto Profile to customize the IKE crypto settings that define the encryption and authentication algorithms used for the key exchange process in IKE Phase 1.
      Prisma Access automatically uses a default IKE crypto profile based on the Branch Device Type that’s being used to establish this tunnel.
      • Encryption—Specify the encryption algorithm used in the IKE SA negotiation.
        Prisma Access supports the following encryption algorithms: 3des (168 bits), aes-128-cbc (128 bits), aes-192-cbc (192 bits), aes-256-cbc (256 bits), and des (56 bits). You can also select null (no encryption).
      • Authentication—Specify the authentication algorithm used in the IKE SA negotiation.
        Prisma Access supports the following authentication algorithms: sha1 (160 bits), sha256 (256 bits), sha384 (384 bits), sha512 (512 bits), and md5 (128 bits). You can also select null (no authentication).
      • DH Group—Specify the Diffie-Hellman (DH) groups used to generate symmetrical keys for IKE in the IKE SA negotiation. The Diffie-Hellman algorithm uses the private key of one party and the public key of the other to create a shared secret, which is an encrypted key that both VPN tunnel peers share.
        Prisma Access supports the following DH groups: Group 1 (768 bits), Group 2 (1024 bits—default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group). For the strongest security, select the group with the highest number.
      • Lifetime—Specify the unit and amount of time for which the IKE Phase 1 key is valid (default is 8 hours). For IKEv1, the security association (SA) is not actively re-keyed before the key lifetime expires. The IKEv1 Phase 1 re-key triggers only when the SA expires. For IKEv2, the SA must be re-keyed before the key lifetime expires. If the SA is not re-keyed upon expiration, the SA must begin a new Phase 1 key.
      • IKEv2 Authentication Multiple—Specify the value that is multiplied by the key lifetime to determine the authentication count (range is 0 to 50; default is 0). The authentication count is the number of times that the security processing node can perform IKEv2 IKE SA re-key before it must start over with IKEv2 re-authentication. The default value of 0 disables the re-authentication feature.
    • Enable IKE Passive Mode so that Prisma Access only response to IKE connections and does not initiate them.
    • IKE NAT Traversal is turned on by default.
      This means that UDP encapsulation is used on IKE and UDP protocols, enabling them to pass through network address translation (NAT) devices that are between the IPSec VPN tunnel endpoints.

    More IPSec Options

    Based on the IPSec device type you selected, Prisma Access provides a recommended set of IPSec protocol and key lifetime settings to secure data within the IPSec tunnel between your branch device and Prisma Access in IKE Phase 2 for the Security Association (SA). You can use the recommended settings, or customize the settings as needed for your environment.
    • Customize the IPSec Crypto Profile to define how data is secured within the tunnel when Auto Key IKE automatically generates keys for the IKE SAs during IKE Phase 2.
      Prisma Access automatically configures a default IPSec crypto profile based on the Branch Device Type vendor. You can either use the default profile or create a custom profile.
      • IPSec Protocol—Secure the data that traverses the VPN tunnel. The Encapsulating Security Payload (ESP) protocol encrypts the data, authenticates the source, and verifies the data integrity. The Authentication Header (AH) protocol authenticates the source and verifies the data integrity.
        If you use ESP as the IPSec protocol, also specify the Encryption algorithm used in the IPSec SA negotiation.
        Prisma Access supports the following encryption algorithms: aes-256-gcm (256 bits), aes-256-cbc (256 bits), aes-192-cbc (192 bits), aes-128-gcm (128 bits), aes-128-cbc (128 bits), 3des (168 bits), and des (56 bits). You can also select null (no encryption).
    • Authentication—Specify the authentication algorithm used in the IPSec SA negotiation.
      Prisma Access supports the following authentication algorithms: sha1 (160 bits), sha256 (256 bits), sha384 (384 bits), sha512 (512 bits), and md5 (128 bits). If you set the IPSec Protocol to ESP, you can also select none (no authentication).
    • DH Group—Specify the Diffie-Hellman (DH) groups for IKE in the IPSec security association (SA) negotiation.
      Prisma Access supports the following DH groups: Group 1 (768 bits), Group 2 (1024 bits—default), Group 5 (1536 bits), Group 14 (2048 bits), Group 19 (256-bit elliptic curve group), and Group 20 (384-bit elliptic curve group). For the strongest security, select the group with the highest number. If you don’t want to renew the key that Prisma Access creates during IKE phase 1, select no-pfs (no perfect forward secrecy). If you select this option, Prisma Access reuses the current key for the IPSec SA negotiation.
    • Lifetime—Specify the unit and amount of time during which the negotiated key is valid (default is one hour).
    • Lifesize—Specify the unit and amount of data that the key can use for encryption.

    © 2024 Palo Alto Networks, Inc. All rights reserved.