Plan the Service Connections

Learn how to implement service connections in a Prisma Access deployment.
If you use the service connection to access information from your headquarters or data center, gather the following information for each of your HQ/data center sites that you want to connect to Prisma Access:
If you are creating a service connection only to provide communication between remote networks and mobile users, you do not need this information.
  • IPSec-capable firewall, router, or SD-WAN device connection.
  • IPSec settings for terminating the primary VPN tunnel from Prisma Access to the IPSec-capable device on your corporate network.
  • IPSec settings for terminating the secondary VPN tunnel from Prisma Access to the IPSec-capable device on your corporate network.
    If you have an existing template that contains IPSec tunnel, Tunnel Monitoring, and IPSec Crypto Profile configurations, you can add that template to the template stack to simplify the process of creating the IPSec tunnels. Or, you can edit the Service_Conn_Template that gets created automatically and create the IPSec configurations required to create the IPSec tunnel back to the corporate site. Prisma Access also provides you with a set of predefined IPSec templates for some commonly-used network devices, and a generic template for any device that is not included in the predefined templates.
  • List of IP subnetworks at the site.
  • List of internal domains that the cloud service will need to be able to resolve.
  • IP address of a node at your network’s site to which Prisma Access can send ICMP ping requests for IPSec tunnel monitoring.
    Make sure that this address is reachable by ICMP from the entire Prisma Access infrastructure subnet.
  • Service account for your authentication service, if required for access.
  • Network reachability settings for the service infrastructure subnet.
    We recommend that you make the entire service infrastructure subnet reachable from the HQ or Data Center site. Prisma Access uses IP addresses for all control plane traffic, including tunnel monitoring, LDAP, User-ID, and so on from this subnet.
  • The routing type, either static or dynamic (BGP), to use with service connections.
    In order for Prisma Access to route users to the resources they need, you must provide the routes to the resources. You can do this in one or more of the following ways:
    • Define a static route to each subnetwork or specific resource that you want your users to be able to access.
    • Configure BGP between your service connection locations and Prisma Access.
    • Use a combination of both methods.
    If you configure both static routes and enable BGP, the static routes take precedence. While it might be convenient to use static routes if you have just a few subnetworks or resources you want to allow access to, in a large data center/HQ environment where routes change dynamically, BGP lets you scale more easily. Dynamic routing also provides redundancy for your service connections. If one service connection tunnel is down, BGP can dynamically route mobile user and remote network traffic over the operational service connection tunnel.
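The following is an added example, not code from the Prisma Access documentation or from Palo Alto Networks, that turns the checklist above and the routing discussion into something you can run. It models a site plan (subnets, tunnel-monitoring node, internal domains, routing type), checks it for internal consistency, and then resolves destinations against a small route table to show the two statements the page makes: a static route wins over a BGP route for the same prefix, and when one service connection tunnel is down BGP still carries traffic over the other. All IP addresses, prefixes and domain names are constructed sample values. Two things are assumptions of this example rather than statements from the page: the check that a site subnet must not overlap the service infrastructure subnet, and the route-selection model (routes over a down tunnel are unusable, longest prefix first, then static over BGP), which is ordinary router behaviour and not a description of the product's internals.

```python
"""Plan-and-check helper for a Prisma Access service connection site (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Set

# Constructed sample value: the service infrastructure subnet that Prisma Access
# sources its control-plane traffic (tunnel monitoring, LDAP, User-ID) from.
INFRA_SUBNET = ip_network("192.168.255.0/24")


@dataclass
class SitePlan:
    """The per-site facts the checklist above asks you to gather."""
    name: str
    subnets: List[IPv4Network]      # IP subnetworks at the site
    monitor_ip: IPv4Address         # node that answers ICMP tunnel-monitoring pings
    internal_domains: List[str]     # domains the cloud service must resolve
    routing: str                    # "static", "bgp" or "both"


def validate_site(site: SitePlan, infra: IPv4Network = INFRA_SUBNET) -> List[str]:
    """Return a list of planning problems; an empty list means the plan is consistent."""
    problems = []
    # The monitoring node must be "at your network's site", so it should sit inside one
    # of the subnets you listed for that site.
    if not any(site.monitor_ip in s for s in site.subnets):
        problems.append(f"{site.name}: monitoring IP {site.monitor_ip} is not inside any site subnet")
    for s in site.subnets:
        # Assumption of this example: a site subnet that overlaps the infrastructure
        # subnet would make return paths for control-plane traffic ambiguous.
        if s.overlaps(infra):
            problems.append(f"{site.name}: site subnet {s} overlaps infrastructure subnet {infra}")
    if site.routing not in ("static", "bgp", "both"):
        problems.append(f"{site.name}: routing must be static, bgp or both, got {site.routing!r}")
    if not site.internal_domains:
        problems.append(f"{site.name}: no internal domains listed for DNS resolution")
    return problems


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    tunnel: str   # "primary" or "secondary" service connection tunnel
    source: str   # "static" or "bgp"


def select_route(dest: str, routes: List[Route], tunnels_up: Set[str]) -> Optional[Route]:
    """Pick the route used for dest under this example's model.

    Model (an assumption, not a description of the product's routing table): routes
    over a down tunnel are unusable; among usable matches the longest prefix wins;
    at equal prefix length a static route beats a BGP route, as the page states.
    """
    addr = ip_address(dest)
    usable = [r for r in routes if r.tunnel in tunnels_up and addr in r.prefix]
    if not usable:
        return None
    return max(usable, key=lambda r: (r.prefix.prefixlen, r.source == "static"))


# Constructed sample routes: one static route over the primary tunnel, plus the same
# prefix and a second prefix learned via BGP over both tunnels.
SAMPLE_ROUTES = [
    Route(ip_network("10.1.0.0/16"), "primary", "static"),
    Route(ip_network("10.1.0.0/16"), "primary", "bgp"),
    Route(ip_network("10.1.0.0/16"), "secondary", "bgp"),
    Route(ip_network("10.2.0.0/16"), "primary", "bgp"),
    Route(ip_network("10.2.0.0/16"), "secondary", "bgp"),
]

# Constructed sample sites: one consistent plan and one with several problems.
SAMPLE_SITE = SitePlan(
    name="hq",
    subnets=[ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")],
    monitor_ip=ip_address("10.1.0.10"),
    internal_domains=["corp.example"],
    routing="both",
)
SAMPLE_BAD_SITE = SitePlan(
    name="dc",
    subnets=[ip_network("10.5.0.0/16"), ip_network("192.168.255.0/25")],
    monitor_ip=ip_address("10.9.9.9"),
    internal_domains=[],
    routing="ospf",
)

if __name__ == "__main__":
    print("hq plan problems:", validate_site(SAMPLE_SITE))
    print("dc plan problems:", validate_site(SAMPLE_BAD_SITE))
    for up in ({"primary", "secondary"}, {"secondary"}, set()):
        print(sorted(up), "->", select_route("10.1.5.5", SAMPLE_ROUTES, up))
```

With both tunnels up, 10.1.5.5 resolves to the static route over the primary tunnel even though BGP advertises the same prefix; with the primary tunnel down, the static route is no longer usable and the BGP route over the secondary tunnel carries the traffic, which is the redundancy the page attributes to dynamic routing. A static-only plan for that prefix would have no second entry to fall back on.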