Configure SSE for PAN Prisma

Prerequisites

For the PAN Prisma SSE integration:
  • An Enterprise user must first create a service account in the Palo Alto Networks Strata Cloud Manager portal. For more information, see Create a Prisma Service Account.
  • An Enterprise user must create IKE and IPsec profiles on the Palo Alto Networks Strata Cloud Manager portal. These profiles can then be used for the SSE integration. For more information, see Palo Alto Networks Strata Cloud Manager Configuration.
    Note: Because tunnel establishment is an asynchronous operation, the Security Service Edge (SSE) automated configuration for PAN Prisma might take 5 to 30 minutes per WAN link tunnel to complete.

Prisma Access is the Enterprise Security Solution offered by Palo Alto Networks (PAN). It is a cloud-based solution.

Use the following procedure to configure an SSE Subscription and an SSE Integration for PAN Prisma:

  1. In the SD-WAN service of the Enterprise portal, navigate to Configure > Security Service Edge (SSE).
  2. Click the SSE Subscriptions tab on the Security Service Edge (SSE) screen.
    Figure 1. SSE Subscriptions for Prisma
  3. On each tile, click View to view the existing subscription details.
  4. Click the vertical ellipsis, and then click Delete to delete a subscription.
  5. To create a new subscription, click + New SSE Subscription.
    The Configure SSE Subscription window appears.
    Figure 2. Configure a new SSE Subscription for Prisma
    Note: The fields displayed on the screen vary depending on the selected Subscription Type.
  6. Configure the following options:
     
    Option | Description
    Name | Enter a name for the subscription.
    Subscription Type | Select PAN Prisma from the drop-down menu.
    Tsg Id | Enter the ID. This value is a positive integer and can be found in the Palo Alto Networks Strata Cloud Manager portal, under Settings > Products.
    User Name | Enter the service account username.
    Password | Enter the service account password.
    Note: Starting from the 4.5 release, the use of the special character "<" in the password is no longer supported. In cases where users have already used "<" in their passwords in previous releases, they must remove it to save any changes on the page.
    Note: The fields Tsg Id, User Name, and Password must match the values configured in the Palo Alto Networks Strata Cloud Manager portal.
  7. Click Validate Subscription to make sure that the entered credentials are correct, and then click Save to save the configured subscription.
  8. After creating an SSE Subscription, you can proceed to create an SSE Integration.
  9. Navigate to Configure > Security Service Edge (SSE). By default, the SSE Integrations tab is displayed.
    Figure 3. SSE Integrations for Prisma
  10. To create a new SSE integration, click + New SSE Integration.
    Figure 4. Configure a new SSE Integration for Prisma
    Note: The fields displayed on the screen vary depending on the selected Subscription Type.
  11. Under the Choose Cloud Subscription section, configure the following options:
     
    Option | Description
    Subscription Type | Select a subscription type for which you want to set up an SSE integration. The available options are:
    • Prisma Access
    • Symantec
    Cloud Subscription | Select a cloud subscription from the drop-down menu. Only the cloud subscriptions configured under the SSE vendor selected in Subscription Type appear in the drop-down menu.
    These cloud subscriptions are populated based on the configurations under Configure > Security Service Edge (SSE) > SSE Subscriptions.
    Note: This field appears only when you select a subscription type.
  12. Click Next Step to activate the next section. Under the Network Service section, there are two tabs. Configure the following options under the General tab:
    Figure 5. Create Network Service - General
     
    Option | Description
    Service Name | Enter a unique service name.
    Minimum Bandwidth per Tunnel (Mbps) | Enter the required bandwidth. The default value is 2.
    Tunneling Protocol | By default, IPsec tunneling protocol is selected. You must select the IPsec Crypto Profile and IKE Crypto Profile from the respective drop-down menus. These drop-down menus are populated based on the Profiles created in the Palo Alto Networks Strata Cloud Manager portal.
  13. The following options are displayed under the IKE/IPsec Information tab. These values must be configured in the Palo Alto Networks Strata Cloud Manager portal. For more details about these fields, refer to the Arista VeloCloud SD-WAN Administration Guide - Configure Non SD-WAN Destinations Via Edge section.
    Figure 6. Create Network Service - IKE/IPsec Information
  14. Click Create and Continue to activate the next section.
  15. Under the Select Profile/Edges section, configure the following options:
    Figure 7. Select Profile/Edges
     
    Option | Description
    Select Profile | Select an SD-WAN Edge Profile from the drop-down menu.
    Select Segment | Select a Segment from the drop-down menu. By default, Global Segment is selected.
    Note: You can select only one Segment for Prisma subscription.
  16. After you select a Profile and Segment, the list of Edges associated with the selected Profile is auto-populated. Select one or more Edges to which you want to apply the SSE integration.
  17. If an Edge has more than two WAN links, the first two WAN links are auto-populated in the table. You can select the WAN links that you wish to use for the automation.
  18. Click Validate Tunnel Configuration. A warning is displayed if any of the datacenters is oversubscribed.
    Note: The Validate Tunnel Configuration button is available only for the Prisma Access subscription type. In a Prisma deployment, you must buy a license to add bandwidth capacity at a datacenter. This license restricts the maximum throughput, thus displaying a warning.
  19. Once the tunnel configuration is validated, click Save and Finish.
    The newly created SSE integration appears on the list on the Security Service Edge (SSE) screen.