Prisma Access Integration Overview

Last updated
Save as PDF

The document provides an overview of integrating Prisma Access with Meraki MX devices, enabling seamless integration of Prisma Access security services with Meraki networks, enhancing security posture and simplifying management through centralized policy enforcement and threat prevention capabilities.

Prisma Access Integration Overview

Palo Alto Prima Access offers a security stack solution from the cloud for internet and SaaS connections. Prisma acts as a secure web gateway where 0.0.0.0/0 traffic will be routed for inspection and enforcement prior to internet termination.

This document describes how to configure Prisma Access IPsec peering with the Meraki MX Security Appliance (MX/Z platforms).

Prerequisites

Prisma Access account
Meraki MX/Z device (running MX17+ firmware)
Meraki MX/Z Site-to-site VPN enabled

Integration with Prisma Access can be done from the Prisma Access Dashboard or from the Meraki Dashboard. See links to Prisma Access documentation.
Prisma Access Integration
Prisma Access manual Integration

Prisma Access Configuration

Go to sase.paloaltonetworks.com and login
Allocate bandwidth to the required Compute locations.
Navigate to Manage > Service Setup > Remote Networks and click on Bandwidth Management tab.

Below we have allocated 100Mbps to different compute locations
Onboard your Remote Network by Navigating to Manage > Service Setup > Remote Networks
Click “Add Remote Networks” at the top right corner
Configure General information - Select Compute point closest to your location. Below we have selected US Southeast for our Atlanta Branch Office
Setup Primary Tunnel

Under Tunnel, Click on create New.
Update Tunnel Name, Shared secret and Address of the branch network (Static or dynamic). If the branch device does not have a dedicated IP, you can use the dynamic option with FQDN of the branch as configured below.

8. IKE and IPsec settings can be configured by clicking on IKE Advanced Options & IPsec Advanced options

IKE Advanced Options > “Create New” and save configuration once parameters have been set.

Below we created a new IKE setting for our Atlanta Office

IPsec Advanced options > “Create New” and save configuration once parameters have been set.

Below we created a new IPsec setting for our Atlanta Office

9. Once both IKE and IPsec settings have been configured and saved, you need to save configurations on the bottom right of the General page seen below.

10. Push Configuration: At the top right corner of the Remote Networks Setup page as seen below, Click “Push Config” and “Push”

Select Remote Networks > and “Push”.
Once the Config push is completed, you can navigate to your Meraki Network to continue set up.

Enable Meraki site-to-site VPN

On the Meraki Network, Navigate to Site-to-site VPN settings through the Security & SD-WAN > Configure > Site-to-site VPN page.

There are three options for configuring the MX-Z's role in the Auto VPN topology:

Screen Shot 2021-12-07 at 1.41.29 PM.png

Off: The MX-Z device will not participate in site-to-site VPN.
Hub (Mesh): The MX-Z device will establish VPN tunnels to all remote Meraki VPN peers that are also configured in this mode, as well as any MX-Z appliances in hub-and-spoke mode that have the MX-Z device configured as a hub.
Spoke: This MX-Z device (spoke) will establish direct tunnels only to the specified remote MX-Z devices (hubs). Other spokes will be reachable via their respective hubs unless blocked by site-to-site firewall rules.

Select Hub (Mesh) to enable AutoVPN as this is recommended for the MX peering with the non-Meraki/Prisma Access.

Gather details from Prisma Access

1. You need the Service IP addresses of Prisma Access Compute location. This can be seen under Manage > Service Setup > Remote Networks. The service IP is the Prisma Access IP your branch points to.

2. You also need to know the:

Pre-shared key (use your preferred secret)
IKE crypto configured (we used AES-256,SHA-1,DH-14)
IPsec crypto configure (we used AES-256,SHA-1,DH-14)

Configuration

You can create Site-to-site VPN tunnels between a Security Appliance or a Teleworker Gateway and Prisma Access under the Non-Meraki VPN peers section on the Security & SD-WAN > Configure > Site-to-site VPN page. Simply click "Add a peer" and enter the following information:

* Required

Name - A name for the remote device or VPN tunnel
Public IP - Prisma Access Service IP
IKE Version - KEv2
IKEv2 enables the Local ID field (optional), but must match "IKE Peer identification field on Prisma Access Dashboard" if used
IPSec policies, must match IKE and IPsec option on Prisma Access Dashbaord for configured peer

Per configured IKE and IPSec policy settings configured in Prisma Access. Please note policies must match on the Meraki and Prisma end for the tunnel to come up.

6. Our configuration looks like this on for our Atlanta Office once completed

7. On the Remote Networks page, once the tunnel is up and running, you will see an OK green check mark for the configured peer tunnel

8. The Prisma Access security policy is to deny all traffic by default, so be sure to add firewall rules on Prisma Access to permit traffic from the configured Remote Branch location

Primary and backup Prisma Access

Meraki MX/Z platforms do not support native primary and backup peering at this time, but we have created an API configuration guide as a workaround. For more information, read here.

Non-Meraki VPN firewall

You can add firewall rules to control what traffic is allowed to pass through the VPN tunnel. These rules will apply to outbound VPN traffic to/from all MX-Z appliances in the Organization that participate in site-to-site VPN. These rules are configured in the same manner as the Layer 3 firewall rules described on the Firewall Settings page of this documentation. Note that VPN Firewall rules will not apply to inbound traffic or to traffic that is not passing through the VPN.

Serviceability

Event Logs

If you have any issues or would like to know more about the Prisma Access peering details, navigate to Network-wide > Monitor > Event log

Packet Captures

The following options are available for a packet capture on MX/Z platforms:

Appliance: The appliance the capture will run on.
Interface: Select the interface to run the capture on; the interface names will vary depending on the appliance configuration. A few examples of interfaces you may see are:
- Internet 1 or Internet 2 - Capture traffic on one active WAN uplink. Internet 2 will only appear if there is a second WAN link.
- LAN - Captures traffic from all LAN ports
- Cellular - Captures cellular traffic from the integrated cellular interface. This does not apply to USB modems.
- Site-to-Site VPN - Captures AutoVPN traffic (MX/Z to MX/Z only). This does not apply to Non-Meraki VPN peers.
Output: Select how the capture should be displayed; view output or download .pcap.
Verbosity: Select the level of the packet capture (only available when viewing the output directly to Dashboard).
Ignore: Optionally ignore capturing broadcast/multicast traffic.
Filter expressions: Apply a capture filter.

To capture packets, select the WAN interface and use the filter expressions for UDP 500 for Phase 1 or UDP 4500 for Phase 2.

API

The Meraki dashboard API is an interface for software to interact directly with the Meraki cloud platform and Meraki-managed devices. The API contains a set of tools known as endpoints for building software and applications that communicate with the Meraki dashboard for use cases such as provisioning, bulk configuration changes, monitoring, and role-based access controls. The dashboard API is a modern, RESTful API using HTTPS requests to a URL and JSON as a human-readable format. The dashboard API is an open-ended tool that can be used for many purposes.

For more information, read here.

24/7 Support

Cisco Meraki Support is available 24/7 to Enterprise customers for assistance with resolving network issues and providing answers to questions not covered by the documentation. For more information, read here.