ONBOARDING GUIDE GLOBALPROTECT CLOUD SERVICE FOR REMOTE NETWORKS


GlobalProtect cloud service extends Palo Alto Networks Next-Generation Security Platform to your remote networks and mobile users. It operationalizes next-generation security deployment to these through a cloud-based security infrastructure managed by Palo Alto Networks. Based on our Next-Generation Security Platform, you administer GlobalProtect cloud service with Panorama network security management, allowing you to create and deploy consistent security policies across your entire organization.

GlobalProtect Cloud Service for Remote Networks

GlobalProtect cloud service for remote networks lets you extend the prevention philosophy of your corporate network to your remote networks, safely enabling commonly used applications and web access. Remote networks are connected to GlobalProtect cloud service through VeloCloud, the VMware NSX SD-WAN fabric. It secures enterprise and cloud applications over internet and hybrid WAN, simplifies deployment and reduces costs. GlobalProtect cloud service takes advantage of our full suite of Next-Generation Security Platform features. AutoFocus contextual threat intelligence and Aperture SaaS security services can be deployed to complement GlobalProtect.

For onboarding, an instance of GlobalProtect cloud service for remote networks will be set up. Figure 1 demonstrates onboarding three locations, two branches and one headquarters, that connect to GlobalProtect cloud service. For simplicity of validation, each branch will be given a unique subnet. (It should be noted that Palo Alto Networks does not recommend using overlapping IP subnets in general, although they can be configured with certain limitations in functionality.) We will first establish the IPSec tunnel from each location to the cloud firewall(s). Please refer to the last section for IPSec tunnel setup.

[Figure 1: Onboarding with GlobalProtect cloud service. Headquarters and branch locations connect to GlobalProtect cloud service and the Logging Service over IPsec/SSL VPN; Panorama adds/removes locations and users and manages policy.]

Palo Alto Networks Onboarding Guide: GlobalProtect Cloud Service for Remote Networks Datasheet 1

The environment has three SD-WAN components:

1. VMware NSX SD-WAN Edge by VeloCloud: The edge device is a zero-touch, enterprise-class appliance that provides secure, optimized connectivity to private, public and hybrid applications, compute, and virtualized services. These edges perform deep application recognition, application and packet steering, performance metrics, and end-to-end quality of service in addition to hosting virtual network function services.

2. VMware NSX SD-WAN Gateway by VeloCloud: A distributed network of service gateways deployed at top-tier cloud datacenters around the world provides scalability, redundancy and on-demand flexibility. These gateways provide optimized data paths to all applications, branches and data centers along with the ability to deliver network services from the cloud.

3. VMware NSX SD-WAN Orchestrator by VeloCloud: The orchestrator provides centralized, enterprise-wide installation, configuration and real-time monitoring in addition to orchestrating data flow through the cloud network. The orchestrator enables one-click provisioning of virtual services in the branch, the cloud or the enterprise data center.

Onboarding Validation Checklist

Validation Environment

Product Name              Version       Environment/Operating System
VeloCloud Edge            Release 2.3
VeloCloud Gateway         Release 2.3
VeloCloud Orchestrator    Release 2.3

Validation Test Cases                              Status
IPSec tunnels connectivity                         ✓
Branch-to-branch connectivity/communication        ✓
Branch-to-corporate connectivity/communication     ✓
Branch-to-internet connectivity/communication      ✓

✓ = Pass, X = Fail, N/A = Not Applicable

Topology for Test Cases With SD-WAN:

1. Branch to branch: Branch1 -> SD-WAN HUB/GW -> GlobalProtect cloud service (hairpin back) -> SD-WAN HUB/GW -> Branch2 (SD-WAN handles routing)
2. Branch to HQ/DC: Branch1 -> SD-WAN HUB/GW -> GlobalProtect cloud service (hairpin back) -> SD-WAN HUB/GW -> Hub (SD-WAN handles routing)
3. Branch to internet: Branch1 -> SD-WAN -> GlobalProtect cloud service -> internet

Passing Criteria:

1. Branch to branch: host at Branch1 passes traffic to host at Branch2 and vice versa
2. Branch to HQ/DC: host at Branch1 passes traffic to host at HQ/DC and vice versa
3. Branch to internet: host at branch reaches internet

Testing Scenarios

Remote network: SD-WAN integration. On-board 2 branches with 1 IPsec tunnel of 300 Mbps.

[Figure: two branches on the SD-WAN fabric share one 300 Mbps IPsec tunnel to GlobalProtect cloud service; headquarters is on the same fabric; traffic flows from the cloud service to the internet.]

Remote network: scaling with SD-WAN. On-board 1 branch with 600 Mbps as 2 x 300 Mbps tunnels to the cloud service.

[Figure: one branch on the SD-WAN fabric uses two 300 Mbps IPsec tunnels to GlobalProtect cloud service; headquarters is on the same fabric; traffic flows from the cloud service to the internet.]

Remote network: scaling with SD-WAN. 2 IPsec tunnels of 300 Mbps each for 5 branches of 100 Mbps each.

[Figure: five 100 Mbps branches on the SD-WAN fabric share two 300 Mbps IPsec tunnels to GlobalProtect cloud service; headquarters is on the same fabric; traffic flows from the cloud service to the internet.]

Palo Alto Networks GlobalProtect Cloud Service Configuration

GlobalProtect cloud service must be configured with branch site network details; IPsec tunnel and Internet Key Exchange (IKE) configuration for protocol negotiation between your remote network location and the GlobalProtect cloud service; remote network configuration; and any other needed security policies. This can be configured through Panorama. These steps only provide a broad configuration guideline using Panorama, and screens may change over time. Please refer to the GlobalProtect Cloud Service Getting Started Guide for additional details. Install the Cloud Services plugin on Panorama before you proceed with configuration.

GlobalProtect Cloud Service Setup

Palo Alto Networks requires that you configure an infrastructure subnet that doesn't overlap with any of your existing networks. This subnet is used to create a network backbone for communication between your branch office networks and GlobalProtect cloud service. To create it, navigate to Panorama > Cloud Services > Configuration, select Service Setup and click the Settings icon.

Configure Zone Mapping

You must create zone mappings so GlobalProtect cloud service will know whether to associate a zone with an internal (trust) interface or an external (untrust) interface on the firewalls it instantiates within the cloud. To create zone mapping:

1. Go to Panorama > Network > Zones
2. Create your trusted and untrusted zones
3. Map them under Panorama > Cloud Services > Configuration > Remote Networks > Zone Mapping
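The guide states two planning requirements (the infrastructure subnet must not overlap any existing network, and each branch should get a unique subnet) and sizes its test scenarios on 300 Mbps IPsec tunnels. The following is an added example, not code from the guide or from Palo Alto Networks, that checks a planned onboarding against those rules before anything is committed in Panorama; it assumes Python 3.9+, and every subnet and bandwidth value in it is constructed sample data.

```python
"""Pre-onboarding plan check for GlobalProtect cloud service remote networks.

Added example (not part of the Palo Alto Networks guide). Sample data only.
"""
from ipaddress import ip_network

TUNNEL_MBPS = 300  # per-tunnel capacity used in the guide's test scenarios


def check_infrastructure_subnet(infra: str, existing: dict[str, str]) -> list[str]:
    """Return names of existing networks that overlap the infrastructure subnet.

    An empty list means the no-overlap requirement is satisfied.
    """
    infra_net = ip_network(infra)
    return [name for name, cidr in existing.items()
            if infra_net.overlaps(ip_network(cidr))]


def find_branch_overlaps(branches: dict[str, str]) -> list[tuple[str, str]]:
    """Return pairs of branches whose subnets overlap.

    The guide allows overlapping branch subnets with reduced functionality,
    so treat hits as warnings to review rather than hard errors.
    """
    names = sorted(branches)
    nets = {n: ip_network(branches[n]) for n in names}
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def size_tunnels(branch_mbps: dict[str, int], cap: int = TUNNEL_MBPS) -> list[list[tuple[str, int]]]:
    """First-fit allocation of branch bandwidth onto IPsec tunnels of `cap` Mbps.

    A branch needing more than one tunnel (the guide's 600 Mbps branch on two
    300 Mbps tunnels) is split into cap-sized slices. Returns one list of
    (branch, Mbps) slices per tunnel; len(result) is the tunnel count.
    """
    tunnels: list[list[tuple[str, int]]] = []
    loads: list[int] = []
    for name, mbps in sorted(branch_mbps.items(), key=lambda kv: -kv[1]):
        remaining = mbps
        while remaining > 0:
            piece = min(remaining, cap)
            for i, load in enumerate(loads):
                if load + piece <= cap:          # fits in an existing tunnel
                    tunnels[i].append((name, piece))
                    loads[i] += piece
                    break
            else:                                 # open a new tunnel
                tunnels.append([(name, piece)])
                loads.append(piece)
            remaining -= piece
    return tunnels


if __name__ == "__main__":
    # Constructed sample plan: corporate network plus two branch subnets.
    existing = {"corporate": "10.0.0.0/8", "branch1": "192.168.1.0/24", "branch2": "192.168.2.0/24"}
    print("infra overlaps:", check_infrastructure_subnet("172.16.0.0/24", existing))
    print("tunnels needed:", len(size_tunnels({f"b{i}": 100 for i in range(1, 6)})))
```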

Onboard VeloCloud Headend as a Branch

To onboard a VeloCloud headend as a branch, you must establish an IPSec tunnel between GlobalProtect cloud service and the headend site. Follow the steps below:

Go to Panorama > Cloud Services > Configuration > Remote Networks and add an IPSec tunnel.

To create a new IPSec tunnel, click New IPSec Tunnel, give it a name, and configure the IKE gateway and the IPSec Crypto Profile. You can use the default setting for the IPSec Crypto Profile. The following figures show a sample configuration for the IKE gateway and IPSec tunnel. IKEv1 and IKEv2 with static and dynamic peers are supported. Note that if the far end is a policy-based VPN only, a proxy ID needs to be configured, where the local subnet can be any and the remote subnet is the subnet assigned to the branch.

[Figures: sample IKE gateway and IPSec tunnel configuration.]

You should commit all your changes to Panorama and push the configuration changes to GlobalProtect cloud service. Click Commit > Commit to Panorama.

List of VeloCloud SD-WAN components used in the validation:

1. VeloCloud Edge Models: Edge 510, Edge 520, Edge 540, Edge 840, Edge 2000, Virtual Edge
2. VeloCloud Gateway
3. VeloCloud Orchestrator

[Figure: validation topology showing Branch1 (Client 1) and Branch2 (Client 2) connected over SD-WAN overlay tunnels to the VeloCloud Gateway, the IPsec tunnel from the gateway to GlobalProtect Cloud, the data center servers, and the internet.]

Steps to configure:

1. Establish connectivity from VeloCloud Gateway to Palo Alto GlobalProtect Cloud (GPC) service.

a. Log in to the Enterprise customer account on the VeloCloud Orchestrator (VCO).

b. Navigate to Configure > Network Services. Go to the Non-VeloCloud Sites section and click New to create a new Non-VeloCloud site.

1. Configure a name and select Palo Alto as the type.

b. Configure the public IP address of the firewall in GlobalProtect cloud service.

c. Click on the Next button to create the site and generate the IKE/IPSec configuration and pre-shared key for the site.

d. Once the site is created, click on the Advanced button to update the IKE/IPSec configuration. Also, add the site subnets that need to be protected.

e. Click on the Enable Tunnel(s) checkbox and then Save Changes.

f. You can view the detailed IKE/IPSec configuration needed to configure the Palo Alto Networks firewall by clicking the View IKE/IPSec Template button in the screenshot shown in step 1.f. The VeloCloud Gateway public IP address can be retrieved from this template.

2. Verify that the connectivity between the VeloCloud Gateway and the Palo Alto Networks firewall is successfully established.

a. Go to Monitor > Network Services.

3. Configure the customer profile to service-chain the Non-VeloCloud site to the customer's SD-WAN.

a. Go to Configure > Profiles > <Profile_Name> and click on the Device tab.

b. Enable the Cloud VPN feature to turn on VPN connectivity from the Branch and DC sites.

c. Check Enable under the Branch to Non-VeloCloud Site section and select the Palo Alto GPC firewall configured in Step 1.

4. Click Save Changes. At this stage, the Palo Alto firewall in GPC is successfully service-chained into the customer's VeloCloud SD-WAN.

5. Define application-aware business policies to redirect traffic through GlobalProtect cloud service. The following scenarios are covered:

a. Redirect branch-to-internet or cloud traffic through Palo Alto Networks GlobalProtect cloud service. Configure a business policy to redirect internet traffic through Palo Alto Networks GlobalProtect cloud service.

b. Redirect branch-to-data-center traffic through GlobalProtect cloud service. Configure a business policy to redirect data center traffic through GlobalProtect cloud service.

c. Redirect branch-to-branch traffic through GlobalProtect cloud service. Configure a business policy to redirect branch traffic through GlobalProtect cloud service.

3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000 | Sales: +1.866.320.4788 | Support: +1.866.898.9087
www.paloaltonetworks.com

© 2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. velocloudintegration-guide-ds-030218