Before configuring the Security Service Edge (SSE) automation, you must first configure IKE and IPsec profiles to be used by the SSE automation. This is required for initiating the tunnel from the Edge to Prisma Cloud. This is a one-time manual configuration that must be performed in the Palo Alto Networks Strata Cloud Manager portal.

Follow the steps below to configure IKE and IPsec profiles:
Note: This procedure is for guidance purposes only.

Prerequisites

There is no dedicated location in the Palo Alto Networks Strata Cloud Manager portal to configure the IKE and IPsec profiles. Hence, this configuration must be done in the Remote Networks configuration section.

You can reuse existing profiles if they are already configured and are supported by the Edges. To create new profiles, refer to the template below:
  • AES 128 CBC
  • DH Group 14 (IKE Crypto Profile)
  • PFS configured (same as the DH Group value)
  • SHA 256
  • IKE SA Lifetime 1440 min
  • IPsec SA Lifetime 480 min
Note: This template is just an example. You can configure a stronger encryption algorithm if needed.
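
As an added example (not part of the original guide, and not tooling from Palo Alto Networks or VMware), the following Python code compares an existing pair of IKE and IPsec profiles against the template above before you decide to reuse them. The dictionary field names and the sample profiles are assumptions constructed for illustration.

```python
import re

# Hypothetical field names; this is not an export format of either product.
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600, "days": 86400}

# Template values from this page, lifetimes converted from minutes to seconds.
TEMPLATE = {
    "ike": {"encryption": "aes128cbc", "hash": "sha256",
            "dh_group": 14, "lifetime_s": 1440 * 60},
    "ipsec": {"encryption": "aes128cbc", "hash": "sha256",
              "pfs_group": 14, "lifetime_s": 480 * 60},
}

def normalize(profile):
    """Canonicalize algorithm names and express the lifetime in seconds."""
    out = {}
    for key, value in profile.items():
        if key == "lifetime":
            amount, unit = value
            out["lifetime_s"] = amount * UNIT_SECONDS[unit]
        elif isinstance(value, str):
            out[key] = re.sub(r"[^a-z0-9]", "", value.lower())
        else:
            out[key] = value
    return out

def deviations(ike, ipsec):
    """List every difference between the given profiles and the template."""
    found = {"ike": normalize(ike), "ipsec": normalize(ipsec)}
    issues = []
    for phase, expected in TEMPLATE.items():
        for field, want in expected.items():
            got = found[phase].get(field)
            if got != want:
                issues.append(f"{phase}.{field}: expected {want}, found {got}")
    # The template sets PFS to the same group as the IKE DH group.
    if found["ipsec"].get("pfs_group") != found["ike"].get("dh_group"):
        issues.append("ipsec.pfs_group differs from ike.dh_group")
    return issues

# Constructed sample profiles, as they might be read off existing settings.
IKE_OK = {"encryption": "AES 128 CBC", "hash": "SHA 256",
          "dh_group": 14, "lifetime": (24, "hours")}
IPSEC_OK = {"encryption": "aes-128-cbc", "hash": "sha256",
            "pfs_group": 14, "lifetime": (480, "minutes")}
IPSEC_OLD = {"encryption": "aes-128-cbc", "hash": "sha256",
             "pfs_group": 2, "lifetime": (1, "hours")}

if __name__ == "__main__":
    for issue in deviations(IKE_OK, IPSEC_OLD):
        print(issue)
```

A reported difference is not necessarily an error, since the note above allows a stronger encryption algorithm; it marks a profile that no longer matches the template and should be checked against what the Edges support.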

Procedure

  1. Log into the Palo Alto Networks Strata Cloud Manager portal.
    The following screen is displayed:
  2. Navigate to Workflows > Prisma Access Setup > Remote Networks as shown in the above screenshot.
    The Remote Networks Setup screen appears.
  3. Click Add Remote Networks in the top right corner of the Remote Networks Setup screen.
  4. In the Add Remote Networks screen, ignore the mandatory fields and directly go to the IKE and IPsec profile configurations, by clicking Set Up in the Primary Tunnel section as shown below:
  5. In the Create IPsec Tunnel screen, click Create New.
  6. Ignore all the mandatory fields and scroll down to the bottom of this screen. Click IKE Advanced Options.
  7. Click Create New on the IKE Advanced Options screen.
    Note: Ignore all the pre-configured options. You must create a new IKE profile to be used for the VMware SSE automation.
  8. Clicking Create New displays the following screen:
  9. Enter the values based on the template provided in the Prerequisites section, and then click Save.
  10. Click Save on the IKE Advanced Options screen to save the IKE profile.
    This step takes you back to the Create IPsec Tunnel screen.
  11. On the Create IPsec Tunnel screen, click IPsec Advanced Options as shown below:
  12. Click Create New on the IPsec Advanced Options screen.
    Note: Ignore all the pre-configured options. You must create a new IPsec profile to be used for the VMware SSE automation.
  13. Clicking Create New displays the following screen:
  14. Enter the values based on the template provided in the Prerequisites section, and then click Save.
  15. Click Save on the IPsec Advanced Options screen to save the IPsec profile.

What to do next

You may now log into the Orchestrator to configure the Security Service Edge (SSE) and initiate the automation. For more information, see Security Service Edge (SSE).