Before configuring the Security Service Edge (SSE) automation, you must first configure IKE and IPsec profiles to be used by the SSE automation. This is required for initiating the tunnel from the Edge to Prisma Cloud. This is a one-time manual configuration that must be performed in the Palo Alto Networks Strata Cloud Manager portal.
Note: This procedure is for guidance purposes only.
Prerequisites
There is no dedicated location in the Palo Alto Networks Strata Cloud Manager portal to configure the IKE and IPsec profiles. Hence, this configuration must be done in the Remote Networks configuration section.
You can reuse existing profiles if they are already configured and are supported by the Edges. To create new profiles, refer to the following template:
- AES 128 CBC
- DH Group 14 (IKE Crypto Profile)
- PFS configured (same as the DH Group value)
- SHA 256
- IKE SA Lifetime 1440 min
- IPsec SA Lifetime 480 min
Note: This template is just an example. You can configure a stronger encryption algorithm if needed.
Procedure
What to do next
You may now log in to the Orchestrator to configure the Security Service Edge (SSE) and initiate the automation. For more information, see Security Service Edge (SSE).