topic Tunnel monitor Prisma Access in Prisma Access Discussions

Tunnel monitor Prisma Access

JoeKwok — Sun, 18 Jul 2021 04:32:28 GMT

Hi All,

I build a service connection with Prisma Access (Panorama Managed) and on-prem PA firewall.

As I would like to setup a tunnel monitor, but it is required a IP address for tunnel interface and destination.

What IP should I input for destination? "Tunnel Monitor IP Address" show in "Service Infrastructure"?

And what IP should I assign for op-prem firewall tunnel interface? Since I cannot use any IP inside "infrastructure subnet" of Prisma Acess according to the deployment document.

Re: Tunnel monitor Prisma Access

NikolayDimitrov — Thu, 05 Aug 2021 10:39:40 GMT

For the prisma access you need to see under the Service Infrastructure as it automatically gives ip addresses to it objects like the Service Infrastructure CAN or Remote Network SPN or the Mobile Gateway. You can also select your local firewall to ping an IP address with the tunnel monitor that is in another site of yours that is again connected to the Prisma access as the idea for the tunnel monitor is to ping an ip address that the ping passthrough the tunnel to reach it.

On the Prisma Access side can you try to specify the tunnel monitor ip address to be a DNS server, LDAP server etc. that is in your local Data Center behind the Service Connection.

Re: Tunnel monitor Prisma Access

JoeKwok — Fri, 06 Aug 2021 01:42:49 GMT

Hi Nikolay,

I would like to know what IP should I assign for "tunnel interface" in on-prem firewall site?

For a normal both on-prem firewall site-to-site VPN setting, I would assign two side firewall tunnel interface IP in a same subnet.

However, "infrastructure subnet" of Prisma Access cannot be assigned in on-prem side according to the deployment document, that mean I cannot use the same subnet IP for both site-to-site VPN interface

Re: Tunnel monitor Prisma Access

NikolayDimitrov — Fri, 06 Aug 2021 09:49:21 GMT

Hello Just check the Palo Alto Prisma documentation as it covers such cases:

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prepare-the-prisma-access-infrastructure/create-a-service-connection

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-for-networks/configure-prisma-access-for-networks

%%%%%%%%%%%%%%%%%%%

To enable tunnel monitoring for the service connection, select

Tunnel Monitor

Enter a
Destination IP
address.
Specify an IP address at your HQ or data center site to which Prisma Access can send ICMP ping requests for IPSec tunnel monitoring. Make sure that this address is reachable by ICMP from the entire Prisma Access infrastructure subnet.
If you use tunnel monitoring with a peer device that uses multiple proxy IDs, specify a
Proxy ID
or add a
New Proxy ID
that allows access from the infrastructure subnet to your HQ or data center site.

%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%

You must configure a static route on your CPE to the Tunnel Monitor IP Address for tunnel monitoring to function. To find the destination IP address to use for tunnel monitoring from your data center or HQ network to Prisma Access, select

Panorama

Cloud Services

Status

Network Details

, click the

Service Infrastructure

radio button, and find the

Tunnel Monitor IP Address

%%%%%%%%%%%%%%%%%%%

Re: Tunnel monitor Prisma Access

JoeKwok — Sat, 07 Aug 2021 08:46:32 GMT

I know the destination IP of CPE side for tunnel monitor is "Tunnel Monitor IP Address" and how to find it.

My question is what is the IP should I assign for tunnel interface of CPE side (the source IP) which is required to enable tunnel monitoring function, Since Prisma access not allow me to use the IP of "infrastructure subnet".

Re: Tunnel monitor Prisma Access

ManojV5 — Fri, 10 Sep 2021 18:15:34 GMT

If I have not been mistaken, you can use the tunnel monitor IP address under the >status >network deatils