PANCast™ Episode 33: Prisma SD-WAN Instant-On Network Device Registration and Claiming Process

Showing results for 
Show  only  | Search instead for 
Did you mean: 
L4 Transporter
No ratings

Episode Transcript:



Hello, and welcome back to PANCast™. In today's episode, we will discuss Prisma SD-WAN and specifically the Device Registration and Claiming process. We have Suman with us who will tell us more. Before we get started, Suman, could you tell us a bit about yourself?



Thank you, John, for having me on this PANCast™ today. My name is Suman, and I have been working in the TAC support of Palo Alto Networks, specializing in SASE and Prisma SD-WAN product solutions.
Today, I am very excited to talk about the Prisma SD-WAN device registration and claiming process. It’s a complex backend operation; however, it appears very simple for the end customer, providing a good customer experience.

So let’s get started.

When an Instant-On Network or ION device is purchased — and before shipping to an end customer — a device-specific Manufacturer Installed Certificate or MIC is installed on the device at the manufacturer floor and registered to the customer. The uniqueness of the MIC is based on the device's serial number. Currently, the device is either UNCLAIMED or UNTRUSTED with no ability to join a customer network. Once the device is received at the customer location, installed, and powered ON, the device will reach out to the cloud controller over any available internet connection. The device and controller will mutually authenticate and establish a TLS 1.2 session using the installed MIC.

At this point the ION device is in an effective “quarantine” state: it has no ability to receive policy information from the controller, communicate with other ION devices on the network, or make any policy decisions. The device will show up in an “unclaimed inventory list” for the customer on the controller. At this point, the customer can CLAIM the device via the controller’s UI. When CLAIMING the device, the controller will generate a unique device ID for the device, generate a device-specific Customer Installed Certificate or CIC and register the unique device ID and CIC in the controller. The CIC is transmitted to the device over the existing TLS 1.2 session, which is then re-established between the device and the controller using the newly installed CIC.

Until now, the device is not yet participating in the network. In order to complete the operation, policies need to be attached to the device (via site binding) and any relevant device-specific configurations need to be configured on the device via the controller UI. Once the device configuration and policy assignment is complete, the device will establish VPN tunnels to other ION devices and can start data forwarding as per the defined policies.

The validity periods for both the MIC and CIC certificates are 10 years. All certificates are stored in an encrypted state at rest in the controller



Thanks Suman, so it sounds like there are different connections between the ION device and the cloud controller. Can you tell us more about those?

The different connections between ION device and the cloud controller



Sure John, so the Prisma SD-WAN ION device initiate 4 TLS 1.2 long-lived sessions to the controller for various services such as Message Routing Layer (MRL), statistics, flows, logs, and remote access of the device toolkit.

Let me explain the functionality of each of the session and their relevance.

  • Message Routing Layer (MRL): is used for all control messages between controller and ION devices.
    What’s that mean? If any config change is made on the controller UI, a unique etag value will generate and the controller will push the new configuration along with the unique etag id through this control channel. In this architecture, the controller is always the source of truth, hence all configuration has to come from the controller only.
  • Logs: All system logs from the device to the controller are sent over logs channel for centralized troubleshooting or debugging.
  • Stats for Flows: Flow records collected by the device are sent to the controller over this channel.
  • Stats for Metrics: All aggregated metrics are sent by the device to the controller over stats channel.
  • And the last connection( remote access) is an on-demand TLS session for the remote cli access from the UI of the controller. The connection is initiated through the MRL connection, hence MRL connection should remain up to get the remote cli access via the UI of the controller. The customer can initiate and connect a maximum of 16 concurrent remote access with the ION device
ION manages all connections dynamically, and any L3 interfaces are eligible to participate in these connections, and the ION can initiate each session separately as far as DNS IP is configured on them.



And what about Data Security?

About Data Security



Good question John. The data security is a common concern for all customers. All data in transit is protected using SSL/TLS encryption.
This includes:
  • API access from customer users to the Prisma SD-WAN controller
  • UI access from customer users to the Prisma SD-WAN controller
  • From ION devices to the Prisma SD-WAN controller
  • From services or pipelines within the Prisma SD-WAN controller to cloud storage, All data at rest in databases and cloud storage is encrypted

All Palo Alto Networks personnel access to data is protected using SSL/TLS connections and authenticated using internal directory services, multi-factor authentication, and IAM authentication. Palo Alto Networks has achieved SOC2 Type I certification for Prisma SD-WAN. Furthermore, the service is hosted in SOC 2 Type II certified data centers.


Good to know Suman, so finally what are the key takeaways for today?

Episode Key Takeaways



Yes, to summarize the takeaways are as follows:

  • Devices visible in your inventory are available for you to claim and then assign to sites.
  • The claim process authenticates and legitimizes the devices on each site.
  • The devices come online with enough knowledge to connect with the Prisma SD-WAN controller in the appropriate customer context and start forwarding flows.
  • Prisma SD-WAN Instant-On Network (ION) devices, in hardware and software form factors, enable the integration of a diverse set of WAN connection types, improve application performance and visibility, enhance security and compliance, and reduce the overall cost and complexity of the customer’s WAN.
  • ION manages all controller connections dynamically, and all L3 interfaces are eligible to participate in these connections.
  • The validity periods for the Certificates are for 10 years for both the MIC and CIC certificates.

With the key points in mind, I wish you a pleasant journey with ION’s complete claiming and registration lifecycle.


Thanks so much Suman. For our PANCasters out there, you can find the transcript and some useful links on under PANCast. Until next time.


Related Content:

Prisma SD-WAN 

Rate this article:
L2 Linker

Good overview on what takes place for SD-WAN ION devices