Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
07-17-2021 09:32 PM
Hi All,
I build a service connection with Prisma Access (Panorama Managed) and on-prem PA firewall.
As I would like to setup a tunnel monitor, but it is required a IP address for tunnel interface and destination.
What IP should I input for destination? "Tunnel Monitor IP Address" show in "Service Infrastructure"?
And what IP should I assign for op-prem firewall tunnel interface? Since I cannot use any IP inside "infrastructure subnet" of Prisma Acess according to the deployment document.
08-05-2021 03:39 AM
For the prisma access you need to see under the Service Infrastructure as it automatically gives ip addresses to it objects like the Service Infrastructure CAN or Remote Network SPN or the Mobile Gateway. You can also select your local firewall to ping an IP address with the tunnel monitor that is in another site of yours that is again connected to the Prisma access as the idea for the tunnel monitor is to ping an ip address that the ping passthrough the tunnel to reach it.
On the Prisma Access side can you try to specify the tunnel monitor ip address to be a DNS server, LDAP server etc. that is in your local Data Center behind the Service Connection.
08-05-2021 06:42 PM
Hi Nikolay,
I would like to know what IP should I assign for "tunnel interface" in on-prem firewall site?
For a normal both on-prem firewall site-to-site VPN setting, I would assign two side firewall tunnel interface IP in a same subnet.
However, "infrastructure subnet" of Prisma Access cannot be assigned in on-prem side according to the deployment document, that mean I cannot use the same subnet IP for both site-to-site VPN interface
08-06-2021 02:49 AM
Hello Just check the Palo Alto Prisma documentation as it covers such cases:
%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%
You must configure a static route on your CPE to the Tunnel Monitor IP Address for tunnel monitoring to function. To find the destination IP address to use for tunnel monitoring from your data center or HQ network to Prisma Access, select
, click the
radio button, and find the
.
%%%%%%%%%%%%%%%%%%%
08-07-2021 01:46 AM
I know the destination IP of CPE side for tunnel monitor is "Tunnel Monitor IP Address" and how to find it.
My question is what is the IP should I assign for tunnel interface of CPE side (the source IP) which is required to enable tunnel monitoring function, Since Prisma access not allow me to use the IP of "infrastructure subnet".
09-10-2021 11:15 AM
If I have not been mistaken, you can use the tunnel monitor IP address under the >status >network deatils
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
