About wprice

Hi Charles,    We do not tag the Remote Network prefixes with a community string, because we fully mesh the RNs to each Service connection. If all you want to do is identify which routes are RN's you can tag them by advertising them from the branch with a global or regional community string tag and we will advertise / preserve them to the SC with those Community value tags. If you want to identify which regions are which routes, you can advertise specific community tags for specific "regions" or "Geos".    I hope this helps.    Thanks, Wade ... View more

Hi Charles,    Here are replies inline to your questions:    1) Are the communities referred in it "65534:X " "65534:Y " "65534:Z " refers to the prisma mobile users IP pools allocation setting per region?   The routes are Mobile User User pool addresses you have onboarded in certain regions. We will split up those larger pools into /24 blocks and tag then with the Prisma Access AS number /Community Strings  (65534:x). The X/Y/Z is per Service Connection. You can say "regional" yes.    2) When we clicked on the BGP status, network detailed of the service connections, the community number shown in it refers to what? The X Y Z which i mentioned in point 1 above? I have 3 service connections (2 in US and 1 in EU and none in Asia).. these 3 service connections gave me different community numbers, so which is which region?   The community string tag it is using is an ID of the active FW for the original active Service Connection Firewall.  3) The document only mentioned about mobile users IP prefixes.. I also uses Remote Network (traditional IPSEC) into Prisma.. i like to control the return routes of which service connection to be use based on community.. how do we do what community is being set based on the Prisma Access Locations? Is there a list published somewhere on the community numbers? If i checked on the IP prefix of the remote site specifically, i do see a community tag to it... searching all the BGP Ip prefix will be a big chore, will be good if the community numbers tagging is published somewhere.   You can see the ID's in Panorama Managed Prisma Access GUI page:    Panorama >>> Cloud Services >>>Status >>> Network Details >>> Service Connection >>> Show BGP Status (Look at the Community field)    The community tags should be mostly static, so once you have mapped them out they should stay consistent unless you re-onboard the SC.    I hope this helps!   Wade ... View more

Hi Ram,    Thanks for your query! Are you speaking to the Tunnel Monitoring config using Proxy ID on Page 74 and 75 of the Prisma Access Panorama Admin guide?    https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-panorama-admin.pdf   The context here is around the Tunnel monitoring a Service Connection. This will probe the IP's specified to be sure traffic is not black-holed to a site that has gone down. For the Proxy ID config of your tunnel monitor traffic, The local subnet is your Infrastructure subnet since either the SC or RN when onboarded in our cloud will pull from this pool. The remote will the on-prem remote site subnet, etc..    If you are not using proxy IDs for tunnel monitoring you can just specify an IP that can be reached (can route to that remote IP) and is allowed (security policy allowed).    I hope this helps.    Wade ... View more