Prisma SD-WAN Netskope Integration


Netskope Integraon Guide

1.0.0

docs.paloaltonetworks.com
Table of Contents

Prisma SD-WAN Netskope Integration ........ 4
  Set up the Netskope Security Cloud ........ 5
  Configure Prisma SD-WAN Tunnels to Netskope Security Cloud ........ 11
    Create an IPsec Profile ........ 11
    Create a Service Group ........ 12
    Create an IPsec Tunnel ........ 14
    Create a Path Policy ........ 17
    Verify the Configuration ........ 18
  Monitor Cybersecurity Events on the Netskope Portal ........ 20

Netskope Integraon Guide Version 1.0.0 2 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon
As enterprises rely on SaaS or Cloud-based delivery models for business-crical
applicaons, there is a compelling need for per-applicaon policy enforcement without
increasing remote office infrastructure. Tradional hardware-router based approaches
are limited by cumbersome policies for direct-to-internet versus policy enforcement
per-applicaon. Router-based approaches are packet-based versus applicaon-session
based and fail to meet applicaon session-symmetry requirements, causing network
and security outages.
You can integrate Prisma SD-WAN with Netskope Security Cloud to have a remote
office hardware, while sll having a full suite of applicaon-specific security policies.


Set up the Netskope Security Cloud


Integrate Prisma SD-WAN with Netskope to have a lightweight remote office hardware footprint
along with a full suite of application-specific security policies.

Set up the Netskope security cloud.


STEP 1 | Log in to Netskope.

Netskope Integraon Guide Version 1.0.0 5 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 2 | Navigate to Sengs.

STEP 3 | Select Security Cloud Plaorm.

Netskope Integraon Guide Version 1.0.0 6 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 4 | Select IPSec.

Netskope Integraon Guide Version 1.0.0 7 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 5 | Add a new IPsec tunnel.


1. Click Add New Tunnel.

2. Enter a name for the tunnel.


3. Enter the IP address or the unique FQDN of the Prisma SD-WAN tunnel endpoint.
4. Choose the geographically closest Netskope POP as the Primary and choose a failover
Netskope POP.
5. Enter a Pre-Shared Key.
6. Configure an encryption cipher.
7. Configure the Maximum BW to be used by the IPsec tunnel.
No rate limiting happens based on the configured bandwidth.
8. Click Add.
When you click Add, the IPsec tunnel entry can be seen.
9. Verify the status of the tunnel.
An upward arrow indicates the tunnel is UP.

Netskope Integraon Guide Version 1.0.0 8 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

10. (Oponal) Click the ellipsis next to the tunnel entry to see addional opons to edit and
view tunnel configuraon parameters.

Netskope Integraon Guide Version 1.0.0 9 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

• The throughput capacity refers to the actual traffic going through the tunnel.
• Save the probe IP address to be used later in the Prisma SD-WAN endpoint
configuration for liveliness checks.

Netskope Integraon Guide Version 1.0.0 10 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

Configure Prisma SD-WAN Tunnels to Netskope Security Cloud


Use the following steps to configure Prisma SD-WAN tunnels to the Netskope Security Cloud.
STEP 1 | Create an IPsec profile.

STEP 2 | Create a service group.

STEP 3 | Create an IPsec tunnel.

STEP 4 | Create a path policy.

STEP 5 | Verify the configuraon.

Create an IPsec Profile


Create an IPsec profile on the Prisma SD-WAN web interface.
STEP 1 | Navigate to Policies > Stacked Policies > IPsec Profiles.

STEP 2 | Click Add IPsec Profile.

STEP 3 | On the Info tab, enter a name and an optional description.

Netskope Integraon Guide Version 1.0.0 11 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 4 | Configure IKE sengs.

• Netskope Security Cloud supports IKEv2 configuraon only.


• Netskope supports the following encrypon ciphers: AES128-CBC,AES192-CBC, AES256-
CBC.
• Netskope supports the following hash algorithms: SHA256, SHA384,SHA512.
• Netskope supports the following DH Groups: 14, 15, 16, 18.
• DPD must be enabled.

STEP 5 | Click Next.

STEP 6 | Configure ESP Group sengs.

• Netskope supports the following encrypon ciphers: AES128-CBC,AES256-CBC, AES128-


GCM, AES192-GCM, AES256-GCM, Null.
• Netskope supports the following hash algorithms: SHA256, SHA384,SHA512.
• Netskope supports the following DH Groups:14, 15, 16, 18.

STEP 7 | Click Next.

STEP 8 | On the Authencaon tab, select None for Type.


This is because authencaon sengs will be configured locally on the device using an
IPsecauthencaon override.

STEP 9 | Click Next, review the sengs of the profile and then click Save & Exit.

Create a Service Group


A service group is a set of labels that associate the Prisma SD-WAN ION with a
Netskope endpoint.
STEP 1 | Navigate to Policies > Stacked Policies.

Netskope Integraon Guide Version 1.0.0 12 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 2 | Select Service & DC Groups.

STEP 3 | Click Endpoints.

STEP 4 | Change the view from Prisma SD-WAN to Standard VPN.

STEP 5 | Click Add Endpoint.

STEP 6 | Give the endpoint a name and check the Admin UP box.

STEP 7 | Click IPs & Hostnames.

STEP 8 | Enter a comma separated list of the Netskope Primary and Failover POP IP addresses and
click Done.
Prisma SD-WAN will check RTT for each of these IP addresses and will automatically choose
the destination with the lowest latency as the IPsec tunnel endpoint.

Netskope Integraon Guide Version 1.0.0 13 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 9 | Click Liveliness Probe.

STEP 10 | Configure the Probe IP Address from the Netskope tunnel configuration along with the ICMP ping
interval and failure count and click Done.
The probe IP address in the Netskope Security Cloud will be pinged to check liveliness of the
tunnel. In the example below, an ICMP packet will be sent once every 10 seconds. When 3
consecutive pings fail, the tunnel will be declared Down.

STEP 11 | Click Save & Exit.

STEP 12 | At the Groups tab, under the Domains column, against the Groups row, click Add to add a
new group.

STEP 13 | Select Standard VPN.

STEP 14 | Give the group a name and in the Endpoints drop-down, choose the endpoint that was just
configured.

STEP 15 | Click Save.
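As an added example (not the guide's or the product's code), a small Python model of the endpoint rules in steps 8 and 10 above: the reachable POP with the lowest RTT is chosen, and three consecutive missed ICMP probes at a 10-second interval mark the tunnel Down. Recovery on the next successful reply is this example's assumption, and the RTT values are constructed.

```python
# Added example, not from the guide: a model of the two endpoint behaviours
# described above. choose_endpoint() mimics picking the POP with the lowest RTT;
# LivelinessProbe counts consecutive failed ICMP probes and declares the tunnel
# Down at the configured failure count (10 s / 3 are the guide's example values).
# Recovery after the next successful reply is this example's assumption.

def choose_endpoint(rtt_ms):
    """rtt_ms maps POP IP -> RTT in milliseconds, or None when unreachable."""
    reachable = {ip: rtt for ip, rtt in rtt_ms.items() if rtt is not None}
    if not reachable:
        return None  # no usable endpoint: nothing to bring the tunnel up to
    return min(reachable, key=reachable.get)

class LivelinessProbe:
    def __init__(self, interval_s=10, failure_count=3):
        self.interval_s = interval_s
        self.failure_count = failure_count
        self.consecutive_failures = 0
        self.state = "Up"

    def record(self, reply_received):
        """Feed one probe result; returns the tunnel state after it."""
        if reply_received:
            self.consecutive_failures = 0
            self.state = "Up"
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.failure_count:
                self.state = "Down"
        return self.state

    def worst_case_detection_s(self):
        """Longest time a dead tunnel can go unnoticed: failure count * interval."""
        return self.interval_s * self.failure_count

# Constructed RTTs for the two POP addresses shown in the guide's verification output.
SAMPLE_RTTS = {"8.36.116.114": 5, "163.116.133.38": 53}
```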

Create an IPsec Tunnel


STEP 1 | Navigate to Map > Claimed Devices.

STEP 2 | Click the ellipsis menu for the device to be configured with the IPsec tunnel and select
Configure the device.

Netskope Integraon Guide Version 1.0.0 14 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 3 | Select Interfaces.

STEP 4 | Click the + sign on the Interface panel.

STEP 5 | Select Standard VPN and click Add.

Netskope Integraon Guide Version 1.0.0 15 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 6 | On the tunnel configuraon page, configure the following:

• Give the tunnel a name.


• Configure the Standard VPN type as IPsec.
• Parent interface should be set to the outbound interface.
• Inner Tunnel IP / Address Mask should be set to an internal IP behind your device that you
should allocate for the tunnel.
• Set the endpoint configured from the previous step.
• Peer IP can be used to configure the Netskope endpoint’s IP. This configuration is skipped in
this example, since the endpoint configuration in the previous step has the Netskope POP’s
IP addresses configured already.
• Select the IPSEC Profile that was created for Netskope.
• Add an IPSEC Authentication Override to configure IPsec authentication settings local to
the site.

• Type should be Pre-Shared Key.


• Configure the same pre-shared key at both the Prisma SD-WAN and Netskope endpoints.

Netskope Integraon Guide Version 1.0.0 16 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

• Local ID can be set to Interface IP Address or FQDN.


• To configure a local FQDN, choose Local ID Type as Custom and configure a FQDN under
Local ID.

STEP 7 | Click Create Standard VPN.

Create a Path Policy


Configure a path policy to allow traffic to flow through the IPsec VPN to Netskope Security Cloud.
STEP 1 | Navigate to Policies > Stacked Policies.

STEP 2 | Select Path and then Path Sets.

STEP 3 | Click Add Set.

STEP 4 | Give the path policy set a name and click Save.

STEP 5 | Click the policy set and click Add Rule.

STEP 6 | Give the policy rule a name.

Netskope Integraon Guide Version 1.0.0 17 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 7 | Navigate to the Apps tab next and choose the applications that you want to forward to the
Netskope Security Cloud over the Standard VPN.

STEP 8 | Navigate to the Paths tab and choose the overlay path Standard VPN on circuit category Any
Public.

STEP 9 | Navigate to the Service & DC Groups tab.

STEP 10 | Under Acve, choose the Group configured in the previous steps from the drop-down list.

STEP 11 | Verify the configuraon summary and click Save & Exit.

Verify the Configuraon


STEP 1 | Send traffic from the LAN side of the Prisma SD-WAN ION device.

STEP 2 | On the Prisma SD-WAN web interface, navigate to the Activity tab.

STEP 3 | Verify analycs on the WAN path Standard VPN.

Netskope Integraon Guide Version 1.0.0 18 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 4 | Verify flows on the WAN path Standard VPN.

STEP 5 | Verify the status of the Servicelink using Device Toolkit.


Netskope ION# dump servicelink status sldev=sl1
ServiceLink : sl1
Interface : Netskope-1
Description :
ID : 15748768634780249
Type : service_link (ipsec)
Admin State : up
Alarms : enabled
NetworkContextID :
Scope : local
Directed Broadcast : false
MTU : 1400
IP : static
Address : 192.168.1.1/31
Parent Interface : 1
Parent Device : eth5
Service Endpoint : NETSKOPE-IPSEC
IPSec Profile : NETSKOPE_IKEv2
Authentication Type : psk
Local ID Type : local_ip
Key Exchange : ikev2
IKE Reauth : no
IKE Lifetime : 24 hours
IKE Remote Port : 500
IKE DH Group/Encryption/Hash : modp2048/aes256/sha256
ESP Lifetime : 8 hours
ESP Encapsulation : Auto
ESP DH Group/Encryption/Hash : modp2048/aes256/sha256
DPD Enabled : yes
DPD Delay : 1
DPD Timeout : 5
Authentication Override
Authentication Type : psk
Local ID Type : custom
Local ID : cloudgenix@paloalto
Device : sl1
State : up
Last Change : 2021-03-05 01:49:28.414 (8h10m28s ago)
Address : 192.168.1.1/31
Route : 0.0.0.0/0 via 192.168.1.1 metric 0
Extended State : tunnel_up
IPSec Algo : AES_CBC_256_HMAC_SHA2_256_128
Ike Algo : AES_CBC_256HMAC_SHA2_256_128
Remote IP : 8.36.116.114
Local IP : 10.8.51.40
IkeNextRekey : 2021-03-06 01:31:07.399431042 +0000 UTC
IPsecLastRekeyed: 2021-03-05 09:01:02.793785216 +0000 UTC
IPsecNextRekey : 2021-03-05 16:32:13.793786856 +0000 UTC
Peer configured on service endpoint
Service endpoint name: NETSKOPE-IPSEC
Order of connection Try:
---------------------------------------------------------------------------------------
IP Address     | Hostname | Reachable | Latency | Last LivelinessFailed | Hold Time |
---------------------------------------------------------------------------------------
8.36.116.114   |          | Yes       | 5       |                       |           |
163.116.133.38 |          | Yes       | 53      |                       |           |
---------------------------------------------------------------------------------------
Liveliness probe status
---------------------------------------------------------------
Type : icmp
Ipv4 : 192.168.104.144
Status : true
Latency : 4
Last updated : 2021-03-05T01:49:27
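An added example, not from the guide: a Python parser for this `dump servicelink status` output and a health check over the fields that matter for the Netskope tunnel (admin and tunnel state, IKEv2, DPD, and a DH group Netskope supports). It assumes the device prints one `Key : value` field per line (the output above was run together by PDF extraction), and the sample is constructed from the values shown.

```python
import re

# Constructed sample in the "Key : value" layout of `dump servicelink status`
# (one field per line is this example's assumption about the real output).
# Values mirror the guide's example device.
SAMPLE_STATUS = """\
ServiceLink : sl1
Type : service_link (ipsec)
Admin State : up
Key Exchange : ikev2
IKE DH Group/Encryption/Hash : modp2048/aes256/sha256
ESP DH Group/Encryption/Hash : modp2048/aes256/sha256
DPD Enabled : yes
State : up
Extended State : tunnel_up
Remote IP : 8.36.116.114
"""

# Netskope-supported DH groups 14/15/16/18 (from the guide) as the MODP names
# the device prints, using the RFC 3526 group sizes.
SUPPORTED_MODP = {"modp2048", "modp3072", "modp4096", "modp8192"}

def parse_servicelink_status(text):
    """Split 'Key : value' lines into a dict; lines without a colon are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def check_tunnel(fields):
    """Return the list of findings; an empty list means the tunnel looks healthy."""
    findings = []
    if fields.get("Admin State") != "up":
        findings.append("tunnel is administratively down")
    if fields.get("State") != "up" or fields.get("Extended State") != "tunnel_up":
        findings.append(f"tunnel not up: {fields.get('Extended State', '?')}")
    if fields.get("Key Exchange") != "ikev2":
        findings.append("Key Exchange is not ikev2; Netskope requires IKEv2")
    if fields.get("DPD Enabled") != "yes":
        findings.append("DPD disabled; a dead peer will not be detected")
    for key in ("IKE DH Group/Encryption/Hash", "ESP DH Group/Encryption/Hash"):
        parts = fields.get(key, "").split("/")
        if len(parts) != 3 or parts[0] not in SUPPORTED_MODP:
            findings.append(f"{key}: unsupported or missing DH group")
    return findings
```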

Netskope Integraon Guide Version 1.0.0 19 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

Monitor Cybersecurity Events on the Netskope Portal


STEP 1 | Log in to the Security Admin portal.

Netskope Integraon Guide Version 1.0.0 20 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 2 | Configure security policies on the Policies tab.

Netskope Integraon Guide Version 1.0.0 21 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 3 | Go to the main dashboard and select Skope IT for granular security data.
The Sites tab shows URL analycs.

Netskope Integraon Guide Version 1.0.0 22 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 4 | Click the Network Events tab to show user information, application accessed, action taken
on this session and bytes transferred.

Netskope Integraon Guide Version 1.0.0 23 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

STEP 5 | Click on Alerts to see what policy was applied to a flow, what action was taken on it, and
whether malicious objects were detected in this flow.

Netskope Integraon Guide Version 1.0.0 24 ©2022 Palo Alto Networks, Inc.
Prisma SD-WAN Netskope Integraon

Netskope Integraon Guide Version 1.0.0 25 ©2022 Palo Alto Networks, Inc.

You might also like