Integration of Nile Access Service with Palo Alto Prisma SASE Provider
Overview

This document guides the integration of the Nile Access Service with the Palo Alto Networks Prisma SASE (Secure Access Service Edge) provider to enable seamless, secure connectivity and policy enforcement across campus and cloud environments.

With the increasing adoption of cloud-based SASE solutions, organizations require streamlined integration to protect infrastructure while simplifying network operations. Nile's integration with Palo Alto Prisma SASE automates the setup of secure IPsec tunnels and traffic source subnets, allowing customers to easily forward traffic from selected network segments to Prisma Access cloud nodes for comprehensive security enforcement.

By configuring this integration, customers can leverage Prisma SASE's advanced cloud-delivered security capabilities alongside Nile's zero-trust campus access service. This ensures consistent policy application, enhanced visibility, and resilient connectivity across users, devices, and applications.

Requirements

- Active subscriptions and administrative rights to Palo Alto Networks Prisma Access
- Administrative rights to the Nile Control Center
- Service account credentials with the Network Administrator and Security Administrator roles for All Apps & Services, for setting up the Prisma Access integration

Palo Alto Prisma Access Configuration

1. Log in to the Prisma Access administrative console: https://stratacloudmanager.paloaltonetworks.com/
2. Navigate to Settings > Identity & Access > Add Identity.
3. Choose the identity type Service Account, create a service account name, and click Next.
4. Save the Client ID and Client Secret for later use in the Nile Control Center.
5. Choose All Apps & Services and the roles Network Administrator & Security Administrator.

Nile Access Service Configuration

1. Log in to the Nile Control Center as an administrator.
2. Navigate to Settings > Global Settings > Integrations.
3. Click "+ Setup Integration". You should see the "SSE Integration" option; click on it. If you don't have access to the SSE Integration option, please reach out to Nile Support to ensure that the option is enabled for you.
4. On the Configuration Instance menu, enter the name of the integration and select Palo Alto Networks as the provider.
5. Fill in the Client ID field using the Palo Alto Networks service account Client ID obtained in the previous section.
6. Enter the Client Secret using the value saved in the previous section.
7. Fill in the Tenant Service Group ID using the numerical portion of the Client ID. For example, if the Client ID is soleng@1581964182.iam.panserviceaccount.com, the Tenant Service Group ID will be 1581964182.
8. Enter the domain. Note that there is no domain validation, so any domain can be used; you may use the preconfigured domain nilesecure.com.
9. Specify the desired bandwidth. The default is 500 Mbps, but you can adjust this if needed. This bandwidth represents the minimum allocation for a Prisma Access (compute) location where the remote network is onboarded, if not already allocated.
10. Click Test and wait for the test to complete.
11. Once the test completes successfully and the Save button is enabled, click Save. The configuration will then be available for use.

Note: At this point, no tunnels are set up. Tunnel setup is initiated when the first external rule is configured to forward a segment's traffic to the SSE. Please refer to the next section for setting up forwarding rules.

Configuration to Forward Traffic from Nile to Prisma Access

Once the SSE account credentials setup is complete, the admin user can create rules to forward traffic to Prisma Access.

1. Log in to the Nile portal as an administrator.
2. Go to "Global Settings" > "Access Engine".
3. Click on "Create Rule" > "Create External Rule".
4. Follow the workflow to set up the external rule: select the "Source Segment", then select the destination "All Internet Bound Traffic".
5. On the Action page, select the "Forward" action; the SSE instance will be preselected.
6. Choose whether to forward the traffic to the local upstream firewall in case of tunnel failure.
   Important: If this option is not enabled, traffic will be dropped in the event of tunnel failure and end users/devices may lose network connectivity.
7. Fill in the appropriate rule name.
8. Fill in the appropriate description.
9. Click Save.

Note: All provisioning of Prisma remote networks and tunnels is automated and may take up to 20 minutes if the remote network is not already created and available in a geo location.

Monitoring on Prisma Access

Once the Access Engine rule configurations are saved in the Nile Control Center, the Nile Access Service automatically creates the following constructs in Prisma Access.

Remote Network

A remote network is a resource instance created in Prisma Access to process network traffic and enforce policies in a geographic location close to the Nile NSB (Network Service Block) that is forwarding the traffic. Each remote network should have a name in the format <Nile site name> <random number>. You can view existing remote networks in the Prisma Access portal by navigating to Monitor > Branch Sites.

Address

The address instance represents an object corresponding to the subnet(s) belonging to the Nile segment from which traffic is being forwarded. Each address object should carry the tags "nile", "<Nile site name>", and "<segment name>". These tags help classify traffic and enable the creation of consistent policies. To access address objects in Prisma Access, navigate to Manage > Configuration > NGFW and Prisma Access > Objects > Addresses.

Users can also monitor traffic and the corresponding actions applied to it within Prisma. For this, navigate to "Incidents and Alerts" > "Log Viewer".

Monitoring on the Nile Control Center

Admins can check the integration logs using the Rule Logs present on the Access Engine page. Once the external rules are configured, go to "Settings" > "Global Settings" > "Access Engine" > "Rule Logs". Admins can also directly access rule logs filtered for a specific rule by clicking on the rule in the rule table, then selecting "View Rule Log" on the rule configuration page.

Troubleshooting

If tunnels are down, users can check the tunnel status in the Prisma Access monitoring section. This section provides real-time visibility into the health and connectivity of the IPsec tunnels established between the Nile Service Block and Prisma Access.

Administrators can also review rule logs directly from the Nile Control Center by accessing the external rules configuration. The rule logs show whether traffic from specific Nile segments is hitting the intended forwarding rules to Prisma Access. This helps verify that traffic is correctly routed and that policy enforcement is functioning as expected, regardless of tunnel status.

Recommendation for Traffic Management

Nile recommends using Dynamic Address Groups for accurate and consistent policy application. For this, the admin needs to create a Dynamic Address Group using the tags set on the Nile addresses. For example, if the administrator wants to apply a specific set of policies to "<segment name>" users, they can follow these recommended steps:

1. To access address groups in Prisma Access, navigate to Manage > Configuration > NGFW and Prisma Access > Objects > Address > Address Groups.
2. Create a Dynamic Address Group where the tags used to filter traffic are "nile secure" and "<segment name>".
3. Use the Dynamic Address Group in policies to apply policies as needed.

As Dynamic Address Groups are maintained automatically by the Prisma Access platform, when a new Nile site is deployed and the segment is extended to the new site, policy application will automatically extend to the new site's users/devices. The same holds for site/segment deletions.

Note: Changing segment names in the Nile Control Center is not recommended, as tag recreation is not supported while the tunnels are created and up.
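The Dynamic Address Group behaviour described above, modelled as an added Python example (not Nile or Prisma Access code). It assumes the three tags listed for address objects ("nile", the site name, the segment name), an AND-style match filter, and a constructed inventory of addresses; it shows the group growing when a segment reaches a new site, shrinking on site deletion, and matching nothing when the filter tag and the address tag diverge.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AddressObject:
    """One Prisma Access address object, as created by the Nile integration."""
    name: str
    cidr: str
    tags: frozenset

def nile_address(site: str, segment: str, cidr: str) -> AddressObject:
    # Constructed: mirrors the three tags the integration sets on each address
    # object ("nile", the Nile site name, the segment name).
    return AddressObject(f"{site}/{segment}", cidr, frozenset({"nile", site, segment}))

def dag_members(addresses, filter_tags):
    """CIDRs of every address carrying ALL filter_tags (an AND-style DAG match filter)."""
    wanted = frozenset(filter_tags)
    return sorted(a.cidr for a in addresses if wanted <= a.tags)

# Constructed inventory: segment "Guest" extended to two sites, "Corp" at HQ only.
ADDRESSES = [
    nile_address("HQ", "Guest", "10.10.0.0/24"),
    nile_address("HQ", "Corp", "10.20.0.0/24"),
    nile_address("Branch-1", "Guest", "10.30.0.0/24"),
]
GUEST_DAG = ("nile", "Guest")

def guest_now():
    return dag_members(ADDRESSES, GUEST_DAG)

def guest_after_new_site():
    # Extending "Guest" to a new site adds an address with the same tags, so the
    # DAG (and every policy using it) picks it up without any policy change.
    return dag_members(ADDRESSES + [nile_address("Branch-2", "Guest", "10.40.0.0/24")], GUEST_DAG)

def guest_after_site_deletion():
    # Deleting a site removes its address objects, and the DAG shrinks accordingly.
    return dag_members([a for a in ADDRESSES if not a.name.startswith("Branch-1/")], GUEST_DAG)

def guest_with_mismatched_tag():
    # If the tag on the addresses and the tag in the DAG filter diverge (the risk
    # behind the note on renaming segments), the DAG silently matches nothing.
    return dag_members(ADDRESSES, ("nile", "Guest-WiFi"))

if __name__ == "__main__":
    print(guest_now(), guest_after_new_site(), guest_after_site_deletion(), guest_with_mismatched_tag())
```

A policy bound to a group that has silently emptied still exists but applies to no traffic, which is why checking group membership in Objects > Address Groups is a useful step after any site or segment change.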