Palo Alto Prisma Access Integration for SASE Health (BETA)

You can integrate a Palo Alto Prisma Access account with Juniper Mist™ WAN Assurance for single-pane-of-glass troubleshooting directly from the Mist portal.

You can integrate a Palo Alto Prisma Access account with Juniper Mist™ WAN Assurance to get a single-pane-of-glass view for troubleshooting and debugging. This integration enables you to view Prisma Access events and tunnel statistics in real-time directly from the Mist portal, so you don't have to navigate between platforms while troubleshooting.

Palo Alto Prisma Access is a cloud-based security platform that ensures secure and fast access to applications and data for users regardless of their location. If you use both Prisma Access and Mist WAN Assurance, an IPsec tunnel is used for end-to-end communication between the two. For example, if standalone WAN Edge devices need to reach specific applications, they can do so securely through the IPsec tunnel between the devices and the Prisma cloud.

Mist automatically provisions these IPsec tunnels, which significantly reduces the manual configuration you must do and also reduces the risk of human error. Because of this automatic tunnel provisioning, you do not need to configure both sides: the configuration you do in Mist is replicated in Strata Cloud Manager.

This integration delivers critical insights in real-time for your WAN Edge devices, Prisma Access, and applications. You can use these insights to quickly and efficiently diagnose and resolve site issues.

Figure 1: Traffic Inspection by Juniper Secure Edge

Benefits and Requirements

Table 1: Benefits and Requirements
Benefits
  • For Juniper Mist™ WAN Assurance customers:
    • No additional cost required
    • No additional subscription required
    • Minimal configuration required for automatic IPsec tunnel provisioning

    • The IPsec tunnel configuration in Mist is automatically replicated in the Strata Cloud Manager

  • Single-pane-of-glass for troubleshooting:
    • View alerts generated by Prisma Access
    • View tunnel statistics
    • Root cause analysis
  • Marvis Insights into network health
Requirements
  • Juniper Mist™ SD-WAN devices
  • Juniper Mist™ WAN Assurance subscription
  • Palo Alto Prisma Access managed by Strata Cloud Manager (SCM)
  • Palo Alto Prisma Access license
  • API Keys generated from Palo Alto

To integrate a Prisma Access account with Mist WAN Assurance, you must complete the following steps.

Configure User Access Role in the Prisma Strata Cloud Manager and Obtain Credentials for Mist

To control access to your applications and services, configure a user Access Role in Prisma. You'll set up the role through the Strata Cloud Manager. Then store the user credentials so that they can be entered into the Juniper Mist portal for account linking.

  1. In the Strata Cloud Manager, navigate to Identity & Access.
    For help, see the Identity and Access help topics in your Strata Cloud documentation on paloaltonetworks.com.
  2. Add a new identity as described in the Strata Cloud documentation.
  3. When the client credentials are displayed on the screen, copy the following values and store this information somewhere safe:
    • Client ID

    • Client Secret

    • TSG-ID—The Tenant/Service Group ID (TSG-ID) is the series of numbers directly after the @ symbol in the Client ID. You can also view the TSG-ID in the left-hand panel of the Strata Cloud Manager.

      Refer to the following example, but consult your Strata Cloud documentation for the latest information.

      Configuration screen for adding a new identity in Juniper. Displays Client ID Mist-Integration with numeric ID 1785313269 and domain iam.panserviceaccount.com. Client Secret field is hidden and cannot be copied after saving. Includes Download CSV File button, navigation tabs for Identity Information, Client Credentials, Assign Roles, and action buttons Remove, Back, Next. Highlights TSG-ID with arrow pointing to numeric ID.

    Later, you'll enter these values in the Mist portal to link a Prisma Access account.
  4. In Strata Cloud, assign a predefined role with the following information:
    • Apps & Services—Select Prisma Access & NGFW Configuration.

    • Role—Select Network Administrator.

      Note: The Network Administrator role is the minimum required access role to enable the link between Mist and Prisma APIs. With this role, Mist can access Prisma APIs for IPsec tunnel orchestration and can provide visibility into tunnel status, alerts, and incident notifications. If this role is not assigned, you must use the two separate dashboards (the Mist portal for Mist SD-WAN device troubleshooting and the Strata Cloud Manager for Prisma tunnel troubleshooting).

      Refer to the following example, but consult your Strata Cloud documentation for the latest information.

      Add New Identity interface showing Assign Roles section. Roles are being assigned for Apps and Services. Selected role is Network Administrator for Prisma Access and NGFW Configuration. Buttons for Back and Submit are at the bottom right.
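The three values copied in step 3 must agree with each other before they are pasted into the Mist portal: the TSG-ID is embedded in the Client ID, and the Client Secret cannot be read back from Strata Cloud Manager once the identity is saved. The following added example (not part of the Juniper or Palo Alto documentation) extracts the TSG-ID from a Client ID and flags inconsistencies. The sample values are constructed from the screenshot description above (client "Mist-Integration", numeric ID 1785313269, domain iam.panserviceaccount.com); the exact `name@<digits>.<domain>` layout is an assumption drawn from that description, and the secret is a placeholder.

```python
import re

# Constructed sample values, modelled on the screenshot described above.
# The "name@<digits>.<domain>" layout is an assumption; the secret is a placeholder.
SAMPLE_CLIENT_ID = "Mist-Integration@1785313269.iam.panserviceaccount.com"
SAMPLE_TSG_ID = "1785313269"
SAMPLE_SECRET = "placeholder-secret-value"

# The TSG-ID is the run of digits immediately after '@'; whatever follows the
# digits (a dot and the service-account domain) is not part of it.
_CLIENT_ID_RE = re.compile(r"^[^@\s]+@(\d+)(?:\.[\w.-]+)?$")


def tsg_id_from_client_id(client_id: str) -> str:
    """Extract the TSG-ID embedded in a Client ID, or raise ValueError."""
    match = _CLIENT_ID_RE.match(client_id.strip())
    if match is None:
        raise ValueError(
            "Client ID does not look like name@<TSG-ID>.<domain>: " + repr(client_id)
        )
    return match.group(1)


def check_credentials(client_id: str, client_secret: str, tsg_id: str) -> list:
    """Return a list of problems (empty when the three values are consistent)."""
    problems = []
    tsg_id = tsg_id.strip()
    if not tsg_id.isdigit():
        problems.append("TSG-ID must be numeric")
    try:
        embedded = tsg_id_from_client_id(client_id)
    except ValueError as exc:
        problems.append(str(exc))
    else:
        if tsg_id.isdigit() and embedded != tsg_id:
            problems.append(
                f"TSG-ID {tsg_id} does not match the one embedded in the Client ID ({embedded})"
            )
    # SCM hides the secret once the identity is saved, so a blank or
    # whitespace-padded value cannot be corrected later by re-reading it.
    if not client_secret or client_secret != client_secret.strip():
        problems.append("Client Secret is empty or has leading/trailing whitespace")
    return problems


if __name__ == "__main__":
    print(tsg_id_from_client_id(SAMPLE_CLIENT_ID))
    print(check_credentials(SAMPLE_CLIENT_ID, SAMPLE_SECRET, SAMPLE_TSG_ID))
    print(check_credentials(SAMPLE_CLIENT_ID, " " + SAMPLE_SECRET, "1785313268"))
```

Run the check on the values you copied before clicking Save in the Mist portal; an empty list means the Client ID, TSG-ID, and secret are at least mutually consistent, which rules out the most common copy-and-paste mistakes behind the "incorrect or expired credentials" error described later.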

Add Prisma Access Account as a Secure Edge Connector

Follow these steps to add the Prisma Access account to your Mist Organization.
  1. From the left menu of the Juniper Mist portal, select Organization > Admin > Settings.
  2. In the Secure WAN Edge Integration section, click Add Credentials.
  3. Enter the credentials you copied from the Prisma Strata Cloud Manager.
    1. Provider—Select Prisma Access.
    2. Add the Service Account Identity Address, Client Secret, and TSG-ID.
    3. Select the I Agree check box to consent to the terms.
    4. Add the Tunnel Probe Source IP Address Range—A randomly selected IP address from the specified range is used as the source for a probe that runs within the tunnel to measure key performance indicators (KPIs). Ensure that the addresses in this range are whitelisted in Prisma Access so that the probe can pass through successfully.
    5. Click Save.

      Configuration interface to integrate with a network provider, showing fields for provider selection, account credentials, and consent to grant Juniper access for insights. Save and Cancel options available. Selected provider: Prisma Access Beta.

      Note:

      If any of the credentials you entered are incorrect or expired, you will receive an error message and will not be able to save the settings.

      The Prisma Access Provider and Username are then listed in the Secure WAN Edge Integration tile.

Auto Provision IPsec Tunnels

Mist's automatic Prisma tunnel provisioning requires minimal configuration. You only need to configure the tunnel in Mist; that configuration is replicated in the Strata Cloud Manager automatically.

Most of the configuration is set for you automatically. To configure a tunnel, you only need to enter a name, a provider, and a WAN interface. Fields that are configured automatically include Region, which Mist derives from your Prisma tenant information, and Data Center, for which Mist selects the geographically closest Point of Presence (POP) to your service connection. You can set these fields to other values if necessary.

Note: Advanced users can manually override any of the configuration elements used for automatic tunnel creation.
  1. Navigate to the WAN Edge template (Organization > WAN Edge Templates). In the SECURE EDGE CONNECTOR AUTO PROVISION SETTINGS tile, select the Prisma Access Account you just created.

    Secure Edge Connector Auto Provision Settings interface with dropdown for selecting Prisma Access Account labeled BETA and information icon for details.

  2. Configure an IPsec tunnel from the WAN Edge device to the Prisma Access cloud. To do this, you must first add a Provider.
    1. From the Secure Edge Connectors tile in the WAN Edge Template, select the Add Providers button.
    2. In the Add Provider window, enter the following information necessary for provisioning the tunnel:
      1. Name—Enter the name of the service.
      2. Provider—Select Prisma Access.
      3. Remote Networks—Select an existing network or create a new one.
      4. Probe IPs—Enter the destination probe IP address. You can use any well-known IP address (for example, 8.8.8.8). Probes measure jitter, latency, and round-trip time across the tunnel to Prisma, and the results are used to construct the Peer Path Statistics displayed on the WAN Edge Insights page.
      5. WAN Interfaces—Assign WAN interfaces for provisioning of primary and secondary tunnels. You can add multiple WAN interfaces, and the first interface in the list has priority. If the first interface is down, then the second interface is used to establish the tunnel.

      In the OVERRIDE AUTO PROVISION OPTIONS section, default parameters are automatically configured for you as part of this automatic Provider configuration process. Use the fields in this section if you need to change any of the parameters that would otherwise be automatically chosen for you:

      • Region—This indicates the geographic region for the Secure Edge instance. When the default "Auto" is selected, the nearest Prisma cloud region is automatically chosen for you.

      • IKE v2 Proposals—The encryption and authentication settings used for the Internet Key Exchange (IKE) security association are set for you automatically, but you can change them if needed.

      • DH Group—The Diffie-Hellman group, which determines the size of the keys used in the IKE negotiation that establishes the tunnel, is set for you automatically, but you can change it if needed.

      • IPsec Proposals—The encryption and authentication settings to be used for IPsec tunnels are automatically set for you, but you can change them if needed.

      • Data Center—This is set to "none" by default, which means that, as part of automatic provisioning, Mist selects the nearest point of presence (POP) for you. You can specify a particular data center instead if needed.

    3. Finally, select Add.
      Your Prisma Access provider is now listed in the Secure Edge Connectors tile.
    Note:

    The provider information you configured is automatically carried over to Prisma once the WAN Edge template is updated, so there is no need for manual configuration on the Prisma side. This is possible due to the account linking step.

    In addition to configuring a provider, you must also complete the steps below to set up an IPsec tunnel.

Configure Traffic Steering and Application Policies

  1. Navigate to the WAN Edge template (Organization > WAN > WAN Edge Templates).
  2. Scroll down to the Traffic Steering section and click Add Traffic Steering.
    Later, you'll add this traffic steering profile to an application policy to specify the path traffic can take to the destination.
    1. Enter the details for the traffic-steering path:
      • Name—Enter a name for the traffic-steering profile.
      • Strategy—Select a strategy. You can configure the traffic steering profile with any strategy (Ordered, Weighted, or ECMP), based on your topology and configuration.
      • PATHS—Click Add Paths and enter the following details.
        1. Type—Select Secure Edge Connector.
        2. Provider—Select Custom.
        3. Name—Select the Prisma Provider's name you created in step 2.
    2. Select the blue check mark to save the changes.
    3. Select Add.

      Configuration interface for adding traffic steering in a network management system with fields for rule name, strategy selection, path configuration, and buttons to add or cancel.

  3. Next, scroll down to the APPLICATION POLICIES tile on the WAN Edge Template and click Add Application Policy. An application policy defines the networks and users that can access an application and which path traffic takes to the destination.
    1. Give your application policy a name.
    2. Network/User—This is the LAN user that needs secure access to applications through the Prisma cloud.
    3. Action—Select an action of Allow for the traffic.
    4. Application/Destination—Select the applications that you want the Network/User to have access to.
    5. Traffic Steering—Select the traffic steering profile you created in step 3. This specifies the path that traffic is allowed to take to reach its destination.

    For more information about how to create Application Policies, see Configure Application Policies.

Tunnel Verification:

The IPsec configuration is pushed to any WAN Edge devices that belong to a site that has the template assigned, and a tunnel from the device to the closest Prisma cloud is brought up. To see the IPsec status, select WAN Edges > WAN Edges from the left menu, then click the WAN Edge device, and finally, click WAN Edge Insights.

You can verify the established tunnel's details on the WAN Edge Insights page of the device once the WAN Edge Tunnel Auto Provision Succeeded event appears under WAN Edge Events.

WAN monitoring dashboard for SRX320New under CTC-PROD-20 system showing data usage graph, timestamps, 48 events categorized as 33 Good, 0 Neutral, 11 Bad, and highlighted event at 2:58:04 PM August 11 2025 indicating successful tunnel update for Prisma_WAN1.

Prisma Events

You can view any WAN Edge Events including Prisma Access events under WAN Edge Events on the WAN Edge Insights page for the device that has the IPsec tunnel configured to the Prisma Access cloud.
Note: You must reach out to your account team in order to enable Prisma Access events. These events are disabled by default due to a notification profile issue at Prisma Access.
  • Juniper Mist supports the following Prisma Access Events:

    Remote Networks:

    • Prisma RN ECMP BGP Down

    • Prisma RN ECMP BGP Flap

    • Prisma RN ECMP Proxy Tunnel Down

    • Prisma RN ECMP Proxy Tunnel Flap

    • Prisma RN Primary WAN BGP Down

    • Prisma RN Primary WAN BGP Flap

    • Prisma RN Primary WAN BGP Up

    • Prisma RN Primary WAN Proxy Tunnel Down

    • Prisma RN Primary WAN Proxy Tunnel Flap

    • Prisma RN Primary WAN Tunnel Down

    • Prisma RN Primary WAN Tunnel Flap

    • Prisma RN Primary WAN Tunnel Up

    • Prisma RN Secondary WAN BGP Down

    • Prisma RN Secondary WAN BGP Flap

    • Prisma RN Secondary WAN BGP Up

    • Prisma RN Secondary WAN Proxy Tunnel Down

    • Prisma RN Secondary WAN Proxy Tunnel Flap

    • Prisma RN Secondary WAN Tunnel Down

    • Prisma RN Secondary WAN Tunnel Flap

    • Prisma RN Secondary WAN Tunnel Up

    Service Connection:

    • Prisma Service Connection Primary WAN BGP Down

    • Prisma Service Connection Primary WAN BGP Flap

    • Prisma Service Connection Primary WAN Proxy Tunnel Down

    • Prisma Service Connection Primary WAN Proxy Tunnel Flap

    • Prisma Service Connection Primary WAN Tunnel Down

    • Prisma Service Connection Primary WAN Tunnel Flap

    • Prisma Service Connection Secondary WAN Proxy Tunnel Down

    • Prisma Service Connection Secondary WAN Proxy Tunnel Flap

    • Prisma Service Connection Secondary WAN Tunnel Down

    • Prisma Service Connection Secondary WAN Tunnel Flap

    • Prisma Service Connection WAN BGP Down

    • Prisma Service Connection WAN BGP Flap

    Note:

    A Prisma Access icon displays next to any Prisma Access events received from Strata Cloud Manager. The information in the Prisma Access event comes directly from Strata Cloud Manager.

    • When you select a Prisma Access event, you have the View Prisma SCM Incidents button available to you. Select the button if you need to see more details about the Prisma incident from Prisma SCM.

      Network monitoring dashboard showing WAN edge events for device US_Prod_3, including a traffic graph with spikes, 13 events categorized as 5 good, 1 neutral, and 7 bad, and configuration issues like Prisma IKE and IPSEC mismatches.
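Every Prisma Access event name in the list above follows the same pattern: "Prisma", then the scope (RN or Service Connection), the path (ECMP, Primary WAN, Secondary WAN, or WAN), the component (Tunnel, Proxy Tunnel, or BGP), and the state (Down, Flap, or Up). That regularity makes the events easy to process outside the portal, for example when an export of WAN Edge Events is fed to a ticketing or alerting system. The following added example (not Juniper Mist code; the good/bad bucketing is our own and is not how the Insights page classifies events) parses the names into fields, counts them, and reports which tunnel paths are suffering Down or Flap events. The sample event list is constructed; the Prisma names in it come from the list above, and the final Mist event is included to show how non-Prisma names are handled.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample: event names as they might appear in a WAN Edge Events
# export. Prisma names are from the supported list; the last entry is a Mist
# event, included to show how unrecognised names are handled.
SAMPLE_EVENTS = [
    "Prisma RN Primary WAN Tunnel Down",
    "Prisma RN Primary WAN Tunnel Up",
    "Prisma RN ECMP BGP Flap",
    "Prisma RN ECMP BGP Flap",
    "Prisma Service Connection Secondary WAN Proxy Tunnel Flap",
    "Prisma Service Connection WAN BGP Down",
    "WAN Edge Tunnel Auto Provision Succeeded",
]

# Pattern shared by every supported Prisma event name:
#   "Prisma" <scope> <path> <component> <state>
# Longer alternatives are listed first so "Proxy Tunnel" is not read as "Tunnel".
_EVENT_RE = re.compile(
    r"^Prisma (?P<scope>RN|Service Connection) "
    r"(?P<path>ECMP|Primary WAN|Secondary WAN|WAN) "
    r"(?P<component>Proxy Tunnel|Tunnel|BGP) "
    r"(?P<state>Down|Flap|Up)$"
)


@dataclass(frozen=True)
class PrismaEvent:
    scope: str      # "RN" (remote network) or "Service Connection"
    path: str       # "ECMP", "Primary WAN", "Secondary WAN" or "WAN"
    component: str  # "Tunnel", "Proxy Tunnel" or "BGP"
    state: str      # "Down", "Flap" or "Up"


def parse_event(name: str):
    """Return a PrismaEvent for a recognised Prisma event name, else None."""
    match = _EVENT_RE.match(name.strip())
    return PrismaEvent(**match.groupdict()) if match else None


def severity(name: str) -> str:
    """Our own bucketing (not Mist's): Up is good, Down/Flap bad, others unclassified."""
    event = parse_event(name)
    if event is None:
        return "unclassified"
    return "good" if event.state == "Up" else "bad"


def summarize(names) -> dict:
    """Count events per bucket, e.g. {'good': 1, 'bad': 5, 'unclassified': 1}."""
    return dict(Counter(severity(n) for n in names))


def impacted_paths(names) -> dict:
    """Map (scope, path) -> number of Down/Flap events, to show which path is affected."""
    counts = defaultdict(int)
    for n in names:
        event = parse_event(n)
        if event is not None and event.state in ("Down", "Flap"):
            counts[(event.scope, event.path)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(summarize(SAMPLE_EVENTS))
    for key, n in sorted(impacted_paths(SAMPLE_EVENTS).items()):
        print(f"{key[0]} / {key[1]}: {n} Down/Flap event(s)")
```

Repeated Flap events on one (scope, path) pair, as the ECMP BGP path shows in the sample, are the cases where the View Prisma SCM Incidents button described above is worth following up, since the event payload itself comes straight from Strata Cloud Manager.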

Configuration Mismatch

Marvis constantly compares the site configuration in Mist to the configuration in Prisma. If any deviations are detected, a Prisma Access event is generated and appears in the WAN Edge Events.

WAN edge network monitoring interface for vSRX-Spoke-SAAS1 showing a traffic graph with port errors at 3 PM, events like Prisma IPSEC config mismatch and certificate regeneration, event details including remote network name AUSSIE_POP_RN1 and tunnel name AUS_TUN1, and filter options for event type and port.

Configuration Difference Alerts:

  • Prisma IKE Config Mismatch

  • Prisma IPsec Config Mismatch
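What Marvis compares, in terms of the tunnel parameters described under the Override Auto Provision Options earlier (IKE v2 proposals, DH group, IPsec proposals), can be illustrated with a small comparison of the same tunnel as seen from the Mist side and from the Prisma side. The following added example is not Juniper's implementation of Marvis; it shows the shape of such a check and emits events named like the two alerts above. The remote network and tunnel names are taken from the screenshot description in this section; the proposal values and the idea that an administrator edited the IKE proposal by hand in Strata Cloud Manager are constructed, and the grouping of the DH group under the IKE mismatch follows from the DH group being negotiated in IKE.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# (encryption algorithm, authentication/integrity algorithm); values are constructed
Proposal = Tuple[str, str]


@dataclass(frozen=True)
class TunnelConfig:
    remote_network: str
    tunnel_name: str
    ike_proposals: FrozenSet[Proposal]
    dh_group: int
    ipsec_proposals: FrozenSet[Proposal]


# Constructed sample: the tunnel as configured in the Mist WAN Edge template.
# Names come from the screenshot description above; algorithm values are examples,
# not Mist or Prisma defaults.
MIST_SIDE = TunnelConfig(
    remote_network="AUSSIE_POP_RN1",
    tunnel_name="AUS_TUN1",
    ike_proposals=frozenset({("aes-256-cbc", "sha256")}),
    dh_group=14,
    ipsec_proposals=frozenset({("aes-256-gcm", "none")}),
)

# The same tunnel as read back from the Prisma side after a hypothetical manual
# edit of the IKE proposal in Strata Cloud Manager.
PRISMA_SIDE_DRIFTED = TunnelConfig(
    remote_network="AUSSIE_POP_RN1",
    tunnel_name="AUS_TUN1",
    ike_proposals=frozenset({("aes-128-cbc", "sha1")}),
    dh_group=14,
    ipsec_proposals=frozenset({("aes-256-gcm", "none")}),
)


def compare_tunnel_config(mist: TunnelConfig, prisma: TunnelConfig) -> List[dict]:
    """Return one event per mismatch, named like the configuration difference alerts."""
    if (mist.remote_network, mist.tunnel_name) != (prisma.remote_network, prisma.tunnel_name):
        raise ValueError("compare the same remote network and tunnel on both sides")
    events = []
    # The DH group is negotiated as part of IKE, so it is reported with the IKE settings.
    if mist.ike_proposals != prisma.ike_proposals or mist.dh_group != prisma.dh_group:
        events.append({
            "event": "Prisma IKE Config Mismatch",
            "remote_network": mist.remote_network,
            "tunnel": mist.tunnel_name,
            "mist": {"ike_proposals": sorted(mist.ike_proposals), "dh_group": mist.dh_group},
            "prisma": {"ike_proposals": sorted(prisma.ike_proposals), "dh_group": prisma.dh_group},
        })
    if mist.ipsec_proposals != prisma.ipsec_proposals:
        events.append({
            "event": "Prisma IPsec Config Mismatch",
            "remote_network": mist.remote_network,
            "tunnel": mist.tunnel_name,
            "mist": {"ipsec_proposals": sorted(mist.ipsec_proposals)},
            "prisma": {"ipsec_proposals": sorted(prisma.ipsec_proposals)},
        })
    return events


if __name__ == "__main__":
    for event in compare_tunnel_config(MIST_SIDE, PRISMA_SIDE_DRIFTED):
        print(event["event"], event["remote_network"], event["tunnel"])
        print("  Mist:  ", event["mist"])
        print("  Prisma:", event["prisma"])
```

Carrying both sides' values in the event is the point: a mismatch alert that only names the tunnel sends you back to two dashboards, while one that shows the differing proposal tells you directly which side to correct (in this integration, the Mist template is the source of truth, since its configuration is replicated to Prisma).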

Tunnel Statistics

You can view the Prisma tunnel statistics for both Session Smart Routers (SSRs) and SRX Series Firewalls under Peer Path Stats on the WAN Edge Insights page.

Tunnel statistics use intelligent probing to a northbound resource to generate near-real-time key performance indicators (KPIs), so you can see the customer's experience as they access an application through the tunnel in near-real time.

Note: Make sure you have the appropriate Probe IP and Source IP addresses configured in the provider configuration to ensure that data populates the chart.

When you hover over the Peer Path Stats chart, the string that is displayed identifies the path. Read it as follows:

egress device interface <--> Prisma tunnel name.

Network performance monitoring dashboard showing traffic overview, WAN edge events, latency, loss, and jitter graphs for multiple network paths. Highlights include 0 percent packet loss across all paths.