Palo Alto Prisma Access Integration for SASE Health (BETA)

You can integrate a Palo Alto Prisma Access account with Juniper Mist™ WAN Assurance for single-pane-of-glass troubleshooting directly from the Mist portal.

You can integrate a Palo Alto Prisma Access account with Juniper Mist™ WAN Assurance to get a single-pane-of-glass view for troubleshooting and debugging. This integration enables you to view Prisma Access events and tunnel statistics in real-time directly from the Mist portal, so you don't have to navigate between platforms while troubleshooting.

Palo Alto Prisma Access is a cloud-based security platform that ensures secure and fast access to applications and data for users regardless of their location. If you use both Prisma Access and Mist WAN Assurance, an IPsec tunnel is used for end-to-end communication between the two. Standalone WAN Edge devices can use this tunnel to reach specific applications securely.

Mist automatically provisions these IPsec tunnels, which significantly reduces the amount of manual configuration required, as well as reduces the risk of human error. This automatic tunnel provisioning means that you do not need to configure on both sides, as the configuration you do in Mist is replicated in Strata Cloud Manager.

This integration delivers critical insights in real-time for your WAN Edge devices, Prisma Access, and applications. You can use these insights to quickly and efficiently diagnose and resolve site issues.

Figure 1: Traffic Inspection by Juniper Secure Edge

Benefits and Requirements

Table 1: Benefits and Requirements
Benefits
  • For Juniper Mist™ WAN Assurance customers:
    • No additional cost required
    • No additional subscription required
    • Minimal configuration required for automatic IPsec tunnel provisioning
    • The IPsec tunnel configuration in Mist is automatically replicated in the Strata Cloud Manager
  • Single-pane-of-glass for troubleshooting:
    • View alerts generated by Prisma Access
    • View tunnel statistics
    • Root cause analysis
  • Marvis Insights into network health
Requirements
  • Juniper Mist™ SD-WAN devices
  • Juniper Mist™ WAN Assurance subscription
  • Palo Alto Prisma Access managed by Strata Cloud Manager (SCM)
  • Palo Alto Prisma Access license
  • API Keys generated from Palo Alto

To integrate a Prisma Access account with Mist WAN Assurance, you must complete the following steps.

Configure User Access Role in the Prisma Strata Cloud Manager and Obtain Credentials for Mist

To control access to your applications and services, configure a user Access Role in Prisma. You'll set up the role through the Strata Cloud Manager. Then store the user credentials so that they can be entered into the Juniper Mist portal for account linking.

  1. In the Strata Cloud Manager, navigate to Identity & Access.
    For help, see the Identity & Access help topics in your Strata Cloud documentation on paloaltonetworks.com.
  2. Add a new identity as described in the Strata Cloud documentation.
    • Once you Add Identity and select Service Account as the identity type, the Client ID and Client Secret should be displayed in the credentials screen.
  3. When the client credentials are displayed on the screen, copy the following values and store this information somewhere safe:
    • Client ID

    • Client Secret

    • TSG-ID—The Tenant/Service Group ID (TSG-ID) is the series of numbers directly after the @ symbol in the Client ID. You can also view the TSG-ID in the left-hand panel of the Strata Cloud Manager.

      Refer to the following example, but consult your Strata Cloud documentation for the latest information.

      Configuration screen for adding a new identity in Juniper. Displays Client ID Mist-Integration with numeric ID 1785313269 and domain iam.panserviceaccount.com. Client Secret field is hidden and cannot be copied after saving. Includes Download CSV File button, navigation tabs for Identity Information, Client Credentials, Assign Roles, and action buttons Remove, Back, Next. Highlights TSG-ID with arrow pointing to numeric ID.

    Later, you'll enter these values in the Mist portal to link a Prisma Access account.
  4. In Strata Cloud, assign a predefined role with the following information:
    • Apps & Services—Select Prisma Access & NGFW Configuration.

    • Role—Select Network Administrator.

      Note: The Network Administrator role is the minimum required access role to enable the link between Mist and Prisma APIs. With this role, Mist can access Prisma APIs for IPsec tunnel orchestration and can provide visibility into tunnel status, alerts, and incident notifications. If this role is not assigned, you must use the two separate dashboards (the Mist portal for Mist WAN Edge device troubleshooting, and the Strata Cloud Manager for Prisma tunnel troubleshooting).

      Refer to the following example, but consult your Strata Cloud documentation for the latest information.

      Add New Identity interface showing Assign Roles section. Roles are being assigned for Apps and Services. Selected role is Network Administrator for Prisma Access and NGFW Configuration. Buttons for Back and Submit are at the bottom right.
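The TSG-ID extraction described in step 3, as an added Python example that is not part of this documentation or of the Mist or Strata Cloud Manager products. It parses a service-account client ID, checks that the value is well formed before it is typed into the Mist portal, and cross-checks the TSG-ID derived from the client ID against the one shown in the SCM left-hand panel. The client ID layout (name@TSG-ID.domain) and the sample value are assumptions built from the page's description and the screenshot text above; the secret value is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Client ID layout assumed from the page's description ("the TSG-ID is the
# series of numbers directly after the @ symbol"): <name>@<TSG-ID>.<domain>.
CLIENT_ID_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9._-]+)@(?P<tsg>\d+)\.(?P<domain>[A-Za-z0-9.-]+)$"
)

# Constructed sample, modelled on the values described in the screenshot text.
SAMPLE_CLIENT_ID = "Mist-Integration@1785313269.iam.panserviceaccount.com"


@dataclass(frozen=True)
class MistPrismaCredentials:
    """The three values the Mist 'Add Credentials' form asks for."""
    identity_address: str   # Service Account Identity Address (the client ID)
    client_secret: str
    tsg_id: str


def is_valid_client_id(client_id: str) -> bool:
    """True when the client ID has the assumed <name>@<TSG-ID>.<domain> layout."""
    return CLIENT_ID_RE.match(client_id.strip()) is not None


def tsg_id_from_client_id(client_id: str) -> str:
    """Return the TSG-ID embedded in a service-account client ID."""
    m = CLIENT_ID_RE.match(client_id.strip())
    if m is None:
        raise ValueError(f"client ID not in <name>@<TSG-ID>.<domain> form: {client_id!r}")
    return m.group("tsg")


def build_credentials(client_id: str, client_secret: str,
                      tsg_id_from_panel: Optional[str] = None) -> MistPrismaCredentials:
    """Assemble the values for the Mist form, rejecting obviously wrong input
    (the portal refuses to save incorrect or expired credentials anyway, but
    a local check catches copy/paste slips before the secret leaves the clipboard)."""
    tsg = tsg_id_from_client_id(client_id)
    if tsg_id_from_panel is not None and tsg_id_from_panel.strip() != tsg:
        raise ValueError("TSG-ID from the SCM panel does not match the one in the client ID")
    if not client_secret or client_secret != client_secret.strip():
        raise ValueError("client secret is empty or carries leading/trailing whitespace")
    return MistPrismaCredentials(client_id.strip(), client_secret, tsg)


if __name__ == "__main__":
    creds = build_credentials(SAMPLE_CLIENT_ID, "<client secret placeholder>", "1785313269")
    print(creds.identity_address, creds.tsg_id)
```

The whitespace check on the secret is deliberate: a trailing newline picked up when copying the secret from the SCM credentials screen is a common reason for the "incorrect or expired" error when saving the Mist settings.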

Add the Prisma Access Account as a Secure Edge Connector

Follow these steps to add the Prisma Access account to your Mist Organization.
  1. From the left menu of the Juniper Mist portal, select Organization > Admin > Settings.
  2. In the Secure WAN Edge Integration section, click Add Credentials.
  3. Enter the credentials you copied from the Prisma Strata Cloud Manager.
    1. Provider—Select Prisma Access.
    2. Add the Service Account Identity Address, Client Secret, and TSG-ID.
    3. Add the Tunnel Probe Source IP Address Range—A randomly selected IP address from the specified range will be used to run a probe within the tunnel to measure key performance indicators (KPIs). Ensure that this IP is whitelisted in Prisma Access to allow the probe to pass through successfully.
    4. Select the I Agree check box to consent to the terms.
    5. Click Save.

      Configuration interface to integrate with a network provider, showing fields for provider selection, account credentials, and consent to grant Juniper access for insights. Save and Cancel options available. Selected provider: Prisma Access Beta.

      Note:

      If any of the credentials you entered are incorrect or expired, you will receive an error message and will not be able to save the settings.

      The Prisma Access Provider and Username are then listed in the Secure WAN Edge Integration tile.

Auto Provision IPsec Tunnels

Mist's automatic Prisma tunnel provisioning requires very little configuration. You only need to configure the tunnel in Mist, and that configuration is replicated in the Strata Cloud Manager automatically.

Most aspects of the configuration are automatically set for you. All you have to do to configure your tunnel is enter a name, provider, and WAN interface. Some of the fields that are automatically configured for you include the Region, where Mist automatically finds your region for the tunnel based on your Prisma tenant information, and Data Center, where Mist automatically finds the closest geographically located Point of Presence (POP) to your service connection. However, you can configure these fields with other values if necessary.

Note: Advanced users can manually override any of the configuration elements used for automatic tunnel creation if needed.
  1. Navigate to the WAN Edge template (Organization > WAN Edge Templates). In the SECURE EDGE CONNECTOR AUTO PROVISION SETTINGS tile, select the Prisma Access Account you just created.

    Secure Edge Connector Auto Provision Settings interface with dropdown for selecting Prisma Access Account labeled BETA and information icon for details.

  2. Configure an IPsec tunnel from the WAN Edge device to the Prisma Access cloud. To do this, you must first add a Provider.
    1. From the Secure Edge Connectors tile in the WAN Edge Template, select the Add Provider button.
    2. In the Add Provider window, use Table 2 to guide you as you enter the following information for tunnel provisioning:
      Table 2: Add Provider Settings
      Name: Enter the name of the service.
      Provider: Select Prisma Access.
      Remote Networks: Select an existing network or create a new one.
      Probe IPs: Enter the destination probe IP address. You can use any well-known IP (example: 8.8.8.8). Probes are used to send information such as jitter, latency, and round-trip time to Prisma, and to construct the Probe Stats that display on the WAN Edge Insights page.
      WAN Interfaces: Assign WAN interfaces for provisioning of the primary and secondary tunnels. You can add multiple WAN interfaces; the first interface in the list has priority. If the first interface is down, the second interface is used to establish the tunnel.

      In the OVERRIDE AUTO PROVISION OPTIONS section, default parameters are automatically configured for you as part of this automatic Provider configuration process. Use the fields in this section if you need to change any of the parameters that would otherwise be automatically chosen for you:

      Table 3: Add Provider Settings - Override Auto Provision Options
      Region: The geographic region for the Secure Edge instance. When the default "Auto" is selected, the nearest Prisma cloud region is chosen for you automatically.
      IKE v2 Proposals: The encryption and authentication settings used for the Internet Key Exchange security association.
      DH Group: The Diffie-Hellman group, which determines the size of the keys used in the IKE negotiation to establish the tunnel.
      IPsec Proposals: The encryption and authentication settings used for the IPsec tunnels.
      Data Center: Set to "none" by default. As part of the automatic provisioning, Mist selects the location of the nearest point of presence (POP) for your application.

    3. Finally, select Add.
      Your Prisma Access provider is now listed in the Secure Edge Connectors section.
    Note:

    The provider information you configured is automatically carried over to Prisma once the WAN Edge template is updated, so there is no need for manual configuration on the Prisma side. This is possible due to the account linking step.

    In addition to configuring a provider, you must also complete the steps below to set up an IPsec tunnel.

Configure Traffic Steering and Application Policies

  1. Navigate to the WAN Edge template (Organization > WAN > WAN Edge Templates).
  2. Scroll down to the Traffic Steering section and click Add Traffic Steering.
    Later, you'll add this traffic steering profile to an application policy to specify the path traffic can take to the destination.
    1. Enter the details as described in Table 4 for the traffic-steering path:
      Table 4: Traffic Steering Settings
      Name: Enter a name for the traffic-steering profile.
      Strategy: Select a strategy. You can configure the traffic steering profile with any strategy (Ordered, Weighted, or ECMP), based on your topology and configuration.
      Paths: Click Add Paths and enter the following details.
        1. Type—Select Secure Edge Connector.
        2. Provider—Select Prisma Access.
        3. Name—Select the Prisma Provider's name you created in step 2.
    2. Select the blue check mark in the Add Paths title bar to save the changes.
    3. Select Add.

      Configuration interface for adding traffic steering in a network management system with fields for rule name, strategy selection, path configuration, and buttons to add or cancel.

      For more information about how to create Traffic Steering rules, see Traffic Steering Rules.

  3. Next, scroll down to the Application Policies section and click Add Application Policy. An application policy defines the networks and users that can access an application, as well as which path traffic can take to reach its destination.

    Enter the details as described in Table 5 for the application policy:

    Table 5: Application Policy Settings
    Name: Enter a name for the application policy.
    Network/User: The LAN user that needs secure access to applications through the Prisma cloud.
    Action: Select an action of Allow for the traffic.
    Application/Destination: Select the applications that you want the Network/User to have access to.
    Traffic Steering: Select the traffic steering profile you created in step 2. This specifies the path that traffic is allowed to take to reach its destination.

    For more information about how to create Application Policies, see Configure Application Policies.

Verify the Tunnel

The IPsec configuration is pushed to any WAN Edge devices that belong to a site that has the WAN Edge template assigned, and a tunnel from the device to the closest Prisma cloud is brought up.

To see the IPsec status, select WAN Edges > WAN Edges from the left menu, then click the WAN Edge device. Finally, click WAN Edge Insights.

You can verify the established tunnel's details on the WAN Edge Insights page of the device once the WAN Edge Tunnel Auto Provision Succeeded event appears under WAN Edge Events.

WAN monitoring dashboard for SRX320New under CTC-PROD-20 system showing data usage graph, timestamps, 48 events categorized as 33 Good, 0 Neutral, 11 Bad, and highlighted event at 2:58:04 PM August 11 2025 indicating successful tunnel update for Prisma_WAN1.

Prisma Access Events on the Mist Portal

You can view Prisma Access events on the Mist portal for the device that has the IPsec tunnel configured to the Prisma Access cloud. From the left menu, select WAN Edges > WAN Edges, then click the WAN Edge device. Finally, click WAN Edge Insights and scroll down to WAN Edge Events.
Note: You must reach out to your account team in order to enable Prisma Access events. These events are disabled by default due to a notification profile issue at Prisma Access.

Juniper Mist supports the following Prisma Access Events:

Table 6: Prisma Access Events by Type
Event Type: Remote Networks
  • Prisma RN ECMP BGP Down
  • Prisma RN ECMP BGP Flap
  • Prisma RN ECMP Proxy Tunnel Down
  • Prisma RN ECMP Proxy Tunnel Flap
  • Prisma RN Primary WAN BGP Down
  • Prisma RN Primary WAN BGP Flap
  • Prisma RN Primary WAN BGP Up
  • Prisma RN Primary WAN Proxy Tunnel Down
  • Prisma RN Primary WAN Proxy Tunnel Flap
  • Prisma RN Primary WAN Tunnel Down
  • Prisma RN Primary WAN Tunnel Flap
  • Prisma RN Primary WAN Tunnel Up
  • Prisma RN Secondary WAN BGP Down
  • Prisma RN Secondary WAN BGP Flap
  • Prisma RN Secondary WAN BGP Up
  • Prisma RN Secondary WAN Proxy Tunnel Down
  • Prisma RN Secondary WAN Proxy Tunnel Flap
  • Prisma RN Secondary WAN Tunnel Down
  • Prisma RN Secondary WAN Tunnel Flap
  • Prisma RN Secondary WAN Tunnel Up
Event Type: Service Connection
  • Prisma Service Connection Primary WAN BGP Down
  • Prisma Service Connection Primary WAN BGP Flap
  • Prisma Service Connection Primary WAN Proxy Tunnel Down
  • Prisma Service Connection Primary WAN Proxy Tunnel Flap
  • Prisma Service Connection Primary WAN Tunnel Down
  • Prisma Service Connection Primary WAN Tunnel Flap
  • Prisma Service Connection Secondary WAN Proxy Tunnel Down
  • Prisma Service Connection Secondary WAN Proxy Tunnel Flap
  • Prisma Service Connection Secondary WAN Tunnel Down
  • Prisma Service Connection Secondary WAN Tunnel Flap
  • Prisma Service Connection WAN BGP Down
  • Prisma Service Connection WAN BGP Flap
Note:

A Prisma Access icon displays next to any Prisma Access events received from Strata Cloud Manager. The information in the Prisma Access event comes directly from Strata Cloud Manager.

When you select a Prisma Access event, you have the View Prisma SCM Incidents button available to you. Select the button if you need to see more details about the Prisma incident from Prisma SCM.
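The event names in Table 6 all follow one pattern (Prisma, scope, path, object, state), which makes them easy to normalise when forwarding WAN Edge Events to a SIEM or on-call rota. The following Python example is added here and is not part of this documentation or of the Mist product: it parses the Table 6 names into their components, separates them from Mist-native events, and derives a remote-network tunnel outage verdict from an ordered event stream (both WAN tunnels last seen Down means no path is left, one Down means failover is carrying traffic). The severity mapping (Up good, Down and Flap bad) and the sample event stream are assumptions, not something the page defines.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Every event name in Table 6 has the shape "Prisma <scope> <path> <object> <state>".
EVENT_RE = re.compile(
    r"^Prisma (?P<scope>RN|Service Connection) "
    r"(?P<path>ECMP|Primary WAN|Secondary WAN|WAN) "
    r"(?P<obj>BGP|Proxy Tunnel|Tunnel) "
    r"(?P<state>Down|Up|Flap)$"
)

# Assumed severity mapping for alert routing; the page does not define one.
SEVERITY: Dict[str, str] = {"Up": "good", "Down": "bad", "Flap": "bad"}


@dataclass(frozen=True)
class PrismaEvent:
    scope: str  # "RN" (Remote Network) or "Service Connection"
    path: str   # ECMP, Primary WAN, Secondary WAN or WAN
    obj: str    # BGP, Proxy Tunnel or Tunnel
    state: str  # Down, Up or Flap

    @property
    def severity(self) -> str:
        return SEVERITY[self.state]


def is_prisma_access_event(name: str) -> bool:
    """True for the Strata Cloud Manager sourced names of Table 6, False for Mist-native events."""
    return EVENT_RE.match(name.strip()) is not None


def parse_event(name: str) -> PrismaEvent:
    m = EVENT_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a Prisma Access event name from Table 6: {name!r}")
    return PrismaEvent(m["scope"], m["path"], m["obj"], m["state"])


def severity_counts(names: Iterable[str]) -> Counter:
    """Count events per severity, mirroring the good/bad tallies on the Insights page."""
    return Counter(parse_event(n).severity for n in names)


def tunnel_outage(names: Iterable[str]) -> str:
    """Classify remote-network tunnel health from an ordered event stream:
    'full' when both the Primary and Secondary WAN tunnels were last seen Down,
    'partial' when only one was, 'none' otherwise. Later events override earlier ones."""
    last_state: Dict[str, str] = {}
    for n in names:
        e = parse_event(n)
        if e.scope == "RN" and e.obj == "Tunnel" and e.path in ("Primary WAN", "Secondary WAN"):
            last_state[e.path] = e.state
    down = [p for p, s in last_state.items() if s == "Down"]
    if len(down) == 2:
        return "full"
    return "partial" if down else "none"


# Constructed sample stream (not captured from a real tenant).
SAMPLE_EVENTS: List[str] = [
    "Prisma RN Primary WAN Tunnel Down",
    "Prisma RN Secondary WAN BGP Flap",
    "Prisma RN Primary WAN Tunnel Up",
]

if __name__ == "__main__":
    print(dict(severity_counts(SAMPLE_EVENTS)), tunnel_outage(SAMPLE_EVENTS))
```

Because `tunnel_outage` keeps only the latest state per path, a Down followed by an Up for the same tunnel (as in the sample) is reported as recovered rather than as an open outage.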

Network monitoring dashboard showing WAN Edge events for device US_Prod_3, including a traffic graph with spikes, 13 events categorized as 5 good, 1 neutral, and 7 bad, and configuration issues like Prisma IKE and IPSEC mismatches.

Configuration Mismatch

Marvis constantly compares the site configuration in Mist to the configuration in Prisma. If any deviations are detected, a Prisma Access event is generated and appears in the WAN Edge Events.

WAN Edge network monitoring interface for vSRX-Spoke-SAAS1 showing a traffic graph with port errors at 3 PM, events like Prisma IPSEC config mismatch and certificate regeneration, event details including remote network name AUSSIE_POP_RN1 and tunnel name AUS_TUN1, and filter options for event type and port.

Configuration Difference Alerts:

  • Prisma IKE Config Mismatch

  • Prisma IPsec Config Mismatch
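To illustrate what a configuration-difference check of this kind looks like, the following Python example is added here; it is not Marvis's own comparison logic, which the page does not describe, and not part of the Mist product. It compares the Table 3 parameters (IKE v2 proposals, DH group, IPsec proposals) as seen on the Mist side and on the Prisma side of one tunnel and emits a "Prisma IKE Config Mismatch" or "Prisma IPsec Config Mismatch" record for each family that differs, with both values attached so the operator can see which side drifted. Proposal lists are compared as sets, so a reordered but otherwise identical proposal list is not flagged. The sample configurations and proposal names are constructed; the tunnel name AUS_TUN1 is taken from the screenshot text above.

```python
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Iterable, List

IKE_MISMATCH = "Prisma IKE Config Mismatch"
IPSEC_MISMATCH = "Prisma IPsec Config Mismatch"


@dataclass(frozen=True)
class TunnelConfig:
    """Tunnel parameters from Override Auto Provision Options (Table 3),
    as read from one side (Mist or Prisma)."""
    ike_v2_proposals: FrozenSet[str]
    dh_group: int                 # IKE Diffie-Hellman group number
    ipsec_proposals: FrozenSet[str]

    @classmethod
    def from_lists(cls, ike: Iterable[str], dh_group: int, ipsec: Iterable[str]) -> "TunnelConfig":
        # Proposal lists are normalised to sets: the same proposals in a
        # different order are not a mismatch.
        return cls(frozenset(ike), int(dh_group), frozenset(ipsec))


def compare_tunnel_config(tunnel: str, mist: TunnelConfig, prisma: TunnelConfig) -> List[Dict[str, Any]]:
    """Return one mismatch record per parameter family whose values differ between the sides."""
    events: List[Dict[str, Any]] = []
    ike_diff: Dict[str, Any] = {}
    if mist.ike_v2_proposals != prisma.ike_v2_proposals:
        ike_diff["ike_v2_proposals"] = {"mist": sorted(mist.ike_v2_proposals),
                                        "prisma": sorted(prisma.ike_v2_proposals)}
    if mist.dh_group != prisma.dh_group:
        ike_diff["dh_group"] = {"mist": mist.dh_group, "prisma": prisma.dh_group}
    if ike_diff:
        events.append({"event": IKE_MISMATCH, "tunnel": tunnel, "diff": ike_diff})
    if mist.ipsec_proposals != prisma.ipsec_proposals:
        events.append({"event": IPSEC_MISMATCH, "tunnel": tunnel,
                       "diff": {"ipsec_proposals": {"mist": sorted(mist.ipsec_proposals),
                                                    "prisma": sorted(prisma.ipsec_proposals)}}})
    return events


# Constructed sample: Mist provisioned DH group 19 and the Prisma side was later
# hand-edited to group 14. Proposal names are illustrative placeholders, and the
# IKE proposal list is deliberately reordered on the Prisma side to show that
# ordering alone does not raise a mismatch.
MIST_SIDE = TunnelConfig.from_lists(["aes256-gcm/sha256", "aes128-gcm/sha256"], 19, ["aes256-gcm"])
PRISMA_SIDE = TunnelConfig.from_lists(["aes128-gcm/sha256", "aes256-gcm/sha256"], 14, ["aes256-gcm"])

if __name__ == "__main__":
    for ev in compare_tunnel_config("AUS_TUN1", MIST_SIDE, PRISMA_SIDE):
        print(ev)
```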

Tunnel Statistics

You can view the Prisma tunnel statistics for both Session Smart Routers (SSRs) and SRX Series Firewalls under Probe Stats on the WAN Edge Insights page.

Tunnel statistics use intelligent probing to a northbound resource and generate near-real-time key performance indicators (KPIs). You can see the customer's experience as they access an application through the tunnel in near real time.

Note: Make sure you have the appropriate Probe IP and Source IP addresses configured in the provider configuration to ensure that data populates the chart.

When you hover over the Probe Stats chart, the string that is displayed identifies the probe's path. Read the string as follows:

egress device interface <--> Prisma tunnel name.