HPE SSE
Configuration > Cloud Services > HPE SSE
HPE Aruba Networking SSE is a cloud security service. EdgeConnect traffic can be service chained to HPE SSE for additional security inspection. Orchestrator supports IPSec tunnel mode for HPE SSE.
IMPORTANT: By default, the maximum limit is 100 tunnels per HPE SSE tenant. If you want to increase the limit, you must contact HPE Aruba Networking support for assistance.
The following table describes the fields on the HPE SSE tab.
Field | Description |
---|---|
Appliance | Name of the appliance to connect to HPE SSE. |
Interface Label | Interface label for the interfaces you want to connect to HPE SSE. |
Location | Physical location of the appliance to connect to HPE SSE. |
HPE SSE POP IPs | These are the HPE SSE endpoints to which the tunnels connect. This field is populated with discovered Public Service Edges based on the appliance’s geographical location. |
HPE SSE Deployment Status | Status of the HPE SSE deployment (Creating, Pending, or Deployed). Deployed indicates successful deployment. |
Connection Status | Status of the HPE SSE connection based on tunnel and IP SLA statuses. |
Configure HPE SSE
Before you configure HPE SSE, you must create an HPE SSE account and have an HPE SSE tenant provisioned. Contact HPE Aruba Networking support for assistance with provisioning an HPE SSE tenant.
Subscription
- In Orchestrator, navigate to the HPE SSE tab (Configuration > Cloud Services > HPE SSE).
- Click Subscription.
  The Subscription dialog box opens. Leave the dialog box open, so you can paste your HPE SSE API token key in the API Token Key field.
- In a new browser tab, go to https://auth.axissecurity.com/ and log in to your HPE SSE account.
- From the Dashboard, click Settings and then click Admin API.
  The Admin API page opens.
- Click New API Token.
  The New API Token dialog box opens.
- Enter a Name for the new API token. The name should identify your Orchestrator.
- Under Token Permissions, select Read and Write.
- Under Token Scopes, select only Tunnels and Locations.
- Under Token Expiration, enter 12.
- Click Submit.
  The New API Token dialog box opens and displays the token you created.
- Copy the token.
- In Orchestrator on the Subscription dialog box, paste the token into the API Token Key field.
- In your HPE SSE account after you have copied the token, click OK.
- In Orchestrator, enter the appropriate information in the remaining fields on the Subscription dialog box to reflect your HPE SSE account.
  The following table describes the fields.

Field | Description |
---|---|
HPE SSE | Indicates whether you are connected to your HPE SSE account. |
API Token Name | Enter the name you assigned to the API token you created in your HPE SSE account. NOTE: The name should match exactly what you entered in the HPE SSE dashboard. |
API Token Key | Enter (paste) the API token you created in your HPE SSE account. This token is used to access the HPE SSE APIs. |
API Domain | The domain name of the HPE SSE APIs that are used in tunnel creation. Leave the default setting. |
Tunnel Identifier | A unique identifier for the tunnel that is used when building the tunnel IKE identifiers. Enter the domain name for your company. For example, arubanetworks.com. |
Location Suffix | A unique identifier for the Orchestrator instance. This is used to distinguish between different Orchestrators and facilitates using a single HPE SSE account for multiple Orchestrators. By default, this is the configured hostname for the Orchestrator. You can change this to be any string, but it should be entered in the format of a hostname (containing no spaces or special characters). |
Polling Interval | Indicates how often Orchestrator should check for configuration changes in HPE SSE. The default polling interval is ten minutes. |

- Click Save. The HPE SSE field should indicate Connected.
Interface Labels
Select the WAN interfaces you want to use for HPE SSE internet traffic. You can specify primary and backup interfaces as described below. If a primary interface is unavailable, Orchestrator will use a backup interface if specified. Optionally, you can specify secondary interfaces as well. In this case, the fallback order is primary, secondary, and then backup.
- On the HPE SSE tab, click Interface Labels.
  The Build HPE SSE Tunnels Using These Interfaces dialog box opens.
- Drag the interfaces you want to use from the right side of the dialog box to the Primary and Backup areas. The interfaces are grayed out until you move them into the areas.
- If you want to specify secondary interfaces, click Show Secondary to display the Secondary area, and then drag the appropriate interfaces to this area.
- Click Save.
WARNING: This is service affecting. Any changes to the interface selection can cause previously built tunnels to be deleted and rebuilt.
Tunnel Settings
The Tunnel Settings button opens the HPE SSE Tunnel Setting dialog box, enabling you to define the tunnels associated with HPE SSE and EdgeConnect. The Mode field on the General tab allows you to select IPSec as the tunnel protocol for the specified WAN interface label. Use HPE SSE defaults for tunnel settings defined by the system.
NOTE: You can configure General, IKE, and IPSec tunnel settings. Settings are automatically generated, but you can change them if you want to.
IP SLA
Configure IP SLA for HPE SSE tunnels. This configuration ensures tunnel connectivity and internet availability between HPE SSE and Orchestrator. If the tunnel cannot reach HPE SSE, the tunnel is considered DOWN.
IMPORTANT: You must configure a loopback interface and a unique LAN-side label (such as “LOOPBACK”) for the orchestrated loopback interface before you can set up IP SLA for HPE SSE tunnels. See Loopback Orchestration and Interface Labels for more information.
- On the HPE SSE tab, click IP SLA.
  The HPE SSE Configuration dialog box opens.
- If all fields are dimmed, click Enable IP SLA rule orchestration.
- Select an orchestrated loopback label from the Source Interface field.
- Accept the default values for the remaining fields and click Save.
  Orchestrator builds the tunnels.
Sub-Locations
Sub-locations are a mechanism to configure and deploy different security policies to different types of traffic, at scale. When configuring a sub-location, you specify a subnet range to which the sub-location applies. Orchestrator then creates a corresponding sub-location in HPE SSE using that subnet range, and EdgeConnect appliances automatically provision the sub-location names.
From HPE SSE, you can apply policy rules to sub-locations. The policy rules are applied to all appliances that are configured as part of a sub-location regardless of physical location.
- On the HPE SSE tab, click Sub-Locations.
  The HPE SSE Sub Locations dialog box appears.
- Click Add.
  The Sub-Location Match Criteria dialog box opens. Enter the appropriate information for the following fields.
- Enter a name for the sub-location in the Name field. This name will also be used for the corresponding sub-location in HPE SSE.
- In the Appliances field, do one of the following to specify appliances to which the sub-location applies:
  - Start typing in the field and select “any”.
  - Enter “group” and select the name of an appliance group from the list.
  - To specify the appliances currently selected in the appliance tree, click Use Tree Selection. The appliance names appear beneath the Appliances field.
- In the Internal IPs field, do one of the following to specify the subnet range for the sub-location:
  - Enter the name of a configured LAN label, firewall zone, or address group.
  - Enter an IP address or IP address range and click +Add.
- Click Save.
  The Sub-Location Match Criteria dialog box closes.
- Click Save.
HPE SSE POP Override
You can override the automatically selected endpoints for specific sites. You have the option to add this exception to one or more sites within your network.
- On the HPE SSE tab, click HPE SSE POP Override.
  The HPE SSE POP Override dialog box opens.
- Enter the appliance name, the interface label, and the primary and secondary FQDNs or IP addresses. Orchestrator will build tunnels to those endpoints.

Field | Description |
---|---|
Appliance | Appliance for which to override HPE SSE endpoints. |
Interface Label | Interface label from which tunnels are built. |
Primary FQDN or IP | FQDN or IP address of the primary HPE SSE endpoint. |
Secondary FQDN or IP | FQDN or IP address of the secondary HPE SSE endpoint. |

- Click Save.
HPE SSE Association
The final step to configure the integration in Orchestrator is to associate EdgeConnect appliances to HPE SSE.
- In the Orchestrator appliance tree, select one or more appliances to associate with HPE SSE.
- On the HPE SSE tab, click HPE SSE Association.
  The HPE SSE Appliance Association dialog box opens.
- In the table, select one or more appliances you want to associate with HPE SSE, and then select the Add check box.
  Select the Remove check box to remove HPE SSE association from selected appliances in the table.
- Verify the changes, and then click Save.
Pause Orchestration
When troubleshooting, you can click Pause Orchestration and then click Save to pause orchestration. To restart, click Resume Orchestration.
Using HPE SSE for Breakout Traffic
Finally, you need to select the HPE SSE service in at least one Business Intent Overlay Breakout Traffic Policy to steer traffic to it.
- Navigate to the Business Intent Overlays tab in Orchestrator (Configuration > Overlays & Security > Business Intent Overlays).
- Click the overlay that breaks out traffic to HPE SSE.
  The Overlay Configuration dialog box opens.
- Click the Breakout Traffic to Internet & Cloud Services tab.
- Drag HPE SSE Cloud from the Available Policies column to the Preferred Policy Order column.
Verify HPE SSE Deployment
After HPE SSE is configured, deployment begins automatically. Navigate to the HPE SSE tab to verify successful deployment. The HPE SSE Deployment Status column should have a green status of Deployed, and the Connection Status column should have a green status of Up. The Connection Status column indicates the status of the HPE SSE connection based on tunnel and IP SLA statuses.
NOTE: HPE SSE is deployed and orchestrated for an appliance based on the HPE SSE Appliance Association dialog box. Business Intent Overlays (BIOs) are used to configure breakout internet policies to HPE SSE. This is used for automatic load distribution and failover.
You can also verify that your HPE SSE tunnels have been successfully deployed on the Tunnels tab. The Passthrough Tunnel column should list your HPE SSE tunnels, and the Status column should have a green status of up – active.
You can view the Audit Log to check for orchestration errors. Navigate to Orchestrator > Audit Logs and enter hpesse in the search field above the table.