Aruba SD-WAN Solution Guide
Focus
Focus
Prisma Access

Aruba SD-WAN Solution Guide

Table of Contents

Aruba SD-WAN Solution Guide

Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
A common network architecture today is to tunnel traffic between an organization’s HQ and branches over either MPLS or dedicated encrypted VPN links. As more and more services are cloud-based, and more information is available on the internet, it makes less sense to tunnel traffic back to an aggregation point before routing it to its final destination.
Breaking out traffic locally from the branches (as opposed to an on-premises appliance) would allow traffic to reach its destination faster, and make a more efficient use of bandwidth. However, allowing traffic directly between devices in the branch and the internet may introduce security issues.
The integration between the Aruba Branch Gateways and Prisma Access makes it possible to set up a secure connection between the branch networks and one or several cloud-hosted enforcement points. The Aruba Branch gateway (BGW) can bring up secure tunnels to the Prisma Access firewall and redirect selected traffic flows through Prisma Access to provide advanced threat protection in an efficient and scalable way.
At the same time, the integration between ClearPass and Prisma Access enables sharing the user context with the firewall, facilitating the creation of role-centric security policy rules.
The integration between BGWs and Prisma Access consists on intelligently routing traffic through the nearest firewall node to use the breath of security features Palo Alto firewalls can provide. The combined solution can offer the following benefits:
  • Unified security management for campus and branch networks.
  • Context-aware security policy rules driven by ClearPass.
  • Intelligent routing of traffic based on user-role and application.

Reference Architectures Supported with the Aruba and Prisma Access Deployment

The SD-branch and Prisma Access integration supports the following deployment scenarios.

Branch Gateways to Prisma Access

Aruba BGWs can establish tunnels to one or several Prisma Access nodes (in different regions, as shown in the following figure) to secure user traffic going to public cloud services or to the internet, thus providing high availability. The solution allows for active/active cloud firewalls.

Regional Hub to Prisma Access

A common deployment type is one where branch traffic is aggregated at a local hub and then routed to the internet or to other corporate resources. This case is especially common when using private WAN networks. In such scenarios, Aruba VPNCs can set up tunnels to the nearest Prisma Access firewall to have branch traffic go through the distributed security service, as shown in the following figure.

Supported IKE and IPSec Cryptographic Profiles

The following table documents the IKE/IPSec crypto settings that are supported with Prisma Access and the Aruba SD-WAN. A check mark indicates that the profile or architecture type is supported; a dash (—) indicates that it's not supported. Default and Recommended settings are noted in the table.
For a list of cryptographic profiles that have been tested and validated, see Validated IKE and IPSec Cryptographic Profiles.
Crypto Profiles
Prisma Access
Aruba
Tunnel Type
IPSec Tunnel
GRE Tunnel
N/A
Routing
Static Routes
Dynamic Routing (BGP)
Dynamic Routing (OSPF)
IKE Versions
IKEv1
Not recommended
IKEv2
IPSec Phase 1 DH-Group
Group 1
Group 2
(Default)
Group 5
Group 14
Group 19
Group 20
(Recommended)
IPSec Phase 1 Auth
If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
MD5
SHA1
(Default)
(SHA196, 168)
SHA256
SHA384
SHA512
(Recommended)
IPSec Phase 1 Encryption
DES
3DES
(Default)
AES-128-CBC
(Default)
AES-192-CBC
AES-256-CBC
(Recommended)
IPSec Phase 1 Key Lifetime Default
(8 Hours)
IPSec Phase 1 Peer Authentication
Pre-shared key
Certificate
IKE Peer Identification
FQDN
IP address
User FQDN
IKE Peer
As Static Peer
As Dynamic Peer
Options
NAT Traversal
Passive Mode
Ability to Negotiate Tunnel
Per Subnet Pair
Per Pair of Hosts
Per Gateway Pair
IPSec Phase 2 DH-Group
Group 1
Group 2
(Default)
Group 5
Group 14
(Default)
Group 19
Group 20
(Recommended)
No PFS
IPSec Phase 2 Auth
MD5
SHA1
(Default)
SHA256
SHA384
SHA512
(Recommended)
None
IPSec Phase 2 Encryption
DES
3DES
(Default)
AES-128-CBC
(Default)
AES-192-CBC
AES-256-CBC
AES-128-CCM
AES-128-GCM
AES-256-GCM
(Recommended)
NULL
IPSec Protocol
ESP
AH
IPSec Phase 2 Key Lifetime Default
(1 Hour)
(2 Hours)
Tunnel Monitoring Fallback
Dead Peer Detection (DPD)
(for the tunnel)
ICMP
(for the uplink)
Bidirectional Forwarding Detection (BFD)
SD-WAN Architecture Type
With Regional Hub/Gateway/Data Center
N/A
No Regional Hub/Gateway/Data Center
NA

Validated IKE and IPSec Cryptographic Profiles

Both the Aruba Branch Gateways and Prisma Access support several options when it comes to setting up VPN tunnels. The following table provides the configurations that have been validated for this solution, and offer a good compromise between performance, flexibility, and security (considering the integration is mostly for internet-bound traffic).
Crypto Profile
Phase 1
Phase 2
Confidentiality
AES-256
You configure this setting as
aes-256-cbc
in Prisma Access.
AES-256
You configure this setting as
aes-256-cbc
in Prisma Access.
Integrity
SHA256
SHA1
Authentication
Username/Password
N/A
Key Exchange Method
Diffie-Helman
Diffie-Helman
Diffie-Helman Group
14
14
NAT-Transversal
Enabled
N/A
Dead Peer Detection (DPD)
Enabled
Perfect Forward Secrecy (PFS)
N/A
Yes
VPN Type
N/A
Policy-based VPN

Recommended For You