Remote Network Locations with WAN Link

If you have a deployment where the HQ and remote network location(s) are directly connected over a WAN link, and each of these locations is also secured by the GlobalProtect cloud service, you must do the following to ensure optimal routing with eBGP:
  • Add a static route to the eBGP router address. In addition to the default route that sends all traffic to the GlobalProtect cloud service, you must add a static route locally on the IPSec-capable device or router at the remote network(s) so that traffic to the eBGP peer address takes the WAN link rather than the default route into the tunnel.
  • Filter the routes that are advertised from the IPSec-capable device or router at HQ to the eBGP peers at other directly connected locations. As a best practice, configure the BGP router at HQ to advertise only the routes that you want to allow across the WAN link; this ensures that the eBGP router at HQ does not advertise the routes it learns from the GlobalProtect cloud service to other remote network location(s) secured by the GlobalProtect cloud service. In this example, the eBGP router at HQ advertises only the routes that employees at the branch office need in order to connect to the servers (subnets) at HQ.
The following illustration shows a retail business with two paths to the servers at the HQ location. One path is a WAN link that provides direct connectivity for employees accessing servers at HQ; the other path secures traffic generated by other users at this location, for example customers accessing the retailer’s website over Wi-Fi or using the kiosk at the branch office to check inventory. This traffic is sent through the tunnel to the GlobalProtect cloud service firewall and on to HQ.
[Illustration: qc-wan-ebgp.png]
To set up this configuration, follow the instructions to Configure the GlobalProtect Cloud Service for Remote Networks and Set Up Access to Your Corporate Network to onboard the remote network and HQ locations. The details below show how to set up the router configuration at each location to ensure optimal routing:
  1. Add the static routes on your router or on-premises IPSec capable device at the remote network location.
    If you have a Palo Alto Networks firewall at the edge of the WAN link, select Network > Virtual Routers > Static Routes and Add the static routes:
    [Screenshot: qc-static-routes.png]
  2. Configure the routes that you want to advertise to another directly connected location over the WAN link.
    In this example, you need to configure this on the eBGP router at the HQ location. If you have an on-premises Palo Alto Networks firewall at the edge of the WAN link, you can set up route redistribution and configure which BGP routes to export on Network > Virtual Routers > BGP.
    [Screenshot: qc-route-export.png]
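The following is an added example (not part of the Palo Alto Networks documentation) that models the two routing decisions the steps above produce: at the remote site, longest-prefix match sends eBGP peering traffic and HQ server traffic over the WAN link while everything else follows the default route into the tunnel, and at HQ the export filter advertises only permitted local subnets, never routes learned from the cloud service. All addresses are constructed (RFC 5737 and RFC 1918 ranges).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str   # "wan": directly connected WAN link; "tunnel": GlobalProtect cloud service; "local": connected
    source: str     # "static", "connected", "ebgp" (learned over the WAN) or "cloud" (learned from the cloud service)


def route(prefix, next_hop, source):
    return Route(ipaddress.ip_network(prefix), next_hop, source)


def lookup(table, dst):
    """Longest-prefix match: the path a router selects for a destination address."""
    ip = ipaddress.ip_address(dst)
    matches = [r for r in table if ip in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def egress_for(table, dst):
    r = lookup(table, dst)
    return r.next_hop if r else None


def hq_export(hq_table, allowed_prefixes):
    """Routes the HQ eBGP router advertises over the WAN link: only explicitly
    allowed HQ subnets, and never routes it learned from the cloud service."""
    allowed = [ipaddress.ip_network(p) for p in allowed_prefixes]
    return [r for r in hq_table
            if r.source != "cloud" and any(r.prefix.subnet_of(a) for a in allowed)]


# Constructed sample addresses, not taken from any real deployment.
EBGP_PEER_AT_HQ = "192.0.2.1"
REMOTE_SITE_TABLE = [
    route("0.0.0.0/0", "tunnel", "static"),    # default route: everything to the cloud service
    route("192.0.2.1/32", "wan", "static"),    # the static route to the eBGP peer from step 1
    route("10.10.0.0/16", "wan", "ebgp"),      # HQ server subnet learned via eBGP over the WAN
]
WITHOUT_STATIC_ROUTE = [r for r in REMOTE_SITE_TABLE if r.prefix.prefixlen != 32]

HQ_TABLE = [
    route("10.10.0.0/16", "local", "connected"),  # HQ server subnet
    route("10.20.0.0/16", "tunnel", "cloud"),     # another branch, learned from the cloud service
]

if __name__ == "__main__":
    print(egress_for(REMOTE_SITE_TABLE, "10.10.5.20"))        # employee to HQ server: wan
    print(egress_for(REMOTE_SITE_TABLE, "203.0.113.10"))      # customer to the internet: tunnel
    print(egress_for(WITHOUT_STATIC_ROUTE, EBGP_PEER_AT_HQ))  # peering traffic follows default: tunnel
    print([str(r.prefix) for r in hq_export(HQ_TABLE, ["10.10.0.0/16"])])  # ['10.10.0.0/16']
```

Without the /32 static route, the eBGP peer address is reached only via the default route, so the peering session would be carried into the tunnel instead of across the WAN link.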
