For information about Prisma SD-WAN (formerly CloudGenix) integration with Prisma
Access, see the Prisma Access & Prisma SD-WAN CloudBlade Integration guides
on the Prisma SD-WAN Technical Documentation
page.
As organizations expand geographically, balancing cost, performance, and
security in their networks becomes critical. Software-defined WAN (SD-WAN)
simplifies WAN management by separating the control plane from the underlying
hardware, enabling higher-performance networks built on lower-cost internet links.
However, the widespread adoption of SD-WAN, driven by direct internet and
cloud application connectivity, introduces significant security challenges for
remote networks and mobile users. While SD-WAN offers benefits like cost savings and
agility, branch traffic that breaks out directly to the internet no longer passes
through the security stack at headquarters, exposing branch offices and users to
increased cyber threats. To address this, organizations can integrate their SD-WAN
deployments with Prisma Access for robust security.
Third-party SD-WAN integrations with Prisma Access can be accomplished either
manually or with automated solutions. Automated solutions, as detailed below, are
especially beneficial for organizations managing several branch sites.
Manual Integrations
Organizations have the option to connect their SD-WAN devices to Prisma
Access by manually setting up IPSec tunnels for each location. This process requires
administrators to configure settings in both the SD-WAN system and Prisma Access,
using separate management interfaces (UI and/or CLI). It is the administrator's
responsibility to ensure that all configuration details, such as peer IP addresses,
pre-shared keys, IKE/IPSec crypto parameters, and high availability setups, match on
both sides; a single mismatched value leaves the tunnel down or negotiating with
weaker settings than intended.
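The following is an added example (not code from the Prisma Access documentation or from any SD-WAN vendor) of the consistency check a practitioner would want before bringing up a manually built tunnel: it takes the parameters exported from the SD-WAN edge and from Prisma Access, confirms that each side points at the other's address, compares the pre-shared keys in constant time, reports every IKE/IPSec parameter that differs, and flags values that both sides agree on but that a security engineer should still reject (DES/3DES, MD5/SHA-1, DH groups 1/2/5, PFS disabled, IKEv1). The field names, the two tunnel ends, the 20-character key threshold and the weak-algorithm lists are assumptions made for this example; the real export formats differ by vendor.

```python
"""Consistency and strength check for a manually configured SD-WAN <-> Prisma Access
IPSec tunnel.  Added example; field names and sample values are constructed."""
from __future__ import annotations

import hmac
import ipaddress
from dataclasses import dataclass

# Parameters that must be identical on both ends for IKE/IPSec negotiation to succeed.
MUST_MATCH = ("ike_version", "ike_encryption", "ike_auth", "ike_dh_group",
              "ike_lifetime_s", "esp_encryption", "esp_auth", "pfs_dh_group",
              "esp_lifetime_s")
# Values to refuse even when both sides agree on them (assumed policy, not a vendor list).
WEAK_CIPHERS = {"des", "3des", "null"}
WEAK_INTEGRITY = {"md5", "sha1", "none"}
WEAK_DH_GROUPS = {1, 2, 5}
MIN_PSK_LEN = 20  # assumed local policy threshold


@dataclass
class TunnelEnd:
    name: str
    local_ip: str   # this end's tunnel endpoint address
    peer_ip: str    # the address this end expects the other side to use
    psk: str
    params: dict    # keys from MUST_MATCH


def weak_crypto(params: dict) -> set[str]:
    """Return findings about weak algorithms in one end's IKE/IPSec settings."""
    findings = set()
    esp_enc = str(params.get("esp_encryption", "")).lower()
    aead = esp_enc.endswith("-gcm")          # AEAD ciphers carry their own integrity
    for f in ("ike_encryption", "esp_encryption"):
        if str(params.get(f, "")).lower() in WEAK_CIPHERS:
            findings.add(f"{f}: weak cipher {params[f]}")
    if str(params.get("ike_auth", "")).lower() in WEAK_INTEGRITY:
        findings.add(f"ike_auth: weak integrity {params['ike_auth']}")
    esp_auth = str(params.get("esp_auth", "")).lower()
    if esp_auth in WEAK_INTEGRITY and not (esp_auth == "none" and aead):
        findings.add(f"esp_auth: weak integrity {params['esp_auth']}")
    for f in ("ike_dh_group", "pfs_dh_group"):
        if params.get(f) in WEAK_DH_GROUPS:
            findings.add(f"{f}: weak DH group {params[f]}")
    if not params.get("pfs_dh_group"):
        findings.add("pfs_dh_group: PFS disabled")
    if params.get("ike_version") == 1:
        findings.add("ike_version: IKEv1 configured; prefer IKEv2")
    return findings


def check_tunnel(a: TunnelEnd, b: TunnelEnd) -> list[str]:
    """Return a list of problems; an empty list means the two ends are consistent."""
    problems = []
    # Each end's expected peer must be the other end's local address.
    for this, other in ((a, b), (b, a)):
        if ipaddress.ip_address(this.peer_ip) != ipaddress.ip_address(other.local_ip):
            problems.append(f"{this.name} expects peer {this.peer_ip} "
                            f"but {other.name} listens on {other.local_ip}")
    # Constant-time comparison so the checker itself is not a timing oracle for the PSK.
    if not hmac.compare_digest(a.psk.encode(), b.psk.encode()):
        problems.append("pre-shared keys differ")
    elif len(a.psk) < MIN_PSK_LEN:
        problems.append(f"pre-shared key shorter than {MIN_PSK_LEN} characters")
    for key in MUST_MATCH:
        va, vb = a.params.get(key), b.params.get(key)
        if va != vb:
            problems.append(f"{key} mismatch: {a.name}={va!r} {b.name}={vb!r}")
    problems.extend(sorted(weak_crypto(a.params) | weak_crypto(b.params)))
    return problems


# Constructed sample configurations (documentation address ranges, made-up key).
_GOOD_PARAMS = {
    "ike_version": 2, "ike_encryption": "aes-256-cbc", "ike_auth": "sha256",
    "ike_dh_group": 14, "ike_lifetime_s": 28800,
    "esp_encryption": "aes-256-gcm", "esp_auth": "none",   # AEAD, so no separate MAC
    "pfs_dh_group": 14, "esp_lifetime_s": 3600,
}
SDWAN_EDGE = TunnelEnd("sdwan-edge", "203.0.113.10", "198.51.100.20",
                       "Q7v!pLm2#rXz9Kd4Ww8Hb3Lp", dict(_GOOD_PARAMS))
PRISMA_OK = TunnelEnd("prisma-access", "198.51.100.20", "203.0.113.10",
                      "Q7v!pLm2#rXz9Kd4Ww8Hb3Lp", dict(_GOOD_PARAMS))
PRISMA_BAD = TunnelEnd("prisma-access", "198.51.100.20", "203.0.113.10",
                       "Q7v!pLm2#rXz9Kd4Ww8Hb3Lp ",        # trailing space pasted into the key
                       {**_GOOD_PARAMS, "pfs_dh_group": 2})  # PFS group differs and is weak

if __name__ == "__main__":
    print("consistent:", check_tunnel(SDWAN_EDGE, PRISMA_OK))
    print("mismatched:", check_tunnel(SDWAN_EDGE, PRISMA_BAD))
```

Run the script to see the clean pair report nothing and the second pair report three problems: the key difference (invisible in most UIs when it is a trailing space), the PFS group mismatch, and the weak group 2 on the Prisma Access side. Run the check against both ends' exported settings before each tunnel is enabled, and again after any change to either management interface.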
The following are some of the available manual integration options.
Strata Cloud Manager (SCM) offers the following automated integrations with Prisma
Access through SD-WAN vendors’ APIs. These integrations facilitate seamless tunnel
provisioning, routing data exchange, and policy alignment between platforms.
Real-time discovery and synchronized policy updates across SD-WAN and Prisma Access
are included. Refer to each integration's documentation for supported deployment
topologies.
The following automated integrations are initiated from an SD-WAN
vendor's user interface. Using Prisma Access APIs, these integrations enable
automated tunnel provisioning, routing data exchange, and consistent policy
application across different platforms. Refer to each integration's documentation
for supported deployment topologies.
SD-WAN technology applies the principles of software-defined networking (SDN) and
separates the control plane from the data plane. Based on this principle, SD-WAN
deployments generally consist of the following two components:
A controller that administrators use to centrally configure WAN topologies
and define traffic path rules.
An SD-WAN edge device, either physical or virtual, resides at every site and
acts as the connection and termination point of the SD-WAN fabric.
This section describes two different types of SD-WAN architectures:
Type 1 (branch and headquarters deployment)—At each branch site,
organizations can deploy one or more SD-WAN edge devices and connect them to
form an SD-WAN fabric or an SD-WAN overlay. Administrators use the SD-WAN
controller, based either in the cloud or on the organization’s premises, to
manage and configure these edge devices and define the traffic forwarding
policy rules at each site.
Type 2 (branch, headquarters, and regional data center
deployment)—This architecture adds SD-WAN devices in regional data
centers, along with the SD-WAN devices at each branch and headquarters site.
These regional data centers can be public or private cloud environments.
SD-WAN devices at the regional data center aggregate network traffic for
smaller sites in that region. Organizations use this deployment when there
are multiple regional branch sites with lower bandwidth connections to the
internet.
Secure SD-WAN Deployments with Prisma Access Overview
Prisma Access provides a flexible way to effectively secure SD-WAN deployments. By
delivering security from the cloud and closer to the branch sites, Prisma Access
lets you optimize networking and security with the same protections that you have at
corporate headquarters.
It supports standard IPSec tunnels from third-party SD-WAN edge devices, with the
negotiation parameters defined by IKE and IPSec Crypto profiles on the Prisma Access side.
While Palo Alto Networks has technology partnerships and jointly-qualified security
integrations with SD-WAN vendors, this implementation is designed to be compatible
with any SD-WAN whose edge devices can terminate standards-based IKE/IPSec tunnels
to a third-party peer.
To secure SD-WAN deployments, use the following workflow:
Onboard the branch sites by setting up site-to-site IPSec tunnels between the
SD-WAN edge devices and Prisma Access.
For a Type 1 (branch and headquarters) deployment, set up IPSec
tunnels between the SD-WAN edge device at each branch and
headquarters site and Prisma Access.
For a Type 2 (branch, headquarters, and regional data center)
deployment, set up the IPSec tunnels between the SD-WAN edge device
at each data center and Prisma Access.
Use the SD-WAN controller to create traffic forwarding policy rules for the
SD-WAN edge devices. The edge devices at each site use these rules to
determine which traffic to send to Prisma Access for security and threat
prevention.
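The following is an added example (not the SD-WAN controller's policy language or anything from the Prisma Access documentation) of what the second step of the workflow amounts to on an edge device: a vendor-neutral rule table, evaluated by longest-prefix match, that keeps internal prefixes on the SD-WAN fabric and sends everything else into the Prisma Access tunnel. It also covers the failure mode the workflow leaves implicit: when the Prisma Access tunnel is down, the edge should fail closed rather than silently break out directly to the internet, unless the policy explicitly permits that. The rule names, prefixes, actions and the fail-open flag are assumptions made for this example.

```python
"""Vendor-neutral model of SD-WAN traffic forwarding rules that steer flows to
Prisma Access.  Added example; rule set and addresses are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PRISMA_ACCESS = "prisma_access"   # send through the IPSec tunnel for inspection
FABRIC = "fabric"                 # keep on the SD-WAN overlay (site to site)
DIRECT = "direct"                 # uninspected local internet breakout
DROP = "drop"


@dataclass(frozen=True)
class Rule:
    name: str
    dst: ipaddress.IPv4Network
    action: str


# Constructed policy for a Type 1 branch edge: internal ranges stay on the fabric,
# a DMZ subnet at headquarters is inspected even though it is internal, and the
# default route (0.0.0.0/0) sends all remaining traffic to Prisma Access.
RULES = [
    Rule("hq-lan", ipaddress.ip_network("10.0.0.0/8"), FABRIC),
    Rule("hq-dmz", ipaddress.ip_network("10.200.0.0/16"), PRISMA_ACCESS),
    Rule("branch-lans", ipaddress.ip_network("172.16.0.0/12"), FABRIC),
    Rule("internet", ipaddress.ip_network("0.0.0.0/0"), PRISMA_ACCESS),
]


def select_path(dst_ip: str, rules: list[Rule], tunnel_up: bool = True,
                fail_open: bool = False) -> tuple[str, str]:
    """Return (rule name, action) for a destination using longest-prefix match.

    If the matched rule sends traffic to Prisma Access but the tunnel is down,
    the flow is dropped (fail closed) unless fail_open explicitly allows an
    uninspected direct breakout.
    """
    ip = ipaddress.ip_address(dst_ip)
    best: Rule | None = None
    for rule in rules:
        if ip in rule.dst and (best is None or rule.dst.prefixlen > best.dst.prefixlen):
            best = rule
    if best is None:
        return ("no-match", DROP)
    if best.action == PRISMA_ACCESS and not tunnel_up:
        return (best.name, DIRECT if fail_open else DROP)
    return (best.name, best.action)


if __name__ == "__main__":
    for dst in ("198.51.100.5", "10.1.2.3", "10.200.7.7"):
        print(dst, select_path(dst, RULES))
    print("tunnel down:", select_path("198.51.100.5", RULES, tunnel_up=False))
```

The `hq-dmz` rule shows why evaluation must be longest-prefix rather than first-match: it sits inside `10.0.0.0/8` yet wins for 10.200.x.x addresses. The `fail_open` default of False is the security-relevant choice; a controller that falls back to direct breakout when the tunnel drops quietly removes the protection the whole design exists to provide.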