Integrate Third-Party SD-WANs with Prisma Access
How to integrate third-party SD-WANs with Prisma Access.
Where Can I Use This? / What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
For information about Prisma SD-WAN (formerly CloudGenix) integration with Prisma Access, see the Prisma Access & Prisma SD-WAN CloudBlade Integration guides on the Prisma SD-WAN Technical Documentation page.
As organizations expand geographically, balancing cost, performance, and security in their networks becomes critical. Software-defined WAN (SD-WAN) simplifies WAN management by separating hardware from control, enabling higher-performance networks with lower-cost internet access.
However, the widespread adoption of SD-WAN, driven by direct internet and cloud application connectivity, introduces significant security challenges for remote networks and mobile users. While SD-WAN offers benefits like cost savings and agility, it also exposes branch offices and users to increased cyber threats. To address this, organizations can integrate their SD-WAN deployments with Prisma Access for robust security.
Third-party SD-WAN integrations with Prisma Access can be accomplished either manually or with automated solutions. Automated solutions, as detailed below, are especially beneficial for organizations managing many branch sites.

Manual Integrations

Organizations have the option to connect their SD-WAN devices to Prisma Access by manually setting up IPSec tunnels for each location. This process requires administrators to configure settings in both the SD-WAN system and Prisma Access, using separate management interfaces (UI and/or CLI). It is the administrator's responsibility to ensure that all configuration details, such as peer IP addresses, IKE and IPSec crypto parameters, pre-shared keys, and high availability setups, match on both sides to achieve the intended results; a mismatch on any one of them typically shows up only as a tunnel that never comes up.
The following are some of the available manual integration options.

Strata Cloud Manager Automated Integrations

Strata Cloud Manager (SCM) offers the following automated integrations with Prisma Access through SD-WAN vendors’ APIs. These integrations facilitate seamless tunnel provisioning, routing data exchange, and policy alignment between platforms. Real-time discovery and synchronized policy updates across SD-WAN and Prisma Access are included. Refer to each integration's documentation for supported deployment topologies.

SD-WAN Vendor-Driven Automated Integrations

The following automated integrations are initiated from an SD-WAN vendor's user interface. Utilizing Prisma Access APIs, these integrations enable automated tunnel provisioning, routing data exchange, and consistent policy application across different platforms. Refer to each integration's documentation for supported deployment topologies.

SD-WAN Deployment Architecture Types

SD-WAN technology uses the principles of software-defined networking (SDN) and separates the management plane from the data plane. Based on this principle, SD-WAN deployments generally consist of the following two components:
  • A controller that administrators use to centrally configure WAN topologies and define traffic path rules.
  • An SD-WAN edge device, either physical or virtual, that resides at every site and acts as the connection and termination point of the SD-WAN fabric.
This section describes two different types of SD-WAN architectures:
  • Type 1 (branch and headquarters deployment)—At each branch site, organizations can deploy one or more SD-WAN edge devices and connect them to form an SD-WAN fabric or an SD-WAN overlay. Administrators use the SD-WAN controller, based either in the cloud or on the organization’s premises, to manage and configure these edge devices and define the traffic forwarding policy rules at each site.
  • Type 2 (branch, headquarters, and regional data center deployment)—This architecture adds SD-WAN devices in regional data centers, along with the SD-WAN devices at each branch and headquarters site. These regional data centers can be public or private cloud environments. SD-WAN devices at the regional data center aggregate network traffic for smaller sites in that region. Organizations use this deployment when there are multiple regional branch sites with lower bandwidth connections to the internet.

Secure SD-WAN Deployments with Prisma Access Overview

Prisma Access provides a flexible way to effectively secure SD-WAN deployments. By delivering security from the cloud and closer to the branch sites, Prisma Access lets you optimize networking and security with the same protections that you have at corporate headquarters.
It supports standard IPSec tunnels from third-party SD-WAN edge devices using IKE and IPSec Crypto profiles.
While Palo Alto Networks has technology partnerships and jointly-qualified security integrations with SD-WAN vendors, this implementation is designed to be compatible with any SD-WAN as long as the SD-WAN supports creating third-party IPSec tunnels using standard IKE/IPSec.
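The pre-onboarding check implied by the manual-integration section (addresses, pre-shared keys, crypto parameters and HA must match on both sides) and by the standard IKE/IPSec requirement in the previous paragraph, as an added example that is not Palo Alto Networks or SD-WAN vendor code. It assumes the administrator has already read the tunnel parameters out of the SD-WAN controller and out of the Prisma Access remote-network configuration into the `TunnelEnd` records below; the field names, site names, addresses and pre-shared key are constructed for illustration and are not any vendor's API or schema.

```python
"""Consistency check for a manually built SD-WAN <-> Prisma Access IPSec tunnel.

Added example, not Palo Alto Networks or SD-WAN vendor code. The tunnel records
are constructed stand-ins for what an administrator reads out of each side's
management interface; the field names are this example's own, not a vendor API.
"""
from dataclasses import dataclass, field, replace
import hashlib
import ipaddress

# Parameters that must be identical on both ends or IKE/IPSec will not negotiate.
MUST_MATCH = (
    "ike_version", "ike_encryption", "ike_hash", "ike_dh_group",
    "ipsec_encryption", "ipsec_auth", "ipsec_pfs_group",
)
# Values that negotiate fine but a security review should not accept.
WEAK = {"des", "3des", "md5", "sha1", "group1", "group2", "group5"}
MIN_PSK_LEN = 20   # assumed local policy, not a product limit


@dataclass
class TunnelEnd:
    name: str
    crypto: dict                 # keys from MUST_MATCH
    local_ip: str                # this end's tunnel endpoint
    peer_ip: str                 # the endpoint this end expects to talk to
    local_id: str                # IKE identity this end presents
    peer_id: str                 # IKE identity this end expects from the peer
    psk: str
    ha_secondary: bool = False   # a second tunnel is configured for HA


@dataclass
class Report:
    errors: list = field(default_factory=list)
    warnings: list = field(default_factory=list)

    def ok(self) -> bool:
        return not self.errors


def _fingerprint(secret: str) -> str:
    # Report secrets by digest prefix so the PSK itself never lands in a log.
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def check_pair(a: TunnelEnd, b: TunnelEnd) -> Report:
    r = Report()
    for key in MUST_MATCH:
        va, vb = a.crypto.get(key, "").lower(), b.crypto.get(key, "").lower()
        if va != vb:
            r.errors.append(f"{key}: {a.name}={va!r} vs {b.name}={vb!r}")
        elif va in WEAK:
            r.warnings.append(f"{key}={va} is weak on both ends")
    # Addresses and IKE identities are crossed: my peer must be your local.
    for x, y in ((a, b), (b, a)):
        if ipaddress.ip_address(x.peer_ip) != ipaddress.ip_address(y.local_ip):
            r.errors.append(f"{x.name} peer_ip {x.peer_ip} != {y.name} local_ip {y.local_ip}")
        if x.peer_id != y.local_id:
            r.errors.append(f"{x.name} peer_id {x.peer_id!r} != {y.name} local_id {y.local_id!r}")
    if a.psk != b.psk:
        r.errors.append(f"psk mismatch ({_fingerprint(a.psk)} vs {_fingerprint(b.psk)})")
    elif len(a.psk) < MIN_PSK_LEN:
        r.warnings.append(f"psk shorter than {MIN_PSK_LEN} characters")
    if a.ha_secondary != b.ha_secondary:
        r.errors.append("HA secondary tunnel configured on only one side")
    return r


# Constructed sample data (RFC 5737 documentation addresses, made-up names/PSK).
STRONG = dict(ike_version="ikev2", ike_encryption="aes-256-cbc", ike_hash="sha256",
              ike_dh_group="group14", ipsec_encryption="aes-256-gcm",
              ipsec_auth="none", ipsec_pfs_group="group14")
LEGACY = {**STRONG, "ike_encryption": "3des", "ike_hash": "sha1", "ike_dh_group": "group2"}
PSK = "constructed-example-psk-7Qv9kL2m"

SDWAN_EDGE = TunnelEnd("branch-paris-edge", STRONG, local_ip="203.0.113.10",
                       peer_ip="192.0.2.20", local_id="paris-edge.example.net",
                       peer_id="192.0.2.20", psk=PSK, ha_secondary=True)
PRISMA_RN = TunnelEnd("prisma-rn-paris", STRONG, local_ip="192.0.2.20",
                      peer_ip="203.0.113.10", local_id="192.0.2.20",
                      peer_id="paris-edge.example.net", psk=PSK, ha_secondary=True)
# The same remote network with typical hand-entry drift: an IKE hash typo,
# a PSK pasted with a trailing space, and the secondary tunnel never created.
DRIFTED = replace(PRISMA_RN, crypto={**STRONG, "ike_hash": "sha1"},
                  psk=PSK + " ", ha_secondary=False)


def run_examples() -> dict:
    """Evaluate the three constructed cases; returns {case name: Report}."""
    return {
        "matched": check_pair(SDWAN_EDGE, PRISMA_RN),
        "drifted": check_pair(SDWAN_EDGE, DRIFTED),
        "legacy": check_pair(replace(SDWAN_EDGE, crypto=LEGACY),
                             replace(PRISMA_RN, crypto=LEGACY)),
    }


if __name__ == "__main__":
    for case, rep in run_examples().items():
        print(f"{case}: {'OK' if rep.ok() else 'MISMATCH'}")
        for msg in rep.errors:
            print("  error:", msg)
        for msg in rep.warnings:
            print("  warn:", msg)
```

The `legacy` case is the one to watch: both sides agree on 3DES, SHA-1 and DH group 2, so the tunnel negotiates and the check reports no errors, only warnings. Agreement is necessary for the tunnel to come up, but it is not the same as the tunnel being acceptably strong, which is why the weak-algorithm list is evaluated separately from the match test. The pre-shared key is compared directly but only ever reported as a short digest prefix.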
To secure SD-WAN deployments, use the following workflow:
  1. Onboard the branch sites by setting up site-to-site IPSec tunnels between the SD-WAN edge devices and Prisma Access.
    • For a Type 1 (branch and headquarters) deployment, set up IPSec tunnels between the SD-WAN edge device at each branch and headquarters site and Prisma Access.
    • For a Type 2 (branch, headquarters, and regional data center) deployment, set up the IPSec tunnels between the SD-WAN edge device at each data center and Prisma Access.
  2. Use the SD-WAN controller to create traffic forwarding policy rules for the SD-WAN edge devices. The edge devices at each site use these rules to decide which traffic to send to Prisma Access for security inspection and threat prevention. Traffic that these rules do not steer into the IPSec tunnel never reaches Prisma Access and is therefore not inspected by it.