Silver Peak SD-WAN Solution Guide
The following sections describe how you use
Silver Peak EdgeConnect with Prisma Access to provide next-generation security
on internet-bound traffic:
If you have any issues after you complete these tasks, see Troubleshoot the Silver
Peak Remote Network.
Supported Software Versions and Requirements
The Silver Peak-Prisma Access solution is
qualified with the following Silver Peak software versions:
- 8.1.9.0
Supported IKE and IPSec Cryptographic Profiles
You onboard your SD-WAN edge devices using
a remote network connection between the edge device at the branch
site, HQ, or hub to Prisma Access. Use Prisma Access to create a
remote network and configure IPSec and IKE crypto profiles; then,
set up an IPSec tunnel between the SD-WAN edge device and Prisma
Access, using the same crypto profiles you used in Prisma Access.
The following table documents the IKE/IPSec crypto settings that are
supported with Prisma Access and Silver Peak SD-WAN. A check mark indicates
that the profile or architecture type is supported; a dash (—) indicates
that it is not supported. Default and Recommended settings are noted
in the table.

| Crypto Profiles | | Prisma Access | Silver Peak EdgeConnect |
|---|---|---|---|
| Tunnel Type | IPSec Tunnel | √ | √ |
| | GRE Tunnel | — | — |
| Routing | Static Routes | √ | √ |
| | Dynamic Routing (BGP) | √ | — |
| | Dynamic Routing (OSPF) | — | — |
| IKE Versions | IKE v1 | √ | √ |
| | IKE v2 | √ | — |
| IPSec Phase 1 DH-Group | Group 1 | √ | √ |
| | Group 2 | √ | √ |
| | Group 5 | √ | √ |
| | Group 14 | √ | √ |
| | Group 19 | √ | √ |
| | Group 20 | √ | — |
| IPSec Phase 1 Auth. If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1). | MD5 | √ | — |
| | SHA1 | √ | √ |
| | SHA256 | √ | √ |
| | SHA384 | √ | √ |
| | SHA512 | √ | √ |
| IPSec Phase 1 Encryption | DES | √ | — |
| | 3DES | √ | — |
| | AES-128-CBC | √ | √ |
| | AES-192-CBC | √ | — |
| | AES-256-CBC | √ | √ |
| IPSec Phase 1 Key Lifetime Default | | √ | √ |
| IPSec Phase 1 Peer Authentication | Pre-Shared Key | √ | Pre-Shared Key |
| | Certificate | √ | — |
| IKE Peer Identification | FQDN | √ | √ |
| | IP Address | √ | √ |
| | User FQDN | √ | √ |
| IKE Peer | As Static Peer | √ | √ |
| | As Dynamic Peer | √ | — |
| Options | NAT Traversal | √ | √ |
| | Passive Mode | √ | — |
| Ability to Negotiate Tunnel | Per Subnet Pair | √ | — |
| | Per Pair of Hosts | √ | — |
| | Per Gateway Pair | √ | √ |
| IPSec Phase 2 DH-Group | Group 1 | √ | √ |
| | Group 2 | √ | √ |
| | Group 5 | √ | √ |
| | Group 14 | √ | √ |
| | Group 19 | √ | √ |
| | Group 20 | √ | — |
| | No PFS | √ | √ |
| IPSec Phase 2 Auth | MD5 | √ | — |
| | SHA1 | √ | √ |
| | SHA256 | √ | √ |
| | SHA384 | √ | √ |
| | SHA512 | √ | √ |
| | None | √ | — |
| IPSec Phase 2 Encryption | DES | √ | — |
| | 3DES | √ | — |
| | AES-128-CBC | √ | √ |
| | AES-192-CBC | √ | — |
| | AES-256-CBC | √ | √ |
| | AES-128-CCM | √ | — |
| | AES-128-GCM | √ | — |
| | AES-256-GCM | √ | — |
| | NULL | √ | √ |
| IPSec Protocol | ESP | √ | √ |
| | AH | √ | — |
| IPSec Phase 2 Key Lifetime Default | | √ | √ Lifebytes also supported |
| Tunnel Monitoring Fallback | Dead Peer Detection (DPD) | √ | √ |
| | ICMP | — | √ |
| | Bidirectional Forwarding Detection (BFD) | — | — |
| SD-WAN Architecture Type | With Regional Hub/Gateway/Data Center | N/A | √ |
| | No Regional Hub/Gateway/Data Center | N/A | √ |

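
Because the tunnel must use the same crypto profiles on both ends, a proposed profile is only usable if every setting is supported in both columns of the table above. The following added example (not part of the original guide or of either vendor's tooling) transcribes the IKE/IPSec rows and checks a profile against them. The field names and the `DISCOURAGED` set are assumptions of this example, not settings the guide marks.

```python
# Added example: support data transcribed from the IKE/IPSec rows of the table above.
# Tuple = (Prisma Access supports, Silver Peak EdgeConnect supports).
Y, N = True, False
GROUPS = {"Group 1": (Y, Y), "Group 2": (Y, Y), "Group 5": (Y, Y),
          "Group 14": (Y, Y), "Group 19": (Y, Y), "Group 20": (Y, N)}
AUTH = {"MD5": (Y, N), "SHA1": (Y, Y), "SHA256": (Y, Y),
        "SHA384": (Y, Y), "SHA512": (Y, Y)}
CBC = {"DES": (Y, N), "3DES": (Y, N), "AES-128-CBC": (Y, Y),
       "AES-192-CBC": (Y, N), "AES-256-CBC": (Y, Y)}
MATRIX = {  # field names are this example's own, not product setting names
    "ike_version": {"IKE v1": (Y, Y), "IKE v2": (Y, N)},
    "p1_dh": GROUPS, "p1_auth": AUTH, "p1_enc": CBC,
    "p2_dh": {**GROUPS, "No PFS": (Y, Y)},
    "p2_auth": {**AUTH, "None": (Y, N)},
    "p2_enc": {**CBC, "AES-128-CCM": (Y, N), "AES-128-GCM": (Y, N),
               "AES-256-GCM": (Y, N), "NULL": (Y, Y)},
}
# Assumption (not from the page): settings commonly discouraged in hardening guidance.
DISCOURAGED = {"Group 1", "Group 2", "Group 5", "No PFS",
               "MD5", "SHA1", "DES", "3DES", "NULL"}

def mutual(field, hardened=False):
    """Settings both sides support; with hardened=True, drop discouraged ones."""
    return [s for s, (pa, sp) in MATRIX[field].items()
            if pa and sp and not (hardened and s in DISCOURAGED)]

def check_profile(profile):
    """Return (field, value, problem) findings for a proposed crypto profile."""
    findings = []
    for field, value in profile.items():
        pa, sp = MATRIX[field].get(value, (N, N))  # unknown value: unsupported
        if not pa:
            findings.append((field, value, "not supported by Prisma Access"))
        if not sp:
            findings.append((field, value, "not supported by Silver Peak EdgeConnect"))
        if value in DISCOURAGED:
            findings.append((field, value, "discouraged setting"))
    return findings

if __name__ == "__main__":
    # Constructed sample profile: valid on Prisma Access alone, not on both ends.
    proposed = {"ike_version": "IKE v2", "p1_dh": "Group 20", "p1_auth": "SHA256",
                "p1_enc": "AES-256-CBC", "p2_dh": "No PFS", "p2_auth": "SHA256",
                "p2_enc": "AES-256-GCM"}
    for finding in check_profile(proposed):
        print(*finding, sep=": ")
    for field in MATRIX:
        print(field, "->", mutual(field, hardened=True))
```
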
SD-WAN Deployment Architectures Supported by Silver Peak
Silver Peak supports the following deployment
architectures for use with Prisma Access. A dash (—) indicates that
the deployment is not supported.
Use Case | Architecture | Supported? |
---|---|---|
Securing traffic from each branch site with 1 WAN link (Type 1). Use an IPSec tunnel from each branch to Prisma Access. Use a Silver Peak EdgeConnect device at the branch. | (diagram) | Yes |
Securing branch and HQ sites with active/backup SD-WAN connections | (diagram) | Yes |
Securing branch and HQ sites with active/active SD-WAN connections | (diagram) | Yes |
Securing branch and HQ sites with SD-WAN edge devices in HA mode | (diagram) | Yes |
Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2) | (diagram) | Yes |