Aruba SD-WAN Solution Guide
The following sections describe how you secure an Aruba SD-WAN with Prisma Access to provide next-generation security:
Aruba Networks Integration With Prisma Access
A common network architecture today is to tunnel traffic between an organization’s HQ and branches over either MPLS or dedicated encrypted VPN links. As more and more services are cloud-based, and more information is available on the internet, it makes less sense to tunnel traffic back to an aggregation point before routing it to its final destination.
Breaking out traffic locally from the branches (as opposed to an on-premises appliance) would allow traffic to reach its destination faster, and make a more efficient use of bandwidth. However, allowing traffic directly between devices in the branch and the Internet may introduce security issues.
The integration between the Aruba Branch Gateways and Prisma Access makes it possible to set up a secure connection between the branch networks and one or several cloud-hosted enforcement points. The Aruba Branch gateway (BGW) can bring up secure tunnels to the Prisma Access firewall and redirect selected traffic flows through Prisma Access to provide advanced threat protection in an efficient and scalable way.
At the same time, the integration between ClearPass and Prisma Access enables sharing the user context with the firewall, facilitating the creation of role-centric security policies.
The integration between BGWs and Prisma Access consists on intellingently routing traffic through the nearest firewall node to leverage the breath of security features Palo Alto firewalls can provide. The combined solution can offer the following benefits:
- Unified security management for campus and branch networks.
- Context-aware security policies driven by ClearPass.
- Intelligent routing of traffic based on user-role and application.
Reference Architectures Supported with the Aruba and Prisma
The SD-Branch and Prisma Access integration supports the following deployment scenarios.
Branch Gateways to Prisma Access
Aruba BGWs can establish tunnels to one or several Prisma Access nodes (in different regions, as shown in the following figure) to secure user traffic going to public cloud services or to the Internet, thus providing high availabilty. The solution allows for active-active cloud firewalls.
Regional Hub to Prisma Access
A common deployment type is one where branch traffic is aggregated at a local hub and then routed to the Internet or to other corporate resources. This case is especially common when using private WAN networks. In such scenarios, Aruba VPNCs can set up tunnels to the nearest Prisma Access firewall to have branch traffic go through the distributed security service, as shown in the following figure.
Supported IKE and IPSec Cryptographic Profiles
The following table documents the IKE/IPSec crypto settings that are supported with Prisma Access and the Aruba SD-WAN. A check mark indicates that the profile or architecture type is supported; a dash (—) indicates that it is not supported. Default and Recommended settings are noted in the table.
Dynamic Routing (BGP)
Dynamic Routing (OSPF)
IPSec Phase 1 DH-Group
IPSec Phase 1 Auth
If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
IPSec Phase 1 Encryption
IPSec Phase 1 Key Lifetime Default
IPSec Phase 1 Peer Authentication
IKE Peer Identification
As Static Peer
As Dynamic Peer
Ability to Negotiate Tunnel
Per Subnet Pair
Per Pair of Hosts
Per Gateway Pair
IPSec Phase 2 DH-Group
IPSec Phase 2 Auth
IPSec Phase 2 Encryption
IPSec Phase 2 Key Lifetime Default
Tunnel Monitoring Fallback
Dead Peer Detection (DPD)
(for the tunnel)
(for the uplink)
Bidirectional Forwarding Detection (BFD)
SD-WAN Architecture Type
With Regional Hub/Gateway/Data Center
No Regional Hub/Gateway/Data Center
SD-WAN Deployment Architectures Supported by Aruba
The following table shows the SD-WAN supported by the Aruba SD-WAN. For more detailed information about supported architectures, see Reference Architectures Supported with the Aruba and Prisma Access Deployment.
Securing traffic from each branch site with 1 WAN link (Type 1)
For branch-to-branch traffic, traffic from the branch first goes to the hub site and then is routed to the other branch. As of now, direct branch-to-branch is not supported.
Securing branch and HQ sites with active/backup SD-WAN connections
Securing branch and HQ sites with active/active SD-WAN connections
Securing branch and HQ sites with SD-WAN edge devices in HA mode
Active- active HA is supported at the branch, and there can be active uplinks between both HA gateways and Prisma Access.
Securing SD-WAN deployments with Regional Hub/POP architecture (Type 2)
Recommended For You
Recommended videos not found.