Aruba SD-WAN Solution Guide
The following sections describe how you secure an Aruba
SD-WAN with Prisma Access to provide next-generation security:
Aruba Networks Integration With Prisma Access
A common network architecture today is to tunnel traffic
between an organization’s HQ and branches over either MPLS or dedicated
encrypted VPN links. As more and more services are cloud-based,
and more information is available on the internet, it makes less
sense to tunnel traffic back to an aggregation point before routing
it to its final destination.
Breaking out traffic locally from the branches (as opposed to
an on-premises appliance) would allow traffic to reach its destination
faster, and make a more efficient use of bandwidth. However, allowing
traffic directly between devices in the branch and the Internet
may introduce security issues.
The integration between the Aruba Branch Gateways and Prisma
Access makes it possible to set up a secure connection between the
branch networks and one or several cloud-hosted enforcement points.
The Aruba Branch gateway (BGW) can bring up secure tunnels to the
Prisma Access firewall and redirect selected traffic flows through
Prisma Access to provide advanced threat protection in an efficient and
scalable way.
At the same time, the integration between ClearPass and Prisma
Access enables sharing the user context with the firewall, facilitating
the creation of role-centric security policies.
The integration between BGWs and Prisma Access consists on intellingently routing
traffic through the nearest firewall node to leverage the breath
of security features Palo Alto firewalls can provide. The combined
solution can offer the following benefits:
- Unified security management for campus and branch networks.
- Context-aware security policies driven by ClearPass.
- Intelligent routing of traffic based on user-role and application.
Reference Architectures Supported with the Aruba and Prisma
Access Deployment
The SD-Branch and Prisma Access integration supports
the following deployment scenarios.
Branch Gateways to Prisma Access
Aruba BGWs can establish tunnels to one or several Prisma
Access nodes (in different regions, as shown in the following figure)
to secure user traffic going to public cloud services or to the
Internet, thus providing high availabilty. The solution allows for
active-active cloud firewalls.
Regional Hub to Prisma Access
A common deployment type is one where branch traffic
is aggregated at a local hub and then routed to the Internet or
to other corporate resources. This case is especially common when
using private WAN networks. In such scenarios, Aruba VPNCs can set
up tunnels to the nearest Prisma Access firewall to have branch
traffic go through the distributed security service, as shown in
the following figure.
Supported IKE and IPSec Cryptographic Profiles
The following table documents the IKE/IPSec crypto settings
that are supported with Prisma Access and the Aruba SD-WAN. A check
mark indicates that the profile or architecture type is supported;
a dash (—) indicates that it is not supported. Default and Recommended
settings are noted in the table.
For a list of cryptographic profiles that have been tested
and validated, see Validated IKE and IPSec Cryptographic Profiles.
Crypto Profiles | Prisma Access | Aruba | |
|---|---|---|---|
Tunnel Type | IPSec Tunnel |  | |
GRE Tunnel | — | N/A | |
Routing | Static Routes | | |
Dynamic Routing (BGP) | | — | |
Dynamic Routing (OSPF) | — | — | |
IKE Versions | IKE v1 | | Not recommended |
IKE v2 | | | |
IPSec Phase 1 DH-Group | Group 1 | | |
Group 2 | | | |
Group 5 | | — | |
Group 14 | | | |
Group 19 | | | |
Group 20 | | | |
IPSec Phase 1 Auth If
you use IKEv2 with certificate-based authentication, only SHA1 is
supported in IKE crypto profiles (Phase 1). | MD5 | | |
SHA1 | | | |
SHA256 | | | |
SHA384 | | | |
SHA512 | | — | |
IPSec Phase 1 Encryption | DES | | |
3DES | | | |
AES-128-CBC | | | |
AES-192-CBC | | | |
AES-256-CBC | | | |
IPSec Phase 1 Key Lifetime Default | | | |
IPSec Phase 1 Peer Authentication | Pre-Shared Key | | |
Certificate | | | |
IKE Peer Identification | FQDN | | |
IP Address | | | |
User FQDN | | | |
IKE Peer | As Static Peer | | |
As Dynamic Peer | | | |
Options | NAT Traversal | | |
Passive Mode | | | |
Ability to Negotiate Tunnel | Per Subnet Pair | | |
Per Pair of Hosts | | | |
Per Gateway Pair | | | |
IPSec Phase 2 DH-Group | Group 1 | | |
Group 2 | | | |
Group 5 | | — | |
Group 14 | | | |
Group 19 | | | |
Group 20 | | | |
No PFS | | — | |
IPSec Phase 2 Auth | MD5 | | |
SHA1 | | | |
SHA256 | | | |
SHA384 | | | |
SHA512 | | — | |
None | | | |
IPSec Phase 2 Encryption | DES | | |
3DES | | | |
AES-128-CBC | | | |
AES-192-CBC | | | |
AES-256-CBC | | | |
AES-128-CCM | | — | |
AES-128-GCM | | — | |
AES-256-GCM | | — | |
NULL | | — | |
IPSec Protocol | ESP | | |
AH | | | |
IPSec Phase 2 Key Lifetime Default | | | |
Tunnel Monitoring Fallback | Dead Peer Detection (DPD) | | |
ICMP | — | | |
Bidirectional Forwarding Detection (BFD) | — | — | |
SD-WAN Architecture Type | With Regional Hub/Gateway/Data Center | N/A | |
No Regional Hub/Gateway/Data Center | NA | — | |
SD-WAN Deployment Architectures Supported by Aruba
The following table shows the SD-WAN supported by the
Aruba SD-WAN. For more detailed information about supported architectures,
see Reference Architectures Supported with the Aruba and Prisma Access Deployment.
Use Case | Architecture | Supported? |
|---|---|---|
Securing traffic from each branch site with
1 WAN link (Type 1) |  | Yes For branch-to-branch traffic, traffic
from the branch first goes to the hub site and then is routed to the
other branch. As of now, direct branch-to-branch is not supported. |
Securing branch and HQ sites with active/backup SD-WAN connections |  | Yes |
Securing branch and HQ sites with active/active SD-WAN connections |  | Yes |
Securing branch and HQ sites with SD-WAN edge devices
in HA mode |  | Yes Active- active HA is supported at the branch,
and there can be active uplinks between both HA gateways and Prisma Access. |
Securing SD-WAN deployments with Regional Hub/POP architecture (Type
2) |  | Yes |
