Nuage Networks SD-WAN Solution Guide
The following sections describe how you secure a Nuage
Networks SD-WAN with Prisma Access to provide next-generation security:
To learn how Nuage Networks monitors the remote network connection,
and to try to address any issues you have with remote network configuration, Monitor and Troubleshoot the Nuage Networks Remote Network.
Nuage Networks Overview
Nuage Networks Virtualized Network Services (VNS) is
an SD-WAN 2.0 solution that automates the provisioning, configuration,
and management of WAN connections to provide the optimal application
performance at the lowest cost, while meeting strict business policy
and security requirements for each application. Nuage Networks VNS
can provide this policy-based automation while seamlessly connecting
WAN branch sites to on-premises data centers and private clouds,
public clouds, and provider-managed VPN networks. VNS relies on
a central policy repository to define business and application specific
rules that dynamically optimize WAN links and remote branch appliances
or devices.
To secure your organization’s access to resources outside the
SD-WAN and to the internet, you can deploy a Nuage Networks SD-WAN
with Prisma Access, a cloud-based security infrastructure that uses
next-generation security features. Using a shared ownership model,
Palo Alto Networks manages the Prisma Access infrastructure, while
you manage the process of connecting the Nuage Networks SD-WAN to
Prisma Access.
You integrate Prisma Access with the Nuage networks SD-WAN by
creating a remote network connection as an IPSec tunnel between
Prisma Access and the SD-WAN. You create matching IKE crypto profiles, IPSec crypto profiles,
and IKE gateway settings on
each side of the IPSec tunnel in the Nuage Networks SD-WAN and Prisma
Access. You set up these connections on the Nuage Networks side
directly from the customer premises equipment (CPE) to Prisma Access
without the need of SD-WAN gateways to perform WAN functionality.
Nuage Networks’ solution differs from other SD-WAN vendors in that
it uses customer premises equipment (CPE) that enables more advanced
capabilities. These fully-functional CPEs can scale, set up a full
mesh, and perform direct internet breakout to internet directly.
The Nuage Networks SD-WAN does not require gateways or hubs to enable
WAN functionality.
Supported Software Versions and Requirements
The Nuage Networks-Prisma Access solution is qualified
with the following Nuage Networks software versions:
- 5.2.3
Nuage Networks have three types of NSGs:
- NSG-C Series
- NSG-E Series
- NSG-X Series
All of the listed NSGs work with Prisma Access. The only differences
are the resources that they have and the access and WAN interfaces
that they support. For more information, refer to the NSG series
product information at http://www.nuagenetworks.net/resources/product-information/.
The NSG series consists of NSG-C (small), NSG-E (medium), and NSG-X (large).
Supported IKE and IPSec Cryptographic Profiles
You onboard your SD-WAN edge devices using a remote
network connection between the edge device at the branch site, HQ,
or hub to Prisma Access. Use Panorama to create a remote network
connection and create IKE and IPSec crypto profiles; then, set up
an IPSec tunnel between the SD-WAN edge device and Prisma Access,
using the same crypto profiles you used in Panorama.
The following table documents the IKE/IPSec crypto settings that
are supported with Prisma Access and the Nuage Networks SD-WAN.
In addition, the supported architecture types are listed at the
end of the table. A check mark indicates that the profile or architecture
type is supported; a dash (—) indicates that it is not supported.
Default and Recommended settings are noted in the table.
Crypto Profiles | Prisma Access | Nuage Networks | |
|---|---|---|---|
Tunnel Type | IPSec Tunnel |  | |
GRE Tunnel | — | | |
Routing | Static Routes | | |
Dynamic Routing (BGP) | | | |
Dynamic Routing (OSPF) | — | | |
IKE Versions | IKE v1 | | |
IKE v2 | | | |
IPSec Phase 1 DH-Group | Group 1 | | |
Group 2 | | | |
Group 5 | | | |
Group 14 | | | |
Group 19 | | — | |
Group 20 | | — | |
IPSec Phase 1 Auth If
you use IKEv2 with certificate-based authentication, only SHA1 is
supported in IKE crypto profiles (Phase 1). | MD5 | | — |
SHA1 | | | |
SHA256 | | | |
SHA384 | | — | |
SHA512 | | — | |
IPSec Phase 1 Encryption | DES | | — |
3DES | | | |
AES-128-CBC | | | |
AES-192-CBC | | | |
AES-256-CBC | | | |
IPSec Phase 1 Key Lifetime Default | | | |
IPSec Phase 1 Peer Authentication | Pre-Shared Key | | |
Certificate | | — | |
IKE Peer Identification | FQDN | | |
IP Address | | | |
User FQDN | | | |
IKE Peer | As Static Peer | | |
As Dynamic Peer | | | |
Options | NAT Traversal | | |
Passive Mode | | | |
Ability to Negotiate Tunnel | Per Subnet Pair | | — |
Per Pair of Hosts | | — | |
Per Gateway Pair | | — | |
IPSec Phase 2 DH-Group There
is no separate option on the Nuage Networks side for a Phase 2 DH-Group;
however, if you enable PFS, the network can process Phase 2 DH-Group keys. | Group 1 | | |
Group 2 | | | |
Group 5 | | | |
Group 14 | | | |
Group 19 | | — | |
Group 20 | | — | |
No PFS | | | |
IPSec Phase 2 Auth | MD5 | | |
SHA1 | | | |
SHA256 | | | |
SHA384 | | — | |
SHA512 | | | |
None | | — | |
IPSec Phase 2 Encryption | DES | | — |
3DES | | | |
AES-128-CBC | | | |
AES-192-CBC | | | |
AES-256-CBC | | | |
AES-128-CCM | | — | |
AES-128-GCM | | — | |
AES-256-GCM | | — | |
NULL | | | |
IPSec Protocol | ESP | | |
AH | | — | |
IPSec Phase 2 Key Lifetime Default | | | |
Tunnel Monitoring Fallback | Dead Peer Detection (DPD) | | |
ICMP | — | — | |
Bidirectional Forwarding Detection (BFD) | — | — | |
SD-WAN Architecture Type | With Regional Hub/Gateway/Data Center | N/A | |
No Regional Hub/Gateway/Data Center | NA | | |
SD-WAN Deployment Architectures Supported by Nuage Networks
Nuage Networks supports the following deployment architectures
for use with Prisma Access. a dash (—) indicates that the deployment is
not supported.
Use Case | Architecture | Supported? |
|---|---|---|
Securing traffic from each branch site with
1 WAN link (Type 1) |  | Yes |
Securing branch and HQ sites with active/backup SD-WAN connections |  | Yes |
Securing branch and HQ sites with active/active SD-WAN connections |  | Yes |
Securing branch and HQ sites with SD-WAN edge devices
in HA mode |  | Yes |
Securing SD-WAN deployments with Regional Hub/POP architecture (Type
2) |  | Yes |
