Secure Third-Party SD-WANs with Prisma Access Overview

How to integrate SD-WANs with Prisma Access (Panorama Managed).
The following sections provide an overview of SD-WANs and describe how to deploy them with Prisma Access.
For information about Prisma SD-WAN (formerly CloudGenix) integration with Prisma Access, see the Prisma Access & Prisma SD-WAN CloudBlade Integration guides on the Prisma SD-WAN Technical Documentation page.

SD-WAN Overview

As organizations grow across different geographical locations, choosing a network becomes a delicate balancing act of cost, performance, and security. A software-defined WAN (SD-WAN) simplifies the management and operation of a WAN by separating the networking hardware (the data plane) from its control mechanism (the control plane). SD-WAN technology allows companies to build higher-performance WANs using lower-cost internet access.
With the adoption of SD-WANs, organizations are increasingly connecting directly to the internet, which introduces security challenges in protecting remote networks and mobile users. Additionally, the deployment of SaaS applications has exploded, with many organizations connecting directly to cloud applications, which introduces further security challenges. The adoption of SD-WAN technology brings many benefits in cost savings and enables organizations to be agile and optimized. However, it also makes branch offices and users targets of cyber attacks.
SD-WAN security needs to be as flexible as the networking, but it’s not always easy to adapt traditional methods.
In a traditional campus network design, there is a full stack of network security appliances at the internet perimeter that can protect the branch, as long as all traffic is brought through the core network. SD-WANs don’t always use this design, especially when you integrate cloud applications.
An alternative to the traditional approach is to deploy network security appliances at the branch office, which complicates the deployment but brings security closer to the branch.
To understand the best way to secure an SD-WAN deployment, you should understand the different SD-WAN deployment architectures.

SD-WAN Deployment Architecture Types

SD-WAN technology uses the principles of software-defined networking (SDN) and separates the control plane from the data plane. Based on this principle, SD-WAN deployments generally consist of the following two components:
  • A controller that administrators use to centrally configure WAN topologies and define traffic path rules.
  • SD-WAN edge devices, either physical or virtual, that reside at every site and act as the connection and termination points of the SD-WAN fabric.
This section describes two different types of SD-WAN architectures:
  • Type 1 (branch and headquarters deployment)—At each branch site, organizations can deploy one or more SD-WAN edge devices and connect them to form an SD-WAN fabric or SD-WAN overlay. Administrators use the SD-WAN controller, based either in the cloud or on the organization’s premises, to manage and configure these edge devices and define the traffic forwarding policies at each site.
  • Type 2 (branch, headquarters, and regional data center deployment)—This architecture adds SD-WAN devices in regional data centers, along with the SD-WAN devices at each branch and headquarters site. These regional data centers can be public or private cloud environments. SD-WAN devices at the regional data center aggregate network traffic for smaller sites in that region. Organizations use this deployment when there are multiple regional branch sites with lower-bandwidth connections to the internet.

Secure SD-WAN Deployments with Prisma Access Overview

Prisma Access provides a flexible way to effectively secure SD-WAN deployments. By delivering security from the cloud and closer to the branch sites, Prisma Access lets you optimize networking and security with the same protections that you have at corporate headquarters.
Prisma Access supports standard IPSec tunnels from third-party SD-WAN edge devices using Internet Key Exchange (IKE) and IPSec crypto profiles. For a complete list of IKE and IPSec crypto profiles supported by Palo Alto Networks, refer to the following documents:
While Palo Alto Networks has technology partnerships and jointly qualified security integrations with SD-WAN vendors, this implementation is designed to be compatible with any SD-WAN, as long as the SD-WAN supports creating third-party IPSec tunnels using standard IKE/IPSec.
To secure SD-WAN deployments, use the following workflow:
  1. Onboard the branch sites by setting up site-to-site IPSec tunnels between the SD-WAN edge devices and Prisma Access.
    • For a Type 1 (branch and headquarters) deployment, set up IPSec tunnels between the SD-WAN edge device at each branch and headquarters site and Prisma Access.
    • For a Type 2 (branch, headquarters, and regional data center) deployment, set up the IPSec tunnels between the SD-WAN edge device at each data center and Prisma Access.
  2. Use the SD-WAN controller to create traffic forwarding policies or rules for the SD-WAN devices. The SD-WAN edge devices at each site use these rules to determine the traffic to send to Prisma Access for security and threat prevention.