Branch HA with Dual Internet and Next Gen Firewalls

Lets learn about the Branch HA with Dual Internet and Next Gen Firewalls in Prisma SD-WAN.
This configuration has two internet circuits and redundant Next Gen firewalls. The firewalls and the Layer 3 switches could be configured in an active /active or active/backup fashion from a routing/traffic flow perspective, but both are providing advanced security features (e.g. URL filtering, IPS/IDS, client based rules, etc.), which requires they remain in place when Prisma SD-WAN is inserted into this site.
There are two options to address this use case:
  1. If there is a desire to retire the firewall in favor of a cloud security service like Zscaler, Palo Alto GPCS, Symantec, etc., then follow the guidance in the appropriate deployment guide for Standard VPN tunnel and policy configuration.
  2. If the firewalls cannot be removed, leave them in place south of the ION devices.
The IONs will each terminate 1 internet circuit and take on the public IP of each ISP. The same HA configuration as Topology 3 – Dual Internet with an L3 Switch. Except in this scenario leave the Layer 3 switch configuration and the LAN side configuration of the firewalls as is. Basically, we will treat the firewalls as the Layer 3 switch from the ION device’s perspective. Below is a sample physical topology and IP address scheme.
In the above image the switches between the IONs and Firewalls, and Firewalls and L3 switches are a logical representation of the same physical L3 switches but L2 switch ports in the appropriate VLANs. Also, the HSRP/VRRP configuration on the LAN side of the firewalls and L3 switches is just an example and not required.
The following are the changes reflected in the above sample image:
  • Remove the public IP address on each firewall’s WAN interface.
  • Configure these public IP addresses on both IONs and respectively
  • Provision an internal subnet to facilitate the communication between the ION’s LAN interfaces and the firewalls’ WAN interfaces and configure the IP’s on each device accordingly:
    VLAN 255 – subnet
    Run HSRP/VRRP between the firewalls on WAN side interfaces.
  • Create a static default route on the firewalls that point to the ION LAN IP address (

Recommended For You