Branch HA with Dual Internet and Next Gen Firewalls
Let's learn about Branch HA with Dual Internet and Next Gen Firewalls in Prisma SD-WAN.
This configuration has two internet circuits and redundant Next Gen firewalls. The firewalls and the Layer 3 switches may be configured active/active or active/backup from a routing and traffic-flow perspective, but both firewalls provide advanced security features (e.g. URL filtering, IPS/IDS, client-based rules, etc.), which requires that they remain in place when Prisma SD-WAN is inserted into this site.
There are two options to address this use case:
If there is a desire to retire the firewalls in favor of a cloud security service such as Zscaler, Palo Alto GPCS, Symantec, etc., follow the guidance in the appropriate deployment guide for Standard VPN tunnel and policy configuration.
If the firewalls cannot be removed, leave them in place south of the ION devices.
The IONs each terminate one internet circuit and take on the public IP of that ISP. Use the same HA configuration as Topology 3 (Dual Internet with an L3 Switch), except that in this scenario the Layer 3 switch configuration and the LAN-side configuration of the firewalls are left as is. In effect, the firewalls are treated as the Layer 3 switch from the ION devices' perspective. Below is a sample physical topology and IP address scheme.
In the above image, the switches between the IONs and the firewalls, and between the firewalls and the L3 switches, are a logical representation of the same physical L3 switches using L2 switch ports in the appropriate VLANs. Also, the HSRP/VRRP configuration on the LAN side of the firewalls and L3 switches is only an example and is not required.
The following are the changes reflected in the above sample image:
Remove the public IP address from each firewall's WAN interface.
Configure these public IP addresses on the two IONs, 22.214.171.124/30 and 126.96.36.199/30 respectively.
Provision an internal subnet (10.10.255.0/29) to carry the communication between the IONs' LAN interfaces and the firewalls' WAN interfaces, and configure the IPs on each device accordingly.
Run HSRP/VRRP between the firewalls on their WAN-side interfaces.
Create a static default route on the firewalls that points to the ION LAN IP address (10.10.255.5).
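The transit subnet between the IONs and the firewalls is the one piece of this design that is easy to get subtly wrong (too small a prefix, a VRRP VIP outside the block, a default route pointing at an address nobody owns), and a mistake there silently breaks the security path the firewalls are supposed to stay on. The script below is an added example, not Prisma SD-WAN code or part of the original page: it takes the 10.10.255.0/29 transit subnet and the 10.10.255.5 ION LAN next hop from the text, and uses assumed placeholder addresses for the two firewall WAN interfaces and their VRRP VIP (the page does not list them). It checks capacity, membership, duplicates and the default-route next hop, and it generalizes slightly by showing why a /30 would not work for this topology.

```python
"""Sanity-check the ION <-> firewall transit subnet plan for this topology.

Added example (not Prisma SD-WAN code). Values taken from the text:
  - transit subnet 10.10.255.0/29
  - ION LAN address used as the firewalls' default-route next hop: 10.10.255.5
Everything else below is an assumed placeholder.
"""
import ipaddress

TRANSIT_SUBNET = ipaddress.ip_network("10.10.255.0/29")   # from the text
ION_LAN_NEXT_HOP = ipaddress.ip_address("10.10.255.5")    # from the text

# Assumed placeholder addresses inside the /29 (the text does not list them).
TRANSIT_PLAN = {
    "fw1-wan": "10.10.255.1",
    "fw2-wan": "10.10.255.2",
    "fw-vrrp-vip": "10.10.255.3",   # HSRP/VRRP virtual IP on the firewalls' WAN side
    "ion-lan": str(ION_LAN_NEXT_HOP),
}


def validate_transit_plan(subnet, plan, next_hop):
    """Return a list of problems with the address plan; an empty list means OK."""
    subnet = ipaddress.ip_network(subnet)
    next_hop = ipaddress.ip_address(next_hop)
    usable = set(subnet.hosts())
    problems = []

    # Capacity: every assigned address, the VRRP VIP included, needs a usable host.
    if len(plan) > len(usable):
        problems.append(
            f"{subnet} has {len(usable)} usable hosts but the plan needs {len(plan)}"
        )

    # Membership and uniqueness of every address in the plan.
    owner = {}
    for name, raw in plan.items():
        addr = ipaddress.ip_address(raw)
        if addr not in usable:
            problems.append(f"{name}={addr} is not a usable host address in {subnet}")
        if addr in owner:
            problems.append(f"{name}={addr} duplicates {owner[addr]}")
        owner[addr] = name

    # The firewalls' default route must point at the ION LAN address on this segment.
    if next_hop not in usable:
        problems.append(f"default-route next hop {next_hop} is outside {subnet}")
    elif owner.get(next_hop) != "ion-lan":
        problems.append(f"default-route next hop {next_hop} is not the ION LAN address")
    return problems


def firewall_wan_config(fw_name, plan, subnet, next_hop):
    """Summarize the WAN-side settings one firewall needs in this design."""
    subnet = ipaddress.ip_network(subnet)
    return {
        "wan_ip": f"{plan[fw_name + '-wan']}/{subnet.prefixlen}",
        "vrrp_vip": plan["fw-vrrp-vip"],
        "default_route": ("0.0.0.0/0", str(ipaddress.ip_address(next_hop))),
    }


if __name__ == "__main__":
    for subnet in (TRANSIT_SUBNET, "10.10.255.0/30"):
        issues = validate_transit_plan(subnet, TRANSIT_PLAN, ION_LAN_NEXT_HOP)
        print(subnet, "OK" if not issues else issues)
    for fw in ("fw1", "fw2"):
        print(fw, firewall_wan_config(fw, TRANSIT_PLAN, TRANSIT_SUBNET, ION_LAN_NEXT_HOP))
```

Running it prints an empty problem list for the /29 and a capacity and membership failure for the /30, which is the quickest way to show a reviewer why the page's /29 is the minimum size once two firewall WAN addresses, a VRRP VIP and the ION LAN address all have to share one segment.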