Configure Branch HA with a Firewall on Internet, MPLS, and a Layer 2 LAN Switch
Learn more about configuring branch HA with a firewall on Internet, MPLS, and a Layer 2 LAN switch in Prisma SD-WAN.
This use case covers a branch site with Internet and MPLS connectivity, where a firewall terminates the Internet connection. The firewall provides basic zone-based firewall protection and backup VPN connections to other corporate sites or remote locations. In addition, all Internet traffic must go through a central corporate site: because the MPLS router is the HSRP/VRRP master, traffic flows over the MPLS path in steady state. The firewall may also provide port forwarding or static NAT for some applications or services sitting in a DMZ.
This topology and use case can be converted to a Prisma SD-WAN HA topology without keeping the firewall in place, since Prisma SD-WAN provides all of these functions. From an HA configuration and deployment perspective, follow the guidance for Topology 2 (Internet and MPLS with a Layer 2 Switch).
Configure a network policy.
To meet the Internet traffic backhaul requirement, craft a network path policy that forces traffic to transit through a Prisma SD-WAN data center, and attach that policy to the site. In the same network path policy, allow the direct-to-Internet path either for all traffic or only for the applications of interest (for example, selective Internet offload for trusted applications).
Configure an appropriate security policy and attach it to the site.
If zones are bound at the interface level rather than at the site level, make sure to perform the binding on each device of the HA pair. To learn more about zone-based firewalls, see Binding Zones to Devices.