Configure Branch HA with a Firewall on Internet, MPLS, and a Layer 2 LAN Switch

Consider a branch site with both Internet and MPLS circuits, where a firewall terminates the Internet connection. The firewall provides basic zone-based protection and backup VPN connections to other corporate sites or remote locations. All Internet traffic must be backhauled through a central corporate site, and because the MPLS router is the HSRP/VRRP master, traffic flows over MPLS in steady state. The firewall may also provide port forwarding or static NAT to applications and services in a DMZ.
This topology and use case can be converted to a Prisma SD-WAN HA topology without keeping the firewall in place, since Prisma SD-WAN provides all of these functions. From an HA configuration and deployment perspective, follow the guidance for Topology 2: Internet and MPLS with a Layer 2 Switch.
  1. Configure a network policy.
    To meet the Internet backhaul requirement, craft a network path policy that forces Internet-bound traffic to transit a Prisma SD-WAN data center, and attach that policy to the site. In the same policy, allow the direct-to-Internet path either for all traffic or only for the applications of interest (for example, selective Internet offload for trusted applications).
  2. Configure an appropriate security policy and attach it to a site.
    If zones are bound at the interface level rather than the site level, perform the binding on each HA device so that both devices enforce the same policy after a failover. To learn more about zone-based firewalls, see Binding Zones to Devices.
  3. Configure a NAT policy.
    If the firewall provided port forwarding or static NAT to services in a DMZ, recreate those translations in the NAT policy so the services remain reachable once the firewall is removed.
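The three steps above are easy to get subtly wrong on an HA pair: a zone bound on only one device, a catch-all path rule that prefers direct Internet instead of the data center, or two static NAT entries claiming the same outside port. The following script is an added example, not Prisma SD-WAN code and not its API or object schema; it models the site configuration with constructed dataclasses (`Device`, `PathRule`, `NatRule`, `Site` are all hypothetical names) and runs the consistency checks a practitioner would want before attaching the policies to the site.

```python
"""Pre-deployment consistency checks for an HA branch with per-device zone
bindings, an Internet-backhaul path policy and a NAT policy.
Added example: the data model below is a constructed stand-in, not the
Prisma SD-WAN API or configuration schema."""

from dataclasses import dataclass


@dataclass
class Device:
    name: str
    zone_bindings: dict   # interface name -> zone bound on this device


@dataclass
class PathRule:
    name: str
    apps: set             # empty set matches any application (catch-all)
    paths: list           # ordered path preference, first entry is preferred


@dataclass
class NatRule:
    name: str
    outside_port: int
    inside_host: str
    inside_port: int


@dataclass
class Site:
    devices: list
    security_zones: set   # zones referenced by the attached security policy
    path_rules: list      # evaluated top-down, first match wins
    nat_rules: list


def check_zone_bindings(site):
    """Every zone the security policy references must be bound on every HA
    device; a zone bound on only one device is unenforced after failover."""
    problems = []
    for dev in site.devices:
        bound = set(dev.zone_bindings.values())
        for zone in sorted(site.security_zones - bound):
            problems.append(f"{dev.name}: zone '{zone}' not bound on any interface")
    return problems


def select_path(site, app):
    """Return the ordered path list that the first matching rule assigns."""
    for rule in site.path_rules:
        if not rule.apps or app in rule.apps:
            return rule.paths
    return []


def check_internet_backhaul(site, trusted_apps):
    """Unlisted traffic must prefer the data-center backhaul; only the
    trusted applications may prefer the direct-to-Internet path."""
    problems = []
    default = select_path(site, "__unknown_app__")
    if not default or default[0] != "dc-backhaul":
        problems.append("catch-all rule does not prefer dc-backhaul")
    for app in sorted(trusted_apps):
        if select_path(site, app)[:1] != ["direct-internet"]:
            problems.append(f"trusted app '{app}' is not offloaded direct")
    return problems


def check_nat_rules(site):
    """Static NAT / port-forward entries must not reuse an outside port."""
    seen, problems = {}, []
    for r in site.nat_rules:
        if r.outside_port in seen:
            problems.append(f"NAT rule '{r.name}' reuses outside port "
                            f"{r.outside_port} (also used by '{seen[r.outside_port]}')")
        else:
            seen[r.outside_port] = r.name
    return problems


def validate(site, trusted_apps):
    return (check_zone_bindings(site)
            + check_internet_backhaul(site, trusted_apps)
            + check_nat_rules(site))


def sample_site():
    """Constructed sample: the second device is missing the dmz binding and
    two NAT rules collide on outside port 443."""
    return Site(
        devices=[
            Device("ion-a", {"1": "internet", "2": "mpls", "3": "lan", "4": "dmz"}),
            Device("ion-b", {"1": "internet", "2": "mpls", "3": "lan"}),
        ],
        security_zones={"internet", "mpls", "lan", "dmz"},
        path_rules=[
            PathRule("trusted-saas-direct", {"office365"},
                     ["direct-internet", "dc-backhaul"]),
            PathRule("default-backhaul", set(), ["dc-backhaul", "direct-internet"]),
        ],
        nat_rules=[
            NatRule("web", 443, "10.10.20.10", 443),
            NatRule("mail", 443, "10.10.20.20", 25),
        ],
    )


if __name__ == "__main__":
    for problem in validate(sample_site(), {"office365"}):
        print("FAIL:", problem)
```

Rule order matters in `select_path`: the application-specific offload rule must sit above the catch-all, otherwise the trusted application is backhauled too. The zone check is the one most often missed on HA pairs, since the active device enforces correctly and the gap only shows after a failover.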
