Branch HA with a Firewall on Internet, MPLS, and a Layer 3 LAN Switch
Learn more about the Branch HA with a Firewall on Internet, MPLS, and a Layer 3 LAN Switch in Prisma SD-WAN.
This topology consists of a branch site
with Internet and MPLS and a firewall to terminate the Internet
connection. The firewall provides basic zone-based firewall protection
and backup VPN connections to other corporate sites or third-party
locations. Also, all Internet traffic must go through a central
corporate site, since the MPLS router is the HSRP/VRRP master, so
traffic flows via the MPLS in steady state. There are Layer
3 switches, and the default route points to the firewall, such that
in steady state, Internet-bound traffic is offloaded. The firewall
provides basic zone-based firewall protection and is a backup path
via VPNs to corporate locations.
The above topology and use case can be converted to a Prisma
SD-WAN HA topology without the need to keep the firewall in place since
Prisma SD-WAN provides all of these functions.
From a traffic forwarding and firewall services perspective,
follow the same process as in Configure Branch HA with a Firewall
on Internet, MPLS, and a Layer 2 LAN Switch, with the exception of
the network path policy change to allow the direct-to-internet path
for all traffic or for the applications of interest (for example,
selective internet offload for trusted applications).