Branch HA with a Next-Generation Firewall on Internet, MPLS, and a Layer 3 LAN Switch

Let us learn more about the Branch HA with a Next-Generation Firewall on Internet, MPLS, and a Layer 3 LAN Switch in Prisma SD-WAN.
This topology consists of a branch site with Internet and MPLS connectivity and a next-generation firewall that terminates the Internet connection. The next-generation firewall performs advanced services such as URL filtering, IPS/IDS, user-based rules, and so on.
All Internet traffic must go through a central corporate site: because the MPLS router is the HSRP/VRRP master, traffic flows via MPLS in steady state. There are Layer 3 switches, and their default route points to the firewall, so that in steady state Internet-bound traffic is offloaded.
There are two options to address this use case:
  • If there is a desire to retire the firewall in favor of a cloud security service like Zscaler, Palo Alto GPCS, Symantec, and so on, then follow the guidance in the appropriate Integration Guide.
  • If the firewall cannot be removed, leave it in place north of the Prisma SD-WAN ION device on the left and configure No-NAT action for the NAT rule on the Internet ports of the ION.