Branch HA with a Next-Generation Firewall on Internet, MPLS, and a Layer 3 LAN Switch
Let us learn more about Branch HA with a Next-Generation Firewall on Internet, MPLS, and a Layer 3 LAN Switch in Prisma SD-WAN.
This topology consists of a branch site with Internet and MPLS circuits and a next-generation firewall that terminates the Internet connection. The next-generation firewall performs advanced services such as URL filtering, IPS/IDS, user-based rules, and so on. All Internet traffic must go through a central corporate site; since the MPLS router is the HSRP/VRRP master, traffic flows in steady state via MPLS. The site has Layer 3 switches whose default route points to the firewall, so that in steady state Internet-bound traffic is offloaded.
There are two options to address this use case:
If there is a desire to retire the firewall in favor of a cloud security service such as Zscaler, Palo Alto GPCS, Symantec, and so on, then follow the guidance in the appropriate Integration Guide.
If the firewall cannot be removed, leave it in place north of the Prisma SD-WAN ION device on the left and configure the No-NAT action for the NAT rule on the Internet ports of the ION, so that the firewall continues to see the original source addresses of Internet-bound traffic.