Integrate Third-Party SD-WANs with Prisma Access
How to integrate third-party SD-WANs with Prisma Access.
For information about Prisma SD-WAN (formerly CloudGenix) integration with Prisma
Access, see the Prisma Access & Prisma SD-WAN CloudBlade Integration guides
on the Prisma SD-WAN Technical Documentation
page.
As organizations grow across different geographical locations, choosing a network
becomes a delicate balancing act of cost, performance, and security. A
software-defined WAN (SD-WAN) simplifies the management and operation of a WAN by
separating the networking hardware (the dataplane) from its control mechanism
(the management plane). SD-WAN technology allows companies to build
higher-performance WANs using lower-cost internet access.
With the adoption of SD-WANs, organizations are increasingly connecting branch
sites directly to the internet, which raises the challenge of protecting remote
networks and mobile users that no longer sit behind the corporate perimeter. At
the same time, the use of SaaS applications has exploded, and many organizations
now connect directly to cloud applications, which raises the same challenge.
SD-WAN technology brings cost savings and lets organizations be agile and
optimized, but it also makes branch offices and users targets of cyber attacks.
SD-WAN security needs to be as flexible as the networking, but it’s not always easy
to adapt traditional methods.
In a traditional campus network design, there is a full stack of network security
appliances at the internet perimeter that can protect the branch, as long as all
traffic is brought through the core network. SD-WANs don’t always use this design,
especially when you integrate cloud applications.
An alternative to the traditional approach is to deploy network security appliances
at the branch office, which complicates the deployment but brings security closer to
the branch.
To understand the best way to secure an SD-WAN deployment, you should understand the
different SD-WAN deployment architectures.
SD-WAN Deployment Architecture Types
SD-WAN technology uses the principles of software-defined networking (SDN) and
separates the management plane and the dataplane. Based on this principle,
SD-WAN deployments generally consist of the following two components:
- A controller that administrators use to centrally configure WAN topologies and define traffic path rules.
- SD-WAN edge devices, either physical or virtual, that reside at every site and act as the connection and termination points of the SD-WAN fabric.
This section describes two different types of SD-WAN architectures:
- Type 1 (branch and headquarters deployment)—At each branch site, organizations deploy one or more SD-WAN edge devices and connect them to form an SD-WAN fabric or SD-WAN overlay. Administrators use the SD-WAN controller, based either in the cloud or on the organization’s premises, to manage and configure these edge devices and to define the traffic forwarding policy rules at each site.
- Type 2 (branch, headquarters, and regional data center deployment)—This architecture adds SD-WAN devices in regional data centers, along with the SD-WAN devices at each branch and headquarters site. These regional data centers can be public or private cloud environments. SD-WAN devices at the regional data center aggregate network traffic for smaller sites in that region. Organizations use this deployment when there are multiple regional branch sites with lower-bandwidth connections to the internet.
Secure SD-WAN Deployments with Prisma Access Overview
Prisma Access provides a flexible way to effectively secure SD-WAN deployments.
By delivering security from the cloud and closer to the branch sites, Prisma
Access lets you optimize networking and security with the same protections that
you have at corporate headquarters.
Prisma Access supports standard IPSec tunnels from third-party SD-WAN edge
devices using IKE and IPSec Crypto profiles.
While Palo Alto Networks has technology partnerships and jointly-qualified
security integrations with SD-WAN vendors, this implementation is designed to be
compatible with any SD-WAN as long as the SD-WAN supports creating third-party
IPSec tunnels using standard IKE/IPSec.
To secure SD-WAN deployments, use the following workflow:
- Onboard the sites by setting up site-to-site IPSec tunnels between the SD-WAN edge devices and Prisma Access.
  - For a Type 1 (branch and headquarters) deployment, set up IPSec tunnels between the SD-WAN edge device at each branch and headquarters site and Prisma Access.
  - For a Type 2 (branch, headquarters, and regional data center) deployment, set up IPSec tunnels between the SD-WAN edge device at each regional data center and Prisma Access.
- Use the SD-WAN controller to create traffic forwarding policy rules for the SD-WAN edge devices. The SD-WAN edge devices at each site use these rules to determine which traffic to send to Prisma Access for security and threat prevention.
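The following is an added example, not part of the original page or Palo Alto Networks' own tooling. It models the two planning decisions in the workflow above: which sites terminate a tunnel under a Type 1 versus Type 2 deployment, and whether each edge device's IKE and IPSec crypto proposals overlap the cloud-side profile so the standard IKE/IPSec tunnel can come up. The site inventory and every algorithm list are constructed placeholders, not Prisma Access's actual supported settings.

```python
from dataclasses import dataclass

# A proposal is (encryption, integrity, dh_group); "none" integrity is used for AEAD ciphers.
Proposal = tuple

@dataclass(frozen=True)
class Site:
    name: str
    role: str      # "branch", "hq" or "regional-dc"
    ike: tuple     # IKE proposals the edge offers, in its preference order
    ipsec: tuple   # IPSec (ESP) proposals the edge offers, in its preference order

def sites_needing_tunnels(sites, deployment_type):
    """Type 1: every branch and HQ edge terminates a tunnel to the cloud.
    Type 2: only the regional data center edges do; branches ride the SD-WAN fabric."""
    wanted = {"branch", "hq"} if deployment_type == 1 else {"regional-dc"}
    return [s.name for s in sites if s.role in wanted]

def negotiate(offered, accepted):
    """First proposal in the initiator's preference order that the responder also
    accepts, or None; this mirrors how an IKE responder selects from a proposal list."""
    return next((p for p in offered if p in accepted), None)

def plan(sites, deployment_type, cloud_ike, cloud_ipsec):
    """Map each tunnel-terminating site to its negotiated (IKE, IPSec) proposals.
    A None entry flags an edge whose crypto profile must be fixed before onboarding."""
    by_name = {s.name: s for s in sites}
    return {
        name: (negotiate(by_name[name].ike, cloud_ike),
               negotiate(by_name[name].ipsec, cloud_ipsec))
        for name in sites_needing_tunnels(sites, deployment_type)
    }

# Constructed cloud-side crypto profiles (illustrative placeholders only).
CLOUD_IKE = (("aes-256-cbc", "sha256", 14), ("aes-128-cbc", "sha256", 14))
CLOUD_IPSEC = (("aes-256-gcm", "none", 14), ("aes-256-cbc", "sha256", 14))

# Constructed SD-WAN site inventory; branch-b only offers a legacy proposal.
SITES = (
    Site("hq", "hq", (("aes-256-cbc", "sha256", 14),), (("aes-256-gcm", "none", 14),)),
    Site("branch-a", "branch", (("aes-128-cbc", "sha256", 14), ("3des", "sha1", 2)),
         (("aes-256-cbc", "sha256", 14),)),
    Site("branch-b", "branch", (("3des", "sha1", 2),), (("3des", "sha1", 2),)),
    Site("dc-west", "regional-dc", (("aes-256-cbc", "sha256", 14),), (("aes-256-gcm", "none", 14),)),
)

if __name__ == "__main__":
    for dtype in (1, 2):
        for site, (ike, ipsec) in plan(SITES, dtype, CLOUD_IKE, CLOUD_IPSEC).items():
            status = "OK" if ike and ipsec else "NO COMMON PROPOSAL"
            print(f"Type {dtype} {site:9s} IKE={ike} IPSec={ipsec} -> {status}")
```

Running it shows branch-b as the edge that cannot negotiate a tunnel under Type 1, while under Type 2 only dc-west needs a tunnel and the branches stay behind the data center's SD-WAN device.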