Aruba SD-WAN Solution Guide
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
A common network architecture today is to tunnel traffic between an organization’s HQ and branches over either MPLS or dedicated encrypted VPN links. As more and more services are cloud-based, and more information is available on the internet, it makes less sense to tunnel traffic back to an aggregation point before routing it to its final destination.
Breaking out traffic locally from the branches (as opposed to an on-premises appliance) would allow traffic to reach its destination faster, and make a more efficient use of bandwidth. However, allowing traffic directly between devices in the branch and the internet may introduce security issues.
The integration between the Aruba Branch Gateways and Prisma Access makes it possible to set up a secure connection between the branch networks and one or several cloud-hosted enforcement points. The Aruba Branch Gateway (BGW) can bring up secure tunnels to the Prisma Access firewall and redirect selected traffic flows through Prisma Access to provide advanced threat protection in an efficient and scalable way.
At the same time, the integration between ClearPass and Prisma Access enables sharing the user context with the firewall, facilitating the creation of role-centric security policy rules.
The integration between BGWs and Prisma Access consists of intelligently routing traffic through the nearest firewall node to take advantage of the breadth of security features that Palo Alto Networks firewalls provide. The combined solution can offer the following benefits:
  • Unified security management for campus and branch networks.
  • Context-aware security policy rules driven by ClearPass.
  • Intelligent routing of traffic based on user-role and application.

Reference Architectures Supported with the Aruba and Prisma Access Deployment

The SD-branch and Prisma Access integration supports the following deployment scenarios.

Branch Gateways to Prisma Access

Aruba BGWs can establish tunnels to one or several Prisma Access nodes (in different regions, as shown in the following figure) to secure user traffic going to public cloud services or to the internet, thus providing high availability. The solution allows for active/active cloud firewalls.

Regional Hub to Prisma Access

A common deployment type is one where branch traffic is aggregated at a local hub and then routed to the internet or to other corporate resources. This case is especially common when using private WAN networks. In such scenarios, Aruba VPNCs can set up tunnels to the nearest Prisma Access firewall to have branch traffic go through the distributed security service, as shown in the following figure.

Supported IKE and IPSec Cryptographic Profiles

The following table lists the IKE/IPSec crypto settings available with Prisma Access and the Aruba SD-WAN. N/A marks an option that does not apply to this integration; default and recommended settings are noted.
For a list of cryptographic profiles that have been tested and validated, see Validated IKE and IPSec Cryptographic Profiles.
Crypto Profiles (Prisma Access / Aruba)

Tunnel Type
  • IPSec Tunnel
  • GRE Tunnel: N/A
Routing
  • Static Routes
  • Dynamic Routing (BGP)
  • Dynamic Routing (OSPF)
IKE Versions
  • IKEv1 (Not recommended)
  • IKEv2
IPSec Phase 1 DH-Group
  • Group 1
  • Group 2 (Default)
  • Group 5
  • Group 14
  • Group 19
  • Group 20 (Recommended)
IPSec Phase 1 Auth
  Note: If you use IKEv2 with certificate-based authentication, only SHA1 is supported in IKE crypto profiles (Phase 1).
  • MD5
  • SHA1 (Default) (SHA196, 168)
  • SHA256
  • SHA384
  • SHA512 (Recommended)
IPSec Phase 1 Encryption
  • DES
  • 3DES (Default)
  • AES-128-CBC (Default)
  • AES-192-CBC
  • AES-256-CBC (Recommended)
IPSec Phase 1 Key Lifetime
  • Default (8 Hours)
IPSec Phase 1 Peer Authentication
  • Pre-shared key
  • Certificate
IKE Peer Identification
  • FQDN
  • IP address
  • User FQDN
IKE Peer
  • As Static Peer
  • As Dynamic Peer
Options
  • NAT Traversal
  • Passive Mode
Ability to Negotiate Tunnel
  • Per Subnet Pair
  • Per Pair of Hosts
  • Per Gateway Pair
IPSec Phase 2 DH-Group
  • Group 1
  • Group 2 (Default)
  • Group 5
  • Group 14 (Default)
  • Group 19
  • Group 20 (Recommended)
  • No PFS
IPSec Phase 2 Auth
  • MD5
  • SHA1 (Default)
  • SHA256
  • SHA384
  • SHA512 (Recommended)
  • None
IPSec Phase 2 Encryption
  • DES
  • 3DES (Default)
  • AES-128-CBC (Default)
  • AES-192-CBC
  • AES-256-CBC
  • AES-128-CCM
  • AES-128-GCM
  • AES-256-GCM (Recommended)
  • NULL
IPSec Protocol
  • ESP
  • AH
IPSec Phase 2 Key Lifetime
  • Default (1 Hour) / (2 Hours)
Tunnel Monitoring Fallback
  • Dead Peer Detection (DPD) (for the tunnel)
  • ICMP (for the uplink)
  • Bidirectional Forwarding Detection (BFD)
SD-WAN Architecture Type
  • With Regional Hub/Gateway/Data Center: N/A
  • No Regional Hub/Gateway/Data Center: N/A

Validated IKE and IPSec Cryptographic Profiles

Both the Aruba Branch Gateways and Prisma Access support several options when it comes to setting up VPN tunnels. The following table provides the configurations that have been validated for this solution; they offer a good compromise between performance, flexibility, and security (considering the integration is mostly for internet-bound traffic).
Crypto Profile                 | Phase 1                                  | Phase 2
Confidentiality                | AES-256 (configured as aes-256-cbc in Prisma Access) | AES-256 (configured as aes-256-cbc in Prisma Access)
Integrity                      | SHA256                                   | SHA1
Authentication                 | Username/Password                        | N/A
Key Exchange Method            | Diffie-Hellman                           | Diffie-Hellman
Diffie-Hellman Group           | 14                                       | 14
NAT-Traversal                  | Enabled                                  | N/A
Dead Peer Detection (DPD)      | Enabled                                  |
Perfect Forward Secrecy (PFS)  | N/A                                      | Yes
VPN Type                       | N/A                                      | Policy-based VPN
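As an added example (not code from Aruba, Palo Alto Networks, or this guide), the following Python script turns the two tables above into a small crypto-profile checker for a change review. It takes a proposed IKE/IPSec profile, rejects options that the supported-profile table does not list, flags options the guide marks as legacy or not recommended, and reports where a supported choice falls short of the recommended one. The key names, the treatment of AH as weak (it provides integrity only), and the exact "weak" set are this example's own assumptions drawn from the tables; the VALIDATED dictionary is the validated-profile table translated into those key names.

```python
"""Check a proposed IKE/IPSec profile against the options this guide lists
for the Aruba BGW to Prisma Access tunnel. Added example; not vendor code.
Key names and the WEAK classification are assumptions made for this example."""

from dataclasses import dataclass

# Options from the supported-profile table. None means "no PFS" / "no auth".
SUPPORTED = {
    "ike_version": {"ikev1", "ikev2"},
    "p1_dh_group": {1, 2, 5, 14, 19, 20},
    "p1_auth": {"md5", "sha1", "sha256", "sha384", "sha512"},
    "p1_encryption": {"des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc"},
    "p2_dh_group": {1, 2, 5, 14, 19, 20, None},
    "p2_auth": {"md5", "sha1", "sha256", "sha384", "sha512", None},
    "p2_encryption": {"des", "3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc",
                      "aes-128-ccm", "aes-128-gcm", "aes-256-gcm", "null"},
    "ipsec_protocol": {"esp", "ah"},
}

# Settings the table marks "(Recommended)".
RECOMMENDED = {
    "ike_version": "ikev2",
    "p1_dh_group": 20, "p1_auth": "sha512", "p1_encryption": "aes-256-cbc",
    "p2_dh_group": 20, "p2_auth": "sha512", "p2_encryption": "aes-256-gcm",
}

# Assumption for this example: choices a reviewer would block outright
# (legacy ciphers/hashes, small DH groups, no PFS, no Phase 2 auth, AH).
WEAK = {
    "ike_version": {"ikev1"},
    "p1_dh_group": {1, 2, 5},
    "p1_auth": {"md5"},
    "p1_encryption": {"des", "3des"},
    "p2_dh_group": {1, 2, 5, None},
    "p2_auth": {"md5", None},
    "p2_encryption": {"des", "3des", "null"},
    "ipsec_protocol": {"ah"},
}

# The validated profile from the second table (Phase 1 / Phase 2 columns).
VALIDATED = {
    "p1_encryption": "aes-256-cbc", "p1_auth": "sha256", "p1_dh_group": 14,
    "p2_encryption": "aes-256-cbc", "p2_auth": "sha1", "p2_dh_group": 14,
}


@dataclass
class Finding:
    key: str
    value: object
    level: str      # "error", "warn" or "ok"
    message: str


def check_profile(profile: dict) -> list:
    """Return one Finding per setting in SUPPORTED."""
    findings = []
    for key, allowed in SUPPORTED.items():
        if key not in profile:
            findings.append(Finding(key, None, "warn", "not specified"))
            continue
        value = profile[key]
        if isinstance(value, str):
            value = value.lower()
        if value not in allowed:
            findings.append(Finding(key, value, "error", "not a supported option"))
        elif value in WEAK.get(key, set()):
            findings.append(Finding(key, value, "error",
                                    f"weak choice; prefer {RECOMMENDED.get(key)}"))
        elif key in RECOMMENDED and value != RECOMMENDED[key]:
            findings.append(Finding(key, value, "warn",
                                    f"supported, but the guide recommends {RECOMMENDED[key]}"))
        else:
            findings.append(Finding(key, value, "ok", "supported"))
    return findings


def verdict(findings) -> str:
    """Collapse findings into accept / review / reject."""
    levels = {f.level for f in findings}
    if "error" in levels:
        return "reject"
    if "warn" in levels:
        return "review"
    return "accept"


if __name__ == "__main__":
    for f in check_profile(VALIDATED):
        print(f"{f.level:5} {f.key:15} {str(f.value):12} {f.message}")
    print("verdict:", verdict(check_profile(VALIDATED)))
```

Running the script against VALIDATED yields a "review" verdict: every setting is supported and none is weak, but Phase 2 integrity (SHA1) and DH group 14 in both phases are below the recommended SHA512 and Group 20, and the IKE version and IPSec protocol are not stated in the validated table, so they are reported as unspecified.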