Prisma Access
Aruba SD-WAN Solution Guide
Table of Contents
Aruba SD-WAN Solution Guide
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
A common network architecture today is to tunnel traffic between an organization’s HQ and
branches over either MPLS or dedicated encrypted VPN links. As more and more services
are cloud-based, and more information is available on the internet, it makes less sense
to tunnel traffic back to an aggregation point before routing it to its final
destination.
Breaking out traffic locally from the branches (as opposed to an on-premises appliance)
would allow traffic to reach its destination faster, and make a more efficient use of
bandwidth. However, allowing traffic directly between devices in the branch and the
internet may introduce security issues.
The integration between the Aruba Branch Gateways and Prisma Access makes it possible to
set up a secure connection between the branch networks and one or several cloud-hosted
enforcement points. The Aruba Branch gateway (BGW) can bring up secure tunnels to the
Prisma Access firewall and redirect selected traffic flows through Prisma Access to
provide advanced threat protection in an efficient and scalable way.
At the same time, the integration between ClearPass and Prisma Access enables sharing the
user context with the firewall, facilitating the creation of role-centric security
policy rules.
The integration between BGWs and Prisma Access consists on intelligently routing traffic
through the nearest firewall node to use the breath of security features Palo Alto
firewalls can provide. The combined solution can offer the following benefits:
- Unified security management for campus and branch networks.
- Context-aware security policy rules driven by ClearPass.
- Intelligent routing of traffic based on user-role and application.
Reference Architectures Supported with the Aruba and Prisma Access Deployment
The SD-branch and Prisma Access integration supports the following deployment scenarios.
Branch Gateways to Prisma Access
Aruba BGWs can establish tunnels to one or several Prisma Access nodes (in different regions, as
shown in the following figure) to secure user traffic going to public cloud
services or to the internet, thus providing high availability. The solution
allows for active/active cloud firewalls.
Regional Hub to Prisma Access
A common deployment type is one where branch traffic is aggregated at a local hub and then routed
to the internet or to other corporate resources. This case is especially common
when using private WAN networks. In such scenarios, Aruba VPNCs can set up
tunnels to the nearest Prisma Access firewall to have branch traffic go through
the distributed security service, as shown in the following figure.
Supported IKE and IPSec Cryptographic Profiles
The following table documents the IKE/IPSec crypto settings that are supported with Prisma Access
and the Aruba SD-WAN. A check mark indicates that the profile or architecture type
is supported; a dash (—) indicates that it's not supported. Default and Recommended
settings are noted in the table.
For a list of cryptographic profiles that have been tested and validated, see Validated IKE and IPSec Cryptographic Profiles.
| Crypto Profiles | Prisma Access | Aruba | |
|---|---|---|---|
| Tunnel Type | IPSec Tunnel | √ | √ |
| GRE Tunnel | — | N/A | |
| Routing | Static Routes | √ | √ |
| Dynamic Routing (BGP) | √ | — | |
| Dynamic Routing (OSPF) | — | — | |
| IKE Versions | IKEv1 | √ | √ Not recommended |
| IKEv2 | √ | √ | |
| IPSec Phase 1 DH-Group | Group 1 | √ | √ |
| Group 2 | √ (Default) | √ | |
| Group 5 | √ | — | |
| Group 14 | √ | √ | |
| Group 19 | √ | √ | |
| Group 20 | √ (Recommended) | √ | |
| IPSec Phase 1 Auth If
you use IKEv2 with certificate-based authentication, only SHA1 is
supported in IKE crypto profiles (Phase 1). | MD5 | √ | √ |
| SHA1 | √ (Default) | √ (SHA196, 168) | |
| SHA256 | √ | √ | |
| SHA384 | √ | √ | |
| SHA512 | √ (Recommended) | — | |
| IPSec Phase 1 Encryption | DES | √ | √ |
| 3DES | √ (Default) | √ | |
| AES-128-CBC | √ (Default) | √ | |
| AES-192-CBC | √ | √ | |
| AES-256-CBC | √ (Recommended) | √ | |
| IPSec Phase 1 Key Lifetime Default | √ (8 Hours) | √ | |
| IPSec Phase 1 Peer Authentication | Pre-shared key | √ | √ |
| Certificate | √ | √ | |
| IKE Peer Identification | FQDN | √ | √ |
| IP address | √ | √ | |
| User FQDN | √ | √ | |
| IKE Peer | As Static Peer | √ | √ |
| As Dynamic Peer | √ | √ | |
| Options | NAT Traversal | √ | √ |
| Passive Mode | √ | √ | |
| Ability to Negotiate Tunnel | Per Subnet Pair | √ | √ |
| Per Pair of Hosts | √ | √ | |
| Per Gateway Pair | √ | √ | |
| IPSec Phase 2 DH-Group | Group 1 | √ | √ |
| Group 2 | √ (Default) | √ | |
| Group 5 | √ | — | |
| Group 14 | √ | √ (Default) | |
| Group 19 | √ | √ | |
| Group 20 | √ (Recommended) | √ | |
| No PFS | √ | — | |
| IPSec Phase 2 Auth | MD5 | √ | √ |
| SHA1 | √ (Default) | √ | |
| SHA256 | √ | √ | |
| SHA384 | √ | √ | |
| SHA512 | √ (Recommended) | — | |
| None | √ | √ | |
| IPSec Phase 2 Encryption | DES | √ | √ |
| 3DES | √ (Default) | √ | |
| AES-128-CBC | √ (Default) | √ | |
| AES-192-CBC | √ | √ | |
| AES-256-CBC | √ | √ | |
| AES-128-CCM | √ | — | |
| AES-128-GCM | √ | — | |
| AES-256-GCM | √ (Recommended) | — | |
| NULL | √ | — | |
| IPSec Protocol | ESP | √ | √ |
| AH | √ | √ | |
| IPSec Phase 2 Key Lifetime Default | √ (1 Hour) | √ (2 Hours) | |
| Tunnel Monitoring Fallback | Dead Peer Detection (DPD) | √ | √ (for the tunnel) |
| ICMP | — | √ (for the uplink) | |
| Bidirectional Forwarding Detection (BFD) | — | — | |
| SD-WAN Architecture Type | With Regional Hub/Gateway/Data Center | N/A | √ |
| No Regional Hub/Gateway/Data Center | NA | — | |
Validated IKE and IPSec Cryptographic Profiles
Both the Aruba Branch Gateways and Prisma Access support several options when it
comes to setting up VPN tunnels. The following table provides the configurations
that have been validated for this solution, and offer a good compromise between
performance, flexibility, and security (considering the integration is mostly for
internet-bound traffic).
| Crypto Profile | Phase 1 | Phase 2 |
|---|---|---|
| Confidentiality | AES-256 You configure this setting as
aes-256-cbc in Prisma
Access. | AES-256 You configure this setting as
aes-256-cbc in Prisma
Access. |
| Integrity | SHA256 | SHA1 |
| Authentication | Username/Password | N/A |
| Key Exchange Method | Diffie-Helman | Diffie-Helman |
| Diffie-Helman Group | 14 | 14 |
| NAT-Transversal | Enabled | N/A |
| Dead Peer Detection (DPD) | Enabled | |
| Perfect Forward Secrecy (PFS) | N/A | Yes |
| VPN Type | N/A | Policy-based VPN |