Paloalto Prisma SD-WAN
Palo Alto Networks is an American network security vendor headquartered in Santa Clara, California. Its core products are Next-Generation Firewalls built on a Single-Pass Parallel Processing architecture, in which each packet is inspected once for all enabled security functions; the company presents this as a capability unique to it in the industry.
Licensed subscriptions extend the firewalls with GlobalProtect mobile security, content security services (URL Filtering, Threat Prevention) and integration with the WildFire malware analysis service, which helps in detecting threats and responding to risk.
One of the biggest issues in virtualization and cloud computing is securing that environment, which remains one of the most important challenges for cloud engineers today. Palo Alto Networks addresses these concerns with its cloud security product line.
Software-Defined Wide Area Network (SD-WAN) is a technology that combines multiple Internet and private WAN services (such as MPLS) into a smart, dynamic WAN that reduces cost and improves application quality and availability. Starting with PAN-OS 9.1, Palo Alto Networks offers its firewall security together with an SD-WAN overlay under a single management system (Panorama). Note that the features described on this page are those of the PAN-OS SD-WAN plugin; Prisma SD-WAN (formerly CloudGenix) is a separate Palo Alto Networks product with its own appliances and cloud controller.
Instead of an expensive and slow-to-provision MPLS circuit plus a stack of routers, firewalls, WAN path controllers and WAN optimizers to connect branches, SD-WAN-licensed firewalls from Palo Alto Networks let you use cheaper Internet links with fewer devices; there is no need to purchase and maintain separate WAN components.
PAN-OS security with SD-WAN features
The SD-WAN plugin integrates with PAN-OS to deliver firewall security and SD-WAN functionality from a single vendor. The SD-WAN layer supports dynamic, intelligent path selection based on the application or service and on the condition of the links that application or service is allowed to use. Path health is monitored per link, measuring latency, jitter and packet loss.
Granular application and service identification in the licensed Palo Alto SD-WAN lets you prioritize applications, for example by whether they are business critical, latency sensitive, or must meet specific health thresholds. Dynamic path selection steers around degraded links (brownouts) and failed links (blackouts) by moving sessions to a better-performing path in under a second.
The SD-WAN layer works with all PAN-OS security features such as User-ID and App-ID, giving the branch office full security control. The full set of App-ID capabilities (App-ID decoders, the App-ID cache, and External Dynamic Lists of IP addresses) is available to define the applications used for application-based management of SD-WAN traffic.
Firewalls can be deployed with zero-trust traffic segmentation in the licensed Palo Alto SD-WAN. SD-WAN hubs and branches are configured and managed from the Panorama web interface or the Panorama REST API. If you use cloud-based services, you may want Internet traffic to flow directly from the branch office to the cloud over a locally connected ISP instead of being backhauled from the branch to your hub and then out to the Internet. Internet access of this kind is called Direct Internet Access (DIA).
DIA avoids spending hub bandwidth and money on Internet traffic. Because the branch firewall itself enforces security, a hub firewall is not needed to secure that Internet traffic. Use DIA per branch for SaaS, web browsing, or bandwidth-heavy applications that do not need to be forwarded to the hub. The following figure shows a DIA virtual interface with three links from a branch to the cloud, and a VPN virtual tunnel interface with four links connecting the branch office to the central hub.
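As an added illustration of the per-link health monitoring, application-based path selection and DIA-versus-hub steering described above (this is example code written for this page, not PAN-OS or Panorama code), the following Python model evaluates constructed per-link health samples against per-application path quality profiles, restricts each application to the link tags it may use (DIA only, hub VPN only, or either), falls back to the least-bad link when no link meets its profile, and moves sessions only when their current path drops below its profile. Link names, applications, thresholds and the scoring weights are assumptions.

```python
"""
Simplified model of SD-WAN path-quality monitoring and application-based
path selection. Added example, not PAN-OS or Panorama code; link names,
thresholds, application names and scoring weights are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class PathQualityProfile:
    """Maximum tolerated latency, jitter and packet loss for an application."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass
class LinkHealth:
    """Latest probe result for one WAN link (sample values are constructed)."""
    name: str
    tag: str            # "dia" = direct Internet link, "hub-vpn" = tunnel to the hub
    latency_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True


def meets_profile(link: LinkHealth, profile: PathQualityProfile) -> bool:
    """A link is usable for an app only if it is up and within all three thresholds."""
    return (link.up
            and link.latency_ms <= profile.max_latency_ms
            and link.jitter_ms <= profile.max_jitter_ms
            and link.loss_pct <= profile.max_loss_pct)


def link_score(link: LinkHealth) -> float:
    """Composite cost of a link; lower is better. Weights are an assumption."""
    return link.latency_ms + 2.0 * link.jitter_ms + 50.0 * link.loss_pct


# Per-application policy (assumed): allowed link tags and required path quality.
APP_POLICY: Dict[str, Tuple[Set[str], PathQualityProfile]] = {
    "office365": ({"dia"}, PathQualityProfile(150, 30, 2.0)),            # SaaS: DIA only
    "voip":      ({"dia", "hub-vpn"}, PathQualityProfile(100, 10, 1.0)),  # jitter sensitive
    "erp":       ({"hub-vpn"}, PathQualityProfile(80, 15, 1.0)),          # critical, via hub
}


def best_available_path(app: str, links: List[LinkHealth]) -> Optional[str]:
    """Pick the healthiest link the app is allowed to use.

    Links with the wrong tag or that are down are never considered. If no
    eligible link meets the profile (a brownout on every link), the least-bad
    link is used rather than dropping the traffic.
    """
    tags, profile = APP_POLICY[app]
    eligible = [l for l in links if l.tag in tags and l.up]
    healthy = [l for l in eligible if meets_profile(l, profile)]
    pool = healthy or eligible
    if not pool:
        return None
    return min(pool, key=link_score).name


def reselect(app: str, current: Optional[str], links: List[LinkHealth]) -> Optional[str]:
    """Keep an existing session on its path unless that path falls below the profile.

    Switching only on degradation, not whenever a marginally better link
    appears, avoids flapping sessions between links.
    """
    tags, profile = APP_POLICY[app]
    by_name = {l.name: l for l in links}
    cur = by_name.get(current) if current else None
    if cur is not None and cur.tag in tags and meets_profile(cur, profile):
        return cur.name
    return best_available_path(app, links)


def sample_links() -> List[LinkHealth]:
    """Constructed health samples for two DIA links and two hub tunnels."""
    return [
        LinkHealth("broadband1", "dia", 20, 3, 0.1),
        LinkHealth("lte1", "dia", 60, 12, 0.5),
        LinkHealth("vpn-mpls", "hub-vpn", 30, 2, 0.0),
        LinkHealth("vpn-broadband", "hub-vpn", 25, 6, 0.3),
    ]


if __name__ == "__main__":
    links = sample_links()
    for app in APP_POLICY:
        print(f"{app:10s} -> {best_available_path(app, links)}")
    # Simulate a brownout on the primary broadband link.
    links[0].latency_ms, links[0].loss_pct = 150, 3.0
    print("voip after brownout  ->", reselect("voip", "broadband1", links))
    print("office365 after brownout ->", reselect("office365", "broadband1", links))
```

Two points the model makes explicit: DIA-only applications never fall back to the hub tunnel even when every DIA link is degraded (they take the least-bad DIA link instead), and a session on a path that still meets its profile is not moved just because another link scores better.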
Panorama's SD-WAN configuration and management tools let you configure many options across many geographically dispersed firewalls far faster and more easily than configuring each firewall individually: network configuration changes are made in one place. Auto VPN configuration lets Panorama provision branches and hubs with secure IKE/IPSec tunnels. A VPN cluster defines the hubs and branches in a geographic area that connect to one another. The firewall monitors the path state over each VPN tunnel between branch and hub so that outages are detected.
The Panorama dashboard provides visibility into SD-WAN links and their performance, letting you tune path quality thresholds and other SD-WAN settings to improve performance. Centralized metrics and reports include application and link performance metrics, path health metrics, trend analysis, and targeted views of application and link issues.
Start by understanding the SD-WAN use cases, then review the SD-WAN components and how traffic is distributed, and plan your SD-WAN configuration. To speed up the setup considerably, export the empty SD-WAN device CSV template from Panorama and fill in information such as the branch firewall's IP address, the virtual router it uses, the site name, the zone the firewall belongs to, and its BGP routing details. Panorama uses the CSV file to configure SD-WAN hubs and branches and automatically builds the VPN tunnels between them.