(Panorama Managed)
Routing and SD-WAN Design
- Remote networks form a full mesh of routing and IPsec tunnels with other remote networks and service connections.
- Dynamic routing is deployed internally in the cloud, and eBGP is used to peer with the customer's on-premises equipment (CPE).
- This implementation provides complete fault tolerance for all components, provided there are sufficient cloud nodes.
MU-SPNs and portals always connect to the geographically closest SC-CAN.
Through this SC-CAN, mobile users can reach any remote network within a single hop.
Routing Modes:
With Prisma Access, you can choose between the default routing mode and hot-potato routing mode.
COLD POTATO (the default routing mode)
In the default routing mode, the Prisma Access cloud uses the dynamic-routing best-path selection without adjusting any BGP attributes, and delivers traffic through whichever RN-SPN or SC-CAN that best path selects for delivery to the customer's network.
In this mode, Prisma Access honours any attribute advertised by the customer-premises equipment (CPE), so a CPE-side AS-path prepend or MED is enough to influence which service connection is used.
*Traffic stays inside Prisma Access for longer before being handed off, so it is subject to Prisma Access security policy and inspection for a more extended period, which can give better security and visibility.
HOT POTATO
Prisma Access also supports configuring SC-CANs for hot-potato routing. In hot-potato routing mode, Prisma Access uses service connections to pass traffic to your organisation's network as quickly as possible, handing off at the nearest SC-CAN. Use this routing method if you want your organisation's network to make the majority of routing decisions.
The principle is that the customer network may have better options to move the traffic to its ultimate destination.
*Traffic is handed off via SC-CANs (not RN-SPNs) because service connections are unmetered.
Basically, use the default method (it's the default for a reason, dummy), but use hot-potato if the customer has better, more direct routing than Prisma Access does, or if the organisation prioritises lower latency for remote users or branch offices reaching its resources or the internet.
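To make the difference concrete, here is an added toy model of the two modes (not Prisma Access code, and not how the cloud is implemented). It assumes a cut-down BGP decision process (longest prefix, then LOCAL_PREF, AS_PATH length, MED); the SC-CAN names, RTTs and advertised prefixes are constructed for illustration:

```python
# Added example (not Prisma Access code): a toy model of how the default
# (cold-potato) and hot-potato routing modes pick the SC-CAN that hands
# traffic to the customer network. The BGP decision process is reduced to
# longest prefix, then highest LOCAL_PREF, shortest AS_PATH, lowest MED.
# SC-CAN names, RTTs and the advertised prefixes are constructed.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    sc_can: str            # service connection that learned the route from the CPE
    as_path: tuple         # exactly as advertised by the CPE; prepends lengthen it
    med: int = 0
    local_pref: int = 100


def bgp_best_path(candidates):
    """Subset of the BGP decision process applied to routes for one destination.

    Longest prefix is decided before any attribute is compared; then
    LOCAL_PREF (higher wins), AS_PATH length (shorter wins), MED (lower wins).
    Nothing is rewritten, so a CPE-side prepend or MED is honoured as-is.
    """
    return min(
        candidates,
        key=lambda r: (-r.prefix.prefixlen, -r.local_pref, len(r.as_path), r.med),
    )


def select_exit(dest, routes, mode, sc_rtt_ms):
    """Return the SC-CAN used to hand `dest` to the customer network.

    sc_rtt_ms: constructed round-trip time from the traffic source (a mobile
    user or RN-SPN) to each SC-CAN; only the hot-potato mode looks at it.
    """
    matching = [r for r in routes if ip_address(dest) in r.prefix]
    if not matching:
        return None
    if mode == "default":
        return bgp_best_path(matching).sc_can
    if mode == "hot-potato":
        # Hand off at the SC-CAN closest to the source that has any route to
        # the destination; the customer network does the rest of the routing.
        reachable = {r.sc_can for r in matching}
        return min(reachable, key=lambda sc: sc_rtt_ms[sc])
    raise ValueError(f"unknown routing mode: {mode}")


def example_routes():
    """Constructed routing table as seen by the Prisma Access cloud.

    The customer has two data centres. Both advertise 10.0.0.0/8, but the US
    CPE prepends its AS three times to say "prefer the EU entry point", and
    only the US CPE advertises the more specific 10.20.0.0/16.
    """
    return [
        Route(ip_network("10.0.0.0/8"), "SC-EU", as_path=(65001,)),
        Route(ip_network("10.0.0.0/8"), "SC-US", as_path=(65001, 65001, 65001)),
        Route(ip_network("10.20.0.0/16"), "SC-US", as_path=(65001, 65001, 65001)),
    ]


# Constructed RTT from a mobile user on a US MU-SPN to each SC-CAN.
US_USER_RTT_MS = {"SC-US": 20, "SC-EU": 110}


if __name__ == "__main__":
    routes = example_routes()
    for dest in ("10.1.2.3", "10.20.5.5"):
        for mode in ("default", "hot-potato"):
            print(dest, mode, "->", select_exit(dest, routes, mode, US_USER_RTT_MS))
```

Run it and the US user's traffic for 10.1.2.3 goes to SC-EU in default mode (the prepend is honoured) but to SC-US in hot-potato mode (nearest exit, attributes ignored); the more specific 10.20.0.0/16 wins in default mode before any attribute is looked at.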
Traffic Steering:
Traffic steering allows a customer to use the Prisma Access high-speed network while continuing to use its existing on-premises security stack.
With default route traffic steering, you can configure service connections as an alternate destination rather than sending traffic to the internet.
You can use routing and traffic-forwarding rules to steer traffic. (Traffic steering always has higher preference than routing.)
You can apply traffic steering to mobile users and remote network sessions.
By default, Prisma Access rejects a default route (0.0.0.0/0) learned from an SC-CAN or RN-SPN; enabling default-route traffic steering is what lets a service connection become the internet exit.
Advantages:
- This option simplifies the routing of all user traffic via data centres.
- No IP allow lists are required for Prisma Access egress IP addresses.
Disadvantages:
- Because all traffic is forwarded to the data centres (backhaul), user experience and network performance might be affected.
Enable Default-Route Traffic Steering
Some customers might need to inspect all user traffic (i.e., all ports and protocols) to the internet with an on-premises customized security stack, and also to capture all user traffic (to fulfil corporate policy and compliance requirements).
To support both requirements, you can route all mobile user traffic and remote network traffic (to the internet) via one or more on-premises data centres. When this option is enabled, Prisma Access forwards all traffic to the participating SC-CANs, but you are responsible for routing the traffic to the internet and back to Prisma Access.
Traffic Steering with Traffic-Forwarding Rules
Traffic steering allows you to route traffic based upon flow-match criteria. EDLs (IP type) and dynamic address groups can be used under the source and destination address fields.
Steering of user traffic based on flow-match criteria:
- Source address
- User-ID
- Destination address
- URL and custom URL category
- Service type
By default, the mobile user security processing nodes (MU-SPNs) and remote network security processing nodes (RN-SPNs) forward internet-bound traffic directly to the internet, subject to security rules and threat scanning.
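An added worked example (not Prisma Access code) of how steering rules, routing and the default-route setting interact: rules are evaluated top-down with first match winning, a matching rule overrides the routing lookup, and a 0.0.0.0/0 advertised over a service connection is only installed when default-route steering is enabled. The EDL ranges, user names, services, categories and routes are all constructed:

```python
# Added example (not Prisma Access code): a toy evaluator for traffic-steering
# rules and their precedence over routing. Rules are checked top-down, first
# match wins, and a matching rule's target overrides the routing lookup, which
# is consulted only when no rule matches. The address objects, users, URL
# categories, services and routes below are all constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    user: str
    dst: str
    service: str                        # e.g. "tcp/443"
    url_category: Optional[str] = None  # None for non-web traffic


@dataclass
class SteeringRule:
    name: str
    target: str                                   # service-connection group or "internet"
    src_addrs: set = field(default_factory=set)   # CIDRs; empty set = any
    users: set = field(default_factory=set)       # User-ID names; empty = any
    dst_addrs: set = field(default_factory=set)   # CIDRs, e.g. an IP-type EDL or DAG resolved to networks
    url_categories: set = field(default_factory=set)
    services: set = field(default_factory=set)


def _addr_match(addr, cidrs):
    return not cidrs or any(ip_address(addr) in ip_network(c) for c in cidrs)


def rule_matches(rule, flow):
    return (
        _addr_match(flow.src, rule.src_addrs)
        and (not rule.users or flow.user in rule.users)
        and _addr_match(flow.dst, rule.dst_addrs)
        and (not rule.url_categories or flow.url_category in rule.url_categories)
        and (not rule.services or flow.service in rule.services)
    )


def build_routing_table(advertised, accept_default_route):
    """Routes learned from SC-CANs/RN-SPNs, keyed CIDR -> next hop.

    Mirrors the documented default: a 0.0.0.0/0 advertised over a service
    connection is rejected unless default-route traffic steering is enabled.
    """
    return {
        cidr: nh
        for cidr, nh in advertised.items()
        if accept_default_route or ip_network(cidr).prefixlen > 0
    }


def route_lookup(dst, routing_table):
    """Longest-prefix match; with no route at all, egress directly to the internet."""
    best = None
    for cidr, nh in routing_table.items():
        net = ip_network(cidr)
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else "internet"


def forwarding_decision(flow, rules, routing_table):
    """Return (target, reason): steering rules first, routing only as fallback."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.target, rule.name
    return route_lookup(flow.dst, routing_table), "routing"


# Constructed policy: partner ranges from an IP-type EDL, and all web traffic
# from two finance users, are forced through the data-centre stack.
RULES = [
    SteeringRule("partner-via-dc", "sc-group-dc", dst_addrs={"203.0.113.0/24", "198.51.100.0/24"}),
    SteeringRule("finance-web-via-dc", "sc-group-dc", users={"alice", "bob"}, services={"tcp/80", "tcp/443"}),
]

# Constructed advertisements from the customer's CPE over the service connection.
ADVERTISED = {"10.0.0.0/8": "sc-group-dc", "0.0.0.0/0": "sc-group-dc"}


if __name__ == "__main__":
    web = Flow("100.64.1.10", "carol", "93.184.216.34", "tcp/443", "computer-and-internet-info")
    for accept_default in (False, True):
        table = build_routing_table(ADVERTISED, accept_default)
        print("default-route steering =", accept_default, "->", forwarding_decision(web, RULES, table))
```

With default-route steering off, carol's web session egresses directly (no rule, no default route); switching it on backhauls the same session through sc-group-dc without touching the rules, while alice's web traffic and anything to the partner EDL go via the data centre in both cases because a steering rule matched first.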
Goals of SD-WAN
An SD-WAN can:
- Simplify branch connectivity by automating the deployment and management of WAN connections, reducing the need for manual configuration and maintenance.
- Optimize application performance by dynamically selecting the best WAN link based on real-time network conditions, such as latency, packet loss, and available bandwidth.
- Enhance security by integrating with Palo Alto Networks' next-generation firewalls and Prisma Access, providing advanced threat protection, visibility, and consistent security policies across all branch locations.
- Reduce costs by leveraging lower-cost broadband connections alongside or in place of traditional MPLS links, while maintaining the required performance and reliability.
SD-WAN deployments generally consist of two components:
- a controller that administrators use to centrally configure WAN topologies and to define traffic path rules
- SD-WAN edge devices that reside at every site and act as the connection and termination points of the SD-WAN fabric.
Organisations can deploy one or more SD-WAN edge devices at each branch site and connect the devices to an SD-WAN fabric or SD-WAN overlay.
Administrators use the SD-WAN controller, based either in the cloud or on the organisation’s premises, to manage and configure these edge devices and define the traffic forwarding policies at each site.
To secure SD-WAN deployments, use the following workflow:
Step 1
Onboard the branch sites as remote networks by setting up site-to-site IPsec tunnels between the SD-WAN edge devices and Prisma Access.
Step 2
Set up an IPsec tunnel as a remote network between the SD-WAN edge device at headquarters and Prisma Access. By setting up the tunnel as a remote network, you trigger another RN-SPN to be spun up.
Step 3
Use the SD-WAN controller to create traffic-forwarding policies or rules for the SD-WAN devices.
The SD-WAN edge devices at each site use these rules to determine the traffic to send to Prisma Access for security and threat prevention.
Next-Generation SD-WAN Solution: Prisma SD-WAN
(formerly known as CloudGenix)
“the industry’s first next-generation SD-WAN solution” 😀
Advantages include a single web interface for Prisma Access onboarding, including VPN configuration, and the ability to steer voice traffic over the most reliable, low-jitter circuits while letting applications that are less sensitive to latency, such as FTP, use other, less-reliable transport circuits.
- Panorama and Prisma Access Integration
Prisma SD-WAN can integrate with Panorama and Prisma Access directly to provision remote networks.
- Comprehensive SASE Solution
The combination of Prisma Access and Prisma SD-WAN provides the most comprehensive SASE solution in the industry.
- Vendor Tools Integration
Prisma SD-WAN also integrates with other vendors' tools.
- Application-Based Traffic Steering and Monitoring
- Robust Logging and Reporting
- ADEM (Autonomous Digital Experience Management) Integration
Application-based traffic steering and monitoring ("next-gen"):
This approach focuses on the specific applications running on the network, like web browsing, video streaming, or VoIP calls.
Traffic is prioritized and steered based on application requirements, such as latency, bandwidth, and reliability.
This method allows for more granular control over network traffic.
Layer 3 or circuit-based traffic steering (old, bad, sad):
This approach focuses on the underlying network connections (circuits) and their characteristics, like bandwidth, latency, and cost.
Traffic steering decisions are made based on the performance of the circuits, without considering the specific applications generating the traffic.
This method provides a more generalized approach to traffic management, without prioritizing specific applications or adjusting to real-time network conditions.
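An added example (not Prisma SD-WAN code) that contrasts the two approaches as path-selection logic: the circuit-based selector picks one circuit for everything from link metrics alone, while the application-based selector first filters circuits against each application's SLA and then prefers the cheapest qualifying one. The circuit metrics and SLA thresholds are constructed, not vendor defaults:

```python
# Added example (not Prisma SD-WAN code): a toy path selector contrasting
# application-based steering with circuit-based steering. The circuit metrics
# are a constructed snapshot and the per-application SLA thresholds are
# illustrative, not vendor defaults.
from dataclasses import dataclass


@dataclass(frozen=True)
class Circuit:
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float
    free_bw_mbps: float
    cost_per_gb: float


@dataclass(frozen=True)
class AppSLA:
    name: str
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float
    min_bw_mbps: float


def circuit_based_choice(circuits):
    """Layer 3 / circuit-based: one 'best' circuit for every flow.

    Lowest latency among circuits with at most 2% loss; what the application
    actually needs never enters the decision.
    """
    usable = [c for c in circuits if c.loss_pct <= 2.0] or list(circuits)
    return min(usable, key=lambda c: c.latency_ms).name


def meets_sla(app, circuit):
    return (
        circuit.latency_ms <= app.max_latency_ms
        and circuit.loss_pct <= app.max_loss_pct
        and circuit.jitter_ms <= app.max_jitter_ms
        and circuit.free_bw_mbps >= app.min_bw_mbps
    )


def app_based_choice(app, circuits):
    """Application-based: only circuits that satisfy this app's SLA qualify.

    Among qualifying circuits the cheapest is used, which pushes
    latency-tolerant bulk traffic onto broadband and keeps the expensive,
    stable circuit free for real-time apps. If nothing qualifies (brownout),
    degrade gracefully to the circuit with the lowest loss, then latency.
    """
    qualifying = [c for c in circuits if meets_sla(app, c)]
    if qualifying:
        return min(qualifying, key=lambda c: c.cost_per_gb).name
    return min(circuits, key=lambda c: (c.loss_pct, c.latency_ms)).name


# Constructed snapshot of three branch circuits.
HEALTHY = [
    Circuit("MPLS", latency_ms=30, loss_pct=0.1, jitter_ms=2, free_bw_mbps=20, cost_per_gb=0.10),
    Circuit("Broadband", latency_ms=45, loss_pct=0.8, jitter_ms=15, free_bw_mbps=200, cost_per_gb=0.01),
    Circuit("LTE", latency_ms=80, loss_pct=2.5, jitter_ms=30, free_bw_mbps=30, cost_per_gb=0.50),
]
# Same site during an MPLS brownout (constructed).
MPLS_BROWNOUT = [Circuit("MPLS", 250, 5.0, 40, 20, 0.10)] + HEALTHY[1:]

VOIP = AppSLA("voip", max_latency_ms=150, max_loss_pct=1.0, max_jitter_ms=10, min_bw_mbps=0.1)
FTP = AppSLA("ftp", max_latency_ms=500, max_loss_pct=3.0, max_jitter_ms=100, min_bw_mbps=5)


if __name__ == "__main__":
    for label, circuits in (("healthy", HEALTHY), ("mpls brownout", MPLS_BROWNOUT)):
        print(label, "circuit-based:", circuit_based_choice(circuits))
        for app in (VOIP, FTP):
            print(label, app.name, "app-based:", app_based_choice(app, circuits))
```

On the healthy snapshot the circuit-based selector puts everything, FTP included, on MPLS, whereas the application-based selector keeps VoIP on MPLS and moves FTP to broadband; during the brownout VoIP has no qualifying circuit and falls back to the lowest-loss link rather than staying pinned to the degraded MPLS circuit.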