https://live.paloaltonetworks.com/t5/prisma-access-discussions/fw-at-branch-with-sase/m-p/378240#M162 <P>Thanks <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167333">@tabner</a>&nbsp; that's pretty quick.</P><P>&nbsp;</P><P>Really appreciate your feedback</P> Wed, 06 Jan 2021 20:38:58 GMT FWPalolearner 2021-01-06T20:38:58Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/fw-at-branch-with-sase/m-p/378191#M158 <P>Hello ,</P><P>&nbsp;</P><P>We have a customer having branches all across the globe but very very less MPLS . 95 % they are con,nected via IPSEC VPN Tunnels</P><P>&nbsp;</P><P>They have Fortinet Fortigate FWs at their Branches and DCs</P><P>&nbsp;</P><P>Does Prisma Access need Palo Alto FW at each Branch ?&nbsp; I believe only thing needed is to make an IPSEC Connection from Branch to the SASE cloud which even a Router at Branch can make . But just confirming ?</P><P>&nbsp;</P><P>Also I know Prisma Access need Panorama but does it need any PAN GW also ? In my case , all the GW at branches and DC are Fortigate ( Non PAN ) .</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 06 Jan 2021 19:04:46 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/fw-at-branch-with-sase/m-p/378191#M158 FWPalolearner 2021-01-06T19:04:46Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/fw-at-branch-with-sase/m-p/378221#M159 <P><SPAN>The only requirement at the branch is that the CPE can build an IPSec tunnel to Prisma Access.&nbsp; So it doesn't matter which vendor it is.</SPAN></P><P>&nbsp;</P><P>You don't need a PAN NGFW or any other FW at the branches unless you need local (east-West) segmentation/security or to inspect traffic that you aren't sending to Prisma Access(e.g. MPLS traffic that won't traverse Prisma Access).&nbsp; You could use a router to forward all traffic via an IPSec tunnel to Prisma Access.</P><P>&nbsp;</P><P>The only recommendation for on-prem FWs is for sites where you have service connections.&nbsp; These are the&nbsp;connections to data centers for the branches and users to access internal shared resources (e.g. AD).&nbsp; &nbsp;The service connections are not subjected to policy so its recommended that you have a FW terminating the Service Connections</P> Wed, 06 Jan 2021 19:30:28 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/fw-at-branch-with-sase/m-p/378221#M159 tabner 2021-01-06T19:30:28Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/fw-at-branch-with-sase/m-p/378226#M160 <P>Ok thanks a lot,</P><P>&nbsp;</P><P>So the fw where service.connection has to be terminated has to be a PANFw or any FW Like fortigate etc ?</P><P>&nbsp;</P><P>Also , this means that only Palo Alto component needed other than primsa access cloud is panorama ?</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 06 Jan 2021 20:09:08 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/fw-at-branch-with-sase/m-p/378226#M160 FWPalolearner 2021-01-06T20:09:08Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/fw-at-branch-with-sase/m-p/378227#M161 <P>Yup, any FW.&nbsp; You must have Panorama and you also must have Cortex Data Lake for logging.&nbsp; When you purchase Prisma Access, it always comes with data lake for logging.&nbsp; You don't do hardly anything with the data lake after initial setup and that is pretty simple.</P> Wed, 06 Jan 2021 20:22:38 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/fw-at-branch-with-sase/m-p/378227#M161 tabner 2021-01-06T20:22:38Z https://live.paloaltonetworks.com/t5/prisma-access-discussions/fw-at-branch-with-sase/m-p/378240#M162 <P>Thanks <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167333">@tabner</a>&nbsp; that's pretty quick.</P><P>&nbsp;</P><P>Really appreciate your feedback</P> Wed, 06 Jan 2021 20:38:58 GMT https://live.paloaltonetworks.com/t5/prisma-access-discussions/fw-at-branch-with-sase/m-p/378240#M162 FWPalolearner 2021-01-06T20:38:58Z