Secure and Optimize Your Cloud Connectivity with PANOS SD-WAN and Palo Alto Networks VM-Series on OCI

Introduction

Organizations are increasingly embracing cloud environments for their flexibility, scalability, and cost-effectiveness. However, securing and optimizing connectivity across these distributed locations can be a challenge. This is where Palo Alto Networks® (PAN) OS SD- WAN with VM-Series firewalls deployed on Oracle Cloud Infrastructure (OCI) comes in.

This document describes different deployment options which can be used to connect an on- prem branch/datacenter to a cloud environment, and connectivity between multi cloud infrastructure.

What is PANOS SD-WAN?

The SD-WAN plugin is integrated with PAN-OS, so that you get the security features of a PAN- OS firewall and SD-WAN functionality from a single vendor.

The SD-WAN overlay supports dynamic, intelligent path selection based on applications and services and the conditions of links that each application or service is allowed to use. The path health monitoring for each link includes latency, jitter, and packet loss.

Granular application and service controls allow you to prioritize applications based on whether the application is mission-critical, latency-sensitive, or meets certain health criteria, for example.

Dynamic path selection avoids brownout and node failure problems because sessions fail over to a better performing path in less than one second.

PANOS SD-WAN is a software solution that delivers intelligent path selection, application-aware routing, and dynamic orchestration for WAN connections. It empowers you to:

• Optimize application performance: By dynamically routing traffic across the best available path based on real-time conditions like latency, jitter, and packet loss.
• Improve security posture: Leveraging the industry-leading security capabilities of Palo Alto Networks firewalls to protect your applications and data.
• Simplify network management: Centralized management simplifies configuration, monitoring, and troubleshooting across your entire WAN.

Benefits of VM-Series on OCI

The Palo Alto VM-Series firewall is a next-generation security solution available as a virtual appliance. Deploying VM-Series on OCI offers several advantages:

Scalability: Easily scale your security resources up or down to meet your changing needs.
Cost-effectiveness: Pay only for the resources you use, reducing upfront costs.
High availability: Leverage OCI's robust infrastructure for increased uptime and redundancy.
Seamless integration: VM-Series integrates seamlessly with other OCI services like Virtual Cloud Networks (VCNs) and Flexible Network Load Balancers.

Deployment and Configuration

Deploying VM-Series on OCI can be achieved through the OCI Console or by leveraging Infrastructure as Code (IaC) tools like Terraform.

Above architecture shows, two PA-VM in HA acting as a HUB over OCI Platform and one Branch VM deployed on-prem.

We have created SDWAN tunnels between Hub-Spoke Firewall to achieve resiliency, scalable and secure channel to communicate.

For detailed instructions, refer to the Palo Alto Networks documentation: VM-Series Deployment Guide.

Supported SD-WAN Features

While not all PANOS SD-WAN features are supported on VM-Series, key functionalities like:

• Dynamic path selection
• Application awareness
• Centralized management

Use-Cases of PAN-OS SDWAN:

1. Improved Branch Office Connectivity: PAN-OS SD-WAN can leverage multiple internet connections (e.g., cable, DSL, MPLS) at branch offices. It intelligently steers traffic across the best performing link based on real-time metrics like latency, jitter, and packet loss. This redundancy ensures consistent application performance and business continuity.
2. Cost Optimization: By using multiple internet connections, businesses can potentially reduce their reliance on expensive MPLS circuits. PAN-OS SDWAN optimizes traffic flow, potentially leading to lower overall bandwidth costs.
3. Application Performance: PAN-OS SD-WAN prioritizes business-critical applications like VoIP and video conferencing by allocating bandwidth and selecting the most suitable path. This ensures smooth user experience for these essential applications.
4. Security Integration: A key advantage of PAN-OS SD-WAN is its tight integration with Palo Alto Networks next-generation firewalls. This provides consistent security policies across the entire network, from branch offices to data centers.
5. Simplified Management: PAN-OS SD-WAN offers a centralized management console for provisioning, configuration, and monitoring of all SD-WAN devices. This simplifies network administration and reduces complexity.
6. Saas Quality testing for Critical App
   1. Concept for this Use-Case Link [docs.paloaltonetworks.com]
   2. If your organization is leveraging a business-critical SaaS application at a branch
      firewall location, you can configure a SaaS Quality profile and associate it with a
      SD-WAN policy rule to monitor the latency, jitter, and packet loss health metrics
      of the critical SaaS application and swap links from an SD-WAN branch firewall
      to a SaaS application on a Direct Internet Access (DIA) link to ensure application
      usability.
   3. If the business-critical SaaS application DIA link health metric thresholds are
      exceeded, the link is swapped to the next DIA link configured in the Traffic
      Distribution profile for all new sessions. The existing session on the degraded DIA
      link is not swapped over to the next DIA link.
7. Distribute Unmatched Sessions
   1. Concept for this Use-Case Link [docs.paloaltonetworks.com]
   2. Path Quality Profile that sets very high latency, jitter, and packet loss thresholds
      that will never be exceeded. For example, 2,000ms latency, 1,000ms jitter, and
      99% packet loss.
   3. Traffic Distribution Profile that specifies the SD-WAN link tags you want to use, in
      the order in which you want the links associated with those link tags to be used
      by unmatched sessions.
   4. A catch-all SD-WAN policy rule and on the Application/Service tab, specify the
      Path Quality Profile that you created along with Traffic Distribution Profile.
8. Direct Internet Access (DIA) use-case
   1. Concept link [docs.paloaltonetworks.com]
   2. Configure policy for few internet/public applications to access via internet using
      DIA link
9. SD-WAN Error Correction Profiles
   1. Concept for this Use-Case Link [docs.paloaltonetworks.com]
   2. Packet Duplication
   3. SD-WAN also supports packet duplication as an alternative method of error
      correction. Packet duplication performs a complete duplication of an application
      session from one tunnel to a second tunnel. Packet duplication requires more
      resources than FEC and should be used only for critical applications that have
      low tolerance for dropped packets

Conclusion

PANOS SD-WAN with Palo Alto Networks VM-Series on OCI provides a powerful and secure solution for optimizing and protecting your cloud connectivity. This combination delivers the scalability, cost-efficiency, and security needed for organizations of all sizes to thrive in today's dynamic cloud environment.

References:

Palo Alto Networks VM-Series on OCI Documentation: Link
VM-Series Deployment Guide: Link
How VM-Series Integrates with OCI Flexible Network Load Balancer: Link
System Requirement for SDWAN: Link
Set-up Panorama & Firewall for SDWAN: Link
Troubleshoot App Performance
Troubleshoot Link Performance
Upgrading SD-WAN Firewalls
Upgrading SD-WAN Plugin
Uninstalling SD-WAN Plugin