Prisma SD-WAN vs PAN-OS SD-WAN - Focused on SASE

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Prisma SD-WAN vs PAN-OS SD-WAN - Focused on SASE

L4 Transporter

Prisma SD-WAN vs PAN-OS SDWAN ... Focused on SASE


Hi good afternoon, as always, thanks for the time to answer and the good vibes. Today there is some confusion regarding these different variables, whether to use Prisma SD-WAN i.e. CloudGenix ION, to put together a sd-wan based network and/or to use PAN-OS SD-WAN.

 

Thinking about an environment with 30 branches, some sites with 2 links, the most critical ones, others with only one, that have Palo Alto FWs, connected by IPSEC currently to the Central HQ site and another 5 or 6 sites, with non Palo Alto FWs ( Standard IPSEC connection ) and a couple of edge routers in branches, with IPSEC. NO PANORAMA.

 

Now thinking about the above scenario, which is more convenient to use PAN-OS SDWAN to put together the SDWAN architecture, thinking about adding the SDWAN subscription or use Prisma-SDWAN with ION Cloudgenix ? ( I Know Panorama it is not obligation,if it makes everything more friendly and practical, but PANORAMA is not obligation - If I am in error at this point, please let me know, thank you )  

 

With PAN-OS SDWAN, I have firewall with full coverage, while with cloudgenix I only have a device that its purpose is sd-wan connectivity but not security, as a firewall gives me.

 

On the other hand, as the title indicates, thinking about the approach of jumping on the "SASE" bandwagon, and in the future... having the VPN Global Protect connections in Prisma Access, but currently they are in the PA, or HA pair in the Central site, what would be the best planning strategy because or which products/subscriptions/services do you target, according to the environment and infra before commented ? With Prima access/Prisma SD-WAN can I integrate FWs, routers or third party devices with IPSEC and integrate them to the SDWAN architecture?

 

Thanks as always for the good vibes, collaboration and for the time.

 

Best regards

High Sticker
2 REPLIES 2

L2 Linker

Hi @Metgatz 

I will try to describe the possible solutions with some general use cases. 

 

PANOS-SD-WAN 

  • With Panos-SDWAN you can replace most wan facing hardware and a couple of firewalls will cover your needs at almost all locations.
  • All traffic can be inspected for EAST-WEST and NORTH-SOUTH  directions which helps for zero trust. 
  • Creating and managing the SDWAN fabric is a bit complex task, and someone with good knowledge of PAN-OS will be easy to deploy and manage infra. 
  • The major drawback of this option is the analytics and reporting part which are better with Prisma SDWAN.

Prisma-SDWAN + Prisma Access

  • Compared to PAN-OS SDWAN Prisma SDWAN is easy to deploy and manage and will leverage your visibility in the network at a much granular level which helps to address network and application issues with minimal turnaround time. 
  • With Prisma SDWAN at branches, you may not get the full fledge firewall but this does support zone base firewall features. 
  • EAST-WEST traffic can be inspected by Prisma SDWAN and NORTH-SOUTH can be addressed by Prisma Access to cover you for all firewall features.

If an organization is looking for Zero trust in all aspects then using PAN-OS SDWAN will be a good use case too. But if the organization is looking for SASE with all core SDWAN features I will recommend using the Prisma SDWAN+Prisma access Cloud managed.

Hope the above comments help you make a decision if you need more details please let us know or feel free to reach out to salses team for presentations on both solutions. 

Thanks 
KN

 

L4 Transporter

Hello @kn first of all thank you for your prompt response and for the details provided.

 

I have some additional doubts, which I would greatly appreciate if you could help me with your specific answers.

Is it possible to have a Hybrid environment? That is, for example, in my HQ have SD-WA PAN-OS and in the branches ION Prisma access? Is this compatible? Will I be able to manage the SDWAN part from the Cloud Prisma Controller of the PAN-OS SDWAN (HA FWs) from Prisma SD-WAN or will I only have the Management Plane of the IONs from the cloud?

 

-Is it mandatory to have PANORAMA to manage Prisma Access / Prisma SDWAN and for PAN-OS SDWAN? I understand that no, since the first ones are already full from the Cloud portal and from PAN-OS SDWAN it can be done manually from the FW GUI.

 

-Now thinking about SASE, with If I integrate my remote locations, or my remote Networks, so that they are processed by Prisma Access, the proxy policies that are established will be global for all the remote networks, that is, for all that network? or can you filter by IP Source of that remote location/remote network ? And thinking about remote networks, thinking about the traffic between the branches, that is to say, for example, the traffic of remote Networks A that communicates with B and B with A and C, and C, with A and B, the security filtering, of the traffic between these connections would already be through the SDWAN network, not through Prisma Access, right? since if so, with Prisma access it should have "Service Connection" for that additional communication between the branches.

 

- Now thinking about licensing issues, when you license the Mobily Users part, I understand that the least number of users is 200. Those 200 have the right to use what features? FWas a service to filter the output to the Internet through Prisma Access? Will they also have the right to use SWG to use proxy?

 

- For remote networks/branches, thinking about licensing, strictly licensing, and what I understand is by bandwidth, in these cases, what bandwidth is accounted for by remote networks? the clean ? the processed? the bandwidth of the remote networks, against example the HQ, by means of a service connection, because for example a remote network needs to access the DNS, AD, internal systems, fileshare, among others of HQ? or what exactly is the use of bandwidth that is charged as consumption of bandwidth license? The processing by the SWG as a proxy for the remote network ?

 

-If I have my data center and I have to configure a Service Connection, since my remote users and my remote networks, through Prisma Access, need to reach a resource in the HQ/DC, it is enough to create a Services Network Connection to Prisma Access level, or for this example, for the DC/HQ, both must be generated, that is, the HQ/DC is treated as if it were one more Remote Network Connection and additionally a Service Connection must also be created? o Only the Service Connection for the DC/HQ is enough? or is both types of connections mandatory?

 

I know that they are thank you very much, but first of all I thank you very much for the time and for the one who can review and be able to answer the mentioned points.

 

Thank you very much for your collaboration, I am attentive to your comments

 

Best regards

High Sticker
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!