Prisma SD-WAN vs PAN-OS SDWAN ... Focused on SASE
Hi good afternoon, as always, thanks for the time to answer and the good vibes. Today there is some confusion regarding these different variables, whether to use Prisma SD-WAN i.e. CloudGenix ION, to put together a sd-wan based network and/or to use PAN-OS SD-WAN.
Thinking about an environment with 30 branches, some sites with 2 links (the most critical ones), others with only one, that have Palo Alto FWs currently connected by IPSEC to the central HQ site, and another 5 or 6 sites with non-Palo Alto FWs (standard IPSEC connection) and a couple of edge routers in branches, with IPSEC. NO PANORAMA.
Now, thinking about the above scenario, which is more convenient for putting together the SD-WAN architecture: to use PAN-OS SD-WAN, adding the SD-WAN subscription, or to use Prisma SD-WAN with CloudGenix ION? (I know Panorama is not an obligation; it makes everything more friendly and practical, but Panorama is not an obligation. If I am in error at this point, please let me know, thank you.)
With PAN-OS SD-WAN I have a firewall with full coverage, while with CloudGenix I only have a device whose purpose is SD-WAN connectivity but not security, as a firewall gives me.
On the other hand, as the title indicates, thinking about the approach of jumping on the "SASE" bandwagon, and in the future having the GlobalProtect VPN connections in Prisma Access (currently they are on the PA HA pair in the central site), what would be the best planning strategy, or which products/subscriptions/services would you target, according to the environment and infrastructure described above? With Prisma Access/Prisma SD-WAN, can I integrate FWs, routers or third-party devices with IPSEC and bring them into the SD-WAN architecture?
Thanks as always for the good vibes, collaboration and for the time.
I will try to describe the possible solutions with some general use cases.
Prisma-SDWAN + Prisma Access
If an organization is looking for Zero Trust in all aspects, then using PAN-OS SD-WAN will be a good use case too. But if the organization is looking for SASE with all core SD-WAN features, I will recommend using Prisma SD-WAN + Prisma Access, cloud managed.
Hope the above comments help you make a decision. If you need more details, please let us know, or feel free to reach out to the sales team for presentations on both solutions.
Hello @kn first of all thank you for your prompt response and for the details provided.
I have some additional doubts, which I would greatly appreciate if you could help me with your specific answers.
Is it possible to have a hybrid environment? That is, for example, in my HQ have PAN-OS SD-WAN and in the branches Prisma Access IONs? Is this compatible? Will I be able to manage the SD-WAN part of the PAN-OS SD-WAN (HA FWs) from the Prisma SD-WAN cloud controller, or will I only have the management plane of the IONs from the cloud?
- Is it mandatory to have PANORAMA to manage Prisma Access / Prisma SD-WAN and PAN-OS SD-WAN? I understand not, since the first ones are already fully managed from the cloud portal, and PAN-OS SD-WAN can be done manually from the FW GUI.
- Now thinking about SASE: if I integrate my remote locations, or my remote networks, so that they are processed by Prisma Access, will the proxy policies that are established be global for all the remote networks, that is, for that whole network? Or can you filter by source IP of that remote location/remote network? And thinking about remote networks and the traffic between the branches, that is to say, for example, the traffic of remote network A that communicates with B, B with A and C, and C with A and B, the security filtering of the traffic between these connections would already be through the SD-WAN network, not through Prisma Access, right? Since if it were, Prisma Access would need a "Service Connection" for that additional communication between the branches.
- Now thinking about licensing: when you license the Mobile Users part, I understand that the minimum number of users is 200. Which features are those 200 entitled to use? FWaaS to filter outbound Internet traffic through Prisma Access? Will they also be entitled to use SWG as a proxy?
- For remote networks/branches, thinking strictly about licensing, which I understand is by bandwidth: in these cases, what bandwidth is accounted for by remote networks? The clean? The processed? The bandwidth of the remote networks towards, for example, the HQ by means of a service connection, because a remote network needs to access the DNS, AD, internal systems, file shares, among others, at HQ? Or what exactly is the bandwidth usage that is charged as consumption of the bandwidth license? The processing by the SWG as a proxy for the remote network?
- If I have my data center and I have to configure a Service Connection, since my remote users and my remote networks, through Prisma Access, need to reach a resource in the HQ/DC, is it enough to create a Service Connection at the Prisma Access level? Or, for this example, must both be created for the DC/HQ, that is, the HQ/DC is treated as if it were one more Remote Network Connection and additionally a Service Connection must also be created? Or is only the Service Connection for the DC/HQ enough? Or are both types of connections mandatory?
I know that they are many, but first of all thank you very much for your time and to whoever can review and answer the points mentioned.
Thank you very much for your collaboration; I am attentive to your comments.