This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

FW at branch with SASE

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

FW at branch with SASE

Go to solution
FWPalolearner
L4 Transporter

‎01-06-2021 11:04 AM

Hello ,

 

We have a customer having branches all across the globe but very very less MPLS . 95 % they are con,nected via IPSEC VPN Tunnels

 

They have Fortinet Fortigate FWs at their Branches and DCs

 

Does Prisma Access need Palo Alto FW at each Branch ?  I believe only thing needed is to make an IPSEC Connection from Branch to the SASE cloud which even a Router at Branch can make . But just confirming ?

 

Also I know Prisma Access need Panorama but does it need any PAN GW also ? In my case , all the GW at branches and DC are Fortigate ( Non PAN ) .

 

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
tabner
L1 Bithead
In response to FWPalolearner

‎01-06-2021 12:22 PM

Yup, any FW.  You must have Panorama and you also must have Cortex Data Lake for logging.  When you purchase Prisma Access, it always comes with data lake for logging.  You don't do hardly anything with the data lake after initial setup and that is pretty simple.

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
tabner
L1 Bithead

‎01-06-2021 11:30 AM

The only requirement at the branch is that the CPE can build an IPSec tunnel to Prisma Access.  So it doesn't matter which vendor it is.

 

You don't need a PAN NGFW or any other FW at the branches unless you need local (east-West) segmentation/security or to inspect traffic that you aren't sending to Prisma Access(e.g. MPLS traffic that won't traverse Prisma Access).  You could use a router to forward all traffic via an IPSec tunnel to Prisma Access.

 

The only recommendation for on-prem FWs is for sites where you have service connections.  These are the connections to data centers for the branches and users to access internal shared resources (e.g. AD).   The service connections are not subjected to policy so its recommended that you have a FW terminating the Service Connections

0 Likes Likes

Go to solution
FWPalolearner
L4 Transporter
In response to tabner

‎01-06-2021 12:09 PM

Ok thanks a lot,

 

So the fw where service.connection has to be terminated has to be a PANFw or any FW Like fortigate etc ?

 

Also , this means that only Palo Alto component needed other than primsa access cloud is panorama ?

 

 

0 Likes Likes

Go to solution
tabner
L1 Bithead
In response to FWPalolearner

‎01-06-2021 12:22 PM

Yup, any FW.  You must have Panorama and you also must have Cortex Data Lake for logging.  When you purchase Prisma Access, it always comes with data lake for logging.  You don't do hardly anything with the data lake after initial setup and that is pretty simple.

0 Likes Likes

Go to solution
FWPalolearner
L4 Transporter
In response to tabner

‎01-06-2021 12:38 PM

Thanks @tabner  that's pretty quick.

 

Really appreciate your feedback

0 Likes Likes
  • 1 accepted solution
  • 4886 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks