We have a customer having branches all across the globe but very very less MPLS . 95 % they are con,nected via IPSEC VPN Tunnels
They have Fortinet Fortigate FWs at their Branches and DCs
Does Prisma Access need Palo Alto FW at each Branch ? I believe only thing needed is to make an IPSEC Connection from Branch to the SASE cloud which even a Router at Branch can make . But just confirming ?
Also I know Prisma Access need Panorama but does it need any PAN GW also ? In my case , all the GW at branches and DC are Fortigate ( Non PAN ) .
Solved! Go to Solution.
The only requirement at the branch is that the CPE can build an IPSec tunnel to Prisma Access. So it doesn't matter which vendor it is.
You don't need a PAN NGFW or any other FW at the branches unless you need local (east-West) segmentation/security or to inspect traffic that you aren't sending to Prisma Access(e.g. MPLS traffic that won't traverse Prisma Access). You could use a router to forward all traffic via an IPSec tunnel to Prisma Access.
The only recommendation for on-prem FWs is for sites where you have service connections. These are the connections to data centers for the branches and users to access internal shared resources (e.g. AD). The service connections are not subjected to policy so its recommended that you have a FW terminating the Service Connections
Ok thanks a lot,
So the fw where service.connection has to be terminated has to be a PANFw or any FW Like fortigate etc ?
Also , this means that only Palo Alto component needed other than primsa access cloud is panorama ?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!