SD-WAN: Secure, High-Performance, Simple
Easily adopt an end-to-end SD-WAN architecture with natively integrated, world-class security and connectivity
The effects of the cloud on network and security transformation are undeniable. As the number of devices at branch locations grows and applications become more bandwidth-intensive, businesses are forced to spend more to accommodate demand. As a result, traditional wide area network (WAN) architectures with multiprotocol label switching (MPLS), which tend to eat up bandwidth as they backhaul traffic from branches to the cloud, render legacy approaches ineffective.
Software-defined wide area networking (SD-WAN), an approach that uses commodity links and allows you to intelligently manage as well as control connectivity between branches and cloud instances, is now a necessity for distributed enterprises. According to Gartner, by 2023, more than 90% of WAN edge infrastructure refreshes will be based on vCPE platforms or SD-WAN vs. traditional routers.1 However, with its benefits, SD-WAN also brings many challenges, such as lack of security, unreliable performance, and complexity. When security is an afterthought, it tends to be either subpar or bolted on, introducing management complexity. Moreover, network performance becomes less reliable because enterprises use the congested internet as the WAN middle mile—and when they try to address this by building their own SD-WAN hub infrastructures, they run into complexity. Ultimately, enterprises turn to multiple vendors or service providers to solve performance issues, which increases costs while decreasing control and visibility.
- Implement SD-WAN safely with natively integrated, industryleading security.
- Adopt SD-WAN easily by enabling it on your existing firewalls and consuming Prisma Access SD-WAN hub as a service.
- Deliver an exceptional end-user experience by leveraging Prisma Access SD-WAN hub to optimize performance.
Secure Branch Connectivity Directly from Your Firewall
Solve the problems of traditional SD-WAN solutions with industry-leading:
Get industry-leading security natively integrated to SD-WAN.
Minimize latency and ensure reliability to deliver exceptional end-user experience.
Easily enable SD-WAN on your existing firewalls.
Secure SD-WAN by Palo Alto Networks
Palo Alto Networks SD-WAN offering lets you easily adopt an end-to-end SDWAN architecture with natively integrated, world-class security and connectivity. Using Prisma™ Access as the SD-WAN hub, you can optimize the performance of your entire network. This minimizes latency and ensures reliability, resulting in an exceptional user experience at the branches. You can consume our secure Prisma Access SD-WAN hub as a service, eliminating the complexity of building your SDWAN hub infrastructure, or you can build the hub and interconnect infrastructure yourself using Palo Alto Networks Next-Generation Firewalls. Regardless of your deployment model, our tight integration will allow you to manage security and SD-WAN on a single, intuitive interface.
Figure 1: Palo Alto Networks SD-WAN cloud-based approach
Optimized Connectivity for Improved User Experience
Palo Alto Networks SD-WAN lets you measure and monitor specific paths as well as dynamically move sessions to the optimal path, guaranteeing the best branch user experience. You can simply enable the SD-WAN subscription on your Next-Generation Firewalls and begin intelligently, securely routing branch traffic to your cloud applications.
Greater Performance with SD-WAN Hub
SD-WAN leverages commodity links, such as broadband internet, LTE, and more. However, while these links are cost-effective, they lack the reliable performance of dedicated, private links.
With Prisma Access acting as the SD-WAN hub, users can essentially go through a private network, bypassing the congested, unpredictable internet. By using a reliable, cloud native global backbone as your WAN middle mile, you ensure the best performance and user experience.
Central Management for Security and Connectivity
Eliminate the need to manage multiple, disparate consoles from different vendors by using Panorama™ network security management for both security and connectivity. Integrated SD-WAN configuration and monitoring allows you to leverage the familiar Panorama user and application workflow, cutting the time you need to spend reconfiguring policies and visualizations. Additionally, you get granular SD-WAN monitoring data and a dedicated configuration tree, giving you greater visibility into your network.
Simplified Branch Onboarding
Provisioning a new branch requires IT staff to configure and deploy appliances. Doing this on a large scale, and at distributed locations, makes branch onboarding costly and slow.
With zero touch provisioning (ZTP), you can automate tedious onboarding processes. Appliances can be drop-shipped to your branch locations, where they are powered up and connected to the internet. To complete onboarding, administrators simply need to register on a web portal. Then, administrators can immediately start managing deployment and configuration from a single location through Panorama.
Flexible Deployment Options
Palo Alto Networks supports multiple SD-WAN deployment options, including mesh, hub-and-spoke, and cloud-based deployments. Furthermore, you can consume Prisma Access SD-WAN hub as a service or simply enable the SD-WAN subscription on your Next-Generation Firewalls.
SD-WAN Software Licenses
- (Required) SD-WAN subscription on all physical appliances that will participate in the SD-WAN deployment. This license requires PAN-OS® 9.1.
- (Required to use Prisma Access for SD-WAN hub) Prisma Access SD-WAN Branch Interconnect license.
|Table 1: Palo Alto Networks SD-WAN Supported Features and Capabilities|
|AAA/Authentication||RADIUS, local authentication and authorization, multitenant 3-tier RBAC architecture, auditing, roles and privileges|
|Availability||Hardware high availability in active/passive mode|
|Network services||IPv4, DNS, DHCP client, DHCP server, DHCP relay, NAT|
|Dynamic QoS/traffic shaping||QoS shaping, policing, and rate limiting with per-flow queueing and separate cleartext and tunnel treatment. Support for 8 queues, type of service (ToS) and DSCP code points with patented bidirectional session-based DSCP tagging|
|SD-WAN high availability||Active/passive HA; dual power supply|
|Connectivity architecture||Hub-and-spoke IPsec tunnels with automatic configuration|
|Management||Single pane of glass for security and SD-WAN management
* Coming soon with new SKUs
† Coming soon
|Table 2: SD-WAN Edge Device Specifications‡|
|Branch office bandwidth
|1–150 Mbps||1–150 Mbps||50–500 Mbps||50–700 Mbps|
|Max. overlay IPsec tunnels||1K||1K||1K||1K|
|Max. concurrent sessions||64K||64K||128K||196K|
|Max. number of routes||2.5K||2.5K||5K||5K|
|LAN/WAN 1G RJ-45||8||6||4||4|
|LAN/WAN 1G SFP||—||2||8||4|
|LAN/WAN 1G/10G SFP||—||—||—||4|
|LAN/WAN 40G QSFP||—||—||—||—|
|Serial console port
USB console port
|HA - dual power input||Optional||Optional||No||Yes|
‡ Any box can be used as a hub or branch
|Table 3: SD-WAN Hub Device Specifications|
|IPsec overlay performance with App-ID||2.0 Gbps||2.3 Gbps||3.5 Gbps||7.4 Gbps||15.2 Gbps||21.8 Gbps||21.8 Gbps||1.8 Gbps||4 Gbps||6.1 Gbps|
|Max. overlay IPsec tunnels||2K||3K||3K||3K||4K||5K||5K||1K||1K||8K|
|Max. concurrent sessions||1M||2M||3M||4M||8M||32M||32M||819,200||2M||10M|
|Max. number of routes||16K||16K||44K||100K||100K||100K||100K||10K||32K||100K|
|LAN/WAN 1G/10G SFP||8||8||8||16||16||16||16||—||—||—|
|LAN/WAN 40/100G QSFP28||—||—||4||4 (40G only)||4||4||4||—||—||—|
|Serial console port
|HA - dual power input||Optional||Optional||Optional||Yes||Yes||Yes||Yes||—||—||—|
To compare performance and specifications for all our firewall offerings, visit paloaltonetworks.com/products/product-selection.
Download the Palo Alto Networks SD-WAN Datasheet (PDF).