SD-WAN


Forum to discuss HPE Aruba EdgeConnect SD-WAN and SD-Branch solutions. This includes SD-WAN Orchestration, WAN edge network functions (routing, security, zone-based firewall, segmentation and WAN optimization), micro-branch solutions, best practices, and third-party integrations. All things SD-WAN!

NGFW integration

  • 1.  NGFW integration

    Posted Jan 09, 2023 11:35 AM
    I want to provide good edge security to my network, so I would normally use some form of NGFW (e.g. Palo Alto) at each point of connection to the internet. As I understand it, Edge Connect appliances provide encryption and stateful firewalling, but while I could just rely on that, if I have high-security traffic, I need to either put the Edge Connect behind an NGFW before I connect to the Internet, or backhaul the traffic to a central site and then access the Internet via a single (HA pair) NGFW, though this means that on-site DIA internet connection (local breakout) is not possible.

    Is my understanding correct, or is there some element of NGFW *inside* the Edge Connect?

    Thanks

    Roo



  • 2.  RE: NGFW integration

    EMPLOYEE
    Posted Jan 10, 2023 03:54 AM
    Check this video and this datasheet. Edge Connect has built-in NGFW features, can integrate with cloud security (SASE/SSE), can policy-based route through an on-premise external NGFW, and allows backhauling traffic as well, so you have full flexibility. I can't see your exact requirements, but with these options I'm confident that you can meet them. Please work with your local Aruba partner or Aruba Sales team to design your optimal solution.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: NGFW integration

    EMPLOYEE
    Posted Jan 10, 2023 02:10 PM
    That is a solid understanding. There are many new NGFW features in our latest version of code. IDS/IPS, DDoS, Zone-Based Firewall, VRF and Zero Trust are now features. The other possible solution is granularly breaking out some traffic that is trusted (SaaS applications) while sending other non-trusted traffic to a Prisma/Zscaler-like solution through our automated third-party integration. We can also simply backhaul that traffic to a DC firewall as well.

    ------------------------------
    Duane Henigin
    ------------------------------



  • 4.  RE: NGFW integration

    EMPLOYEE
    Posted Mar 04, 2023 09:44 AM

    Not sure if I understand your question right or not; your concern is that placing the EC in front of the NGFW creates some security issues. Please take note that whether the FW is in front of the EC or behind the EC, it will have the same security design, as the traffic will pass through both the FW and the EC. I personally would recommend that you place the EC in front of the FW:

    • most FWs are active/standby, while the EC supports active/active; if you place the FW in front of the EC, the EC cannot do active/active unless there is a switch in between;
    • for some sites where public IP addresses are limited, you probably only have 1 public IP; you should configure the public IP on the EC WAN interface, as the EC needs that for the IPsec tunnel; if you place the FW in front of the EC, you need to configure port forwarding on the firewall for the IPsec tunnel to build;
    • there will be additional firewall rules that need to be opened, such as the UDP ports for the IPsec tunnel, if the FW is placed in front of the EC.
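    To make the "FW in front of EC" case in the previous reply concrete, here is an added example ruleset (not from the original post, and not EdgeConnect or Palo Alto configuration) written for a generic Linux nftables firewall standing in for the NGFW. It assumes the firewall holds the single public IP on interface `wan0`, the EC sits behind it on `lan0` at the constructed address `192.0.2.10`, and the tunnel uses the standard IKE/NAT-T ports UDP 500 and 4500; the actual ports depend on the tunnel mode configured in Orchestrator, so check the vendor documentation before copying the port list.

    ```nft
    # Added example: minimal forwarding firewall in front of an SD-WAN appliance.
    # Assumptions (not from the original post): public IP on wan0, EC at 192.0.2.10 on lan0,
    # tunnel on UDP 500/4500 (IKE and NAT-T). Replace addresses and ports with your own values.

    define WAN_IF   = "wan0"
    define LAN_IF   = "lan0"
    define EC_ADDR  = 192.0.2.10
    define IPSEC_UDP = { 500, 4500 }

    table inet filter {
        chain input {
            type filter hook input priority 0; policy drop;
            ct state established,related accept   # replies to the firewall's own traffic
            iifname "lo" accept
        }

        chain forward {
            type filter hook forward priority 0; policy drop;
            ct state established,related accept   # return traffic for tunnels already built

            # Inbound from the Internet: only the tunnel ports, only to the EC.
            # Everything else from the WAN stays dropped by policy.
            iifname $WAN_IF ip daddr $EC_ADDR udp dport $IPSEC_UDP ct state new accept

            # Outbound from the EC: let it build tunnels and reach Orchestrator / cloud security.
            # Tighten the destination set once the remote tunnel endpoints are known.
            iifname $LAN_IF ip saddr $EC_ADDR oifname $WAN_IF ct state new accept

            # Log what the drop policy catches so failed tunnel builds show up in the firewall log.
            log prefix "fw-drop-forward: " counter drop
        }
    }

    table ip nat {
        chain prerouting {
            type nat hook prerouting priority -100;
            # The single public IP belongs to the firewall, so inbound IKE/NAT-T must be
            # port-forwarded to the EC (this is the "port forwarding" the reply refers to).
            iifname $WAN_IF udp dport $IPSEC_UDP dnat to $EC_ADDR
        }

        chain postrouting {
            type nat hook postrouting priority 100;
            # Source-NAT the EC's outbound traffic to the firewall's public address.
            oifname $WAN_IF ip saddr $EC_ADDR masquerade
        }
    }
    ```

    Two points worth noting when reviewing a ruleset like this: ESP itself (IP protocol 50) cannot be port-forwarded through a single public IP, so the design only works if the tunnel uses UDP encapsulation (NAT-T), which is why the forward rule is restricted to UDP; and the DNAT rule means the firewall in front of the EC can no longer tell one remote tunnel peer from another at L7, which is the content-inspection gap that the later replies in this thread discuss.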



  • 5.  RE: NGFW integration

    Posted Mar 06, 2023 11:16 AM

    I can see how some could argue that a dedicated NGFW like PA might be better suited (more of a proven track record at least) to "face" the Internet than an EC device.

    One option might be to put a Palo Alto in L2 mode in front of the EC. That way you may still be able to gain some of the security benefits from having the PA face the Internet, but avoid some of the drawbacks from NAT etc., since the L2 PA will be transparent to your SD-WAN EC devices.



    ------------------------------
    Regards
    Jonnie
    ------------------------------



  • 6.  RE: NGFW integration

    Posted Mar 06, 2023 11:50 AM

    Why put a PA in front in L2?

    ECOS v9.2 has been certified by an external party (ICSA) and can certainly withstand attacks on it. It is just more $$, complexity and management. The basic security is there (ZBFW, IPS/IDS), the content inspection can be done elsewhere.



    ------------------------------
    Jan-Willem.
    ------------------------------



  • 7.  RE: NGFW integration

    Posted Mar 07, 2023 02:11 AM

    I hear you, Jan W., but it all depends on your business needs.

    A layered security design may be a business requirement; not relying on a single line of defense is very common in high-security networks regardless of the added cost.



    ------------------------------
    Regards
    Jonnie
    ------------------------------