Software-defined networking, or SDWAN, has changed the way networking is done. The dependency on vendor network components, the challenge of making them communicate with each other, security, physical hardware maintenance and so on no longer exist. SDWAN decouples the hardware from the control plane. As applications move to the cloud and user mobility increases tremendously, networking needs to be delivered as a cloud service and solution.
In today's topic we will learn about the Palo Alto Prisma (CloudGenix) SDWAN solution, its architecture, its features and how it works.
What is Palo Alto Prisma (CloudGenix) SDWAN?
We live in the age of cloud and digital transformation. Users and applications are moving to the cloud and leaving behind traditional network boundaries, and organizations face challenges protecting their applications and the users who use them. There was a need for a single unified platform for cloud access, and the answer is a SASE solution that converges connectivity (SDWAN, VPN, QoS etc.) and security (CASB, FWaaS, DLP, ZTNA, DNS etc.) into a unified cloud-delivered solution such as Palo Alto Prisma (CloudGenix). Prisma provides an SD-WAN hub as a service with high performance, low latency and global interconnect between cloud workloads and branch sites.
Palo Alto acquired CloudGenix in 2020. It is a secure AppFabric which creates a VPN network on every WAN link. Policies are defined and aligned with business requirements to meet compliance, performance and security. ION devices can automatically choose the best WAN path for applications based on business policies and real-time analysis of WAN links and application performance.

Palo Alto CloudGenix Architecture
Once Prisma CloudGenix is deployed at sites, the ION devices automatically establish VPNs to data centres over each internet circuit. The ION devices also establish VPNs over private WANs that share a common service provider. Application policies can be defined for compliance, performance and security in alignment with business requirements. The overall management, configuration, policies and monitoring of ION devices are handled through a single multi-tenant interface known as the CloudGenix management portal.
Operating Modes of CloudGenix
CloudGenix can be deployed in two operating modes:
Analytics Mode
ION devices can be installed at either a new branch or an existing site and placed between the WAN edge router and a LAN switch. The ION devices monitor the traffic, and analytics are collected and reported to the CloudGenix management portal. When a device is in analytics mode, no policy is applied and no path selection decisions are made for applications.
Control Mode
An ION device can be installed at a new branch or an existing site and placed with an ION device or between the WAN edge router and the LAN switch. Devices at the branch level dynamically build secure fabric VPN connections with all data center sites across the WAN connectivity. Sites in control mode choose the best available path and secure fabric links based on the established policies, and enforce security policies for applications.
CloudGenix supports 32 public and 32 private categories of circuits which are customizable as per organization requirements.
Features of Prisma CloudGenix
- Analytics on Application Traffic – Application specific traffic flow information is displayed and provides compliance and performance reports and metrics.
- Centralized Management and Control – the CloudGenix controller runs in the cloud, as a virtual machine in the LAN, or on CloudGenix x86 hardware in the data center. This console is the central point for all management, policy configuration, analytics and reporting for the SDWAN fabric and its components, for multiple tenants.
- Forwarding of Traffic – ION elements are the flow forwarders in CloudGenix; like traditional WAN routers, they handle forwarding of traffic at very high speed (multi-gigabit rates).
- Security of Application Fabric – it is an overlay mesh of ION elements. The ION fabric has one or more virtual networks, and all traffic flowing through the fabric is encrypted using AES 256 IPsec for secure SDWAN connectivity.
- Fingerprinting of Applications – Session flows between systems are used to identify applications, instead of signatures or deep packet inspection mechanisms, which are not that secure or reliable due to encrypted application payloads.
- Intelligent Path Selection – No routing protocols are involved here. A complex decision-making process takes into account real-world throughput, the capacity of the WAN link and application performance requirements.
ABOUT THE AUTHOR

You can learn more about her on her LinkedIn profile – Rashmi Bhardwaj



