Better Together: Security + SD-WAN by Palo Alto Networks

Nov 21, 2019

By Koroush Saraf, VP, Product Management for SD-WAN


Applications moving to the cloud and increased user mobility are changing the way networking and network security services must be delivered. Palo Alto Networks founder and CTO Nir Zuk believes that the future of network security is in the cloud, and has been driving this change for the past few years, with Prisma Access, the industry’s most comprehensive SASE. In this ongoing series, Palo Alto Networks thought leaders explore the core tenets of an integrated, effective SASE solution, and more broadly, its implementation and implications.

We live in an age of cloud and digital transformation. Users and applications are moving outside the traditional network perimeter, accessing an ever-increasing number of applications – both SaaS and in the public cloud. Organizations face the challenge of proactively protecting their users, applications and data from security threats, without compromising user experience.


Cloud Access Needs Security That Is Simple

In order to solve the complexity of networking and security, a single, unified platform for cloud access is needed. Gartner writes about a model known as the “secure access service edge,” or SASE (pronounced “sassy”). In Gartner’s words:

“The secure access service edge is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions, such as SWG, CASB, FWaaS and ZTNA, to support the dynamic secure access needs of digital enterprises.” (Gartner, The Future of Network Security is in the Cloud, 30 August 2019)

A SASE solution converges connectivity (SD-WAN, VPN, QoS, etc.) and security (including FWaaS, CASB, DLP, ZTNA, DNS, etc.) into one unified, cloud-delivered solution. Prisma™ Access by Palo Alto Networks is the industry’s most comprehensive SASE solution. To further drive momentum for our SASE, Palo Alto Networks now offers the most secure SD-WAN solution in the industry.


SD-WAN from Palo Alto Networks

Before we get into the details of the unique and compelling capabilities of Palo Alto Networks SD-WAN, here is a quick introduction to SD-WAN. Software-Defined Wide Area Network (SD-WAN) offers a transformational approach to optimizing branch office networking and assuring peak application performance. In fact, Gartner’s Magic Quadrant for WAN Edge Infrastructure (October 18, 2018) states that “by 2023, more than 90% of WAN edge infrastructure refresh initiatives will be based on vCPE platforms or SD-WAN appliances vs. traditional routers (up from less than 40% today).”

But although SD-WAN offers many benefits, it also brings many challenges, including new security risks, unreliable performance and increased complexity. SD-WAN exposes the branch to the public internet and moves security close to the branch edge. When security is an afterthought, it tends to be bolted on, introducing management complexity and subpar protection. Moreover, network performance becomes less reliable because organizations use the congested internet as the WAN middle mile – and when customers try to address this by building their own SD-WAN hub and interconnect infrastructures, it can translate into more complexity.

By using Prisma™ Access as the SD-WAN hub, customers can address several transformation challenges all at once. Prisma Access provides bookended SD-WAN hub-as-a-service, as well as high-performance, low-latency global interconnect between branch offices and cloud workloads. Combining security and end-to-end SD-WAN provides the best user-to-application experience. Customers can easily consume our secure Prisma Access SD-WAN hub as a service, eliminating the complexity of building their own SD-WAN hub and global interconnect fabric. Equally important, customers have options with our solution – they can build their own hub using Palo Alto Networks Next-Generation Firewalls, both hardware appliances and virtualized form factors like the VM-Series.

Palo Alto Networks SD-WAN allows customers to seamlessly adopt an end-to-end SD-WAN architecture with natively integrated, world-class security and connectivity. Through tight integration, customers can manage security and SD-WAN on a single, intuitive interface.

End-to-End Secure SD-WAN hybrid deployment

Palo Alto Networks SD-WAN enables organizations to confidently manage their branch and cloud transformation initiatives, and realize a host of benefits:

Flexible Deployment Options – Palo Alto Networks is the only vendor in the industry to offer both cloud-based SD-WAN Hub and Interconnect as a service, as well as components (both VM-Series virtualized form factor and hardware appliances) for customers to build their SD-WAN deployment on their own.  

      • Prisma Access offers a simple-to-consume, cloud-based model. NGFWs are located in each branch, and they all connect to the closest Prisma Access node that acts as the regional SD-WAN hub. This offers book-ended SD-WAN and also includes a global backbone for high-performance branch to branch, branch to cloud, VPC, SaaS and datacenter with world-class security inserted in the path of all traffic. 
      • NGFW appliances (or the VM-Series) at the branch can apply security locally for east-west branch segmentation, Zero Trust and direct internet access. The branch can run in a thin mode, with security in the cloud, or apply security locally. Also, as mentioned before, classic DIY (do-it-yourself) is an option – NGFW appliances can be used to build a hub-and-spoke deployment, also deployed in customer data centers, Equinix performance hubs or on a service provider infrastructure to interconnect regional hubs with each other. 

Optimized Connectivity for Improved User Experience – Palo Alto Networks SD-WAN delivers an optimal user experience for cloud applications without compromising security. All users, whether at headquarters, branch offices or remote, can connect to Prisma Access to optimally use SaaS, public cloud and data center applications, delivering security and optimized end-to-end performance for SD-WAN. Additionally, with our recently announced SLAs for SaaS delivered by the Prisma fabric, customers can now be confident in their cloud experience, with guaranteed access to a growing list of SaaS providers, such as Microsoft Office 365 and more.

Central Management and Simplified Branch Onboarding – Palo Alto Networks SD-WAN eliminates the need to manage multiple, disparate consoles from different vendors by using Panorama to centrally manage both security and connectivity for all deployment options. We are also introducing zero touch provisioning (ZTP) capability for our NGFWs to enable customers to automate tedious branch device onboarding processes. Appliances can be drop-shipped to the branch and, with a few simple steps, the devices will connect to the customer’s Panorama to automatically configure the branch for SD-WAN, routing and, of course, security policies.

These are exciting times for Palo Alto Networks and SD-WAN. When I speak with customers, many believe SASE is the next step in the SD-WAN evolution. I am pleased to say Palo Alto Networks is well-positioned to lead the way.

Learn more about Palo Alto Networks SD-WAN capabilities.

Source: Gartner, Magic Quadrant for WAN Edge Infrastructure, Joe Skorupa, Andrew Lerner, et al., 18 October 2018.

Source: Gartner, The Future of Network Security Is in the Cloud, Neil MacDonald, Lawrence Orans, et al., 30 August 2019.

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally, and is used herein with permission. All rights reserved.
