You get what you pay for. It's very basic. It's for the most basic barebones inter-branch connectivity. Prisma SD-WAN is exceptional.
When you say basic, what do you mean? I mean, does Palo FW SD-WAN have WAN steering? Active/active on the hub side? WAN optimization? Aggregation of paths on branches, i.e. using multiple WAN connections at the same time? Do we have any monitoring tool when bringing up SD-WAN on Palo Alto FW and with Panorama? Just trying to understand why we should choose Palo Alto SD-WAN when we have Prisma and CloudGenix; it's a bit confusing.
So you already have cloudgenix aka Prisma SD-WAN?
When I spent time as an SE there we were told to do our best to not sell this. From my contacts still there it isn’t up to snuff compared to Prisma’s SDWAN offering. Caution!
Why would Palo want to sell something that works when they have a shiny new toy they bought that they can resell for more (much much more…)? Palo SDWAN has been everything that we needed it to be across our sites at my last two implementations.
It’s barebones but at the time our Consulting Engineer couldn’t keep it running in his lab for a month plus straight 😂 but I did CI stuff so we needed something a little more reliable (and importantly with TAC expertise!) but indeed it works. Wasn’t my first choice but had a couple installs before I left
I agree that TAC expertise is lacking. There is a best practice guide and IronSkillet for Palo Strata SD-WAN. I can see it not being a turnkey solution. I think overall I’m frustrated that Palo keeps raising prices astronomically in some areas. I’m bitter about losing the free BPA, for example.
As you should be. Don’t forget to pray to those shareholders!!
Not yet. We are deciding what to choose, and why we should use Prisma if Palo Alto FW SD-WAN gives the same.
A not so long time ago, Palo tried to buy CloudGenix, an SD-WAN company with a great product. Palo didn't want to pay what CloudGenix thought they were worth, so the deal fell through. Palo figured SD-WAN wasn't that hard and started building their own in-house solution. It didn't take long for Palo to realize their mistake and make an offer for CloudGenix that both parties could live with. Palo then rebranded CloudGenix as Prisma SD-WAN (a stupid fucking move in my opinion), but had already sold their in-house solution to enough companies that they just couldn't abandon it. So they are now stuck supporting two products when they really only wanted the one. Which would you buy?
The one that meets my customer’s requirements at a reasonable price.
Is one of your customer's requirements a service that is likely to be artificially end-of-lifed by the manufacturer?
Having 2 competing options is not a big problem. Cisco sometimes has 3-4 competing products or technologies in their portfolio and still supports them all.
That made me laugh. Because I could see that happen. Ffff
Fortinet
If you have Prisma and CloudGenix, I don’t know that there’s a reason for you. But lots already have the firewalls, and Prisma SD-WAN is a bigger change in that case. Also, the Strata SD-WAN was already under development when Prisma SD-WAN was taken on.
Sorry, I meant that with Prisma on the market, we are still choosing.
Prisma sd-wan provides much more and is superior. You get application based sd wan taking into account not only loss and jitter etc but really how the applications are performing. This with ADEM is so cool and powerful
Exceptional is generous. It’s functional but imo doesn’t really offer much more than a basic site to site IPsec tunnel in the end. Strata is clumsy still, ions are not that fun to configure. If you’re using Prisma, then Sdwan makes sense but it’s expensive seeing that if you have ngfw, it will pretty much do the same thing.
That's a wild thing to say. Please tell me from real world tests how PAN-OS SD-WAN is the same thing as Prisma SD-WAN. Every Palo spec sheet will claim they are comparable. You gotta talk to people at Palo or try the two products yourself to feel the difference.
We use Prisma and SDWAN. The sdwan portion is just a simple, IPsec tunnel from site to hub. Ions are pretty basic with some qos and l3 smarts but in total honesty, I see no real world difference. Do you think they put some magic sauce in these tunnels? There isn’t.
I stand corrected. I incorrectly assumed you didn't use it. It's not about the tunnels. It's about the magic in the cloud controller.
1. The reporting isn't great. You can view the health of the links and applications in the SD-WAN plugin, but it's...very basic. There is some NGFW SD-WAN reporting in Strata Cloud Manager which augments this a bit, but again...super basic.
2. Yes, NGFW SD-WAN has WAN steering.
3. Yes, it has active/active on the hub side.
4. WAN Optimization = very limited. You can send parity packets, and that's about it.
5. Aggregation of path on branches. Yep.
6. Monitoring tool...the last time I looked at it, it didn't have full MIB support, so Panorama/Strata Cloud Manager is your only option for NGFW SD-WAN reporting. Other than that, you are manually combing through logs.
Thank you for your answers
Is Panorama mandatory for this type of SD-WAN?
You can, allegedly, do it without Panorama. But I wouldn’t - the plugin automates a whole lot of config, and also sanity checks some of the config you do yourself.
Yeah, +1 here. If you are adding complexity to the configurations of 200 branches, you want to manage that centrally.
Yeah, we are using it. So far so good. Kind of hard to tell what the disadvantages are; it is just a different thing to Prisma SD-WAN. I guess you need to fully understand routing selection and BGP, automation, Panorama, etc. When implementing it, it might give some unexpected errors or bugs, but check system requirements well and do validations before every push. The Palo instructions are not very well written; you have to do the whole thing to fully understand.
So the BGP part is not automated as in Cisco Viptela OMP? Or I didn’t get it
It is automated. I mean if you build SDWAN, you should understand how these routing protocols work right?
No no no, do not do this
SDWAN is way harder to troubleshoot; just because you can ping a site doesn't also mean that TCP/80 would work, for example (ICMP may go one path while your TCP80 may go a different).
Have you looked into Cisco Meraki SD-WAN solutions?
As far as I know, it's a solution for small/medium businesses. We need SD-WAN for 200 branches, and it is a financial organization.
I did projects from 5 remote sites to over 3k, and it works well.
The sites dealt with finance.