Branch of the Future

with SD-WAN For Dummies

Palo Alto Networks Edition

As enterprises expand globally, the re- to a centralized corporate data center to
sources required to set up and manage form a single interconnected enterprise.
branch networks can be a drain on staff- More recently, three important trends
ing and the bottom line. This new reality have fundamentally changed how we
needs a next-generation SD-WAN — a work, creating new challenges for enter-
revolutionary architecture that provides prise network and security teams:
connectivity at the branch without the
hassle and cost of additional hardware • The hybrid workforce is here to
and multiple site visits. stay. Although remote and mobile
working aren’t new, the global pan-
In this brief, you discover how next-gen- demic hastened the broad adoption
eration SD-WAN provides a foundational of work-from-home and work-from-
component of secure access service edge anywhere models in modern
(SASE) and securely enables the branch enterprises. In the wake of the pan-
of the future. demic, many organizations have
embraced this “new normal,” and it
Modern Challenges for seems that the hybrid workforce is
Branch Locations here to stay. A 2023 Zippia survey
For more than two decades, organiza- found that 74 percent of businesses
tions have relied on legacy WAN currently have a permanent hybrid
architectures to connect branch locations work model. As branches reopen
 and employees come back a few branch office traffic bound for the inter-
days a week, the demand for capaci- net or the cloud through a headend
ty, resilience, and performance has router and perimeter firewall in a cen-
increased. tralized, on-premises data center (see
Figure 1) is costly and inefficient and
• S
 oftware-as-a-service (SaaS) creates a poor user experience due to
applications are everywhere. latency and congestion.
Many core business applications,
traditionally hosted in on-premises
corporate data centers, have been Cloud

Internet
replaced by SaaS applications. Addi- SaaS

tionally, almost 50 percent of all MPLS Internet

on-premises applications will move Branch Data Center Private Apps

to the cloud in the next three years.

Figure 1: Backhauling branch office traffic
• B
 ranches are becoming digitized. through a data center is costly and inefficient and
Branch locations are no longer sim- creates a poor user experience.
ple extensions of a corporate
headquarters with workers access- Early (Gen 1) SD-WAN products tried to
ing business applications in a overcome some of these challenges by
centralized data center. Much of the adding dedicated internet access (DIA)
innovation that happens in modern links at branch locations to offload inter-
enterprises happens at branch loca- net- and cloud-bound traffic from the
tions. The move to a highly private Multiprotocol Label Switching
distributed workforce has created a (MPLS) WAN (see Figure 2).
new set of challenges for IT teams in
which they must do more with less.
This requires automation of Day 2 Cloud SaaS Internet
operations to secure all people, apps, App
and things — including Internet of Internet
App
Things (IoT) devices at the branch. SD-
WAN
MPLS App

Branch Data Center App

The implications of these three trends
for legacy WAN architectures are pro- Figure 2: Gen 1 SD-WAN solutions provided direct
found. Backhauling (or hairpinning) access to Internet, cloud, and SaaS apps.
 However, these Gen 1 SD-WAN links based on application ser-
products created new challenges vice-level agreements (SLAs).
for branch office users directly
accessing apps, including the • N
 o ability to secure app traffic.
following: Gen 1 SD-WAN products still rely on
traditional security models, such as
• N
 o active–active support. Gen 1 backhauling all application traffic
SD-WAN products have limited across your MPLS WAN to a firewall
failover capabilities that allow you to in the corporate data center or de-
automatically switch between net- ploying separate firewalls in all your
works (broadband to MPLS, or MPLS branch locations. Neither of these
to broadband) if one link is degraded models delivers the application
or down (active–passive). However, performance, security, or scalability
this configuration doesn’t allow you needed to support the branch of the
to efficiently utilize all the bandwidth future.
you’re paying for across your differ-
ent links. For example, if your DIA link Next-generation SD-WAN solutions ad-
is congested but your MPLS link is dress the unique requirements of cloud
relatively idle, you can’t simply off- architectures, especially those with
load some traffic from your DIA link branch locations. They overcome the
and redirect it to your MPLS link. limitations of Gen 1 SD-WAN products,
including poor application visibility,
• N
 o intelligent traffic steering. time-consuming manual operations, and
Gen 1 SD-WAN products measure bolt-on stand-alone branch security.
network performance parameters Next-generation SD-WAN solutions in-
like jitter, latency, and loss, but they corporate advanced technologies such
can’t determine other important as automated response, machine learn-
performance factors, such as ing (ML), and application-defined policies
whether an application server in to increase return on investment (ROI),
the corporate data center is causing simplify network operations, and im-
delays or experiencing reachability prove the end-user experience.
issues. Thus, Gen 1 SD-WAN prod-
ucts are unable to provide traffic Next-generation SD-WAN
engineering to load balance or is a foundational component
failover between different WAN of SASE, which integrates
 networking and security › Domain Name System
services into a unified, cloud- (DNS) security
delivered solution that reliably
› Threat prevention
and securely connects branch
users to the Internet, public • A
 utonomous digital experience
cloud, SaaS apps, and corporate management (ADEM)
data center resources. › Deep observability

› Artificial intelligence (AI) powered

What Is SASE? operations
SASE is built on a modular platform that
allows organizations to quickly modern-
ize their branch locations with core
SD-WAN services and incrementally add Internet SaaS Public Cloud HQ Data Center

new networking and security functional-

ity (see Figure 3) over time, such as: PRISMA® SASE

ZTNA NG CASB SWG Proxy SD-WAN

for Private for SaaS for Internet for Branch
App Access App Access Access Connectivity
• Networking
ADEM
› Virtual private networks (VPNs)
for Digital Experience Management

› Quality of service (QoS)

› Routing Branch/Retail Home Mobile

› SaaS acceleration Figure 3: SASE delivers advanced network

and security capabilities in a converged
• Security cloud-delivered solution.

› Firewall as a service (FWaaS)

The Four Tenets of
› Zero Trust network access (ZTNA)
Next-Generation SD-WAN
› Cloud access security broker
(CASB) To address the inherent limitations of
Gen 1 SD-WAN products, a next-genera-
› Cloud secure web gateway tion SD-WAN, combined with SASE,
(Cloud SWG) should adhere to the following four
› Data loss prevention (DLP) design tenets (see Figure 4):
• E
 lastic networks: A next-genera- metrics such as transaction re-
tion SD-WAN solution must be able sponse times, application
to connect disparate network links fingerprints, traffic density, Mean
including broadband, satellite, Opinion Score (MOS) for voice and
5G/4G Long-Term Evolution (LTE), rich media, and session-level client–
and even MPLS in a fluid and highly server codec negotiation to ensure
resilient, active–active configuration. that both network and application
Additionally, high availability is need- SLAs are consistently met.
ed to provide 100 percent capacity.
It should also be managed from a • Z
 ero Trust security: The right solu-
centralized controller architecture tion will provide natively integrated
that automates end-to-end connec- and cloud-delivered security ser-
tivity, like building a full-mesh vices to branch offices. The security
overlay across the enterprise, and needs to be granular (Layer 7) to
building, managing, and updating enforce true least-privilege access
the network topology. and ensure only the right people get
access to the right information and
The Prisma SD-WAN solution assets. It should also provide visibili-
from Palo Alto Networks for- ty to all your assets, including
wards application sessions, not rapidly growing IoT devices, to en-
individual packets. This helps sure you can apply the right controls
build application-based busi- and policies to the entire network.
ness policies that include any
available WAN links for all ap- • A
 I-powered operations (AIOps).
plications. This also enables Next-generation SD-WAN offers
Prisma SD-WAN to distribute deep visibility into performance
application sessions across scores using trend analysis and
different links based on band- leveraging AI and ML. With AI and
width availability, capacity, and ML, organizations and IT teams can
performance. improve automation and observ-
ability, increase productivity, and
• A
 pp-defined fabric: In addition to reduce MTTR. Observability and
packet loss, latency, jitter, and other AIOps helps automate complete IT
Layer 3 (Network) parameters, a tasks, reduce troubleshooting, and
next-generation SD-WAN should enable proactive issue diagnosis
incorporate Layer 7 (Application) with predictive analysis.
 Cloud

SaaS

Internet

Data Center

Figure 4: The four tenets of next-generation

SD-WAN.

Prisma SD-WAN is the industry’s first

next-generation SD-WAN that provides
exceptional user experience, simplifies IT
operations, and improves security out-
comes.

Check out the following re-

sources from Palo Alto
Networks to help you trans-
form your branch locations
with next-generation SD-WAN:

• E-book: SASE For Dummies,

Palo Alto Networks 2nd Special
Edition

• Web page: Prisma SD-WAN

• SD-WAN trial: Try Prisma

SD-WAN for free

• Test drive: SD-WAN Ultimate

Test Drive

• W
 hite paper: Top Differentia-
tors between Next-Generation
and Legacy SD-WANs

For Dummies is a trademark of John Wiley & Sons, Inc. 9781394186228

All other trademarks are the property of their respective owners.