Choosing a firewall-friendly SD-WAN: Three questions you need to ask

Bigleaf - The firewall-friendly SD-WANIf you’re looking for an SD-WAN that works with your existing firewall, you’re not alone. Your team has invested valuable time into an auditable best-practice security architecture, and that top-of-the-line firewall wasn’t cheap. Most of all, your firewall represents a solution that your team is comfortable managing. You and your company have confidence that it works. So why change it?

Before choosing a solution, it’s important to understand how different SD-WAN technologies will work with your firewall and what those differences will mean for your company. Choosing an SD-WAN that “kind-of” works with your firewall could add hours to your installation time. It will also likely require poking holes in your network perimeter — potentially compromising your security, compliance, and network stability. Worse, it could fail in a significant way, breaking your on-prem applications or SIP trunks.

In this post, I’ll explain the ways that different solutions work with your existing firewall, arm you with questions you can ask to evaluate an SD-WAN’s firewall-friendliness, and show how Bigleaf was built to be the most firewall-friendly SD-WAN out there.

Which firewall features will the SD-WAN require me to disable?

We designed Bigleaf’s SD-WAN to work with all your firewall’s features, but many solutions require that you disable specific features in your firewall and hand them over to the SD-WAN device. So when you’re choosing an SD-WAN technology, make sure you ask which of your firewall’s essential features you’ll need to disable for it to work fully.

Here are some of the more common features you might need to disable or significantly modify:

DHCP – Many SD-WAN devices need to act as your LAN’s DHCP server to provide full functionality.

NAT – Almost every SD-WAN out there has NAT or proxying in it somewhere, which often requires you to disable NAT on your firewall to avoid double-NATting traffic.

LAN and Private WAN Routing – How will traffic route between your sites? Do you need to spend lots of time configuring subnets and routing within the SD-WAN and disabling that in your firewalls?

Site to Site VPN – Pretty much every SD-WAN out there wants to take over the role of site-to-site VPNs from your firewalls.

Network Segmentation – Where is the edge of your network now, what is secure, is there a perimeter? Most SD-WANs blur those lines. Handing over Network Segmentation to your SD-WAN could make for painful audits and compliance.

Traffic Filters – What do you have to touch to allow traffic in or out of the network? Are you disabling all filtering in the firewall and moving it to the SD-WAN? Are both devices filtering?

By confirming which of these features would need to be disabled or modified, you’ll avoid any surprises when it comes time for installation.

How long will the SD-WAN install take with an existing firewall?

Bigleaf is known for our firewall-friendly, 90-second install. That’s because our SD-WAN sits outside the firewall and doesn’t require any firewall features to be disabled.

But some vendors’ installation times are longer due to the number and severity of firewall changes required to work with their technology. Installation times can be even longer for multi-site deployments depending on the availability of highly-skilled network engineers needed to configure the new security integration correctly.

So keep in mind that other SD-WAN vendors’ “zero-touch” installation can become an hours-long ordeal when you’re installing it alongside your existing firewall. Those hours are expensive, so be sure to clarify how long an SD-WAN’s install typically takes with an existing firewall in place, including initial policy configuration, device configuration, and firewall reconfiguration.

You should be sure to spend time digging into how the implementation will impact each of the features listed above, and what the integration steps will be.

What changes will I need to make for inbound traffic?

If you’re running a web, email, VPN, or application server, you’ll need to make sure that your inbound traffic is routed correctly and not blocked. You’ll also need to deal with any NAT and ensure that any proxying doesn’t break your applications. Since your firewall handles that today, it’s essential that you understand all of the impacts on this inbound traffic from the SD-WAN solution.

Many SD-WAN solutions are seemingly built only for branch use. They can connect outwards to remote resources, but don’t have reliable solutions for inbound connectivity to local servers.

Joel Mulkey - CEO & Founder - Bigleaf Networks
Joel Mulkey
Bigleaf Networks

Bigleaf works with your firewall right out of the box

We built Bigleaf from day one to work with your firewall without compromising any of its functionality. To your firewall, Bigleaf looks like an internet connection. To install Bigleaf all you do is update your firewall’s WAN IP address — no compromises to your security or compliance. If you have site-to-site VPNs, you may need to update the IP addresses that they connect to. If you’re hosting servers internally, simply update the DNS records for those to point at the Bigleaf-provided IP addresses.

We believe in best-of-breed solutions for your critical business applications, and security is high on that list. If you’d like to learn how Bigleaf would work with your existing firewall, contact us today.

Related Posts