Personally, I am not a fan of multiple devices, especially with overlapping functionality.
If you want to stick with two devices in a location, you can also consider placing one out-of-path and have the relevant traffic directed to it and the non-relevant traffic go straight through. Either the SRX or the EC can be out of path.
Not giving you a recommendation here, just more options to venture.
-------------------------------------------
Original Message:
Sent: Jan 19, 2026 05:36 AM
From: Rahul Kewat
Subject: Seeking Advice: Integrating Juniper Srx firewall with EdgeConnect SD-WAN
Hi Jan,
Thank you for your valuable response.
We are currently using a Juniper SRX firewall in our environment and are planning to introduce Aruba EdgeConnect into our network. Given the extensive configuration already in place on the SRX firewall, we would prefer not to alter the existing architecture.
Could you please advise on the optimal placement of the EdgeConnect appliance within our current setup? Specifically, should it be positioned before or after the SRX firewall?
Your guidance on how best to integrate EdgeConnect without disrupting our existing configuration would be greatly appreciated.
Original Message:
Sent: Jan 19, 2026 03:19 AM
From: Jan-Willem Keinke
Subject: Seeking Advice: Integrating Juniper Srx firewall with EdgeConnect SD-WAN
Neither option is a good one. Just too much equipment sprawl and too complex to manage.
The EdgeConnect's Firewall capabilities offer the (certified) robustness to directly connect it to the public Internet. It features FW- and DDoS-protection profiles as well as a zone-based application Firewall. IPS/IDS features are now included as standard with the bandwidth license. As of v9.6 (FCS now) it also has URL-filtering capabilities.
The SRX, with the ATP Cloud, also offers advanced content scanning features and more. If you need/want those extra capabilities from the SRX you can define it as a security service on the EdgeConnect and let it forward traffic to the SRX based on policies via an IPsec tunnel. The SRX can be placed in a DC or in a convenient location such as AWS or Azure (vSRX) and ingest traffic from multiple locations with EdgeConnects.
As an alternative to the centralized SRX you can also consider an SSE solution, either our own HPE-SSE or others whose names shall not be mentioned aloud here.
Original Message:
Sent: Jan 16, 2026 06:14 AM
From: Rahul Kewat
Subject: Seeking Advice: Integrating Juniper Srx firewall with EdgeConnect SD-WAN
Hi Team,
I'm looking into EdgeConnect SD-WAN and have a query over placement of existing firewalls. It seems as though the EdgeConnect boxes have firewall capabilities, but as our current edge setup uses a Juniper SRX firewall, removing it from the environment completely wouldn't be an option.
A major benefit offered by the EdgeConnect boxes is to monitor internet circuits for performance and take this into account with outbound traffic. Terminating circuits directly on the EdgeConnect boxes seems to be the way forward, but I'm curious as to how best we can integrate placement of our existing Juniper SRX firewall?
The two potential placements under consideration are:
LAN Device > Switch > EdgeConnect SD-WAN box > Juniper SRX Firewall > ISP
LAN Device > Switch > Juniper SRX Firewall > EdgeConnect SD-WAN box > ISP
Could you please share your experience or recommendations on which design would be more suitable? Your feedback will be greatly valued.
Regards,
Rahul Kewat
-------------------------------------------