PALO ALTO NETWORKS
AND VMWARE NSX SD-WAN
BY VELOCLOUD
Eliminate backhaul inefficiencies and latency while delivering optimized, robust
and cost-effective offerings for enterprise and cloud applications running over the
internet and in hybrid WAN environments.
Overview
• Robust application performance
with NSX SD-WAN Dynamic
Multipath Optimization
• Simplified WAN deployment
with NSX SD-WAN business
policy automation
• Consistent security across all
locations with the Palo Alto
Networks Security Operating
Platform
• Simplified operations and reduced
costs through zero-touch deploy-
ment and provisioning
Palo Alto Networks | Palo Alto Networks and VMware NSX SD-WAN by VeloCloud | Brief
Adopting distributed firewalls can be a challenge due to deployment complexity and
the difficulty of forwarding traffic to them. Today, cloud traffic is backhauled across a
private wide area network, or WAN, to a centralized firewall environment to simplify
­configurations. However, this negatively affects latency and performance. Additionally,
traditional WANs rely on costly private circuits to enhance application performance.
Backhaul of cloud traffic, guest Wi-Fi and more bandwidth-intensive applications, such as
video and virtual desktop integration, put further pressure on private WAN bandwidth.
A software-defined wide area network, or SD-WAN, enables inexpensive internet to be the
transport mechanism for bandwidth-intensive applications. Public internet links are “best
efforts” and susceptible to attacks. A secure, cloud-delivered SD-WAN delivers ubiquitous
security and enterprise-grade application performance for cloud or on-premise applications.
VMware NSX SD-WAN by VeloCloud
As more applications move to the cloud, the old approach of backhauling traffic through
Multiprotocol Label Switching, or MPLS, to a centralized internet gateway via a hub-and-
spoke architecture is no longer relevant. It is expensive and introduces unnecessary latency.
To support a cloud transition and deliver a fast user experience, enterprise network archi-
tects are reevaluating their WAN architectures to find ways to route internet traffic locally
and take advantage of inexpensive broadband internet services, often turning to SD-WAN.
VMware® NSX® SD-WAN simplifies how traffic is routed and provides bandwidth expansion
for the branch. It also provides direct access to cloud applications through a distributed network
of NSX SD-WAN Gateways, a cloud-based NSX SD-WAN Orchestrator and a branch platform,
NSX SD-WAN Edge. Using broadband along with MPLS as the transport mechanism, Dynamic
Multipath Optimization™ steers traffic on a per-packet basis to the optimal path and remediates
transmission degradations. By defining policies in the cloud via a single interface, organizations
can easily deploy new applications and services as well as manage policies across a large number
of locations.
The following are the key benefits of NSX SD-WAN.
1
Peak Application Performance
NSX SD-WAN Dynamic Multipath Optimization, with application-aware, per-packet steering and on-demand remediation, assures
transport-independent performance for demanding, real-time applications, such as voice and video.

Internet

Logging Service
GlobalProtect
cloud service

PN

Headquarters

Add/remove locations and users, manage policy

SD-WAN connections

Figure 1: GlobalProtect cloud service for remote networks and mobile users

Simplified WAN via Business Policy Automation

NSX SD-WAN reduces the branch office footprint with seamless insertion as well as chaining of virtualized services on-premise and in the
cloud. The NSX SD-WAN platform is an x86-based, hypervisor-capable edge that can instantiate and chain multiple virtualized network
functions. The platform allows elimination of multiple single-function appliances in the branch with firewall, VPN and third-party services
to enterprise service hubs at the branch edge or in the cloud, optimizing your branch network and improving performance and efficiency.

Managed Cloud On-Ramp

The NSX SD-WAN system of cloud gateways uniquely provides a managed cloud on-ramp. Unlike “best effort” direct branch-to-cloud
alternatives, the offering’s full SD-WAN capabilities are deployed at the doorstep of cloud applications to provide optimized, secure
connectivity to software and infrastructure as a service – SaaS and IaaS, respectively – as well as network and cloud security services.

Palo Alto Networks and NSX SD-WAN by VeloCloud

The integration of NSX SD-WAN and Palo Alto Networks provides the performance and security needed for enterprise and cloud
applications utilizing over-the-internet and hybrid WAN while simplifying deployments and reducing costs.

Integration With GlobalProtect Cloud Service

GlobalProtect™ cloud service extends and operationalizes Palo Alto Networks® Security Operating Platform, bringing protection to
your remote networks and mobile users through a cloud-based security infrastructure managed by Palo Alto Networks (see Figure 1).
GlobalProtect cloud service is administered by Panorama™ network security management, allowing customers to create and deploy
consistent security policies across their organizations.
One-click service insertion capabilities provided by the NSX SD-WAN business policy framework reduce complexity and align business
policies with application needs. Forward traffic from many branches to GlobalProtect cloud service, and route through one of the NSX
SD-WAN Gateways (see Figure 2). Together, VeloCloud® – now part of VMware – and Palo Alto Networks minimize exposure to risks by
enabling customers to securely route all traffic through GlobalProtect cloud service.

Palo Alto Networks | Palo Alto Networks and VMware NSX SD-WAN by VeloCloud | Brief 2
Customers do not need to backhaul traffic and can avoid deploying stacks of security appliances at each location. By routing traffic to
GlobalProtect cloud service, customers can immediately begin inspecting all traffic on all ports and protocols, including SSL. Organizations
can define and immediately enforce access and security policies across all locations from a single console. Moreover, GlobalProtect cloud
service scales so you can add capacity or deploy new services in just a few clicks.

GlobalProtect Cloud

Servers
IPsec
tunnel

NSX SD-WAN Data center

Gateway

Internet

SD-WAN
NSX SD-WAN Edge overlay NSX SD-WAN Edge
tunnels

Client 1 Client 2

Figure 2: Routing traffic through an NSX SD-WAN Gateway

Integration With NSX SD-WAN and Palo Alto Networks VM-Series

Service providers and large enterprise customers can easily deploy VM-Series virtualized next-generation
firewalls on the NSX SD-WAN Edge and manage them from Panorama. The VM-Series can be inserted on
the NSX SD-WAN Edge from the branch with the click of a button, using zero-touch operations delivered VM-
via the NSX SD-WAN Orchestrator. NSX SD-WAN service-chains traffic from the branch to both cloud- Series
based and enterprise regional hub services, providing robust performance, optimized security and expert
manageability. Customers can eliminate additional devices deployed at branch locations, reducing their
footprint. NSX SD-WAN Orchestrator simplifies operations by enabling bootstrapping of the VM-Series. Edge + VM-Series

About VMware
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright
© 2018 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property
laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered
trademark or trademark of VMware, Inc. and its subsidiaries in the United States and other jurisdictions. All other marks and names
mentioned herein may be trademarks of their respective companies.

About Palo Alto Networks

We are the global cybersecurity leader, known for always challenging the security status quo. Our mission is to protect our way of life
in the digital age by preventing successful cyberattacks. This has given us the privilege of safely enabling tens of thousands of orga-
nizations and their customers. Our pioneering Security Operating Platform emboldens their digital transformation with continuous
innovation that seizes the latest breakthroughs in security, automation, and analytics. By delivering a true platform and empowering
a growing ecosystem of change‐makers like us, we provide highly effective and innovative cybersecurity across clouds, networks, and
mobile devices. Find out more at www.paloaltonetworks.com.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
© 2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered ­
trademark of Palo Alto Networks. A list of our trademarks can be found at
https://www.paloaltonetworks.com/company/trademarks.html. All other
marks mentioned herein may be trademarks of their respective companies.
palo-alto-networks-and-vmware-nsx-sd-wan-by-velocloud-b-070618

www.paloaltonetworks.com