Exam PCNSE
Question 242

An existing NGFW customer requires direct internet access offload locally at each site, and IPSec connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware be introduced to the environment.

What is the best solution for the customer?

    Correct Answer: C

    Given the customer's requirement for direct internet access offload locally at each site and IPSec connectivity to all branches over public internet without introducing new hardware, configuring policy-based forwarding (PBF) is the best solution. PBF provides a way to control and direct traffic based on policies rather than relying on traditional routing tables. This allows the customer to manage traffic efficiently and meet their requirement without needing additional subscriptions or hardware, aligning perfectly with their constraints and objectives.

Discussion
DenskyDen Option: B

B. The PAN-OS software now includes a native SD-WAN subscription to provide intelligent and dynamic path selection on top of the industry-leading security that PAN-OS software already delivers. Key features of the SD-WAN implementation include centralized configuration management, automatic VPN topology creation, traffic distribution, monitoring, and troubleshooting. https://docs.paloaltonetworks.com/sd-wan

mz101 Option: C

B is fine, but anything wrong with C, using PBF?

Pretorian Option: B

There are two SD-WAN options:
- PAN-OS SD-WAN, which requires a subscription and leverages existing firewalls
- CloudGenix SD-WAN, which requires ION devices (hardware)

gc999 Option: C

The question asked "What is the best solution for the customer?" The best solution should not need any upgrade or subscription. Besides, the requirement does not need any intelligent or dynamic path selection. So PBF is the best solution, I think.

Whizdhum Option: C

Answer is C. Clearly, this is a question about SD-WAN; although the question isn't written well, we can still deduce the answer. SD-WAN is the best option. No additional hardware needed, just an SD-WAN subscription. You may have cloud-based services and, instead of having your internet traffic flow from branches to the hub to the cloud, you want the internet traffic to flow directly from branches to the cloud using a directly connected ISP. Such access from a branch to the internet is Direct Internet Access (DIA). Use DIA on branches for SaaS, web browsing, or heavy-bandwidth applications that shouldn’t be backhauled to a hub. This ties to the mention of "offloading" at each site.

Metgatz Option: B

B is the correct option.