Can Cisco Firewalls also function as SD-WAN? The Answer is Yes.


As is widely known, Cisco offers two SD-WAN solutions. One is the Viptela SD-WAN solution, tailored for telecom operators and large to medium-sized enterprises. The other is the Meraki SD-WAN solution, designed for general enterprise customers. However, there is still a subset of users who require an SD-WAN solution that provides both advanced security features at the WAN boundary and SD-WAN routing policies, all deployable and manageable locally. This is precisely what this article explores.

SD-WAN is based on the automation of building overlay channels, with a controller centrally managing the on-demand forwarding of business traffic through different overlay channels. This accomplishes monitoring, ensuring business reliability, security, and quality of service in a wide area network solution. Therefore, SD-WAN solutions fundamentally have three key elements: the construction of overlay channels, routing and service backup strategies, and global unified management and control. Of course, these are just the three basic elements for a wide area network. As an edge device, it also needs to possess excellent security capabilities.

Through unified management with FMC (Firepower Management Center), Next-Generation Firewalls (NGFW) support the construction of overlay topologies using VTI interfaces, supporting various topological forms like P2P, Hub-Spoke, Full Mesh, and more to meet diverse business requirements. These overlay tunnels can form multiple optional forwarding paths, and the underlying layer of the overlay tunnel can be the Internet, dedicated lines, or a combination of both, resulting in differences in bandwidth, latency, jitter, and other attributes for different paths. The data transmitted within the tunnel is always encrypted, ensuring overall communication security regardless of the underlying physical lines used.

NGFW (Next-Generation Firewall) supports policy-based routing driven by path monitoring. This functionality lets users forward custom-defined traffic according to specific routing principles. In addition to the standard five-tuple and application information, the traffic match can also be based on user identity and SGT (Security Group Tag) labels. Routing principles can be based on interface priority, link RTT (Round-Trip Time), jitter, or packet-loss statistics, and preferred and backup paths can also be defined manually. It is worth noting that this path-monitoring-based policy routing can be deployed not only for overlay path selection but also for physical paths. For users who rely on dedicated lines to build their wide area networks, designing routing principles directly on the physical paths may be preferable.
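The path-monitored policy routing described above can be modelled as a small decision function: match the flow on application or SGT, drop candidate paths whose monitored RTT, jitter or loss breach the policy's thresholds, then choose by manual preferred/backup order or by the best metric. This is an added illustration, not Cisco's or FMC's own code; the policy fields, path names and metric values are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class PathStats:
    """Monitored attributes of one candidate egress path (VTI or physical)."""
    name: str
    priority: int        # administrative interface priority, lower wins
    rtt_ms: float
    jitter_ms: float
    loss_pct: float
    up: bool = True

@dataclass
class PbrPolicy:
    """Hypothetical policy-based route: which flows it matches and how it picks a path."""
    apps: frozenset       # application names; empty set = any application
    sgts: frozenset       # Security Group Tags; empty set = any SGT
    candidates: tuple     # path names in preferred -> backup order
    metric: str           # "order", "priority", "rtt", "jitter" or "loss"
    max_rtt_ms: float = float("inf")
    max_jitter_ms: float = float("inf")
    max_loss_pct: float = float("inf")

    def matches(self, flow: dict) -> bool:
        return (not self.apps or flow.get("app") in self.apps) and \
               (not self.sgts or flow.get("sgt") in self.sgts)

    def healthy(self, p: PathStats) -> bool:
        return p.up and p.rtt_ms <= self.max_rtt_ms and \
               p.jitter_ms <= self.max_jitter_ms and p.loss_pct <= self.max_loss_pct

def select_path(flow: dict, policies: list, paths: dict) -> Optional[str]:
    """Return the egress path for a flow, or None to fall back to the routing table."""
    key = {"priority": lambda p: p.priority, "rtt": lambda p: p.rtt_ms,
           "jitter": lambda p: p.jitter_ms, "loss": lambda p: p.loss_pct}
    for pol in policies:            # first matching policy wins, like an ordered PBR list
        if not pol.matches(flow):
            continue
        eligible = [paths[n] for n in pol.candidates if n in paths and pol.healthy(paths[n])]
        if not eligible:
            return None             # every candidate breached its thresholds
        if pol.metric == "order":
            return eligible[0].name # manual preferred/backup ordering
        return min(eligible, key=key[pol.metric]).name
    return None

# Constructed sample: two overlay VTIs, one over the Internet and one over a dedicated line.
PATHS = {
    "vti-internet": PathStats("vti-internet", priority=2, rtt_ms=45, jitter_ms=4, loss_pct=0.1),
    "vti-mpls":     PathStats("vti-mpls",     priority=1, rtt_ms=30, jitter_ms=2, loss_pct=0.0),
}
POLICIES = [
    PbrPolicy(frozenset({"voice"}), frozenset(), ("vti-mpls", "vti-internet"), "jitter",
              max_jitter_ms=5, max_loss_pct=1.0),          # voice: lowest-jitter healthy path
    PbrPolicy(frozenset(), frozenset({"guest"}), ("vti-internet",), "order"),  # guest SGT: Internet
]
```

Running `select_path({"app": "voice"}, POLICIES, PATHS)` with the sample data picks `vti-mpls`; raising that tunnel's jitter above 5 ms moves voice to `vti-internet`, and a flow no policy matches returns `None`.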

FMC (Firepower Management Center) serves not only for unified configuration and deployment of the entire NGFW network but also offers monitoring, management, and troubleshooting capabilities. The graphical interface of FMC provides an intuitive display of link and overlay status, as well as related statistics. It also includes embedded tools for debugging and troubleshooting.

Under the SD-WAN networking environment, NGFW retains various professional security features and HA (High Availability) deployment capabilities. Key security features such as application identification and control, IPS (Intrusion Prevention System), AMP (Advanced Malware Protection), DNS, and even SASE (Secure Access Service Edge) remain crucial for users who prioritize border security, cloud security, and data security.

Of course, compared to Cisco's specialized Viptela SD-WAN solution, the NGFW-based SD-WAN deployment may have certain gaps in advanced link assurance and control management. However, for many wide area network users with relatively simple environments and a need for border security through a professional firewall, yet not wanting to purchase an additional set of routers to implement SD-WAN functionality, this approach still holds practical significance.
