Configure SD-WAN
Configure the SD-WAN interfaces and Link Management Profiles to define how the
firewall performs SD-WAN link failovers.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
Configure the physical Ethernet interfaces and SD-WAN interface profile to enable
SD-WAN functionality and define the characteristics of the ISP connections the
firewall monitors. Additionally, you must create the SD-WAN VPN cluster to determine
which branches communicate with which hubs and to create a secure connection between
the branch and hub firewalls.
- Log in to Strata Cloud Manager.
- Configure the Layer 3 Ethernet interfaces. Layer 3 interfaces are required for SD-WAN functionality; repeat this step for as many Layer 3 Ethernet interfaces on your SD-WAN firewall as you need. You can configure up to four IP addresses on an SD-WAN enabled interface, but the Auto VPN workflow uses only the first IP address in the configured IPv4 address list to create the VPN tunnel and ignores the remaining IPv4 addresses in the list.
- Configure a Logical Router and add the interfaces that you created in the previous step to the logical router.
- (Optional) Configure a BGP Redistribution Profile.
- Configure an SD-WAN interface profile. The SD-WAN interface profile defines the characteristics of the ISP connection: the link type, the link speed, how frequently the firewall monitors the link, and the Link Tag. Specifying the same Link Tag on multiple links groups (bundles) those physical links into a link bundle, or fat pipe.
- Select Manage > Configuration > NGFW and Prisma Access > Security Services > SD-WAN Policy > Profiles > SD-WAN Interface, and select the hub or branch folder where you want to create the SD-WAN interface profile.
- Add Profile.
- Enter a descriptive Name for the profile.
- Select the Link Tag the profile assigns to the interface.
- Select the Link Type from the predefined list.
- Specify the Maximum Download (Mbps) speed from the ISP.
- Specify the Maximum Upload (Mbps) speed to the ISP.
- Check (enable) Eligible for Error Correction Profile Interface Selection to make the interface eligible for Forward Error Correction (FEC) or packet duplication. If you enable this setting, you must enable it on both the sending and the receiving firewall.
- VPN Data Tunnel Support determines whether branch-to-hub traffic and its return traffic flow through the VPN tunnel for added security, or outside the VPN tunnel to avoid encryption overhead. This setting is enabled by default.
- Keep it enabled for public links that have direct internet connections or internet breakout capability, such as cable modem, ADSL, and other internet connections.
- Disable it only for private link types such as MPLS, satellite, or microwave that don't have internet breakout capability, and only after you have confirmed that traffic on that link can't be intercepted, because it will be sent outside the VPN tunnel without the tunnel's encryption.
- A branch might have DIA traffic that needs to fail over to the private MPLS link connecting to the hub and reach the internet from the hub. In that case, VPN Data Tunnel Support determines whether the private data flows through the VPN tunnel or outside it, and the failed-over DIA traffic uses whichever path the private data flow doesn't use. The firewall uses zones to segment DIA failover traffic from private MPLS traffic.
- Set the VPN Failover Metric if DIA AnyPath is enabled on a hub or branch firewall, to prioritize the order in which a particular hub is selected for failover. The lower the metric, the higher the priority of the interface to be selected during failover. If multiple hub virtual interfaces have the same metric value, SD-WAN sends new session traffic to them in round-robin fashion.
- Select the Path Monitoring mode.
- Aggressive—The firewall sends probe packets to the opposite end of the SD-WAN link at a constant frequency. Use this mode if you need fast detection and failover for brownout and blackout conditions. Default for all link types except LTE and Satellite.
- Relaxed—The firewall waits a number of seconds (the Probe Idle Time) between sending sets of probe packets, making path monitoring less frequent. When the probe idle time expires, the firewall sends probes for 7 seconds at the configured Probe Frequency. Use this mode when you have low-bandwidth links, links that charge by usage (such as LTE), or when fast detection is less important than preserving cost and bandwidth. Default for LTE and Satellite link types.
- Set the Probe Frequency (per second) to specify the number of times per second the firewall sends a probe packet to the opposite end of the SD-WAN link. The default setting provides subsecond detection of brownout and blackout conditions.
- Set the Probe Idle Time (seconds) to specify how long the firewall waits between sets of probe packets.
- Set the Failback Hold Time (seconds) to specify how long a recovered link must remain qualified before the firewall reinstates it after a failure.
- Save.
- Configure a VPN cluster for your hub and branch firewalls.
- Select Manage > Configuration > Device Settings > Auto VPN and Add VPN Cluster.
- Check (enable) SD-WAN.
- Add the hub firewalls to the VPN cluster.
- Add Hub Devices to select one or more firewalls to Add as hubs. Up to four hubs are supported for a VPN cluster.
- Click the firewall in the Hub Devices list.
- Set the hub firewall Priority. Range is 1 to 4. The lower the priority value, the higher the priority and local preference. A cluster supports a maximum of four hubs. An active/passive HA pair counts as one hub. Multiple hubs can have the same priority; an HA pair must have the same priority.
- Select a Logical Router.
- (Optional) Check (enable) DIA VPN and select a DIA VPN Link Tag.
- Update.
- Repeat this step for all hub firewalls that you add to the VPN cluster.
- Add the branch firewalls to the VPN cluster.
- Add Branch Devices to select one or more firewalls to Add as branches.
- Select a Logical Router.
- (Optional) Select a BGP Redistribution Profile.
- Update.
- Repeat this step for all branch firewalls that you add to the VPN cluster.
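The path monitoring, failback hold time and VPN failover metric settings in the SD-WAN interface profile interact in ways that are easier to see in a model than in the field descriptions. The following Python block is an added example and is not Palo Alto Networks code or PAN-OS behaviour taken from this page: the firewall's real probe scheduler, brownout thresholds and hub-selection code are not documented here. It implements the rules the procedure does state (aggressive probing at a constant rate; relaxed probing in 7-second bursts separated by the probe idle time; a recovered link reinstated only after staying good for the failback hold time; the lowest VPN failover metric winning, with ties served round-robin). The profile values, hub names and probe trace are constructed, and the treatment of a single lost probe as a link failure is a simplification.

```python
"""Model of the SD-WAN path-monitoring and failover settings described above.

Added example, not Palo Alto Networks code. Profile values, hub names and the
probe trace are constructed; the real firewall's scheduler is not on the page.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

RELAXED_BURST_SECONDS = 7  # the page: relaxed mode probes for 7 s after each idle period


@dataclass
class SdwanInterfaceProfile:
    """Subset of the SD-WAN interface profile fields from the procedure."""
    name: str
    link_tag: str
    path_monitoring: str            # "aggressive" or "relaxed"
    probe_frequency: int = 5        # probes per second (assumed, not the product default)
    probe_idle_time: int = 60       # seconds between probe sets, relaxed mode only (assumed)
    failback_hold_time: int = 120   # seconds a recovered link must stay good (assumed)
    vpn_data_tunnel_support: bool = True


def probe_times(profile: SdwanInterfaceProfile, window: int) -> List[float]:
    """Times (seconds) at which probes are sent within [0, window)."""
    freq = profile.probe_frequency
    if profile.path_monitoring == "aggressive":
        # One probe every 1/freq seconds, without pause.
        return [i / freq for i in range(window * freq)]
    if profile.path_monitoring != "relaxed":
        raise ValueError(f"unknown path monitoring mode {profile.path_monitoring!r}")
    times: List[float] = []
    start = 0
    while start < window:
        # A 7-second burst at freq, then idle for probe_idle_time seconds.
        for i in range(RELAXED_BURST_SECONDS * freq):
            t = start + i / freq
            if t >= window:
                break
            times.append(t)
        start += RELAXED_BURST_SECONDS + profile.probe_idle_time
    return times


@dataclass
class LinkState:
    """Whether a link is qualified for traffic, honouring Failback Hold Time.

    Simplification: one failed probe marks the link failed; the firewall's
    latency/jitter/loss thresholds are not described on this page.
    """
    profile: SdwanInterfaceProfile
    qualified: bool = True
    recovered_at: Optional[float] = None

    def observe(self, now: float, probe_ok: bool) -> bool:
        """Feed one probe result at time `now`; return whether the link is usable."""
        if not probe_ok:
            self.qualified = False
            self.recovered_at = None      # any failure restarts the hold timer
        elif not self.qualified:
            if self.recovered_at is None:
                self.recovered_at = now   # first good probe after the outage
            elif now - self.recovered_at >= self.profile.failback_hold_time:
                self.qualified = True     # stayed good for the whole hold time
                self.recovered_at = None
        return self.qualified


class FailoverSelector:
    """Hub choice for a new session: lowest VPN Failover Metric wins, ties round-robin."""

    def __init__(self, hub_metrics: Dict[str, int]):
        self.hub_metrics = hub_metrics
        self._rr: Dict[int, int] = {}   # metric -> next round-robin index

    def next_hub(self, usable: set) -> Optional[str]:
        candidates = {h: m for h, m in self.hub_metrics.items() if h in usable}
        if not candidates:
            return None
        best = min(candidates.values())
        tied = sorted(h for h, m in candidates.items() if m == best)
        idx = self._rr.get(best, 0) % len(tied)
        self._rr[best] = idx + 1
        return tied[idx]


def demo() -> dict:
    """Run the model on constructed inputs and return the observable results."""
    aggressive = SdwanInterfaceProfile("isp-a", "broadband", "aggressive")
    relaxed = SdwanInterfaceProfile("lte-b", "lte", "relaxed")
    window = 600  # ten minutes of monitoring

    # Constructed trace, one probe result every 10 s: blackout from t=10 to t=19, good from t=20.
    link = LinkState(aggressive)
    reinstated_at = None
    for t in range(0, 200, 10):
        usable = link.observe(t, probe_ok=not 10 <= t < 20)
        if t >= 20 and usable and reinstated_at is None:
            reinstated_at = t

    # Two hubs tied on metric 10 and a DR hub at 20; then only the DR hub is usable.
    selector = FailoverSelector({"hub-east": 10, "hub-west": 10, "hub-dr": 20})
    sequence = [selector.next_hub({"hub-east", "hub-west", "hub-dr"}) for _ in range(3)]
    sequence.append(selector.next_hub({"hub-dr"}))

    return {
        "aggressive_probes": len(probe_times(aggressive, window)),
        "relaxed_probes": len(probe_times(relaxed, window)),
        "reinstated_at": reinstated_at,
        "hub_sequence": sequence,
    }


if __name__ == "__main__":
    print(demo())
```

With the constructed values, aggressive mode sends 3000 probes in ten minutes against 315 for relaxed mode with a 60-second idle time, which is the bandwidth and cost trade-off the mode descriptions refer to; the link that recovers at t=20 is not reinstated until t=140, 120 seconds later, so a flapping link cannot pull traffic back to itself on its first good probe; and new sessions alternate between the two equal-metric hubs until only the higher-metric DR hub is usable.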