Next-Generation Firewall
Create SD-WAN Link Management Profiles
Create the SD-WAN Link Management Profiles to manage SD-WAN link failovers.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This? | What Do I Need?
---|---
 | One of these:
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > NGFW and Prisma Access and, in the Overview, select the branch folder for which you want to create your SD-WAN Link Management profiles. To make a profile available to all SD-WAN firewalls regardless of folder association, select All Firewalls.
- (Optional) Create a custom Path Quality profile. Create one for each set of business-critical and latency-sensitive applications, application filters, application groups, services, service objects, and service group objects that has unique network quality (health) requirements based on latency, jitter, and packet loss percentage. Applications and services can share a Path Quality profile. The firewall treats the latency, jitter, and packet loss thresholds as OR conditions: if any one threshold is exceeded, the firewall selects the new best (preferred) path. A path whose latency, jitter, and packet loss are all less than or equal to their thresholds is qualified, and the firewall selects among qualified paths based on the associated Traffic Distribution profile. As an alternative to creating a Path Quality profile, you can use one of the predefined Path Quality profiles, such as general-business, voip-video, file-sharing, audio-streaming, photo-video, and remote-access. The predefined profiles set the latency, jitter, and packet loss thresholds to suit the type of applications and services suggested by the profile name.
- Select Security Services > SD-WAN Policy > Profiles > Path Quality and select the branch folder for which you want to create the Path Quality profile.
- Add Path Quality Profile.
- Enter a descriptive Name. Up to 31 alphanumeric characters are supported.
- Configure the Latency settings. Latency is the number of milliseconds allowed for a packet to leave the firewall, arrive at the opposite end of the SD-WAN tunnel, and for a response packet to return to the firewall before the threshold is exceeded.
- Specify the latency Threshold in milliseconds. Range is 10 to 3000. Default is 100.
- Specify the latency threshold Sensitivity. You can select Low, Medium (default), or High sensitivity.
- Configure the Jitter settings. Jitter is the number of milliseconds of variation in packet arrival time allowed before the threshold is exceeded. High jitter may cause packets to be received out of order or to be discarded.
- Specify the jitter Threshold in milliseconds. Range is 10 to 2000. Default is 100.
- Specify the jitter threshold Sensitivity. You can select Low, Medium (default), or High sensitivity.
- Configure the Packet Loss settings. The packet loss Threshold is the percentage of packets lost on the link before the threshold is exceeded. Range is 1 to 100. Default is 1.
- Save.
- Create a SaaS Quality profile.The SaaS Quality profile specifies how one or more software-as-a-service applications should be monitored if your branch firewall has a Direct Internet Access (DIA) link to a SaaS application. The SaaS Quality profile is associated with an SD-WAN policy rule to determine how the branch firewall determines the path quality thresholds for latency, jitter, and packet loss and selects the preferred path for an outgoing packet.
- Select Security Services > SD-WAN Policy > Profiles > SaaS Quality.
- Add Profile.
- Enter a descriptive Name.
- Configure the SaaS Quality profile.The following SaaS Monitoring Mode types are supported. Only a single SaaS Monitoring Mode type is supported for a SaaS Quality profile.
- Adaptive—Passively monitor the SaaS application session for send and receive activity to determine if the predefined path quality thresholds have been exceeded.
- Static IP Address—Add up to four static IP addresses to monitor and specify the Probe Interval by which the branch firewall probes the SaaS application path for health information.
- FQDN—Add one Fully Qualified Domain Name and specify the Probe Interval by which the branch firewall probes the SaaS application path for health information.
- HTTP/HTTPS—Add a URL and specify the Probe Interval by which the branch firewall probes the SaaS application path for health information.
- Save.
- Create a Traffic Distribution profile. The Traffic Distribution profile specifies how the firewall selects paths for session load distribution and for path failover when it detects a brownout, blackout, or path deterioration for an application. Before you configure a Traffic Distribution profile, create all your Link Tags so the firewall knows which paths to fail over to.
- Select Security Services > SD-WAN Policy > Profiles > Traffic Distribution.
- Add Profile.
- Enter a descriptive Name.
- Select the Traffic Distribution method the firewall uses to determine which path to fail over to.Only a single Traffic Distribution method is supported for a Traffic Distribution profile.
- Best Available Path—Select this method if cost isn’t a factor and you allow applications to use any path out of the branch. The firewall uses the predefined Path Quality metrics to distribute traffic and to fail over to one of the links belonging to a Link Tag in the list, thus providing the best application experience to users.
- Top Down Priority—Select this method if you have expensive or low-capacity links that you want used only as a last resort or as a backup. Order your Link Tags so that the paths you want used last are at the bottom of the Link Tag list. The firewall uses the top Link Tag in the list first to determine the links on which to load sessions and to which to fail over. If none of the links in the top Link Tag is qualified based on the Path Quality profile, the firewall selects a link from the second Link Tag, and so on until it finds a qualified link in the last Link Tag. If all associated links are overloaded and none meets the quality thresholds, the firewall falls back to the Best Available Path method to select a link. At the start of a failover event, the firewall starts again at the top of the Link Tag list to find a link to fail over to.
- Weighted Session Distribution—Select this method if you want to manually load traffic that matches the rule onto your ISP and WAN links and you don't require failover during brownout conditions. You specify the link load as a static percentage of new sessions that the interfaces grouped under a single Link Tag receive. The firewall distributes new sessions round-robin among the links having the specified Link Tags until the link assigned the lowest percentage reaches that percentage of sessions, then continues in the same manner across the remaining links. You might select this method for applications that aren't latency-sensitive but consume much of a link's bandwidth, such as large branch backups and large file transfers.
- Add Link Tags. When adding and ordering your Link Tags, consider the Traffic Distribution method you selected to ensure the firewall selects the appropriate path.
- Save.
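The following is an added example, not Palo Alto Networks code or anything from Strata Cloud Manager. It models the two decisions described in the Path Quality and Traffic Distribution steps above: qualifying a link against the latency, jitter, and packet loss thresholds with OR semantics, and then choosing a link with each of the three Traffic Distribution methods. The link names, Link Tags, and measurements are constructed sample data; the lowest-latency tie-break among qualified links and the per-window quota used for Weighted Session Distribution are assumptions, since the page does not state the firewall's exact metric weighting.

```python
"""Added example (not Palo Alto Networks code): how Path Quality thresholds
qualify links (OR semantics) and how each Traffic Distribution method then
picks one. Sample links and tie-break scoring are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PathQuality:
    """Thresholds from a Path Quality profile (SCM defaults shown)."""
    latency_ms: int = 100    # range 10-3000
    jitter_ms: int = 100     # range 10-2000
    loss_pct: float = 1.0    # range 1-100


@dataclass
class Link:
    """One SD-WAN path with its current measured health."""
    name: str
    tag: str            # the Link Tag the interface belongs to
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def is_qualified(link: Link, pq: PathQuality) -> bool:
    """The thresholds are OR conditions: exceeding any one disqualifies the path."""
    return not (link.latency_ms > pq.latency_ms
                or link.jitter_ms > pq.jitter_ms
                or link.loss_pct > pq.loss_pct)


def health_key(link: Link):
    """Assumed tie-break among qualified paths: lowest latency, then jitter, then loss."""
    return (link.latency_ms, link.jitter_ms, link.loss_pct)


def best_available_path(links, pq):
    """Best Available Path: any link out of the branch may be used; when nothing
    qualifies, fall back to the least-bad link so traffic keeps flowing."""
    qualified = [l for l in links if is_qualified(l, pq)]
    return min(qualified or links, key=health_key)


def top_down_priority(links, tag_order, pq):
    """Top Down Priority: walk Link Tags in order and use the first tag that still
    has a qualified link; if nothing qualifies anywhere, use Best Available Path."""
    for tag in tag_order:
        candidates = [l for l in links if l.tag == tag and is_qualified(l, pq)]
        if candidates:
            return min(candidates, key=health_key)
    return best_available_path(links, pq)


def weighted_session_distribution(tag_weights, n_sessions, window=100):
    """Weighted Session Distribution (no brownout failover): round-robin new sessions
    across tags; a tag leaves the rotation once it has taken its percentage of the
    current window, so the lowest-weighted tag is exhausted first (window is assumed)."""
    order = list(tag_weights)
    quota = {t: 0 for t in order}
    assigned, i = [], 0
    for _ in range(n_sessions):
        if all(q <= 0 for q in quota.values()):          # start a new window
            quota = {t: max(1, round(tag_weights[t] * window / 100)) for t in order}
        while quota[order[i % len(order)]] <= 0:          # skip exhausted tags
            i += 1
        tag = order[i % len(order)]
        quota[tag] -= 1
        assigned.append(tag)
        i += 1
    return assigned


# Constructed sample data: a custom profile tighter than the defaults and three
# paths, only one of which passes every threshold.
VOIP = PathQuality(latency_ms=50, jitter_ms=10, loss_pct=1.0)
LINKS = [
    Link("mpls-1", "MPLS", latency_ms=40, jitter_ms=5, loss_pct=3.0),     # loss breaches
    Link("isp-1", "Broadband", latency_ms=30, jitter_ms=8, loss_pct=0.5),  # qualified
    Link("lte-1", "LTE", latency_ms=90, jitter_ms=20, loss_pct=0.8),     # latency and jitter breach
]
TAG_ORDER = ["MPLS", "Broadband", "LTE"]

if __name__ == "__main__":
    print("qualified :", [l.name for l in LINKS if is_qualified(l, VOIP)])
    print("top-down  :", top_down_priority(LINKS, TAG_ORDER, VOIP).name)
    print("best-avail:", best_available_path(LINKS, VOIP).name)
    print("weighted  :", weighted_session_distribution({"MPLS": 80, "LTE": 20}, 10, window=10))
```

Note that mpls-1 is rejected on packet loss alone even though its latency and jitter are well inside the profile; that is the OR behaviour the step describes, and it is why a loss threshold of 1% on a lossy last-mile link can push traffic off an otherwise good path. Weighted Session Distribution ignores the thresholds entirely, which is the reason the page steers latency-sensitive applications to the other two methods.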
- Create an Error Correction profile. SD-WAN supports two error correction modes: Forward Error Correction (FEC), which corrects certain data transmission errors that occur over noisy communication lines to improve reliability without requiring retransmission, and Packet Duplication, which duplicates an application session from one tunnel onto another.
- Select Security Services > SD-WAN Policy > Profiles > Error Correction. To make the Error Correction profile available to all SD-WAN firewalls regardless of folder association, select All Firewalls.
- Add Profile.
- Enter a descriptive Name.
- Specify the Activation Threshold (Packet Loss %) to set the packet loss percentage that must be exceeded before error correction is activated.
- Select the error correction Mode.Only a single error correction Mode can be selected for an Error Correction profile.
- (Forward Error Correction only) Select the Packet Loss Correction Ratio to specify the ratio of parity bits to data packets. The higher the ratio the sending firewall uses, the higher the probability that the receiving firewall can repair packet loss; however, a higher ratio means more redundancy and therefore more bandwidth overhead, which is the tradeoff for error correction. The parity ratio applies to the receiving firewall's outgoing traffic. Also specify the Recovery Duration (ms), the maximum number of milliseconds the receiving firewall can spend recovering lost data packets using the parity packets it received.
- Save.
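To make the Packet Loss Correction Ratio tradeoff concrete, here is an added example that is not Palo Alto Networks code and does not reproduce the firewall's FEC scheme. It implements the simplest possible forward error correction, one XOR parity packet per block of k data packets (a 1:k ratio), and pushes a constructed packet stream through a lossy path. One lost packet per block is rebuilt from the parity; two losses in the same block are unrecoverable unless the ratio is raised, which costs 100/k percent extra bandwidth. The packet contents and loss patterns are constructed sample data.

```python
"""Added example (not Palo Alto Networks code): a toy single-parity XOR FEC that
shows what a higher parity ratio buys and what it costs in overhead."""


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fec_encode(data_packets, k):
    """Group packets into blocks of k and append one XOR parity packet per block.
    Assumes equal-length packets (a real scheme pads to a fixed size)."""
    blocks = []
    for i in range(0, len(data_packets), k):
        block = list(data_packets[i:i + k])
        parity = block[0]
        for pkt in block[1:]:
            parity = xor_bytes(parity, pkt)
        blocks.append((block, parity))
    return blocks


def fec_decode(block, parity):
    """`block` holds None for each lost packet. A single loss is rebuilt as the XOR
    of the parity with the surviving packets; more than one loss returns None."""
    lost = [i for i, pkt in enumerate(block) if pkt is None]
    if not lost:
        return list(block)
    if len(lost) > 1:
        return None
    acc = parity
    for i, pkt in enumerate(block):
        if i != lost[0]:
            acc = xor_bytes(acc, pkt)
    repaired = list(block)
    repaired[lost[0]] = acc
    return repaired


def overhead_pct(k):
    """Bandwidth added by the parity packets relative to the data, in percent."""
    return 100.0 / k


def transmit_with_fec(data_packets, k, dropped):
    """Simulate sender -> lossy path -> receiver. `dropped` is the set of data
    packet sequence numbers the path loses. Returns the data the receiver ends
    up with, the indices of blocks it could not repair, and the overhead."""
    received, unrecoverable = [], []
    for b, (block, parity) in enumerate(fec_encode(data_packets, k)):
        seen = [None if b * k + i in dropped else pkt for i, pkt in enumerate(block)]
        fixed = fec_decode(seen, parity)
        if fixed is None:
            unrecoverable.append(b)
            received.extend(pkt for pkt in seen if pkt is not None)
        else:
            received.extend(fixed)
    return received, unrecoverable, overhead_pct(k)


# Constructed sample stream: eight 8-byte packets.
PACKETS = [f"pkt{i}".encode().ljust(8, b"\0") for i in range(8)]

if __name__ == "__main__":
    for k, dropped in ((4, {2}), (4, {1, 2}), (2, {1, 2})):
        got, bad, oh = transmit_with_fec(PACKETS, k, dropped)
        print(f"ratio 1:{k}, dropped {sorted(dropped)}: all data recovered={got == PACKETS}, "
              f"unrecoverable blocks={bad}, overhead={oh:.0f}%")
```

The three runs show the shape of the decision the profile asks you to make: at 1:4 a single loss costs 25% overhead and is repaired, two adjacent losses at 1:4 are not, and moving to 1:2 repairs both at the price of 50% overhead. The Activation Threshold exists so that this overhead is only paid once observed loss actually exceeds the configured percentage, and the Recovery Duration bounds how long the receiver waits for the parity packet before giving up on a block.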