| Setting | Description |
|---|---|
| Add | |
| Name | Enter a Name that identifies the SD-WAN firewall. |
| Type | Select the Type of SD-WAN firewall: Hub—A centralized firewall deployed at a primary office or location, such as a data center or business headquarters, to which all branch firewalls connect using a VPN connection. Traffic between branches passes through the hub before continuing to the target branch. Branches connect to hubs to gain access to centralized resources at the hub location; the hub processes traffic, enforces policy rules, and manages link swapping at the primary office or location. Branch—A firewall deployed at a physical branch location that connects to the hub using a VPN connection and provides security at the branch level. The branch connects to the hub for access to centralized resources. The branch firewall processes traffic, enforces policy rules, and manages link swapping at the branch location. |
| Virtual Router Name | Select the virtual router to use for routing between the SD-WAN hub and branches. By default, Panorama creates an sdwan-default virtual router and enables Panorama to automatically push router configurations. |
| Site | Enter a user-friendly Site name that identifies the hub or branch. For example, enter the city name where the branch firewall is deployed. |
| Zone Internet | Add one or more pre-existing zones to map them to the predefined zone named zone-internet. SD-WAN traffic egresses this zone to go to the internet. |
| Zone Hub | Add one or more pre-existing zones to map them to the predefined zone named To_Hub. SD-WAN traffic egresses this zone to go to a hub. |
| Zone Branch | Add one or more pre-existing zones to map them to the predefined zone named To_Branch. SD-WAN traffic egresses this zone to go to a branch. |
| Zone Internal | Add one or more pre-existing zones to map them to the predefined zone named zone-internal. SD-WAN traffic egresses this zone to go to an internal zone. |
| BGP | Select the tab to configure BGP. |
| BGP | Enable BGP to configure BGP routing for SD-WAN traffic. |
| Router ID | Specify the BGP router ID, which must be unique across all routers. Use the Loopback Address as the Router ID. |
| Loopback Address | Specify a static loopback IPv4 address for BGP peering. |
| AS Number | Enter the Autonomous System number of the private AS to which the virtual router on the hub or branch belongs. The SD-WAN plugin supports only private autonomous systems. The AS number must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or 64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534. Use a 4-byte private ASN. |
| Prefixes to Redistribute | Enter prefixes to redistribute to the hub router from the branch. By default, all locally connected internet prefixes are advertised to the hub location. Palo Alto Networks does not redistribute the branch office default routes learned from the ISP. |
| Upstream NAT | (PAN-OS 9.1.3 and later 9.1 releases and SD-WAN Plugin 1.0.3 and later 1.0 releases) Select the tab if you are adding an SD-WAN hub device that is behind a NAT device. |
| Upstream NAT | Enable Upstream NAT for the hub. |
| SD-WAN Interface | Select an interface on the hub that you have already configured for SD-WAN. |
| IP Address/FQDN | Select either IP Address or FQDN and enter a single IP address or FQDN of the public-facing interface on the upstream, NAT-performing device. Auto VPN Configuration uses this address as the tunnel endpoint of the hub. |
| Group HA Peers | Select the checkbox at the bottom of the screen to make HA peers appear consecutively in the list of devices for ease of use. |
| BGP Policy | |
| BGP Policy | (PAN-OS 9.1.2 and later 9.1 releases) Select BGP Policy at the bottom of the screen and then Add to have Panorama automatically create and push to firewalls a Security policy rule that allows BGP to run between branches and hubs. |
| Policy Name | Enter a name for the Security policy rule that Panorama will automatically create. |
| Select Device Groups | Select the device groups to which Panorama pushes the Security policy rule. |
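The AS Number row above imposes three constraints that are easy to get wrong when planning many hubs and branches: the ASN must be private, it must be unique per device, and a 4-byte ASN may be written in asplain or asdot form. The following added example (not code from Palo Alto Networks or the SD-WAN plugin) checks a planned device-to-ASN map against those ranges before anything is entered in Panorama; the device names and ASN values are constructed.

```python
# Added example, not part of the SD-WAN plugin: validate planned BGP AS numbers
# against the constraints the settings table states. Private 4-byte ASNs are
# 4200000000-4294967294 in asplain, which contains the asdot range
# 64512.64512-65535.65534 (64512*65536+64512 .. 65535*65536+65534);
# private 2-byte ASNs are 64512-65534. Every hub and branch needs a distinct ASN.

PRIVATE_2BYTE = range(64512, 65534 + 1)
PRIVATE_4BYTE = range(4_200_000_000, 4_294_967_294 + 1)


def parse_asn(text):
    """Parse an ASN written as asplain ('4200000001') or asdot ('64512.1').

    Returns the asplain integer; raises ValueError for malformed input.
    """
    text = text.strip().replace(",", "")
    if "." in text:
        high, low = (int(part) for part in text.split(".", 1))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"asdot parts out of range: {text}")
        return high * 65536 + low
    return int(text)


def is_private_asn(asn):
    """True if the ASN lies in a private range the SD-WAN plugin accepts."""
    return asn in PRIVATE_2BYTE or asn in PRIVATE_4BYTE


def check_sdwan_asns(devices):
    """Check a {device_name: asn_text} plan and return a list of problems.

    An empty list means every ASN is well-formed, private and unique.
    """
    problems = []
    seen = {}  # asplain ASN -> first device that used it
    for name, asn_text in devices.items():
        try:
            asn = parse_asn(asn_text)
        except ValueError as exc:
            problems.append(f"{name}: malformed ASN {asn_text!r} ({exc})")
            continue
        if not is_private_asn(asn):
            problems.append(f"{name}: ASN {asn} is not in a private range")
        if asn in seen:
            problems.append(f"{name}: ASN {asn} already used by {seen[asn]}")
        else:
            seen[asn] = name
    return problems


if __name__ == "__main__":
    # Constructed plan: one hub and three branches, two of them misconfigured.
    plan = {"hub-dc": "4200000001", "branch-nyc": "64512.64513",
            "branch-sfo": "64000", "branch-lon": "4200000001"}
    for line in check_sdwan_asns(plan):
        print(line)
```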