| Add | Description |
|---|---|
| Name | Enter a Name that identifies the SD-WAN firewall. |
| Type | Select the Type of SD-WAN firewall. Hub—A centralized firewall deployed at a primary office or location, such as a data center or business headquarters, to which all branch firewalls connect using a VPN connection. Traffic between branches passes through the hub before continuing to the target branch. Branches connect to hubs to gain access to centralized resources at the hub location, and the hub processes traffic, enforces policy rules, and manages link swapping at the primary office or location. Branch—A firewall deployed at a physical branch location that connects to a hub using a VPN connection and provides security at the branch level. The branch connects to a hub for access to centralized resources. In SD-WAN Plugin 2.0.1 and later 2.0 releases, a branch can connect to another branch in a full mesh VPN cluster. The branch firewall processes traffic, enforces policy rules, and manages link swapping at the branch location. |
| Virtual Router Name | Select the virtual router to use for routing between the SD-WAN hub and branches. By default, Panorama creates an sdwan-default virtual router and enables Panorama to automatically push router configurations. |
| Site | Enter a user-friendly Site name that identifies the hub or branch. For example, enter the city name where the branch firewall is deployed. |
| Zone Internet | Add one or more pre-existing zones to map them to the predefined zone named zone-internet. SD-WAN traffic egresses this zone to go to the internet. |
| Zone Hub | Add one or more pre-existing zones to map them to the predefined zone named To_Hub. SD-WAN traffic egresses this zone to go to a hub. |
| Zone Branch | Add one or more pre-existing zones to map them to the predefined zone named To_Branch. SD-WAN traffic egresses this zone to go to a branch. |
| Zone Internal | Add one or more pre-existing zones to map them to the predefined zone named zone-internal. SD-WAN traffic egresses this zone to go to an internal zone. |
| BGP | Enable BGP to configure BGP routing for SD-WAN traffic. |
| Router ID | Specify the BGP router ID, which must be unique for all routers. Use the Loopback Address as the Router ID. |
| Loopback Address | Specify a static loopback IPv4 address for BGP peering. |
| AS Number | Enter the Autonomous System number of the private AS to which the virtual router on the hub or branch belongs. The SD-WAN plugin supports only private autonomous systems. The AS number must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or 64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534. Use a 4-byte private ASN. |
| Remove Private AS | Disable (uncheck) the Remove Private AS option (enabled by default) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don't want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates. This setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin. If you change the Remove Private AS setting, commit to all SD-WAN cluster nodes, and subsequently downgrade to an SD-WAN Plugin version earlier than 2.0.2, then all configuration related to Remove Private AS must be done outside of the SD-WAN plugin or directly on the firewalls. |
| Prefixes to Redistribute | Enter prefixes to redistribute from the branch to the hub router. By default, all locally connected internet prefixes are advertised to the hub location. Palo Alto Networks does not redistribute the branch office default routes learned from the ISP. |
| Upstream NAT | Select this tab if you are adding an SD-WAN hub or branch device that is behind a NAT device. |
| Upstream NAT | Enable Upstream NAT for the hub. Beginning with SD-WAN Plugin 2.0.1, you can enable Upstream NAT for a branch. |
| SD-WAN Interface | Select an interface on the hub or branch that you have already configured for SD-WAN. |
| NAT IP Address Type | Select one of the following: Static IP (select IP Address or FQDN and enter a single IP address or FQDN of the public-facing interface on the upstream, NAT-performing device) or DDNS. Auto VPN Configuration uses this address as the tunnel endpoint of the hub or branch. |
| Group HA Peers | Click the checkbox at the bottom of the screen so that HA peers appear consecutively in the list of devices, for ease of use. |
| BGP Policy | |
| BGP Policy | Select BGP Policy and then Add to have Panorama automatically create, and push to firewalls, a Security policy rule that allows BGP to run between branches and hubs. |
| Policy Name | Enter a name for the Security policy rule that Panorama will automatically create. |
| Select Device Groups | Select the device groups to which Panorama pushes the Security policy rule. |
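The AS Number and Remove Private AS rows state concrete ranges and rules; the following added Python example (not Palo Alto Networks code, and not how PAN-OS or the plugin implements these options) applies them: it converts the dotted "64512.64512" form to a plain integer, checks that each site's ASN is private and unique across hubs and branches, and strips private ASNs from an AS_PATH the way the Remove Private AS option describes. It assumes that removal covers both private ranges listed in the AS Number row, and the site names and AS_PATH values are constructed.

```python
import re

# Private ASN ranges as stated in the AS Number row, in plain-integer form.
PRIVATE_2BYTE = (64512, 65534)
PRIVATE_4BYTE = (4_200_000_000, 4_294_967_294)

def asdot_to_asplain(asn: str) -> int:
    """Convert 'high.low' notation (e.g. 64512.64512) to an integer: high * 65536 + low."""
    m = re.fullmatch(r"(\d{1,5})\.(\d{1,5})", asn)
    if not m or int(m.group(1)) > 65535 or int(m.group(2)) > 65535:
        raise ValueError(f"not a valid dotted ASN: {asn!r}")
    return int(m.group(1)) * 65536 + int(m.group(2))

def parse_asn(asn) -> int:
    """Accept an int, a plain-integer string or a dotted string; return the integer value."""
    if isinstance(asn, int):
        return asn
    text = str(asn).strip()
    if "." in text:
        return asdot_to_asplain(text)
    if not text.isdigit():
        raise ValueError(f"malformed ASN: {asn!r}")
    return int(text)

def is_private_asn(asn) -> bool:
    """True when the ASN lies in the 2-byte or 4-byte private range the plugin accepts."""
    value = parse_asn(asn)
    return (PRIVATE_2BYTE[0] <= value <= PRIVATE_2BYTE[1]
            or PRIVATE_4BYTE[0] <= value <= PRIVATE_4BYTE[1])

def check_site_asns(site_asns: dict) -> list:
    """Report malformed, non-private or duplicated ASNs; each hub and branch needs a unique private ASN."""
    problems, seen = [], {}
    for site, raw in site_asns.items():
        try:
            value = parse_asn(raw)
        except ValueError as exc:
            problems.append(f"{site}: {exc}")
            continue
        if not is_private_asn(value):
            problems.append(f"{site}: AS {raw} is not a private ASN")
        if value in seen:
            problems.append(f"{site}: AS {raw} duplicates {seen[value]}")
        seen.setdefault(value, site)
    return problems

def remove_private_as(as_path: list) -> list:
    """Drop private ASNs from an AS_PATH as the Remove Private AS option does before
    advertising (assumption: both private ranges are removed, not only 64512-65534)."""
    return [asn for asn in as_path if not is_private_asn(asn)]
```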