SD-WAN
SD-WAN Devices
Add SD-WAN branch and hub firewalls to be managed by Panorama.

Panorama > SD-WAN > Devices

Add the SD-WAN firewall branches and hubs that make up the VPN cluster and SD-WAN topology that the Panorama management server will manage. You can also Group HA Peers so that HA peers appear consecutively on the list of devices for ease of use. You can select BGP Policy to have Panorama create and push to firewalls a Security policy rule that allows BGP to run between branches and hubs. In SD-WAN plugin 3.1.1 and later 3.1 releases, select IPv4 BGP Policy or IPv6 BGP Policy.
Field | Description |
---|---|
Add | |
Name | Enter a Name that identifies the SD-WAN firewall. |
Type | Select the Type of SD-WAN firewall: |
Virtual Router Name | Select the virtual router to use for routing between the SD-WAN hub and branches. By default, Panorama creates an sdwan-default virtual router and enables Panorama to automatically push router configurations. |
Site | Enter a user-friendly Site name that identifies the hub or branch. For example, enter the city name where the branch firewall is deployed. |
Zone Internet | Add one or more preexisting zones to map them to the predefined zone named zone-internet. SD-WAN traffic egresses this zone to go to the internet. |
Zone Hub | Add one or more preexisting zones to map them to the predefined zone named To_Hub. SD-WAN traffic egresses this zone to go to a hub. |
Zone Branch | Add one or more preexisting zones to map them to the predefined zone named To_Branch. SD-WAN traffic egresses this zone to go to a branch. |
Zone Internal | Add one or more preexisting zones to map them to the predefined zone named zone-internal. SD-WAN traffic egresses this zone to go to an internal zone. |
BGP | Enable BGP to configure BGP routing for SD-WAN traffic. |
Router ID | Specify the BGP router ID, which must be unique for all routers. Use the Loopback Address as the Router ID. |
Loopback Address | Specify a static loopback IPv4 address for BGP peering. |
AS Number | Enter the Autonomous System number of the private AS to which the virtual router on the hub or branch belongs. The SD-WAN plugin supports only private autonomous systems. The AS number must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or 64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534. Use a 4-byte private ASN. |
Remove Private AS | Disable (uncheck) the Remove Private AS option (default is enabled) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don't want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates. This setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin. If you change the Remove Private AS setting, commit to all SD-WAN cluster nodes, and subsequently downgrade to an SD-WAN plugin version earlier than 2.0.2, then you must perform all configuration related to Remove Private AS outside of the SD-WAN plugin or directly on the firewalls. |
Prefixes to Redistribute | Enter prefixes to redistribute to the hub router from the branch. By default, all locally connected internet prefixes are advertised to the hub location. Palo Alto Networks does not redistribute the branch office default routes learned from the ISP. |
(SD-WAN Plugin 3.1.1 and later 3.1 releases) IPv4 BGP | |
Enable IPv4 BGP support | Enable IPv4 BGP to configure BGP routing for SD-WAN traffic. |
Loopback Address | Enter the IPv4 Loopback address for BGP peering. |
Remove Private AS | Disable (uncheck) the Remove Private AS option (default is enabled) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don't want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates. This setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin. If you change the Remove Private AS setting, commit to all SD-WAN cluster nodes, and subsequently downgrade to an SD-WAN plugin version earlier than 2.0.2, then you must perform all configuration related to Remove Private AS outside of the SD-WAN plugin or directly on the firewalls. |
Prefixes to Redistribute | Enter IPv4 prefixes with /prefix length to redistribute to the hub router from the branch. By default, all locally connected internet prefixes are advertised to the hub. However, a hub doesn't redistribute every route to the branch because the hub can have many connected routes to different branches or ISPs. Therefore, when configuring a hub device, a prefix to redistribute is mandatory. Palo Alto Networks does not redistribute the branch office default routes learned from the ISP. |
(SD-WAN Plugin 3.1.1 and later 3.1 releases) IPv6 BGP | |
Enable IPv6 BGP support | Enable IPv6 BGP to configure BGP routing for SD-WAN traffic. |
IPv6 Loopback Address | Enter the IPv6 Loopback address for BGP peering. |
Prefixes to Redistribute | Enter IPv6 prefixes with /prefix length to redistribute to the hub router from the branch. By default, all locally connected internet prefixes are advertised from the branch to the hub. However, a hub doesn't redistribute every route to the branch because the hub can have many connected routes to different branches or ISPs. Therefore, when configuring a hub device, a prefix to redistribute is mandatory. Palo Alto Networks does not redistribute the branch office default routes learned from the ISP. |
BGP Policy | |
BGP Policy | Select BGP Policy and then Add to have Panorama automatically create and push to firewalls a Security policy rule that allows BGP to run between branches and hubs. |
Policy Name | Enter a name for the Security policy rule that Panorama automatically creates. |
Select Device Groups | Select the device groups to which Panorama pushes the Security policy rule. |
Upstream NAT | Select this tab if you are adding an SD-WAN hub or branch device that is behind a NAT device. |
Upstream NAT | Enable Upstream NAT for the hub. Beginning with SD-WAN Plugin 2.0.1, you can enable Upstream NAT for a branch. |
SD-WAN Interface | Select an interface on the hub or branch that you have already configured for SD-WAN. |
NAT IP Address Type | Select one of the following: Auto VPN Configuration uses this address as the tunnel endpoint of the hub or branch. |
(SD-WAN Plugin 3.1.1 and later 3.1 releases) IPv4 BGP Policy | |
Policy Name | Enter a name for the Security policy rule that Panorama automatically creates. |
Type | Select Hub or Branch. |
Select Device Groups | Select the device groups to which Panorama pushes the Security policy rule. |
(SD-WAN Plugin 3.1.1 and later 3.1 releases) IPv6 BGP Policy | |
Policy Name | Enter a name for the Security policy rule that Panorama automatically creates. |
Type | Select Hub or Branch. |
Select Device Groups | Select the device groups to which Panorama pushes the Security policy rule. |
VPN Tunnel | |
Copy ToS Header | (PAN-OS 10.2.1 and later 10.2 releases and SD-WAN 3.0.1 and later 3.0 releases) Copy the Type of Service (ToS) field (ToS bits or Differentiated Services Code Point [DSCP] markings) from the inner IPv4 header to the VPN header of the encapsulated packets in order to preserve the original ToS information. This also copies the Explicit Congestion Notification (ECN) field. |
Group HA Peers | Click the checkbox at the bottom of the screen to cause HA peers to appear consecutively on the list of devices for ease of use. |
Prisma Access Onboarding | |
Interface | Select the physical interface, subinterface, or aggregate Ethernet interface for which you have enabled SD-WAN functionality. |
Tenant | Select the Prisma Access deployment for which to leverage SD-WAN. |
Comment | Enter a comment to describe the Prisma Access deployment leveraging SD-WAN. Up to 1,024 characters are supported. |
Region | Select the location where the Prisma Access hub is deployed. The list of available regions is based on the Tenant you select. |
IPSec Termination Nodes | Select an IPSec Termination Node associated with the remote network secured by the Prisma Access deployment. You can select up to four (4) IPSec Termination Nodes for a single Prisma Access deployment. The list of available IPSec Termination Nodes is based on the Region and Tenant you selected. |
BGP | Check (enable) BGP for the IPSec tunnel. Displays true if enabled and false if disabled. |
Advertise Default Route | Check (enable) to allow Prisma Access to advertise a default route for the remote network using eBGP when leveraging SD-WAN for Prisma Access deployments. Displays true if enabled and false if disabled. When onboarding and configuring remote networks for your Prisma Access deployment, you must publish your default routes before you make the selection to advertise them. In addition, be sure that the remote network does not have another default route advertised by BGP, or you could introduce routing issues in your network. |
Summarize Mobile User Routes Before Advertising | Check (enable) to summarize the mobile user IP subnets advertised over BGP, which reduces the number of mobile user IP subnets advertised to customer premises equipment (CPE). Displays true if enabled and false if disabled. By default, Prisma Access advertises the mobile user IP address pools in blocks of /24 subnets. If you summarize them, Prisma Access advertises the pool based on the subnet you specified. For example, Prisma Access advertises a public mobile user IP pool of 10.8.0.0/20 using the /20 subnet, rather than dividing the pool into subnets of 10.8.1.0/24, 10.8.2.0/24, 10.8.3.0/24, and so on before advertising them. Summarizing routes in advertisements can reduce the number of routes stored in CPE routing tables. |
Don't Advertise Prisma Access Routes | Check (enable) to prevent the Prisma Access BGP peer from forwarding routes into your organization's network when leveraging SD-WAN for Prisma Access deployments. Displays true if enabled and false if disabled. By default, Prisma Access advertises all BGP routing information, including local routes and all prefixes it receives from other service connections, remote networks, and mobile user subnets. Enable this setting to prevent Prisma Access from sending any BGP advertisements when leveraging SD-WAN, while still using the BGP information it receives to learn routes from other BGP neighbors. Because Prisma Access does not send BGP advertisements if this setting is enabled, you must configure static routes on the on-premises equipment to establish routes back to Prisma Access. |
Prisma AS Number | The Autonomous System number of the private AS to which the virtual router on the Prisma Access hub belongs. The SD-WAN plugin supports only private autonomous systems. The AS number must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or 64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534. |
Tunnel Monitor IP | The tunnel monitor IP address provided by Prisma Access for IPSec tunnel monitoring. This is displayed after you successfully onboard a Prisma Access hub. |
Service IP | The public IP address of the Prisma Access hub. This is displayed after you successfully onboard a Prisma Access hub. |
Secret | Enter and confirm a passphrase to authenticate BGP peer communications. |
Link Tag | Configure a link tag to identify the Prisma Access hub when applications and services use this link during SD-WAN traffic distribution and failover. |
Operations | Click to perform one of the following operations when configuring Prisma Access to leverage SD-WAN. |
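The AS Number and Remove Private AS fields above carry two rules worth checking before a commit: every hub and branch needs its own private ASN (2-byte 64512 to 65534, or 4-byte 4,200,000,000 to 4,294,967,294, the latter also written in asdot form), and the default Remove Private AS setting strips 2-byte private ASNs from the AS_PATH of outgoing updates. The following is an added example, not code from Palo Alto Networks or the SD-WAN plugin; all function names and the sample cluster are hypothetical, and `remove_private_as` is a deliberately simplified model of the option's effect.

```python
# Added example (not Palo Alto Networks code): validates the private-ASN rules of
# the AS Number field and illustrates what Remove Private AS does to an AS_PATH.
# Ranges and asdot bounds below are the ones stated on the documentation page.

PRIVATE_2BYTE = (64512, 65534)
PRIVATE_4BYTE = (4_200_000_000, 4_294_967_294)


def asdot_to_asplain(asn: str) -> int:
    """Convert an ASN written as asdot ('65535.65534') or asplain ('65001') to an int."""
    if "." in asn:
        high, low = (int(part) for part in asn.split(".", 1))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"asdot halves out of range: {asn}")
        return (high << 16) | low
    return int(asn)


def is_private_asn(asn: int) -> bool:
    """True if the ASN lies in one of the private ranges the SD-WAN plugin accepts."""
    return (PRIVATE_2BYTE[0] <= asn <= PRIVATE_2BYTE[1]
            or PRIVATE_4BYTE[0] <= asn <= PRIVATE_4BYTE[1])


def check_cluster_asns(devices: dict) -> list:
    """Return the problems found in a {site: asn-string} mapping: every hub and
    branch must use a private ASN, and no ASN may be reused in the cluster."""
    problems, seen = [], {}
    for site, raw in devices.items():
        asn = asdot_to_asplain(raw)
        if not is_private_asn(asn):
            problems.append(f"{site}: AS {raw} ({asn}) is not a private ASN")
        if asn in seen:
            problems.append(f"{site}: AS {raw} already used by {seen[asn]}")
        seen.setdefault(asn, site)
    return problems


def remove_private_as(as_path: list) -> list:
    """Simplified model of the Remove Private AS option (enabled by default): drop
    the 2-byte private ASNs 64512-65534 from the AS_PATH before the update is sent.
    Real BGP implementations apply further rules; this only shows why an all-private
    SD-WAN path ends up empty when the option is left enabled."""
    return [asn for asn in as_path if not PRIVATE_2BYTE[0] <= asn <= PRIVATE_2BYTE[1]]


# Constructed sample cluster: a hub in asdot notation, one valid branch, and one
# branch that mistakenly reuses the hub's ASN (hypothetical site names).
SAMPLE_CLUSTER = {"hub-nyc": "64512.64512", "branch-bos": "4200000001",
                  "branch-phl": "64512.64512"}
```

Running `check_cluster_asns(SAMPLE_CLUSTER)` reports the reused ASN on branch-phl, and `asdot_to_asplain` shows that the page's asdot bound 65535.65534 is the same value as 4,294,967,294.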