: SD-WAN Devices
Focus
Focus
Table of Contents

SD-WAN Devices

Add SD-WAN branch and hub firewalls to be managed by Panorama.
  • Panorama
    SD-WAN
    Devices
Add
the SD-WAN firewall branches and hubs that make up your VPN cluster and SD-WAN topology to be managed by the Panorama management server.
You can also
Group HA Peers
so HA peers appear consecutively on the list of devices for ease of use.
You can select
BGP Policy
to have Panorama create and push to firewalls a Security policy rule that allows BGP to run between branches and hubs.
Field
Description
Add
Name
Enter a
Name
that identifies the SD-WAN firewall.
Type
Select the
Type
of SD-WAN firewall:
  • Hub
    —A centralized firewall deployed at a primary office or location, such as a data center or business headquarters, to which all branch firewalls connect using a VPN connection. Traffic between branches passes through the hub before continuing to the target branch. Branches connect to hubs to gain access to centralized resources at the hub location and the hub processes traffic, enforces policy rules, and manages link swapping at the primary office or location.
  • Branch
    —A firewall deployed at a physical branch location that connects to a hub using a VPN connection and provides security at the branch level. The branch connects to a hub for access to centralized resources. In
    SD-WAN Plugin 2.0.1 and later 2.0 releases
    , a branch can connect to another branch in a full mesh VPN cluster. The branch firewall processes traffic, enforces policy rules, and manages link swapping at the branch location.
Virtual Router Name
Select the virtual router to use for routing between the SD-WAN hub and branches. By default, Panorama creates an
sdwan-default
virtual router and enables Panorama to automatically push router configurations.
Site
Enter a user-friendly
Site
name that identifies the hub or branch. For example, enter the city name where the branch firewall is deployed.
Zone Internet
Add
one or more pre-existing zones to map them to the predefined zone named
zone-internet
. SD-WAN traffic egresses this zone to go to the internet.
Zone Hub
Add
one or more pre-existing zones to map them to the predefined zone named
To_Hub
. SD-WAN traffic egresses this zone to go to a hub.
Zone Branch
Add
one or more pre-existing zones to map them to the predefined zone named
To_Branch
. SD-WAN traffic egresses this zone to go to a branch.
Zone Internal
Add
one or more pre-existing zones to map them to the predefined zone named
zone-internal
. SD-WAN traffic egresses this zone to go to an internal zone.
BGP
Enable
BGP
to configure BGP routing for SD-WAN traffic.
Router ID
Specify the BGP router ID, which must be unique for all routers.
Use the Loopback Address as the Router ID.
Loopback Address
Specify a static loopback IPv4 address for BGP peering.
AS Number
Enter the Autonomous System number of the private AS to which the virtual router on the hub or branch belongs. The SD-WAN plugin supports only private autonomous systems. The AS number must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or 64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534.
Use a 4-byte private ASN.
Remove Private AS
Disable (uncheck) the
Remove Private AS
option (default is enabled) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don’t want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates.
This setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin.
If you change the
Remove Private AS
setting, commit to all SD-WAN cluster nodes, and subsequently downgrade to an SD-WAN Plugin version earlier than 2.0.2, then all configuration related to
Remove Private AS
must be done outside of the SD-WAN plugin or directly on the firewalls.
Prefixes to Redistribute
Enter prefixes to redistribute to the hub router from the branch. By default, all locally connected internet prefixes are advertised to the hub location.
Palo Alto Networks does not redistribute the branch office default routes learned from the ISP.
BGP Policy
BGP Policy
Select
BGP Policy
and then
Add
to have Panorama automatically create and push to firewalls a Security policy rule that allows BGP to run between branches and hubs.
Policy Name
Enter a name for the Security policy rule that Panorama automatically creates.
Select Device Groups
Select the device groups to which Panorama pushes the Security policy rule.
Upstream NAT
Select tab if you are adding an SD-WAN hub or branch device that is behind a NAT device.
Upstream NAT
Enable
Upstream NAT
for the hub. Beginning with SD-WAN Plugin 2.0.1, you can enable Upstream NAT for a branch.
SD-WAN Interface
Select an interface on the hub or branch that you have already configured for SD-WAN.
NAT IP Address Type
Select one of the following:
  • Static IP
    . Select
    IP Address
    or
    FQDN
    and enter a single IP address or FQDN of the public-facing interface on the upstream, NAT-performing device.
  • DDNS
Auto VPN Configuration uses this address as the tunnel endpoint of the hub or branch.
VPN Tunnel
Copy ToS Header
(
PAN-OS 10.2.1 and later 10.2 releases and SD-WAN 3.0.1 and later 3.0 releases
) Copy the (Type of Service) ToS field (ToS bits or Differentiated Service Code Point [DSCP] markings) from the inner IPv4 header to the VPN header of the encapsulated packets in order to preserve the original ToS information. This also copies the Explicit Congestion Notification (ECN) field.
Group HA Peers
Click the checkbox at the bottom of the screen to cause HA peers to appear consecutively on the list of devices for ease of use.
Prisma Access Onboarding
Interface
Select the physical, sub-interface, or aggregate ethernet interface for which you have enabled SD-WAN functionality.
Tenant
Select the Prisma Access deployment for which to leverage SD-WAN.
Comment
Enter a comment to describe the Prisma Access deployment leveraging SD-WAN. Up to 1,024 characters are supported.
Region
Select the location where the Prisma Access hub is deployed. The list of available regions is based on the Tenant you select.
IPSec Termination Nodes
Select an IPSec Termination Node associated with the remote network secured by the Prisma Access deployment. You can select up to four (4) IPSec Termination Nodes for a single Prisma Access deployment. The list of available IPSec Termination Nodes is based on the Region and Tenant you selected.
BGP
Check (enable) BGP for the IPSec tunnel. Displays
true
if enabled and
false
if disabled.
Advertise Default Route
Check (enable) to allow Prisma Access to advertise a default route for the remote network using eBGP when leveraging SD-WAN for Prisma Access deployments. Displays
true
if enabled and
false
if disabled.
When onboarding and configuring remote networks for your Prisma Access deployment, you must publish your default routes before you make the selection to advertise them. In addition, be sure that the remote network does not have another default route advertised by BGP, or you could introduce routing issues in your network.
Summarize Mobile User Routes Before Advertising
Check (enable) to summarize mobile user IP subnets advertised over BGP to reduce the number of mobile user IP subnets are to customer premises equipment (CPE). Displays
true
if enabled and
false
if disabled.
By default, Prisma Access advertises the mobile users IP address pools in blocks of /24 subnets. If you summarize them, Prisma Access advertises the pool based on the subnet you specified. For example, Prisma Access advertises a public user mobile IP pool of 10.8.0.0/20 using the /20 subnet, rather than dividing the pool into subnets of 10.8.1.0/24, 10.8.2.0/24, 10.8.3.0/24, and so on before advertising them. Summarizing routes in advertisements can reduce the number of routes stored in CPE routing tables.
Don’t Advertise Prisma Access Routes
Check (enable) to prevent Prisma Access BGP peer from forwarding routes into your organization’s network when leveraging SD-WAN for Prisma Access deployments. Displays
true
if enabled and
false
if disabled.
By default, Prisma Access advertises all BGP routing information, including local routes and all prefixes it receives from other service connections, remote networks, and mobile user subnets. Enable this setting to prevent Prisma Access from sending any BGP advertisements when leveraging SD-WAN, but still use the BGP information it receives to learn routes from other BGP neighbors.
Because Prisma Access does not send BGP advertisements if this setting is enabled, you must configure static routes on the on-premises equipment to establish routes back to Prisma Access.
Prisma AS Number
The Autonomous System number of the private AS to which the virtual router on the Prisma Access Hub belongs. The SD-WAN plugin supports only private autonomous systems. The AS number must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or 64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534.
Tunnel Monitor IP
The tunnel monitor IP address provided by Prisma Access for IPSec tunnel monitoring. This is displayed after you successfully onboard a Prisma Access hub.
Service IP
The public IP address of the Prisma Access hub. This is displayed after you successfully onboard a Prisma Access hub.
Secret
Enter and confirm a passphrase to authenticate BGP peer communications.
Link Tag
Configure a link tag to identify the Prisma Access hub when applications and services use this link during SD-WAN traffic distribution and failover.
Operations
Click to perform one of the following operations when configuring Prisma Access to leverage SD-WAN.
  • Add
    —Add a new Prisma Access hub to SD-WAN.
  • Delete
    —Delete a Prisma Access hub from SD-WAN.
  • Sync to Prisma
    —Click to synchronize the branch firewall to Prisma Access and retrieve the service IP address(es) to the Prisma Access compute nodes.

Recommended For You