Add a Branch Gateway
Table of Contents
Add a Branch Gateway
Prisma SD-WAN
offers a new hybrid site type—Branch Gateway to maximize
the flexibility of the system. Prisma SD-WAN
offers two types of site configurations—branch
sites and data center sites. There may be situations where a given location does not
fit cleanly into either of these configurations. To maximize the flexibility of the
system, Prisma SD-WAN
offers a new hybrid site type—Branch Gateway.
The Branch Gateway provides the policy transit and LQM server capabilities of a data
center site along with the visibility and path selection of a branch site. The branch gateway functionality can be enabled on an existing branch site in the
control mode using a site level configuration setting. Upon enabling the Branch
Gateway mode, VPN tunnels will automatically form between the Branch Gateway and
corresponding branch sites in the domain.
Branch Gateway is supported on the following platforms:
- ION 3200
- ION 5200
- ION 9200
- ION 3000
- ION 7000
- ION 9000
All Virtual ION models also support branch gateway.
The ION device assigned to a Branch Gateway supports the following interfaces:
- Port
- Bypass Pair
- Sub-interfaces
- Virtual Interfaces
- Standard VPN
Interfaces in the Branch Gateway support IPv4 & IPv6 static and DHCP addresses as
well as secondary addresses.
You can create a site as a Branch Gateway or can convert an existing site to a Branch
Gateway after the site configuration has been completed.
- Create a new branch gateway site.
- Select .
- Add aSite Nameand optionally enter description and tags.
- EnableConfigure as a Branch Gateway Site.
![]()
- Add the other details to set up a site and clickSave & Exit.
You must assign a device to the created branch gateway site, enableL3 Direct Private WAN ForwardingandL3 LAN Forwardingfor the device and then configure interfaces. - Convert an existing branch site to a branch gateway site.You can convert an existing branch site to a branch gateway site.Ensure that:
- The site is inControlmode.
- You have enabledL3 Direct Private WAN Forwarding.
- You have enabledL3 LAN Forwarding.
- There aren’t any existing branch-to-branch VPN tunnels. If any tunnels exists, they will be deleted during the conversion process.
- Select and click the ellipsis menu for the site.
- SelectSwitch to Branch Gateway Site.Switching a branch site to a branch gateway site causes the ION device to reboot.
![]()
Alternatively, you can selectBranch Sites, select a site and enableBranch Gateway.
- Edit Branch Gateway settings.(Optional)After you create a branch gateway site, you can optionally edit the branch gateway site settings.
![]()
SelectPrefer LAN Default over WANin case your topology needs to take the LAN interface (with a default gateway) as the default route. This will mimic the path selection behavior of a data center site where all incoming WAN traffic is forwarded to the LAN peer.![]()
For example, if the traffic is—Branch ↔Branch Gateway ↔ LAN (Firewall → Internet). Typically, the ION device will have a default route (0.0.0.0/0) on the internet (WAN) interfaces (with the next hop as the default gateway configured on the wan interface or from DHCP) to steer packets to the internet (for DIA or otherwise) if no other specific route exists. In this particular scenario, we need the Branch Gateway to take the LAN interface (which has a default gateway configured either statically or via DHCP) as a default route as against an Internet interface which would generally have a default route. This can be achieved by adding a default route with a lower Admin cost on the LAN interface than the WAN interface when you selectPrefer LAN Default over WAN.Maximum Branch Site Count Infoindicates the maximum number of branch sites that should be associated with a Branch Gateway site. If this number is exceeded, an incident will be generated. However, it will still be possible to associate branches to the branch gateway by joining the domain or through the establishment of manual tunnels. - Create VPNs between branch gateway or branch sites.
![]()
VPN tunnels are established as follows:- Branch -> Branch Gateway (Same Domain) —Automatically built Fabric VPN tunnels.
- Branch -> Branch Gateway (Different Domain) — Manually defined Fabric VPN Tunnels.
- Branch Gateway -> DC —Automatic VPN tunnel.
- Branch Gateway -> Branch Gateway —Manually defined Fabric VPN Tunnels.
- (Optional)Changing the domain of a branch gateway.
- Select a Branch Gateway site.
- Click the ellipsis menu and selectChange Site Domain.
- Choose the required domain and clickSubmit.
To establish an automatic VPN tunnel between a branch site and a branch gateway site, ensure that both are in the same domain. - (Optional)Create a manual VPN tunnel between two Branch Gateway sites.
- Select and select a branch gateway site.
- Select .
- On theAdd Secure Fabric Linkpop-up, select a circuit and select the site for VPN establishment.
- Prefix AdvertisementThe Branch Gateway performs prefix advertisement and distribution in a variety of topologies.Prefix AdvertisementLearned ViaAdvertised ToFabric TunnelLAN BGP PeerStandard VPN BGP PeerStandard VPN Tunnel BGP PeerFabric (to branch)LAN BGP PeerLAN BGP PeerFabric → yesLAN BGP Peer → yesPrivate WAN BGP Peer → yesPrivate WAN BGP PeerLAN BGP Peer → yesLAN Static RouteFabric → yesLAN BGP Peer → yesPrivate WAN BGP Peer → yes
- Default Route in WAN BGP PeerThe existing BGP Global configuration is enhanced to allow an option to choose the default route as part of the prefix advertisement to WAN.For a BGP peer, selectAdvertise Default Route to Peerto distribute the default route to the peer, instead of explicitly configuring a prefix via route-maps.
![]()
