Add Your SD-WAN Firewalls as Managed Devices
Before you can configure your firewalls as SD-WAN hubs and branches, you must add them to Panorama as managed devices.

Before you can begin configuring your SD-WAN deployment, you must first Install the SD-WAN Plugin and add your hub and branch firewalls as managed devices on the Panorama™ management server. As part of adding an SD-WAN firewall as a managed device on Panorama, you must activate the SD-WAN license to enable SD-WAN functionality on the firewall.

You must also configure your managed firewalls to forward logs to Panorama. Panorama collects information from multiple sources, such as configuration logs, traffic logs, and link characteristic measurements, to generate the visibility for SD-WAN application and link health information.

Do not make the connection to your Panorama management server reliant solely on the SD-WAN overlay. To keep Panorama reachable from the PAN-OS firewalls at all times, we recommend that you create a dedicated IPSec tunnel from the PAN-OS firewalls to Panorama, outside the SD-WAN overlay between the hub and branches where Panorama is located. With this approach, the Panorama management server remains reachable even if the SD-WAN overlay is impacted.
- Launch the Firewall Web Interface.
- Activate your SD-WAN license to enable SD-WAN functionality on the firewall.
  Each firewall you intend to use in your SD-WAN deployment requires a unique auth code to activate the license. For example, if you have 100 firewalls, you must purchase 100 SD-WAN licenses and activate each SD-WAN license on its firewall using one of the 100 unique auth codes.
  For VM-Series firewalls, you apply the SD-WAN auth code to the specific VM-Series firewall. If you deactivate that VM-Series firewall, the SD-WAN auth code can be activated on a different VM-Series firewall of the same model.
  Ensure that your SD-WAN license remains valid to continue using SD-WAN. If the SD-WAN license expires, the following occurs:
  - A warning displays when you Commit any configuration changes, but the commit does not fail.
  - Your SD-WAN configuration no longer functions but is not deleted.
  - Firewalls no longer monitor and gather link health metrics and stop sending monitoring probes.
  - Firewalls no longer send application and link health metrics to Panorama.
  - SD-WAN path selection logic is disabled.
  - New sessions are distributed round robin on the virtual SD-WAN interface.
  - Existing sessions remain on the link they were on when the license expired.
  - If an internet outage occurs, traffic follows standard routing and ECMP, if configured.
- Add the Panorama IP address to the firewall.
  - Select Device > Setup > Management and edit the Panorama Settings.
  - Enter the Panorama IP address in the first field. The Panorama FQDN is not supported for SD-WAN.
  - (Optional) If you have set up a high availability (HA) pair in Panorama, enter the IP address of the secondary Panorama in the second field.
    (SD-WAN plugin 2.2.7 and later 2.2 versions) When you convert a standalone Panorama to an HA Panorama, the HA synchronization fails: the HA synchronization job from the active Panorama to the passive Panorama succeeds, but the synchronization with the mongo database fails. When this failure occurs, a warning message prompts you to execute the mongo DB CLI command before making further changes. In this case, you must execute the mongo DB synchronization CLI command to synchronize the active and passive Panorama databases.
  - Verify that you Enable pushing device monitoring data to Panorama.
  - Click OK.
  - Commit your changes.
- Configure log forwarding to Panorama.
  Forwarding logs from your SD-WAN firewalls to Panorama is required to display Monitoring and Reporting data.
  By default, HTTP/2 inspection is automatically enabled if decryption is enabled for application traffic. A parent session using an HTTP/2 connection does not generate traffic logs because it does not carry any application traffic; however, the child sessions generated by the streams within the HTTP/2 parent session still generate traffic logs. For more information on viewing logs for HTTP/2 connections, see the Palo Alto Networks Knowledgebase.
- Add one or more firewalls to Panorama.
  For more details about adding firewalls to Panorama, see Add a Firewall as a Managed Device.
  - Log in to the Panorama Web Interface.
  - Select Panorama > Managed Devices > Summary and Add the firewall(s).
  - Enter the serial number(s) of the firewalls.
  - If you are adding firewalls when the required device groups and templates are already created, enable (check) Associate Devices to assign the new firewalls to the appropriate device groups and template stack.
  - To add multiple firewalls using a CSV, click Import and Download Sample CSV to populate it with the firewall information, and then Browse to import the firewalls.
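Because an expired SD-WAN license silently disables path selection and stops link health reporting, it is worth checking license expiry from a monitoring job rather than waiting for the commit warning. The following script is an added example, not Palo Alto Networks code; it parses a license listing in the shape of the PAN-OS XML API response to `request license info` (the `licenses`/`entry`/`feature`/`expires`/`expired` element names, the `SD WAN` feature label and the `Month DD, YYYY` date format are assumptions to verify against your own firewall's output) and classifies the SD-WAN license as ok, expiring, expired or missing.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample of a license listing (element names and the
# "Month DD, YYYY" date format are assumptions, not taken from the page).
SAMPLE_XML = """<response status="success"><result><licenses>
<entry><feature>PAN-DB URL Filtering</feature><expires>August 01, 2026</expires><expired>no</expired></entry>
<entry><feature>SD WAN</feature><expires>March 15, 2026</expires><expired>no</expired></entry>
</licenses></result></response>"""

SDWAN_FEATURE = "SD WAN"  # assumed feature label; check `request license info` on your firewall


def parse_licenses(xml_text):
    """Return {feature: (expiry datetime or None, expired flag)} from the API XML."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call did not succeed")
    result = {}
    for entry in root.iter("entry"):
        feature = entry.findtext("feature", "").strip()
        raw = entry.findtext("expires", "").strip()
        # Perpetual licenses list no date; treat "Never" or empty as no expiry
        expires = None if raw.lower() in ("", "never") else datetime.strptime(raw, "%B %d, %Y")
        result[feature] = (expires, entry.findtext("expired", "no").strip().lower() == "yes")
    return result


def sdwan_license_status(xml_text, now, warn_days=30):
    """Classify the SD-WAN license as 'missing', 'expired', 'expiring' or 'ok'.

    'now' may be a datetime or a "YYYY-MM-DD" string. 'expiring' is the state
    to alert on, before path selection and link health reporting stop.
    """
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d")
    licenses = parse_licenses(xml_text)
    if SDWAN_FEATURE not in licenses:
        return "missing"
    expires, expired = licenses[SDWAN_FEATURE]
    # Trust the firewall's expired flag, but also compare the date ourselves
    if expired or (expires is not None and expires <= now):
        return "expired"
    if expires is not None and (expires - now).days < warn_days:
        return "expiring"
    return "ok"


if __name__ == "__main__":
    # Offline run against the constructed sample; against a live firewall you
    # would fetch the XML with the API op command for `request license info`
    print(sdwan_license_status(SAMPLE_XML, "2026-03-01"))  # expiring
```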