: Add Your SD-WAN Firewalls as Managed Devices
Focus
Focus

Add Your SD-WAN Firewalls as Managed Devices

Table of Contents

Add Your SD-WAN Firewalls as Managed Devices

Before you add your firewalls as SD-WAN firewalls, you must add them as managed devices.
Before you can begin configuring your SD-WAN deployment, you must first Install the SD-WAN Plugin and add your hub and branch firewalls as managed devices to the Panorama™ management server. As part of adding your SD-WAN firewall as a managed device on the Panorama™ management server, you must activate the SD-WAN license to enable SD-WAN functionality for the firewall.
As part of adding your SD-WAN firewalls as managed devices, you must configure your managed firewalls to forward logs to Panorama. Panorama collects information from multiple sources, such as configuration logs, traffic logs, and link characteristic measurements, to generate the visibility for SD-WAN application and link health information.
Do not have your Panorama management server connection to be only reliant on the SD-WAN overlay. To maintain a reliable connection, where the Panorama is always reachable to the PAN-OS firewalls, we recommend you to create a dedicated IPSec tunnel from the PAN-OS firewalls to reach Panorama (that is outside the SD-WAN overlay between hub/branches where the Panorama is located). With this approach, you can ensure that the Panorama management server is always reachable even if there is any impact to the SD-WAN overlay.
  1. Activate your SD-WAN license to enable SD-WAN functionality on the firewall.
    Each firewall you intend to use in your SD-WAN deployment requires a unique auth code to activate the license. For example, if you have 100 firewalls, you must purchase 100 SD-WAN licenses and activate each SD-WAN license on each firewall using one of the 100 unique auth codes.
    For VM-Series firewalls, you apply the SD-WAN auth code against the specific VM-Series firewall. If you deactivate the VM-Series firewall, the SD-WAN auth code can be activated on a different VM-Series firewall of the same model.
    Ensure that your SD-WAN license remains valid to continue leveraging SD-WAN. If the SD-WAN license expires, the following occurs:
    • A warning displays when you Commit any configuration changes but no commit failure occurs.
    • Your SD-WAN configuration no longer functions but is not deleted.
    • Firewalls no longer monitor and gather link health metrics and stop sending monitoring probes.
    • Firewalls no longer send app and link health metrics to Panorama.
    • SD-WAN path selection logic is disabled.
    • New sessions round robin on the virtual SD-WAN interface.
    • Existing sessions remain on the specific link they were on when the license expired.
    • If an internet outage occurs, traffic follows using standard routing and ECMP if configured.
  2. Add the Panorama IP address to the firewall.
    1. Select DeviceSetupManagement and edit the Panorama Settings.
    2. Enter the Panorama IP address in the first field.
      The Panorama FQDN is not supported for SD-WAN.
    3. (Optional) If you have set up a high availability (HA) pair in Panorama, enter the IP address of the secondary Panorama in the second field.
      (SD-WAN plugin 2.2.7 and later 2.2 versions) When you convert the standalone Panorama to a HA Panorama, the HA synchronization will fail. This is because, the HA synchronization job on passive Panorama from active Panorama succeeds but the synchronization with the mongo database fails. When this failure occurs, a warning message is displayed prompting you to execute the mongo DB CLI command before making further changes. In this case, you must execute the mongo DB synchronization CLI command to synchronize the active and passive Panorama database.
    4. Verify that you Enable pushing device monitoring data to Panorama.
    5. Click OK.
    6. Commit your changes.
  3. Configure log forwarding to Panorama.
    Forwarding logs from your SD-WAN firewalls to Panorama is required to display Monitoring and Reporting data.
    By default, HTTP/2 inspection is automatically enabled if decryption is enabled for application traffic. The parent sessions using a HTTP/2 connection does not generate any traffic logs because they do not carry any application traffic. However, the child sessions generated by the streams within the HTTP/2 parent session still generate traffic logs. For more information on viewing logs for HTTP/2 connections, see the Palo Alto Networks Knowledgebase.
  4. Add one or more firewalls to Panorama.
    For more details about adding firewalls to Panorama, see Add a Firewall as a Managed Device.
    1. Select PanoramaManaged DevicesSummary and Add the firewall(s).
    2. Enter the serial number(s) of the firewalls.
    3. If you are adding firewalls when the required device groups and templates are already created, enable (check) Associate Devices to assign new firewalls to the appropriate device groups and template stack.
    4. To add multiple firewalls using a CSV, click Import and Download Sample CSV to populate with the firewall information, and then Browse to import the firewalls.
    5. Click OK.
  5. Select Commit and Commit and Push your configuration.
  6. Repeat Steps 2 through 5 on each firewall you intend to use in your SD-WAN deployment.