Initial Set Up for SD-WAN
Prerequisite steps before you can begin configuring your SD-WAN deployment.
Before you can begin configuring your SD-WAN deployment, you must add your hub and branch firewalls as managed devices, and create the necessary templates and device group configurations to successfully push your SD-WAN configuration to SD-WAN firewalls.

To use a Panorama™ management server to manage your firewalls, you need to enable a connection between the firewall and the Panorama management server. To strengthen your security posture when onboarding a new firewall, you must create a unique device registration authentication key on the Panorama management server for mutual authentication between the new firewall and the server on the first connection. A successful first connection requires that you add the Panorama IP address on each firewall the server will manage, add the serial number on the server for each firewall, and specify the device registration authentication key on both the server and the firewall. When you add a firewall as a managed device, you can also associate the new firewall with a device group, template stack, Collector Group, and log collector during the initial deployment. Additionally, you have the option to automatically push the configuration to your newly added firewall when the firewall first connects to the Panorama server, which ensures that firewalls are immediately configured and ready to secure your network.
If you are adding a firewall to Panorama in a high availability (HA) configuration, the device registration authentication key is required only to add the firewall to the primary peer. Panorama HA peers synchronize the certificate authority (CA) certificate that allows the secondary peer to manage firewalls in the event of HA failover.
After adding firewalls as managed devices, you can group them into device groups. Be sure to assign both firewalls in an active/passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn’t synchronize security rules across HA peers. To manage rules and objects at different administrative levels in your organization, create a device group hierarchy.
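The prerequisites above (Panorama IP on each firewall, serial registered on Panorama, matching device registration authentication key on both sides, and HA peers in the same device group) can be checked before the first connection is attempted. The following pre-flight validator is an added example, not Panorama or PAN-OS code; the inventory records, serial numbers, IP address and key are constructed placeholders.

```python
"""Pre-flight check of SD-WAN firewall onboarding prerequisites (constructed data)."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Panorama:
    ip: str
    registered_serials: Set[str]   # serials added on the Panorama server
    auth_key: str                  # device registration authentication key


@dataclass
class Firewall:
    serial: str
    panorama_ip: Optional[str]     # Panorama IP configured on the firewall
    auth_key: Optional[str]        # key entered on the firewall, if any
    device_group: Optional[str]
    ha_peer: Optional[str] = None  # serial of the active/passive HA peer


def onboarding_issues(pano: Panorama, firewalls: List[Firewall]) -> List[str]:
    """Return one message per violated prerequisite; empty list means ready."""
    by_serial = {fw.serial: fw for fw in firewalls}
    issues: List[str] = []
    for fw in firewalls:
        if fw.panorama_ip != pano.ip:
            issues.append(f"{fw.serial}: Panorama IP {fw.panorama_ip!r} != {pano.ip}")
        if fw.serial not in pano.registered_serials:
            issues.append(f"{fw.serial}: serial not added on Panorama")
        if fw.auth_key != pano.auth_key:
            issues.append(f"{fw.serial}: registration auth key missing or differs")
        if fw.ha_peer:
            peer = by_serial.get(fw.ha_peer)
            if peer is None:
                issues.append(f"{fw.serial}: HA peer {fw.ha_peer} not in inventory")
            elif fw.serial < fw.ha_peer and peer.device_group != fw.device_group:
                # PAN-OS does not sync security rules across HA peers, so both
                # peers must sit in the same device group (reported once per pair).
                issues.append(f"{fw.serial}/{peer.serial}: HA peers in different "
                              f"device groups {fw.device_group!r}/{peer.device_group!r}")
    return issues


# Constructed sample inventory (placeholder serials, IP and key).
KEY = "EXAMPLE-REGISTRATION-KEY"
PANO = Panorama("198.51.100.10", {"HUB-A-001", "HUB-B-001"}, KEY)
FIREWALLS = [
    Firewall("HUB-A-001", "198.51.100.10", KEY, "sdwan-hubs", ha_peer="HUB-B-001"),
    Firewall("HUB-B-001", "198.51.100.10", KEY, "sdwan-hub-b", ha_peer="HUB-A-001"),
    Firewall("BR-001", None, None, "sdwan-branches"),
]
```

Running `onboarding_issues(PANO, FIREWALLS)` on the sample reports the mismatched hub device groups and the three missing branch prerequisites; an empty result means the first connection can proceed.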