Initial Set Up for SD-WAN
Prerequisite steps to complete before you begin configuring an SD-WAN deployment.
Where Can I Use This?
  • NGFW
What Do I Need?
Before you can begin configuring your SD-WAN deployment, you must add your hub and branch firewalls as managed devices, and create the necessary templates and device group configurations to successfully push your SD-WAN configuration to SD-WAN firewalls.
To use a Panorama™ management server to manage your firewalls, you need to enable a connection between the firewall and the Panorama management server. To strengthen your security posture when onboarding a new firewall, you must create a unique device registration authentication key on the Panorama management server for mutual authentication between the new firewall and the server on the first connection. A successful first connection requires that you add the Panorama IP address on each firewall the server will manage, add the serial number on the server for each firewall, and specify the device registration authentication key on both the server and the firewall. When you add a firewall as a managed device, you can also associate the new firewall with a device group, template stack, Collector Group, and log collector during the initial deployment. Additionally, you have the option to automatically push the configuration to your newly added firewall when the firewall first connects to the Panorama server, which ensures that firewalls are immediately configured and ready to secure your network.
If you are adding a firewall to Panorama in a high availability (HA) configuration, the device registration authentication key is required only to add the firewall to the primary peer. Panorama in an HA configuration synchronizes the certificate authority (CA) certificate, which allows the secondary peer to manage firewalls in the event of HA failover.
Create the predefined zones that SD-WAN uses to forward traffic. Create a network template with networking configuration objects that help you easily set up firewall policy rules for managing traffic between different networks.
After adding firewalls as managed devices, you can group them into device groups. Be sure to assign both firewalls in an active/passive high availability (HA) configuration to the same device group so that Panorama will push the same policy rules and objects to those firewalls. PAN-OS doesn't synchronize security rules across HA peers. To manage rules and objects at different administrative levels in your organization, create a device group hierarchy.
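The first-connection requirements and the HA device group rule described above can be checked against an onboarding plan before any configuration is pushed. The following is an added example, not Palo Alto Networks code: it runs offline on a constructed inventory, its field names and finding labels are hypothetical, and it calls no Panorama API.

```python
from collections import defaultdict

# Constructed sample data (hypothetical field names, documentation-range IP).
PANORAMA_IP = "192.0.2.10"
REGISTERED_SERIALS = {"0000000000A1", "0000000000A2"}  # serials added on the server
SERVER_HAS_AUTH_KEY = True  # device registration auth key created on the server

PLAN = [
    {"name": "hub-1a", "serial": "0000000000A1", "panorama_ip": "192.0.2.10",
     "auth_key_set": True, "device_group": "DG-Hub", "ha_pair": "hub-1"},
    {"name": "hub-1b", "serial": "0000000000A2", "panorama_ip": "192.0.2.10",
     "auth_key_set": True, "device_group": "DG-Branch", "ha_pair": "hub-1"},
    {"name": "branch-7", "serial": "0000000000B9", "panorama_ip": None,
     "auth_key_set": False, "device_group": "DG-Branch", "ha_pair": None},
]


def preflight(plan, panorama_ip, registered_serials, server_has_key):
    """Return (subject, issue) pairs for unmet onboarding prerequisites."""
    findings = []
    groups_by_pair = defaultdict(set)
    for fw in plan:
        # 1. The Panorama IP address must be added on each managed firewall.
        if fw["panorama_ip"] != panorama_ip:
            findings.append((fw["name"], "panorama-ip-missing"))
        # 2. The firewall serial number must be added on the server.
        if fw["serial"] not in registered_serials:
            findings.append((fw["name"], "serial-not-on-server"))
        # 3. The auth key must be specified on both the server and the firewall.
        if not (server_has_key and fw["auth_key_set"]):
            findings.append((fw["name"], "auth-key-not-on-both-sides"))
        if fw["ha_pair"]:
            groups_by_pair[fw["ha_pair"]].add(fw["device_group"])
    # 4. Both peers of an active/passive HA pair belong in one device group.
    for pair, groups in sorted(groups_by_pair.items()):
        if len(groups) > 1:
            findings.append((pair, "ha-peers-in-different-device-groups"))
    return findings


if __name__ == "__main__":
    for subject, issue in preflight(PLAN, PANORAMA_IP, REGISTERED_SERIALS,
                                    SERVER_HAS_AUTH_KEY):
        print(f"{subject}: {issue}")
```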