SD-WAN
About SD-WAN
Table of Contents
Expand All
|
Collapse All
SD-WAN Docs
-
- SD-WAN Deployment Workflow
-
- Add SD-WAN Branch or Hub Firewall
- Configure Certificate-based Authentication for Strong Security
- Quickly Add Multiple SD-WAN Devices with Bulk Import
- Configure SD-WAN Devices in HA Mode
- Onboard PAN-OS Firewalls to Prisma Access for Cloud-based Security
- Plan Your Topology for SD-WAN with Auto VPN
- Create a Full Mesh VPN Cluster with DDNS Service
- Create a Static Route for SD-WAN
- Configure Advanced Routing for SD-WAN
About SD-WAN
Palo Alto Networks supports an SD-WAN overlay that provides dynamic,
intelligent path selection based on applications, services, and link conditions.
Where Can I Use This? | What Do I Need? |
---|---|
To integrate ADEM with SD-WAN:
|
To integrate ADEM with SD-WAN:
|
Software-Defined Wide Area Network (SD-WAN) is a technology
that allows you to use multiple internet and private services to create an intelligent
and dynamic WAN, which helps lower costs and maximize application quality and usability.
Beginning with PAN-OS® 9.1, Palo Alto Networks® offers strong
security with an SD-WAN overlay in a single management system. Instead of
using costly and time-consuming MPLS with components such as routers, firewalls, WAN
path controllers, and WAN optimizers to connect your WAN to the internet, SD-WAN on a Palo Alto Networks firewall allows you to use less expensive
internet services and fewer pieces of equipment. You don’t need to purchase and maintain
other WAN components.
- PAN-OS Security with SD-WAN Functionality
- SD-WAN Link and Firewall Support
- (SD-WAN
plugin
2.2.0
and later versions) Prisma Access Hub Support
- Centralized Management
- (PAN-OS 11.1.8 and PAN-OS
11.2.5 versions) Monitor Remote Site Experience on NGFWs with ADEM
PAN-OS Security with SD-WAN Functionality
The SD-WAN plugin is integrated with PAN-OS, so that you get the
security features of a PAN-OS firewall and SD-WAN functionality from
a single vendor. The SD-WAN overlay supports dynamic, intelligent
path selection based on applications and services and the conditions of links that
each application or service is allowed to use. The path health monitoring for each
link includes latency, jitter, and packet loss. Granular application and service
controls allow you to prioritize applications based on whether the application is
mission-critical, latency-sensitive, or meets certain health criteria, for example.
Dynamic path selection avoids brownout and node failure problems because sessions
fail over to a better performing path in less than one second.
The SD-WAN overlay works with all PAN-OS security features, such as
User-ID™ and App-ID™, to provide complete security control to branch offices. The
full suite of App-ID capabilities (App-ID decoder, App-ID cache, and
source/destination external dynamic list [EDL] IP address lists) identifies
applications for application-based control of SD-WAN traffic. You can
deploy the firewall with Zero Trust segmentation of traffic. You can configure and
manage SD-WAN centrally from the Panorama web interface or
the Panorama REST API.
You may have cloud-based services and instead of having your internet traffic flow
from branches to the hub to the cloud, you want the internet traffic to flow
directly from branches to the cloud using a directly connected ISP. Such access from
a branch to the internet is Direct Internet Access (DIA). You don’t need to spend
your hub bandwidth and money on internet traffic. The branch firewall is already
doing security, so you don’t need the hub firewall to enforce security on internet
traffic. Use DIA on branches for SaaS, web browsing, or heavy-bandwidth applications
that shouldn’t be backhauled to a hub. The following figure illustrates a DIA
virtual interface consisting of three links from the branch to the cloud. The figure
also illustrates a VPN tunnel virtual interface consisting of four links that
connect the branch to the hub at the headquarters.

SD-WAN Link and Firewall Support
Link bundling allows you to group multiple physical links (that different ISPs use to
communicate with the same destination) into a virtual SD-WAN
interface. On the basis of applications and services, the firewall chooses from the
links (path selection) for session load sharing and to provide failover protection
in the event of a brownout or blackout. Thus you are providing the application with
the best quality performance. The firewall automatically performs session load
sharing over the links in a virtual SD-WAN interface to use available
bandwidth advantageously. An SD-WAN interface must have all of the
same type of connection (either DIA or VPN). VPN links support the hub-and-spoke
topology.
SD-WAN supports the following types of WAN connections: ADSL/DSL,
cable modem, Ethernet, fiber, LTE/3G/4G/5G, MPLS, microwave/radio, satellite, WiFi,
and anything that terminates as Ethernet to the firewall’s interface. You decide the
appropriate strategy for how to use the links. You could use inexpensive broadband
connections before expensive MPLS or LTE connections. Alternatively, you could use
specific VPN tunnels to reach specific hubs in a region.
See the system requirements for SD-WAN for a full
list of firewall models that support SD-WAN software capabilities.
If you are a new customer purchasing a Palo Alto Networks next-generation firewall,
you will use the default virtual router for SD-WAN. If you are an
existing customer, you can choose to either let PAN-OS overwrite any existing
virtual routers or use a new virtual router and new zones for SD-WAN
to keep SD-WAN content separate from your pre-existing
configuration.
Beginning with PAN-OS
11.0, SD-WAN plugin 3.1 supports advanced routing engine that uses
industry-standard configuration methodology to facilitate administrator tasks.
Although conceptually equivalent, the advanced routing engine uses logical routers rather than virtual routers to instantiate routing
domains. When you enable advanced routing, logical routers
are created and advanced routing engine is used for routing. When you disable
Advanced Routing, virtual routers are created and legacy engine is used for
routing.
Prisma Access Hub Support
With SD-WAN plugin 2.2 and later releases, PAN-OS Secure SD-WAN provides you with Prisma Access hub support to give you
full control of how and where applications are secured. Prisma Access Hub
support allows PAN-OS firewalls to connect to Prisma Access compute nodes (CNs)
to achieve cloud-based security in an SD-WAN hub-and-spoke topology.
This support enables a seamless link failover from on-premises security to Prisma Access and the ability to mix both to meet your security needs.
In a mixed topology with both
SD-WAN firewalls and Prisma Access hubs, the SD-WAN hubs are Prisma Access CNs (IPSec Termination Nodes) and the SD-WAN branches are PAN-OS firewalls. SD-WAN
automatically creates IKE and IPSec tunnels that connect the branch to the hub.
Using Traffic Distribution profiles, you can create SD-WAN policies
to match specific internet applications and redirect them to a PAN-OS firewall or
Prisma Access deployment of your choice. With Prisma Access hub support,
on-premises and cloud security platforms work together to provide a complete
solution with consistent security policies managed by Panorama.
See the system requirements for SD-WAN for the
minimum PAN-OS and SD-WAN plugin versions required for Prisma Access Hub support.
Prisma Access hub support has the following limitations:
- Importing and exporting an SD-WAN configuration related to Prisma Access are not supported.
- Load, Partial Load, Revert, and Partial Revert for the Prisma Access configuration are not supported.
- Onboarding to an existing Prisma Access Remote Network Security Processing Node (RN-SPN) is not supported. For an existing branch that is connected to Prisma Access, you need to delete the branch and then onboard it again.
- No SD-WAN CLI commands are available on Prisma Access firewalls.
- On a CN, there is no path selection for traffic that originates on the CN.
- Prisma Access statistics are not provided in SD-WAN reporting and statistics.
Centralized Management
Panorama™ provides the means to configure and manage SD-WAN,
which makes configuring multiple options on many geographically-dispersed firewalls
much faster and easier than configuring firewalls individually. You can change
network configurations from a single location rather than configuring each firewall
individually. Auto VPN configuration allows Panorama to configure branches
and hubs with secure IKE/IPSec connections. A VPN cluster defines the hubs and
branches that communicate with each other in a geographic region. The firewall uses
VPN tunnels for path health monitoring between a branch and a hub to provide
subsecond detection of brownout conditions.
The Panorama dashboard provides visibility into your SD-WAN
links and performance so that you can adjust path quality thresholds and other
aspects of SD-WAN to improve its performance. Centralized statistics
and reporting include application and link performance statistics, path health
measurements and trend analysis, and focused views of application and link
issues.
Begin by understanding your SD-WAN use case, then review the SD-WAN configuration elements, traffic distribution methods, and plan
your SD-WAN configuration. To greatly accelerate the configuration,
the best practice is for you to export an empty SD-WAN device CSV and
enter information such as branch office IP address, the virtual router to use, the
firewall site name, zones to which the firewall belongs, and BGP route information.
Panorama uses the CSV file to configure the SD-WAN hubs
and branches and to automatically provision VPN tunnels between hubs and branches.
SD-WAN supports dynamic routing through eBGP and is configured
using Panorama’s SD-WAN plugin to allow all branches to
communicate with the hub only or with the hub and other branches.
If Panorama is managing a multi-vsys firewall, all SD-WAN enabled interfaces and configurations must be configured
on vsys1.
SD-WAN does not support an SD-WAN configuration
across multiple virtual systems of a multi-VSYS firewall.
SD-WAN interfaces must be configured in the same virtual router;
they cannot be split among virtual routers.
Monitor Remote Site Experience on NGFWs with ADEM
(PAN-OS 11.1.8 and PAN-OS
11.2.5 versions)
Autonomous Digital Experience Management (ADEM) is a service that provides native
end-to-end visibility and performance metrics for real application traffic in your
Secure Access Service Edge (SASE) environment. The ADEM agent is natively integrated
into PAN-OS firewalls. When licensed and activated, it enables synthetic testing
capabilities on your network devices.
ADEM conducts various synthetic tests to measure network and application
performance:
- ICMP/TCP/UDP pings and trace routes on both underlay and overlay networks
- End-to-end HTTP/HTTPS tests for application performance metrics
These tests provide valuable insights into network paths, latency, and application
responsiveness.
ADEM 1.0.0 when integrated with SD-WAN provides you:
- Visibility into SD-WAN site performance
- Path monitoring and selection insights
- Application performance metrics across SD-WAN links
This integration allows you to optimize your SD-WAN deployment and ensure the best
possible application experience for your users. To get started monitoring remote
site experience for the next-generation firewalls, associate your NGFW with the same tenant
as ADEM and begin viewing experience data for your NGFWs in Strata Cloud Manager and
Panorama.
You can also use the command-line interface to run the ADEM commands. View the ADEM logs by
running the tail follow yes plugins-log
<plugin-adem-timestamp.log> command. The timestamp must be
in yyyymmdd format.