Add an SD-WAN Device

Log in to the Panorama Web Interface.
Select
Panorama
SD-WAN
Devices
and
Add
a new SD-WAN firewall.
Select the managed firewall
Name
to add as an SD-WAN device. You must add your SD-WAN firewalls as managed devices before you can add them as an SD-WAN device.
Select the
Type
of SD-WAN device.
Hub
—A centralized firewall deployed at a primary office or location to which all branch devices connect using a VPN connection. Traffic between branches passes through the hub before continuing to the target branch, and connects branches to centralized resources at the hub location. The hub device processes traffic, enforces policy rules, and manages link swapping at the primary office or location.
Branch
—A firewall deployed at a physical branch location that connects the hub using a VPN connection and provides security at the branch level. The branch device processes traffic, enforces policy rules, and manages link swapping at the branch location.
Select the
Router Name
to use for routing between the SD-WAN hub and branches. By default, an
sdwan-default
virtual router is created and enables Panorama to automatically push router configurations.
(
Advanced Routing
enabled
) If you have configured advanced routing and the logical routers are created successfully,
Router Name
displays both virtual and logical router names:
If the virtual router and logical router names are the same, then the
Router Name
displays the same name because advanced routing creates a logical router with the same name as the virtual router, by default. It's important that the logical router name and virtual router name are the same for the same template when using the advanced routing engine.
If the virtual router and logical router names are different (which happens only when you update the logical router name manually), then the router name displays both the virtual and logical router names. You can select either virtual router (for legacy engine) or logical router (for advanced routing engine) based on your requirement. If you haven't enabled
Advanced Routing
, then you’ll have only virtual routers to select from the
Router Name
(for the legacy engine).
Enter the SD-WAN
Site
name to identify the geographical location or purpose of the device.
The SD-WAN Site name supports all upper-case and lower-case alphanumerical and special characters. Spaces aren’t supported in the Site name and result in monitoring (
Panorama
Monitoring
) data for that site not to be displayed.
All SD-WAN devices, including SD-WAN devices in a high availability (HA) configuration, must have a unique Site name.
Select the
Link Tag
you created for the hub virtual interface (or branch virtual interface), which Auto VPN will assign to the virtual interface. You’ll use this Link Tag in a Traffic Distribution profile to allow the hub (or branch) to participate in DIA AnyPath.
If you’re adding a hub that is behind a device performing NAT for the hub, you must specify the IP address or FQDN of the public-facing interface on that upstream NAT-performing device, so that Auto VPN configuration can use that address as the tunnel endpoint of the hub. It’s the IP address that the branch office’s IKE and IPSec flows must be able to reach. (You must have already configured a physical Ethernet interface for SD-WAN.)
On the
Upstream NAT
tab, enable
Upstream NAT
.
Add
an
SD-WAN interface
; select an interface you already configured for SD-WAN.
Select
IP Address
or
FQDN
and enter the IPv4 address without a subnet mask (for example, 192.168.3.4) or the FQDN of the upstream device, respectively.
Click
OK
.
Additionally, on the upstream device that is performing NAT you must set up the inbound destination NAT with a one-to-one NAT policy, and you must not configure port translation to the IKE or IPSec traffic flows.
If the IP address on the upstream device changes, you must configure the new IP address and push it to the VPN cluster. You must use the CLI commands
clear vpn ipsec-sa
,
clear vpn ike-sa
, and
clear session all
on both the branch and hub. You must also
clear session all
on the virtual router where you configured the NAT policy for the IP addresses.
Upstream NAT isn’t supported on Layer 2 interfaces.
(
Full Mesh Deployments Only
) If you’re adding a branch that is behind a device performing NAT for the branch, you must specify the IP address or FQDN of the public-facing interface on that upstream NAT-performing device, or select DDNS to indicate that the IP address for the interface on the NAT device is obtained from the Palo Alto Networks DDNS service. Thus, Auto VPN Configuration uses that public IP address as the tunnel endpoint for the branch. It is the IP address that the branch office’s IKE and IPSec flows must be able to reach. (You must have already configured a physical Ethernet interface for SD-WAN.)
On the
Upstream NAT
tab, enable
Upstream NAT
.
Add
an
SD-WAN interface
; select an interface you already configured for SD-WAN.
If you select the
NAT IP Address Type
to be
Static IP
, select
IP Address
or
FQDN
and enter the IPv4 address without a subnet mask (for example, 192.168.3.4) or the FQDN of the upstream device, respectively.
Alternatively, select the
NAT IP Address Type
to be
DDNS
.
Click
OK
.
Additionally, on the upstream device that is performing NAT you must set up the inbound destination NAT with a one-to-one NAT policy, and you must not configure port translation to the IKE or IPSec traffic flows.
If the IP address on the upstream device changes, you must configure the new IP address and push it to the VPN cluster. You must use the CLI commands
clear ipsec
,
clear ike-sa
, and
clear session all
on both the branch and hub. You must also
clear session all
on the virtual router where you configured the NAT policy for the IP addresses.
There is a second location in the web interface where you can configure Upstream NAT for a branch, but the following location isn't preferred and you shouldn't configure Upstream NAT for a branch in both places. The secondary, non-preferred location to configure Upstream NAT is on Panorama at
Network
Interfaces
Ethernet
, select a template in the
Template
field, select an Ethernet interface, and select the
SD-WAN
tab. At this point you can
Enable
Upstream NAT, and select a
NAT IP Address Type
. This second method takes precedence. If Upstream NAT is first configured for the Ethernet interface on Panorama through the template stack, then the SD-WAN plugin won’t change the settings, even if you use different settings on the plugin device configuration page. Only if there is no Upstream NAT configured on Panorama through the template stack, then the plugin configuration for Upstream NAT takes effect.
Upstream NAT is not supported on Layer 2 interfaces.
(
Required for preexisting customers
) Map your preexisting zones to predefined zones used for SD-WAN.
When you map your existing zones to an SD-WAN zone, you must modify your security policy rules and add the SD-WAN zones to the correct
Source
and
Destination
zones.
Select
Zone Internet
and
Add
the preexisting zones that will egress SD-WAN traffic to the internet.
Select
Zone to Hub
and
Add
the preexisting zones that will egress SD-WAN traffic to the hub.
Select
Zone to Branch
and
Add
the preexisting zones that will egress SD-WAN traffic to the branch.
Select
Zone Internal
and
Add
the preexisting zones that will egress SD-WAN traffic to an internal zone.
If your application traffic is tagged with Type of Service (ToS) bits or Differentiated Services Code Point (DSCP) markings, copy the ToS field from the inner IPv4 header to the outer VPN header of encapsulated packets going through the VPN tunnel to preserve QoS information.
Select the
VPN Tunnel
tab.
Select
Copy ToS Header
.
Click
OK
.
(
Optional
) Configure BGP routing.
To automatically set up BGP routing between the VPN cluster members, enter the BGP information below. If you want to manually configure BGP routing on each firewall or use a separate Panorama template to configure BGP routing for more control, leave the BGP information below blank.
Before implementing SD-WAN with BGP routing in an environment where BGP is already in use, ensure that the BGP configuration generated by the SD-WAN plugin doesn’t conflict with your preexisting BGP configuration. For example, you must use the existing BGP AS number and router ID values for the corresponding SD-WAN device values. If the BGP configuration generated by the plugin conflicts with your preexisting BGP configuration, the preexisting BGP configuration takes precedence. If you want the pushed configuration to take precedence, you must enable the force template value when doing a Panorama push.
Select the
BGP
tab and enable
BGP
to configure BGP routing for SD-WAN traffic.
Enter the BGP
Router ID
, which must be unique among all routers.
(
Substeps 3 through 6 pertain to the web interface for SD-WAN plugin 3.1.0 only. For later 3.1 releases, skip to Step 13.
)
Specify a static IPv4
Loopback Address
for BGP peering. Auto VPN configuration automatically creates a loopback interface with the same IPv4 address that you specify. If you specify an existing loopback address, the commit will fail, so you should specify an IPv4 address that isn’t already a loopback address.
Enter the
AS Number
. The autonomous system number specifies a commonly defined routing policy to the internet. The AS number must be unique for every hub and branch location.
Disable the
Remove Private AS
option (the default is enabled) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don’t want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates. In this case, you want to allow the private AS numbers to leave the SD-WAN private AS in BGP Updates.
The
Remove Private AS
setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin.
If you change the
Remove Private AS
setting, commit to all SD-WAN cluster nodes, and later downgrade to an SD-WAN plugin version earlier than 2.0.2, then you must perform all configuration related to
Remove Private AS
outside of the SD-WAN plugin or directly on the firewalls.
Add
the
Prefix(es) to Redistribute
. On a hub device, you must add at least one prefix to redistribute over the SD-WAN tunnel. Branch devices don’t have this mandatory configuration requirement because subnets connected to branch locations are redistributed by default.
(
SD-WAN plugin 3.1.1 and later 3.1 releases using the legacy routing engine
) To configure BGP to use IPv4, select
IPV4 BGP
. Whether your BGP environment is only IPv4 or dual stack (IPv4 and IPv6), you must enable IPv4 BGP.
Enable IPv4 BGP support

.

For an upgraded configuration (an already existing SD-WAN IPv4 configuration),

Enable IPv4 BGP support

is selected by default. Otherwise, explicitly

Enable IPv4 BGP support

.

Specify a static IPv4

Loopback Address

for BGP peering. Auto VPN configuration automatically creates a Loopback interface with the same IPv4 address that you specify. If you specify an existing loopback address, the commit will fail, so you must specify an IPv4 address that isn’t already a loopback address.

Disable the

Remove Private AS

option (the default is enabled) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don’t want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates. In this case, you want to allow the private AS numbers to leave the SD-WAN private AS in BGP Updates.

The

Remove Private AS

setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin.

If you change the

Remove Private AS

setting, commit to all SD-WAN cluster nodes, and later downgrade to an SD-WAN plugin version earlier than 2.0.2, then you must perform all configuration related to

Remove Private AS

outside of the SD-WAN plugin or directly on the firewalls.

Add

the

Prefix(es) to Redistribute

. On a hub device, you must enter at least one prefix to redistribute over the SD-WAN tunnel. Branch devices don't have this mandatory configuration requirement because subnets connected to branch locations are redistributed by default.


(
SD-WAN plugin 3.1.1 and later 3.1 releases using the legacy routing engine
) To configure BGP to use IPv6, select
IPV6 BGP
.
Enable IPv6 BGP support

.

Specify a static

IPv6 Loopback Address

for BGP peering. Auto VPN configuration automatically creates a loopback interface with the same IPv6 address that you specify. If you specify an existing loopback address, the commit will fail, so you must specify an IPv6 address that isn't already a loopback address.

Add

the

Prefix(es) to Redistribute

over the SD-WAN tunnel. On a hub device, you must enter at least one prefix to redistribute over the SD-WAN tunnel. Branch devices don't have this mandatory configuration requirement because subnets connected to branch locations are redistributed by default.


Click
OK
.
Select
Group HA Peers
at the bottom of the screen to display branches (or hubs) that are HA peers together.

Have Panorama create and push to firewalls a Security policy rule that allows BGP to run between branches and hubs.
At the bottom of the screen, for SD-WAN plugin 3.1.0, select

BGP Policy

or for SD-WAN plugin 3.1.1 and later releases on a legacy routing engine, select

IPv4 BGP Policy

or

IPv6 BGP Policy

(depending on which type of BGP address you used)

and

Add

a policy rule.

Enter a

Policy Name

for the Security policy rule that Panorama will automatically create.

Select

Type

as

Hub

or

Branch

.

Select Device Groups

to specify the device groups to which Panorama pushes the Security policy rule.

Click

OK

.




Select
Push to Devices
to push your configuration changes to your managed firewalls.