Bulk Import Multiple SD-WAN Devices

Import multiple SD-WAN branch and hub devices to more quickly deploy your SD-WAN.
Add multiple SD-WAN devices to quickly onboard branch and hub firewalls, rather than manually adding each device one at a time. When adding your devices, you specify what type of device it is (branch or hub) and you give each device its site name for easy identification. Before adding your devices, plan your SD-WAN configuration to ensure you have all the required IP addresses and that you understand the SD-WAN topology. This helps reduce any configuration errors.
If you want to have active/passive HA running on two branch firewalls or two hub firewalls, don’t add those firewalls as SD-WAN devices in your CSV file. You’ll add them as HA peers separately when you Configure HA Devices for SD-WAN.
If you’re using BGP routing, you must add a Security policy rule to allow BGP from the internal zone to the hub zone and from the hub zone to the internal zone. If you want to use 4-byte autonomous system numbers (ASNs), you must first enable 4-byte ASNs for the virtual router.
If you have preexisting zones for your Palo Alto Networks firewalls, you’ll be mapping them to the predefined zones used in SD-WAN.
  1. Select Panorama > SD-WAN > Devices > Device CSV and Export an empty SD-WAN device CSV. The CSV allows you to import multiple branch and hub devices at once, rather than adding each device manually.
  2. Populate the SD-WAN device CSV with the branch and hub information and save the CSV. All fields are required unless noted otherwise. Enter the following for each hub and branch:
    • device-serial—The serial number of the branch or hub firewall.
    • type—Specify whether the device is a branch or a hub.
    • site—Enter the SD-WAN device site name to help you identify the geographical location or purpose of the device.
      The SD-WAN Site name supports all upper-case and lower-case alphanumeric and special characters. Spaces aren’t supported in the Site name; a Site name containing a space results in the monitoring data (Panorama > SD-WAN > Monitoring) for that site not being displayed.
      All SD-WAN devices, including SD-WAN devices in a high availability (HA) configuration, must have a unique Site name.
    • router-name—Enter the virtual router to use for routing between the SD-WAN hub and branches. By default, Panorama creates an sdwan-default virtual router and enables Panorama to automatically push router configurations.
    • vif-link-tag—Specify a link tag to identify the hub when applications and services use this link during SD-WAN traffic distribution and failover.
    • (Optional) router-id—Specify the BGP router ID, which must be unique among all virtual or logical routers.
      Enter the Loopback Address as the router ID.
      Before implementing SD-WAN with BGP routing in an environment where BGP is already in use, ensure that the BGP configuration generated by the SD-WAN plugin doesn’t conflict with your existing BGP configuration. For example, you must use the existing BGP AS number and router ID values for the corresponding SD-WAN device values.
    • (Optional) as-number—Enter the ASN of the private AS to which the virtual router on the hub or branch belongs. The SD-WAN plugin supports only private autonomous systems. The ASN must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or 64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534.
      Use a 4-byte private ASN.
      Before implementing SD-WAN with BGP routing in an environment where BGP is already in use, ensure that the BGP configuration generated by the SD-WAN plugin doesn’t conflict with your existing BGP configuration. For example, you must use the existing BGP AS number and router ID values for the corresponding SD-WAN device values.
    • (Optional) ipv4-bgp-enable—Specify yes or no to enable or disable BGP for IPv4 addresses.
    • (Optional) loopback-address—Specify a static loopback IPv4 address for BGP peering. SD-WAN plugin 3.1.1 and later 3.1 releases support an IPv6 loopback address for BGP peering.
    • (Optional) remove-private-as—Specify no to disable the Remove Private AS option (default is enabled) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don’t want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates.
      This setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin.
    • (Optional) prefix-redistribute—Enter IP prefixes that the branch informs the hub it can reach. To add more than one prefix, separate prefixes with a space, an ampersand (&), and a space; for example, 192.2.10.0/24 & 192.168.40.0/24. By default, the branch firewall advertises all locally connected internet prefixes to the hub.
      Palo Alto Networks doesn’t redistribute the branch office default route(s) learned from the ISP.
    • (Optional) ipv6-bgp-enable—Specify yes/no to enable/disable BGP for IPv6 addresses.
    • (Optional) ipv6-loopback-address—Specify a static loopback IPv6 address for BGP peering.
    • (Optional) ipv6-prefix-redistribute—Enter IPv6 prefixes to redistribute to the hub router from the branch. By default, all locally connected internet IPv6 prefixes are advertised to the hub location.
    • (Optional) copy-tos-header—Specify yes/no to enable/disable this option to copy the Type of Service (TOS) header from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information.
    • authentication-type—Specify the authentication type that the device (hub or branch) supports: pre-shared key or certificate authentication.
    • (Only for Certificate authentication type) certificate-name—Enter a certificate name. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on the Panorama. It must be unique and use only letters, numbers, hyphens, and underscores.
      For pre-shared key authentication type, this field should be left empty.
  3. Import the SD-WAN device CSV into Panorama.
    Verify that there are no pending commits on Panorama; if there are, the import fails.
    1. On Panorama, select Panorama > SD-WAN > Devices > Device CSV and Import the CSV you edited in the previous step.
    2. Browse and select the SD-WAN device CSV.
    3. Click OK to import the SD-WAN devices.
  4. Verify that your SD-WAN devices were successfully added.
  5. Commit your configuration changes.
  6. Select Push to Devices to push your configuration changes to your managed firewalls.
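Because a CSV with a bad row is only rejected once Panorama tries to import it (step 3), it helps to pre-check the populated CSV from step 2 against the rules in that step first. The validator below is an added example and is not Palo Alto Networks code or part of the SD-WAN plugin. It assumes the header row uses the field names exactly as listed in step 2 (device-serial, type, site, and so on), and it assumes the authentication-type values are spelled "psk" and "certificate" (adjust AUTH_PSK and AUTH_CERT to match your exported template). The sample CSV is constructed for the demonstration: a valid hub, a valid branch, and a branch row that breaks several rules (a space in the Site name, a reused ASN, a router-id that differs from the loopback address, a prefix with host bits set, and a certificate-name on a pre-shared key device).

```python
"""Pre-flight validator for an SD-WAN device CSV before importing it into Panorama.

Added example, not Palo Alto Networks code. Assumed: header names match the
field names in step 2, and authentication-type is "psk" or "certificate".
"""
import csv
import io
import ipaddress
import re

REQUIRED = ("device-serial", "type", "site", "router-name",
            "vif-link-tag", "authentication-type")
VALID_TYPE = {"branch", "hub"}
AUTH_PSK, AUTH_CERT = "psk", "certificate"   # assumed spellings
YES_NO = {"", "yes", "no"}                   # empty = optional field left blank
CERT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,31}$")  # 31-char limit on Panorama


def is_private_asn(value):
    """Private ASN per the procedure: 2-byte 64512-65534,
    4-byte 4200000000-4294967294, or asdot 64512.64512-65535.65534."""
    if "." in value:
        hi, _, lo = value.partition(".")
        if not (hi.isdigit() and lo.isdigit()):
            return False
        n = int(hi) * 65536 + int(lo)
        return 64512 * 65536 + 64512 <= n <= 65535 * 65536 + 65534
    if not value.isdigit():
        return False
    n = int(value)
    return 64512 <= n <= 65534 or 4_200_000_000 <= n <= 4_294_967_294


def bad_prefixes(field, version):
    """Return entries of a ' & '-separated prefix list that are not valid
    networks of the given IP version (strict: host bits must be zero)."""
    bad = []
    for p in (field.split(" & ") if field else []):
        try:
            if ipaddress.ip_network(p, strict=True).version != version:
                bad.append(p)
        except ValueError:
            bad.append(p)
    return bad


def validate_sdwan_csv(text):
    """Validate CSV text; return a list of 'row N: problem' strings (empty = clean)."""
    errors, seen_sites, seen_asns = [], {}, {}
    for n, raw in enumerate(csv.DictReader(io.StringIO(text)), start=2):  # row 1 = header
        row = {k: (v or "").strip() for k, v in raw.items() if k is not None}

        def err(msg):
            errors.append(f"row {n}: {msg}")

        for col in REQUIRED:
            if not row.get(col):
                err(f"{col} is required")
        if row.get("type") and row["type"] not in VALID_TYPE:
            err("type must be branch or hub")

        site = row.get("site", "")
        if " " in site:
            err("site contains a space (monitoring data would not be displayed)")
        if site and site in seen_sites:
            err(f"site {site!r} duplicates row {seen_sites[site]}")
        seen_sites.setdefault(site, n)

        asn = row.get("as-number", "")
        if asn:
            if not is_private_asn(asn):
                err(f"as-number {asn} is not a private ASN")
            elif asn in seen_asns:
                err(f"as-number {asn} duplicates row {seen_asns[asn]}")
            seen_asns.setdefault(asn, n)

        for col, ver in (("loopback-address", 4), ("ipv6-loopback-address", 6)):
            val = row.get(col, "")
            if val:
                try:
                    if ipaddress.ip_address(val).version != ver:
                        err(f"{col} must be an IPv{ver} address")
                except ValueError:
                    err(f"{col} {val!r} is not a valid IP address")
        rid = row.get("router-id", "")
        if rid and rid != row.get("loopback-address", ""):
            err("router-id should be the loopback-address")

        for col, ver in (("prefix-redistribute", 4), ("ipv6-prefix-redistribute", 6)):
            for p in bad_prefixes(row.get(col, ""), ver):
                err(f"{col} entry {p!r} is not a valid IPv{ver} network (separate prefixes with ' & ')")

        for col in ("ipv4-bgp-enable", "remove-private-as", "ipv6-bgp-enable", "copy-tos-header"):
            if row.get(col, "") not in YES_NO:
                err(f"{col} must be yes or no")

        auth, cert = row.get("authentication-type", ""), row.get("certificate-name", "")
        if auth == AUTH_CERT:
            if not CERT_NAME_RE.fullmatch(cert):
                err("certificate-name must be 1-31 letters, digits, hyphens or underscores")
        elif auth == AUTH_PSK:
            if cert:
                err("certificate-name must be empty for pre-shared key authentication")
        elif auth:
            err(f"authentication-type must be {AUTH_PSK} or {AUTH_CERT}")
    return errors


# Constructed sample: header per step 2, one valid hub, one valid branch, one bad branch.
SAMPLE_CSV = """\
device-serial,type,site,router-name,vif-link-tag,router-id,as-number,ipv4-bgp-enable,loopback-address,remove-private-as,prefix-redistribute,ipv6-bgp-enable,ipv6-loopback-address,ipv6-prefix-redistribute,copy-tos-header,authentication-type,certificate-name
0000HUB00001,hub,hub-dc1,sdwan-default,hub-dc1-tag,10.255.0.1,4200000001,yes,10.255.0.1,yes,,no,,,no,certificate,hub-dc1-cert
0000BR000001,branch,branch-nyc,sdwan-default,hub-dc1-tag,10.255.0.2,4200000002,yes,10.255.0.2,no,192.2.10.0/24 & 192.168.40.0/24,no,,,yes,psk,
0000BR000002,branch,branch nyc,sdwan-default,hub-dc1-tag,10.255.0.2,4200000002,yes,10.255.0.3,,192.2.10.1/24,no,,,no,psk,old-cert
"""

if __name__ == "__main__":
    for problem in validate_sdwan_csv(SAMPLE_CSV):
        print(problem)
```

Run it against your own exported CSV (replace SAMPLE_CSV with the file contents) before step 3; every line it prints is a row Panorama would otherwise reject or, for the Site-name space, accept but fail to monitor.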