Configure a Physical Ethernet Interface for SD-WAN
Configure Ethernet Layer 3 interfaces with SD-WAN functionality.
In Panorama, configure a physical, Layer 3 Ethernet interface and enable SD-WAN
functionality. To configure a physical interface, you must assign it an IPv4 or IPv6
address, or both. You must also assign the interface a fully qualified next-hop
gateway and assign an SD-WAN Interface Profile to the
interface. (SD-WAN supports only a Layer 3 interface type; it doesn't support Layer
2 networks such as VPLS.)
After you use Panorama to create a VPN cluster and export your hub and branch
information in the CSV, an Auto VPN configuration in the SD-WAN plugin uses this
information to generate a configuration for the associated branches and hubs that
includes the predefined SD-WAN zones and creates secure VPN tunnels between SD-WAN
branches and hubs. Auto VPN configuration also generates the BGP configuration if
you enter BGP information in the CSV or in Panorama when you add an SD-WAN branch or
hub.
- Select Network > Interfaces > Ethernet, select the appropriate template from the Template context drop-down, select a slot number, such as Slot1, and select an interface (for example, ethernet1/1).
- Select the Interface Type as Layer3.
- On the Config tab, for a legacy routing engine, select a Virtual Router or create a new virtual router. For the Advanced Routing Engine, select a Logical Router or create a new logical router.
- Assign the Security Zone that is appropriate for the interface you’re configuring. For example, if you’re creating an uplink to an ISP, you must know that the Ethernet interface you chose is going to an untrusted zone.
- To enable SD-WAN on an IPv4 interface, select the IPv4 tab and Enable SD-WAN. With SD-WAN plugin 3.2.0 and later releases, you can configure up to four IP addresses for an SD-WAN enabled interface. The SD-WAN plugin uses only the first IP address from the configured IP address list to create the SD-WAN tunnel. SD-WAN likewise considers only the first IP address for the Next Hop Gateway and ignores the remaining IP addresses in the list. (HA deployments only) If you wish to downgrade from SD-WAN plugin version 3.2.0 to 3.1.0 or earlier, remove the HA active/passive configurations on both firewalls before attempting a downgrade procedure, such as downgrading PAN-OS and SD-WAN plugin versions.
- For an IPv4 interface, select the Type of address:
- Static—In the IP field, Add an IPv4 address and prefix length for the interface. You can use a defined variable, such as $uplink, with a range of addresses. Enter the fully qualified IPv4 address of the Next Hop Gateway (the next hop from the IPv4 address you just entered). The Next Hop Gateway must be on the same subnet as the IPv4 address. The Next Hop Gateway is the IP address of the ISP’s default router that the ISP gave you when you bought the service. It is the next hop IP address to which the firewall sends traffic to reach the ISP’s network, and ultimately, the internet and the hub.
- PPPoE—Enable PPPoE authentication for DSL links, enter the Username and Password, and Confirm Password.
- DHCP Client—It’s critical that DHCP assigns a default gateway, also known as the next hop gateway for the ISP connection. The ISP will provide all the necessary connectivity information, such as the dynamic IP address, DNS servers, and the default gateway. Although DHCP Client is supported for a hub or branch interface, on a hub interface it’s preferable to assign a Static address instead of DHCP Client. Using DHCP on a hub requires the Palo Alto Networks DDNS service. Using a Static address at the hub site creates a more stable environment because DDNS isn’t involved in resolving DHCP IP address changes, and because the DDNS service can take a few minutes to register the new IP address when it changes. If you have multiple branch sites connecting to a hub site, stability is critical to keeping the network up and running. If you select DHCP Client, be sure to disable the option Automatically create default route pointing to default gateway provided by server, which is enabled by default.
- To enable SD-WAN on an IPv6 interface, select the IPv6 tab, Enable IPv6 on the interface, and Enable SD-WAN.
- In the EUI-64 (default 64-bit Extended Unique Identifier) field, enter the 64-bit EUI in hexadecimal format. If you leave this field blank, the firewall uses the EUI-64 generated from the MAC address of the physical interface. If you enable the Use interface ID as host portion option when adding an address, the firewall uses the Interface ID as the host portion of that address.
- For an IPv6 interface, select the Type of address as Static. Select the Address Assignment tab.
- Add an IPv6 Address for the interface or select New Variable to create the variable. SD-WAN supports one IPv6 address per physical interface.
- Enable address on interface.
- Use interface ID as host portion—See prior step for explanation.
- Anycast—Select to make the IPv6 address (route) an Anycast address (route), which means multiple locations can advertise the same prefix, and IPv6 sends the anycast traffic to the node it considers the nearest, based on routing protocol costs and other factors.
- Next Hop Gateway—Enter the IPv6 address of the Next Hop Gateway (the next hop from the IPv6 address you entered). The Next Hop Gateway must be on the same subnet as the IPv6 address. The Next Hop Gateway is the IP address of the ISP’s default router that the ISP gave you when you bought the service. It is the next hop IP address to which the firewall sends traffic to reach the ISP’s network, and ultimately, the internet and the hub.
- Send Router Advertisement—Select to enable the firewall to send this address in Router Advertisements (RAs), in which case you must also enable the global Enable Router Advertisement option for the interface (on the Router Advertisement tab).
- Valid Lifetime (sec)—Enter the valid lifetime (in seconds) that the firewall considers the address valid. The valid lifetime must equal or exceed the Preferred Lifetime (sec) (default is 2,592,000).
- Preferred Lifetime (sec)—Enter the preferred lifetime (in seconds) that the valid address is preferred, which means the firewall can use it to send and receive traffic. After the preferred lifetime expires, the firewall can't use the address to establish new connections, but any existing connections are valid until the valid lifetime expires (default is 604,800).
- On-link—Select if systems that have addresses within the prefix are reachable without a router.
- Autonomous—Select if systems can independently create an IP address by combining the advertised prefix with an Interface ID.
- Click OK.
- For a static IPv6 interface, configure address resolution.
- Select Address Resolution.
- Enable Duplicate Address Detection (DAD) if you want the uniqueness of a potential IPv6 address to be verified before it's assigned to the interface (default is enabled).
- If you selected Enable Duplicate Address Detection, specify the number of DAD Attempts within the neighbor solicitation (NS) interval before the attempt to identify neighbors fails; range is 1 to 10; default is 1.
- Enter the Reachable Time (sec), the length of time that the client assumes a neighbor is reachable after receiving a Reachability Confirmation message; range is 10 to 36,000; default is 30.
- Enter the NS Interval (sec) (Neighbor Solicitation interval), the length of time between Neighbor Solicitations; range is 1 to 3,600; default is 1.
- Enable NDP Monitoring to enable Neighbor Discovery Protocol monitoring. When enabled, you can select the NDP icon in the Features column and view information such as the IPv6 address of a neighbor the firewall has discovered, the corresponding MAC address, User-ID, and status (on a best-case basis).
- Click OK.
- If you want to enable the interface to send IPv6 Router Advertisements (RAs) and optionally tune RA parameters, configure Router Advertisement as documented in the PAN-OS Networking Administrator's Guide, Configure Layer 3 Interfaces.
- On the SD-WAN tab, select an SD-WAN Interface Profile that you already created (or create a new SD-WAN Interface Profile) to apply to this interface. The SD-WAN Interface Profile has an associated link tag, so the interfaces where this profile is applied will have the associated link tag. An interface can have only one link tag.
- Click OK to save the Ethernet interface.
- Commit and Commit and Push your configuration changes.
- (SD-WAN manual configuration only) Configure a Virtual SD-WAN Interface. Auto VPN configuration will perform this task if you’re using Auto VPN.
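The following Python script is an added example, not Palo Alto Networks code or a Panorama schema. It turns the constraints stated in the procedure above into a pre-commit check that can be run against an interface definition before it is pushed: the next hop gateway must sit on the subnet of the first (and only tunnel-relevant) IPv4 address, a static IPv4 address must have a gateway, no more than four IPv4 addresses, one IPv6 address whose valid lifetime is at least the preferred lifetime, the DAD/NS/reachable-time ranges, a Layer 3 interface type, and an assigned SD-WAN Interface Profile. It also computes the modified EUI-64 interface ID the firewall derives from the physical MAC when the EUI-64 field is left blank. The dictionary layout and key names (`ipv4`, `next_hop_gateway`, `sdwan_interface_profile`, and so on), the MAC, and the documentation-range addresses in the two sample definitions are constructed assumptions for this example.

```python
"""Pre-commit sanity checks for an SD-WAN Layer 3 Ethernet interface (added
example, not Palo Alto Networks code; the dict layout is an assumption)."""
import ipaddress

MAX_IPV4_ADDRESSES = 4            # SD-WAN plugin 3.2.0+: up to four IPv4 addresses
DEFAULT_VALID_LIFETIME = 2_592_000
DEFAULT_PREFERRED_LIFETIME = 604_800


def eui64_from_mac(mac: str) -> str:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) from a 48-bit MAC:
    split the MAC in half, insert ff:fe in the middle, and invert the
    universal/local bit of the first octet."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return ":".join(f"{iid[i]:02x}{iid[i + 1]:02x}" for i in range(0, 8, 2))


def link_local_from_mac(mac: str) -> str:
    """Link-local address (fe80::/64 prefix + EUI-64) in compressed form."""
    return str(ipaddress.IPv6Address("fe80::" + eui64_from_mac(mac)))


def _in_range(problems, label, value, lo, hi):
    if not lo <= value <= hi:
        problems.append(f"{label} {value} outside {lo}-{hi}")


def _gateway_on_subnet(problems, family, addr, gateway):
    """The next hop must be inside the prefix of the interface address."""
    iface = ipaddress.ip_interface(addr)
    if gateway is None:
        problems.append(f"{family}: next-hop gateway is required for a static address")
    elif ipaddress.ip_address(gateway) not in iface.network:
        problems.append(f"{family}: next hop {gateway} is not on {iface.network}")


def check_interface(cfg: dict) -> list:
    """Return the list of problems found; an empty list means the definition passes."""
    problems = []
    if cfg.get("interface_type") != "layer3":
        problems.append("SD-WAN requires a Layer 3 interface")
    if not cfg.get("sdwan_interface_profile"):
        problems.append("an SD-WAN Interface Profile must be assigned")

    v4 = cfg.get("ipv4")
    if v4 and v4.get("enable_sdwan"):
        addrs = v4.get("addresses", [])
        if len(addrs) > MAX_IPV4_ADDRESSES:
            problems.append(f"ipv4: {len(addrs)} addresses exceed the limit of {MAX_IPV4_ADDRESSES}")
        if v4.get("type") == "static":
            if not addrs:
                problems.append("ipv4: static type needs at least one address")
            else:
                # Only the first address is used for the tunnel and the next-hop check.
                _gateway_on_subnet(problems, "ipv4", addrs[0], v4.get("next_hop_gateway"))
        elif v4.get("type") == "dhcp" and v4.get("auto_default_route", True):
            problems.append("ipv4: disable the DHCP-created default route")

    v6 = cfg.get("ipv6")
    if v6 and v6.get("enable_sdwan"):
        addrs = v6.get("addresses", [])
        if len(addrs) != 1:
            problems.append(f"ipv6: exactly one address is supported, got {len(addrs)}")
        for a in addrs:
            _gateway_on_subnet(problems, "ipv6", a["address"], a.get("next_hop_gateway"))
            valid = a.get("valid_lifetime", DEFAULT_VALID_LIFETIME)
            preferred = a.get("preferred_lifetime", DEFAULT_PREFERRED_LIFETIME)
            if valid < preferred:
                problems.append(f"ipv6: valid lifetime {valid} < preferred lifetime {preferred}")
        res = v6.get("address_resolution", {})
        if res.get("dad", True):
            _in_range(problems, "ipv6: DAD attempts", res.get("dad_attempts", 1), 1, 10)
        _in_range(problems, "ipv6: reachable time", res.get("reachable_time", 30), 10, 36_000)
        _in_range(problems, "ipv6: NS interval", res.get("ns_interval", 1), 1, 3_600)
    return problems


# Constructed sample definitions using documentation address ranges.
GOOD_BRANCH_UPLINK = {
    "name": "ethernet1/1", "interface_type": "layer3", "zone": "untrust",
    "sdwan_interface_profile": "ISP-Broadband",
    "ipv4": {"enable_sdwan": True, "type": "static",
             "addresses": ["203.0.113.10/24"], "next_hop_gateway": "203.0.113.1"},
    "ipv6": {"enable_sdwan": True,
             "addresses": [{"address": "2001:db8:1::10/64", "next_hop_gateway": "2001:db8:1::1"}],
             "address_resolution": {"dad": True, "dad_attempts": 2}},
}
BAD_UPLINK = {   # missing profile, gateway off-subnet, lifetimes inverted, DAD out of range
    "name": "ethernet1/2", "interface_type": "layer3", "sdwan_interface_profile": "",
    "ipv4": {"enable_sdwan": True, "type": "static",
             "addresses": ["203.0.113.10/24"], "next_hop_gateway": "198.51.100.1"},
    "ipv6": {"enable_sdwan": True,
             "addresses": [{"address": "2001:db8:1::10/64", "next_hop_gateway": "2001:db8:1::1",
                            "valid_lifetime": 600, "preferred_lifetime": 3600}],
             "address_resolution": {"dad_attempts": 12}},
}

if __name__ == "__main__":
    print("link-local for 00:1b:21:3c:4d:5e:", link_local_from_mac("00:1b:21:3c:4d:5e"))
    for cfg in (GOOD_BRANCH_UPLINK, BAD_UPLINK):
        print(cfg["name"], check_interface(cfg) or "OK")
```

The checks mirror the guide's wording rather than the firewall's own validation, so a clean result means the definition is consistent with this procedure, not that the commit will succeed; the EUI-64 helper is useful when you need to predict the link-local address a branch will use before it registers.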