Enable SD-WAN without Auto VPN
Learn how to configure SD-WAN without using Auto VPN. You may need to
perform some additional manual configuration steps to configure SD-WAN without Auto VPN.
Add a single SD-WAN hub or branch firewall or use a CSV to bulk import multiple
SD-WAN hub and branch firewalls with pre-shared key or certificate authentication type.
You can also configure SD-WAN without using the SD-WAN
plugin in one of these ways:
- Configure using a network template from the Panorama management server, or
- Configure SD-WAN directly on each firewall
When you configure SD-WAN without Auto VPN, you must define the SD-WAN
virtual interfaces and bundle the correct physical interfaces (those on which
SD-WAN is enabled) under these virtual interfaces. The tunnels between a site and hub
should be part of the same virtual interface. You must also configure a
routing protocol (or static route) for route exchange.
If you use Auto VPN configuration through Panorama, it creates the SD-WAN
interfaces for you, in which case you don't have to create and configure a virtual SD-WAN interface. If you are not using Auto VPN configuration through
Panorama, then you can configure SD-WAN manually as follows:
- Create the DIA SD-WAN virtual interface (VIF) on both hub and branch
firewalls and configure the SD-WAN-enabled interface as a member of
the DIA VIF.
- Configure the default route using the DIA SD-WAN VIF for internet
traffic.
- Configure an IPSec tunnel between the hub and branch firewalls using the physical
interface on which SD-WAN is enabled as the IKE gateway.
- Create the SD-WAN VIF (branch VIF on the hub and hub VIF on the
branch) and configure the IPSec tunnels that go to the same destination as part
of the same VIF.
- Configure routing between the hub and branch to exchange routing information.
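The manual steps above can be checked on paper before anything is pushed to a firewall. The following is an added example, not Palo Alto Networks code: it validates a planned site against the rules listed above, using a hypothetical planning structure (the dictionary keys, interface names, and tunnel names are all constructed and are not PAN-OS syntax).

```python
# Added example. The site model is a hypothetical planning structure,
# not PAN-OS syntax; every name and value below is constructed.

def check_site(site):
    """Return violations of the manual (no Auto VPN) SD-WAN rules for one firewall."""
    problems = []
    enabled = set(site["sdwan_enabled"])   # physical interfaces with SD-WAN enabled
    tunnels = site["tunnels"]              # name -> {"peer", "ike_interface"}
    vifs = site["vifs"]                    # name -> {"type": "dia"|"vpn", "members"}

    dia = [n for n, v in vifs.items() if v["type"] == "dia"]
    if not dia:
        problems.append("no DIA VIF defined")
    for n in dia:
        for m in vifs[n]["members"]:
            if m not in enabled:
                problems.append(f"{n}: member {m} is not SD-WAN enabled")
    if site.get("default_route_via") not in dia:
        problems.append("default route does not use the DIA VIF")

    for t, cfg in tunnels.items():
        if cfg["ike_interface"] not in enabled:
            problems.append(f"{t}: IKE gateway interface is not SD-WAN enabled")

    peer_vif, bundled = {}, set()
    for n, v in vifs.items():
        if v["type"] != "vpn":
            continue
        for m in v["members"]:
            if m not in tunnels:
                problems.append(f"{n}: member {m} is not a defined tunnel")
                continue
            bundled.add(m)
            first = peer_vif.setdefault(tunnels[m]["peer"], n)
            if first != n:  # tunnels to one destination must share one VIF
                problems.append(f"tunnels to {tunnels[m]['peer']} split across {first} and {n}")
    problems += [f"{t}: not a member of any SD-WAN VIF" for t in tunnels if t not in bundled]
    if not site.get("routing"):
        problems.append("no routing protocol or static route configured")
    return problems

BRANCH = {  # constructed plan for one branch with two links to one hub
    "sdwan_enabled": ["ethernet1/1", "ethernet1/2"],
    "tunnels": {"tun-hub-a": {"peer": "hub1", "ike_interface": "ethernet1/1"},
                "tun-hub-b": {"peer": "hub1", "ike_interface": "ethernet1/2"}},
    "vifs": {"sdwan.901": {"type": "dia", "members": ["ethernet1/1", "ethernet1/2"]},
             "sdwan.1": {"type": "vpn", "members": ["tun-hub-a", "tun-hub-b"]}},
    "default_route_via": "sdwan.901",
    "routing": "bgp",
}
```

`check_site(BRANCH)` returns an empty list for this plan; each string it returns otherwise names the rule that the plan breaks.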