When you have Panorama deployed without a public IP address, your SD-WAN devices rely solely on the SD-WAN overlay network for connectivity to Panorama. This creates a single point of failure that can result in significant outages when SD-WAN overlay issues occur. The Dedicated Tunnel to Panorama feature addresses this vulnerability by establishing persistent, dedicated IPSec tunnels from your branch devices to Panorama through designated termination devices using direct internet access (DIA) interfaces.

This feature is valuable in environments where Panorama can’t be exposed over the internet using a public IP address. With dedicated tunnels in place, even if your primary SD-WAN overlay network becomes unavailable, your devices can still reach Panorama to receive configuration updates and troubleshooting commands. This eliminates the need for manual recovery, significantly reducing downtime and operational costs.

You can configure primary and secondary termination devices with preferred and secondary DIA interfaces, ensuring redundant connectivity paths to Panorama. The solution uses a separate VPN address pool for tunnel IP address assignments that must not overlap with existing SD-WAN overlay configurations.