Next-Generation Firewall
Configure SD-WAN
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure SD-WAN
Configure the SD-WAN interfaces and Link Management Profiles to define how the
firewall performs SD-WAN link failovers.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
Where Can I Use This? | What Do I Need? |
---|---|
|
One of these:
|
Configure the physical Ethernet interfaces and SD-WAN interface profile to enable
SD-WAN functionality and define the characteristics of the ISP connections the
firewall monitors. Additionally, you must create the SD-WAN VPN cluster to determine
which branches communicate with which hubs and to create a secure connection between
the branch and hub firewalls.
- Log in to Strata Cloud Manager.Set Up SD-WAN.Configure a Layer 3 Interface.Layer 3 interfaces are required for SD-WAN functionality. Repeat this step to configure as many Layer 3 Ethernet interfaces on your SD-WAN firewall as needed.You can configure up to four IP addresses for an SD-WAN enabled interface. The Auto VPN workflows uses only the first IP address from the configured IPv4 address list to create the VPN tunnel and ignores the remaining IPv4 addresses in the list.Configure a Logical Router and add the interfaces that you created in the previous step to the logical router.(Optional) Configure a BGP Redistribution Profile.Configure an SD-WAN interface profile.The SD-WAN interface profile defines the characteristics of the ISP connection, specifies the speed of links and how frequently the firewall monitors the link, and specifies the Link Tag. When you specify the same Link Tag on multiple links, you’re grouping (bundling) those physical links into a link bundle or fat pipe.
- Select ManageConfigurationNGFW and Prisma AccessSecurity ServicesSD-WAN PolicyProfilesSD-WAN Interfaceand select the hub or branch folder where want to create the SD-WAN interface profile.Add Profile.Enter a descriptive Name for the profile.Select the Link Tag the profile assigns to the interface.Select the Link Type from the predefined list.Specify the Maximum Download (Mbps) speed from the ISP.Specify the Maximum Upload (Mbps) speed to the ISP.Check (enable Eligible for Error Correction Profile Interface Selection to enable Forward Error Correction (FEC) or packet duplication for interfaces.If enabled, you must enable this setting for both sending and receiving firewalls.VPN Data Tunnel Support determines whether the branch-to-hub traffic and return traffic flows through a VPN tunnel for added security or flows outside of the VPN tunnel to avoid encryption overhead. This setting is enabled by default.
- Keep enabled for public links that have direct internet connections or internet break capabilities, such as cable modem, ADSL, and other internet connections.
- Disable for private link types such as MPLS, satellite, or microwave that doesn’t have internet breakout capability. However, you must first ensure that the traffic can’t be intercepted because it will be sent outside of the VPN tunnel.
- The branch might have DIA traffic that needs to fail over to the private MPLS link connecting to the hub, and reach the internet from the hub. The VPN Data Tunnel Support setting determines whether the private data flows through the VPN tunnel or flows outside the tunnel, and the failed over traffic uses the other connection (that the private data flow doesn’t use). The firewall uses zones to segment DIA failover traffic from private MPLS traffic.
Set the VPN Failover Metric if DIA AnyPath is enabled a hub or branch firewall, to prioritize the order in which a particular hub is selected for failover.The lower the metric, the higher the priority of the interface to be selected during failover. If multiple hub virtual interfaces have the same metric value, SD-WAN sends new session traffic to them in round-robin fashion.Select the Path Monitoring mode.- Aggressive—Firewall sends probe packets to the opposite end of the SD-WAN link at a constant frequency. Use this mode if you need fast detection and failover for brownout and blackout conditions. Default for all link types except LTE and Satellite.
- Relaxed—Firewall waits for a number of seconds (Probe Idle Time) between sending sets of probe packets, making path monitoring less frequent. When the probe idle time expires, firewall sends probes for 7 seconds at the Probe Frequency configured. Use this mode when you have low-bandwidth links, links that charge by usage (such as LTE), or when fast detection isn’t as important as preserving cost and bandwidth. Default for LTE and Satellite link types.
Set the Probe Frequency (per second) to specify the number of times per second the firewall sends a probe packet to the opposite end of the SD-WAN link. The default setting provides subsecond detection of brownout and blackout conditions.Set the Probe Idle Time (seconds) to specify how long the firewall waits between sets of probe packets.Set the Failback Hold Time (seconds) to specify how long the firewall waits for a recovered link to remain qualified before the firewall reinstates the link after it has failed.Save.Configure a VPN cluster for your hub and branch firewalls.- Select ManageConfigurationDevice SettingsAuto VPN and Add VPN Cluster.Check (enable) SD-WAN.Add the hub firewalls to the VPN cluster.
- Add Hub Devices to select one or more firewalls to Add as hubs.Up to four hubs are supported for a VPN cluster.
- Click the firewall in the Hub Devices list.
- Set the hub firewall Priority.Range is 1 to 4. The lower the priority value, the higher the priority and local preference. A cluster supports a maximum of four hubs. An active/passive HA pair counts as one hub. Multiple hubs can have the same priority; an HA pair must have the same priority.
- Select a Logical Router.
- (Optional) Check (enable) DIA VPN and select a DIA VPN Link Tag.
- Update.
- Repeat this step for all hub firewalls that you add to the VPN cluster.
Add the branch firewalls to the VPN cluster.- Add Hub Devices to select one or more firewalls to Add as hubs.
- Select a Logical Router.
- (Optional) Select a BGP Redistribution Profile.
- Update.
- Repeat this step for all branch firewalls that you add to the VPN cluster.