Network > Network Profiles > SD-WAN Interface Profile
Table of Contents
Expand all | Collapse all
-
- Firewall Overview
- Features and Benefits
- Last Login Time and Failed Login Attempts
- Message of the Day
- Task Manager
- Language
- Alarms
- Commit Changes
- Save Candidate Configurations
- Revert Changes
- Lock Configurations
- Global Find
- Threat Details
- AutoFocus Intelligence Summary
- Configuration Table Export
- Change Boot Mode
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Packet Broker Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device Setup Ace
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation > IoT
- Device > Policy > Recommendation SaaS
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
- Panorama > Device Registration Auth Key
Network > Network Profiles > SD-WAN Interface Profile
Create an SD-WAN Interface Profile to
group physical links by Link Tag and to control the speed of links
and how frequently the firewall monitors the link.
SD-WAN Interface Profile | |
|---|---|
Name | Enter the name of the SD-WAN Interface Profile
using a maximum of 31 alphanumeric characters. The name must begin
with an alphanumeric character and can contain letters, numbers,
underscores (_), hyphens (-), periods (.), and spaces. |
Location | Select a virtual system for a multi-vsys
device. |
Link Tag | Select the Link Tag that this profile will
assign to the interface or add a new tag. A link tag bundles physical
links (different ISPs) for the firewall to select from during path
selection and failover. |
Description | It is a best practice to enter a user-friendly
description of the profile. |
Link Type | Select the physical link type from the predefined
list (ADSL/DSL, Cable Modem, Ethernet, Fiber, LTE/3G/4G/5G, MPLS, Microwave/Radio, Satellite, WiFi,
or Other). The firewall can support any CPE
device that terminates and hands off as an Ethernet connection to
the firewall; for example, WiFi access points, LTE modems, laser-microwave
CPEs all can terminate with an Ethernet hand-off. For existing PAN-OS deployments that have zones defined on interfaces that will be used to
support SD-WAN, Panorama may automatically configure the
interface’s zone name to one of the predefined SD-WAN zones
under the following conditions: 1. The SD-WAN interface
is configured as a point-to-point private link type (MPLS, Satellite,
or Microwave) in its Interface Profile. 2.
The VPN Data Tunnel Support checkbox is disabled
(unchecked) on the SD-WAN Interface Profile. This instructs PAN-OS
to forward traffic in clear text outside of the SD-WAN VPN tunnel. On
the Hub firewall, the zone name is configured as “zone-to-branch”
when condition #1 is met. On the Branch firewall, the zone name
is configured as “zone-to-hub” when
both condition #1 and condition #2 are met. Panorama automates this
step to simplify configuration to ensure proper communication between
the hub and branch firewalls. If you have preexisting firewall policies
that referenced the old zone name, you must update the policies
to reflect the new predefined SD-WAN zone name. |
Maximum Download (Mbps) | Enter the maximum download speed from the
ISP in megabits per second; range is 1 to 100,000, there is no default
value. Ask your ISP for the link speed or sample the link’s maximum
speeds with a tool such as speedtest.net and take an average of
the maximums over a good length of time. |
Maximum Upload (Mbps) | Enter the maximum upload speed from the
ISP in megabits per second; range is 1 to 100,000, there is no default
value. Ask your ISP for the link speed or sample the link’s maximum
speeds with a tool such as speedtest.net and take an average of
the maximums over a good length of time. |
Eligible for Error Correction Profile interface selection | Select this setting to make interfaces (where
you apply this profile) eligible for the encoding firewall to select
them for Forward Error Correction (FEC) or packet duplication. You
can deselect this setting so that expensive FEC or packet duplication
is never used on an expensive link (interface) where you apply the
profile. The Link Type specified for the
profile determines whether the default setting of Eligible
for Error Correction Profile interface selection is
selected or not. To configure FEC or packet duplication, create
an SD-WAN Error Correction
Profile. |
VPN Data Tunnel Support | Determines whether the branch-to-hub traffic
and the return traffic flows through a VPN tunnel for added security
(enabled by default) or flows outside of the VPN tunnel to avoid
encryption overhead.
|
VPN Failover Metric | (PAN-OS 10.0.3 and later releases)
When you configure DIA AnyPath, you need a way to specify the failover
order of individual VPN tunnels bundled in a hub virtual interface
or branch virtual interface to which DIA fails over. Specify the
VPN Failover Metric for the VPN tunnel (link); range is 1 to 65,535;
default is 10. The lower the metric value, the higher the priority
of the tunnel (link where you apply this profile) to be chosen during
failover. For example, set the metric to a low value and apply
the profile to a broadband interface; then create a different profile
that sets a high metric to apply to an expensive LTE interface to
ensure it is used only after broadband has failed over. If
you have only one link at the hub, that link supports all of the
virtual interfaces and DIA traffic. If you want to use the link
types in a specific order, you must apply a Traffic Distribution
profile to the hub that specifies Top Down Priority,
and then order the Link Tags to specify the preferred order. (If
you apply a Traffic Distribution profile that instead specifies Best
Available Path, the firewall will use the link, regardless
of cost, to choose the best performing path to the branch.) In summary,
Link Tags in a Traffic Distribution Profile, the Link Tag applied
to a hub virtual interface,
and a VPN Failover Metric work only when the Traffic Distribution
profile specifies Top Down Priority. |
Path Monitoring | Select the path monitoring mode in which
the firewall monitors the interfaces where you apply this SD-WAN
Interface Profile.
|
Probe Frequency (per second) | Enter the probe frequency, which is the
number of times per second that the firewall sends a probe packet
to the opposite end of the SD-WAN link (range is 1 to 5; default
is 5). |
Probe Idle Time (seconds) | If you select Relaxed path
monitoring, you can set the probe idle time (in seconds) that the
firewall waits between sets of probe packets (range is 1 to 60;
default is 60). |
Failback Hold Time (seconds) | Enter the length of time (in seconds) that
the firewall waits for a recovered link to remain qualified before
the firewall reinstates that link as the preferred link after it
has failed over (range is 20 to 120; default is 120). The failback
hold time prevents a recovered link from being reinstated as the preferred
link too quickly and having it fail again right away. |