SD-WAN Plugin Support for Advanced Routing Engine

Configure PAN-OS SD-WAN with the Advanced Routing Engine.
Advanced Routing Engine allows the firewall to scale and provide stable, high-performing, and highly available routing functions to large data centers, ISPs, enterprises, and cloud users. The Advanced Routing Engine relies on industry-standard configuration methodology, which facilitates the administrator tasks. It allows the creation of profiles that are used for different functions (such as, filtering, redistribution, and metric changes), all of which can be used across logical routers. These profiles provide finer granularity to filter routes for each dynamic routing protocol and improve route redistribution across multiple protocols.
You’ll need the following to configure advanced routing engine on SD-WAN:
Platform
Firewalls running PAN-OS Release
SD-WAN Plugin
Panorama
TM
11.0 and later
3.1.0 and later
The Panorama SD-WAN plugin 3.1.0 can concurrently manage firewalls using the Advanced Routing Engine and firewalls using the legacy routing engine. The benefit is that you can migrate select managed firewalls to the new Advanced Routing Engine while still maintaining your current legacy routing engine configuration on others.
While the SD-WAN plugin 3.1.0 manages a firewall regardless of the routing engine, only one routing engine configuration can be in effect at a time on a managed firewall. You can use the
Advanced Routing
option to enable or disable the advanced routing engine. Each time you change the engine that the firewall uses (you enable or disable Advanced Routing to access the advanced engine or legacy engine, respectively), you must commit the configuration and reboot the firewall for the changes to take effect.
  1. Add your hub and branch firewalls as managed devices to the Panorama
    TM
    management server.
  2. Make a backup of your current configuration before you enable Advanced Routing.
  3. In the
    Device
    section, select appropriate template stack from the
    Template
    context drop-down.
    1. Select
      Device
      Setup
      Management
      and edit the General Settings.
    2. Commit
      .
    3. Select
      Device
      Setup
      Operations
      and
      Reboot Device
      .
  4. Select
    Commit
    Commit to Panorama
    and
    commit
    your changes.
  5. Commit and push your configuration changes to your managed firewalls.
    Push to Devices
    to view the logical routers added in the selected SD-WAN firewalls.
    1. Select
      Commit
      Push to Devices
      and
      Edit Selections
      .
    2. Select
      Templates
      and choose the templates stack and template from the list.
    3. Enable
      Force Template Values
      to overwrite local configuration with the updated template values. Before you use this option, check for overridden values on the firewalls to ensure your commit does not result in any unexpected network outages or issues caused by replacing those overridden values.
    4. Click
      OK
      and
      Push
      to devices.
  6. Log back into the firewall.
  7. Select
    Network
    .
    Notice the menu items, which are more industry-standard and more detailed than the single item (Virtual Routers) on the legacy menu.
    Routing
    includes
    Logical Routers
    and
    Routing Profiles
    , which include
    BGP
    ,
    BFD
    ,
    OSPF
    ,
    OSPFv3
    ,
    RIPv2
    ,
    Filters
    , and
    Multicast
    .
  8. You must enable
    Advanced Routing
    for each template stack individually when you have more than one template stack in your configuration. Repeat Steps 5 through 10 for other template stacks on firewalls that you intend to update for advanced routing.
    According to our design requirement, the logical router name must be the same as the virtual router name for the same template when using the advanced routing engine. This means that hubs and branches have always the same router name. When manually creating logical routers rather than using a migration script, you must make sure the logical router name and virtual router name are the same.
  9. Select virtual or logical router in your SD-WAN deployment.
    Select
    Panorama
    SD-WAN
    Devices
    , to add an SD-WAN device (SD-WAN hub or branch firewall) to be managed by the Panorama management server.
    In addition to existing configuration options for adding an SD-WAN device, you can now select a logical router (for advanced routing engine) or virtual router (for legacy engine) for a
    Router Name
    . It is important that the logical router name and the virtual router name are same for the same template when using the advanced routing engine.
    Select the
    Router Name
    (logical or virtual router) to use for routing between the SD-WAN hub and branches:
    • If the virtual router and logical router names are the same, then the
      Router Name
      displays one name.
    • If virtual router and logical router names are different, then the
      Router Name
      displays both virtual and logical router name. You can select either virtual router (for legacy engine) or logical router (for advanced routing engine) based on your requirement.

Recommended For You