Network > Interfaces > SD-WAN

If you use Auto VPN configuration through Panorama, Auto VPN configuration creates the SD-WAN interfaces for you, in which case you don't create and configure a virtual SD-WAN interface.
If you aren't using Auto VPN configuration with Panorama, create a virtual SD-WAN interface and add one or more physical Ethernet interface members that go to the same destination, such as to a specific hub or to the internet.
If Panorama is managing a multi-vsys firewall, all SD-WAN enabled interfaces and configurations must be configured on vsys1.
SD-WAN does not support an SD-WAN configuration across multiple virtual systems of a multi-VSYS firewall.
SD-WAN Interface Settings
Interface Name
The read-only Interface Name is set to sdwan. In the adjacent field, enter a numeric suffix (1 to 9,999) to identify the virtual SD-WAN interface.
Auto VPN creates SD-WAN interfaces numbered .901, .902, and so on. Hence, if you want to create the SD-WAN interfaces manually, don't use the sdwan.90x format for an SD-WAN interface name. Similarly, Auto VPN creates an SD-WAN interface numbered .9016 for an IPv6 interface, so don't use sdwan.9016 for an SD-WAN interface name.
Comment
The best practice is to enter a user-friendly description for the interface, such as to internet or to Western USA hub. Your comments will make it easier to identify interfaces rather than trying to decipher auto-generated names in logs and reports.
Link Tag
Tag on an SD-WAN link; for example, Cheap Broadband or Backup.
Protocol
Select the protocol to indicate the type of virtual SD-WAN interface:
  • ipv4 indicates an IPv4 DIA virtual interface.
  • ipv6 indicates an IPv6 DIA virtual interface.
  • none indicates a VPN tunnel virtual interface.
Config Tab
Virtual Router
Assign a virtual router to the interface, or select Virtual Router to define a new one (see Network > Virtual Routers). Select None to remove the current virtual router assignment from the interface.
Virtual System
If the firewall supports multiple virtual systems and that capability is enabled, you must select vsys1 for the interface.
Security Zone
Select a security zone for the interface, or select Zone to define a new zone. Select None to remove the current zone assignment from the interface. The virtual SD-WAN interface and all of its interface members must be in the same security zone, thus ensuring the same security policy rules apply to all paths from the branch to the same destination.
Advanced Tab
Interfaces
Select the Layer 3 Ethernet interfaces (for Direct Internet Access [DIA]) or virtual VPN tunnel interfaces (for hub) that constitute this virtual SD-WAN interface. The firewall virtual router uses this virtual SD-WAN interface to route SD-WAN traffic to a DIA or a hub location. The interfaces can have different tags. If you enter more than one interface, they must all be the same type (either VPN tunnel or DIA).
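
The rules above (suffix range, names reserved by Auto VPN, vsys1, one member type, one security zone) can be checked against a planned configuration before it is entered. The following is an added example, not Palo Alto Networks code: the dictionary layout, the function name, and the sample plan are hypothetical, reading sdwan.90x as suffixes 900 to 909 is an assumption, and the protocol-to-member-type mapping is inferred from the Protocol and Interfaces fields.

```python
# Suffixes Auto VPN generates, per the page: sdwan.90x and sdwan.9016.
# Treating "90x" as 900-909 is an assumption made for this example.
AUTO_VPN_SUFFIXES = set(range(900, 910)) | {9016}
# Protocol -> member type, inferred from the Protocol and Interfaces fields.
MEMBER_TYPE_FOR_PROTOCOL = {"ipv4": "ethernet", "ipv6": "ethernet", "none": "tunnel"}


def validate_sdwan_interface(iface, multi_vsys=False):
    """Return a list of rule violations for one planned SD-WAN interface (dict)."""
    problems = []
    suffix = str(iface.get("suffix", ""))
    if not suffix.isdigit() or not 1 <= int(suffix) <= 9999:
        problems.append("suffix must be a number from 1 to 9,999")
    elif int(suffix) in AUTO_VPN_SUFFIXES:
        problems.append(f"sdwan.{int(suffix)} collides with Auto VPN naming")

    protocol = iface.get("protocol")
    if protocol not in MEMBER_TYPE_FOR_PROTOCOL:
        problems.append(f"unknown protocol {protocol!r}")
    if multi_vsys and iface.get("vsys") != "vsys1":
        problems.append("SD-WAN interfaces must be on vsys1")

    members = iface.get("members", [])
    if not members:
        problems.append("at least one member interface is required")
    types = {m["type"] for m in members}
    expected = MEMBER_TYPE_FOR_PROTOCOL.get(protocol)
    if len(types) > 1:
        problems.append("members mix DIA Ethernet and VPN tunnel interfaces")
    elif expected and types and types != {expected}:
        problems.append(f"protocol {protocol} expects {expected} members")
    # Every member must share the virtual interface's security zone.
    for m in members:
        if m["zone"] != iface.get("zone"):
            problems.append(f"{m['name']} is in zone {m['zone']}, not {iface.get('zone')}")
    return problems


# Constructed sample plan, not taken from a real firewall.
PLAN = [
    {"suffix": 1, "protocol": "ipv4", "vsys": "vsys1", "zone": "untrust",
     "members": [{"name": "ethernet1/1", "type": "ethernet", "zone": "untrust"},
                 {"name": "ethernet1/2", "type": "ethernet", "zone": "untrust"}]},
    {"suffix": 901, "protocol": "none", "vsys": "vsys2", "zone": "vpn",
     "members": [{"name": "tunnel.10", "type": "tunnel", "zone": "vpn"},
                 {"name": "ethernet1/3", "type": "ethernet", "zone": "dmz"}]},
]

if __name__ == "__main__":
    for iface in PLAN:
        print(f"sdwan.{iface['suffix']}:", validate_sdwan_interface(iface, True) or "ok")
```

The zone check is the one with security impact: a member in a different zone would be evaluated against different security policy rules than the other paths to the same destination.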