>
    Strata Copilot
    Configure Multi-VRFs
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma SD-WAN
    3. Prisma SD-WAN Sites and Devices
    4. Set Up Sites
    5. Add PAN-OS as a Prisma SD-WAN Data Center
    6. Configure Multi-VRFs
    Download PDF
    Prisma SD-WAN

    Configure Multi-VRFs

    Table of Contents

    Configure Multi-VRFs

    Learn to configure multi VRFs.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • Advanced SD-WAN license for NGFW
    Virtual Routing and Forwarding (VRF) enables segmentation of network traffic. The configuration and management of multi-VRF involves configurations on both the Prisma SD-WAN controller and Strata Cloud Manager (SCM).
    1. Onboard the NGFW and move it from the available list to cloud-managed devices under ConfigurationNGFW and Prisma AccessDevice Management.
      1. Create a new folder under All Firewalls and move the NGFW into this folder.
      2. Initially, keep the device scope configuration in a disabled state.
    2. Enable Prisma SD-WAN on the NGFW and push the initial configuration.
    3. Create necessary variables at the NGFW folder level for public, private, and LAN interfaces, their IP addresses and gateways, BGP router ID, and local and peer BGP as numbers for Global, Red, and Blue VRFs.
      1. Add variables by accessing Overview Variables.
      2. To create Interface variables, go to FolderDevice SettingsInterfaces.
        Examples of variables include $eth_int_public_ip, $eth_int_private_gw, $eth_lan_intf_vrf_red, $bgp_router_id, $bgp_vrf_global_local_as, $red_core_peer_bgp_as.
    4. Create a Data Center Site and assign the NGFW device to it.
      1. After the assignment, switch the site to Control mode.
      2. Verify that a logical router is created at the folder level.
      3. Push the configuration.
    5. Configure the required LAN and WAN interfaces on the NGFW using the variables created earlier.
      1. Add Ethernet interfaces and assign IP addresses.
      2. Push the configuration to the NGFW device after configuring the interfaces and IP addresses.
    6. Create VRF Definitions and Profile.
      1. Navigate to ConfigurationPrisma SDWANResourcesVRF.
      2. Add new VRF definitions, such as VRF_Blue and VRF_Red. Global VRF is present by default.
      3. Create a new VRF profile, for example, csdwan_vrf_profile, including Global, VRF_Blue, and VRF_Red definitions.
        If the VRF profile is Global, a logical router prisma-sdwan-global is created,if there is a custom VRF profile, then logical routers with the same name as VRFs are created.
      4. Associate the DC site with this newly created VRF profile. This will create the new Logical Routers, VRF_Red and VRF_Blue on SCM.
    7. Attach the Internet (public) and Private (MPLS) circuits to the DC site using the configured interfaces and variables.
      Ensure the circuit names are provided in the DC site configuration so they appear when attaching the circuits to the NGFW on SCM.
    8. Configure the logical routers (VRF_Red and VRF_Blue) on the NGFW.
      1. Configure these logical routers with core peer details by navigating to NGFW and Prisma AccessOverviewDevice SettingsRouters.
      2. In the Global VRF prisma-sdwan-global, assign the LAN and internet interfaces. (for example, eth-local, eth-internet).
      3. Enable BGP. Add the Router ID and Local AS using the defined variables.
      4. Make sure the peer group name matches, enable EBGP, and select IPv4 Family.
      5. Under the Advanced settings for BGP, ensure the Install Route option is checked.
      6. Configure the global-core-peer with Peer AS number, Local address, and Peer address.
      7. Similarly, configure the red-peer and blue-peerto interact.
      8. Click Update and Push the configuration to the NGFW.
    9. Create Security Zones and Traffic Objects.
      1. Create new security zones, red and blue, in the folder level with the interfaces in Device SettingsZones.
      2. Create Traffic Objects that map the created logical routers (VRF_Red, VRF_Blue) with the corresponding security zones (red, blue).
      3. Select the Traffic Object ID, Zone, and Router.
      4. Save your changes and push the configuration to the NGFW.
    10. Override variables at the folder level for interfaces so they can be accessed when attaching circuits by navigating to Configuration NGFW and Prisma AccessOverviewPrisma SD-WANCircuits.
    11. Create Branch sites and assign the respective ION devices.
      1. Associate the public and private circuits and change the Global VRF profile to the custom VRF profile csdwan_vrf_profile.
      2. Switch the Branch sites to Control mode. Configure the LAN and WAN interfaces on the ION devices, specifying the respective VRFs (Global, VRF_Red, VRF_Blue).
    12. Add the DC Sites in ConfigurationResourcesService and DC Groups.
    13. At the NGFW folder level, configure the NAT policy for Direct Internet Access (DIA) traffic originating from specific zones.

    Direct Internet Access Configuration

    Direct internet access (DIA) enables traffic from clients to reach the internet directly via the NG firewall. Follow these steps to configure Direct Internet Access for clients through the NGFW in the converged SD-WAN deployment.
    Traffic from clients intended for the internet server uses the tunnel to reach the NGFW. After reaching the NGFW, the traffic uses the underlay path (public internet circuit) to reach the internet server.
    1. To enable this flow, configure a NAT policy so that traffic destined for the Internet takes the public circuit.
    2. Navigate to ConfigurationNGFW and Prisma AccessNetwork PoliciesNAT Policy in SCM.
    3. Define a NAT policy that matches traffic coming from the zones associated with clients, for example, blue red zones to the branch zone) destined for any address in the internet zone.
    4. Configure Origin Packet Source address translation within the NAT policy.
    5. Select the translation type to be Dynamic IP and Port.
    6. Specify the Interface and IP address to be used for translation, typically the public-facing interface.
    7. Add this NAT policy in Service and DC Groups.
    8. Push the NAT policy configuration to the NGFW.

    © 2025 Palo Alto Networks, Inc. All rights reserved.