Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
Prisma
Prisma SD-WAN
Prisma SD-WAN Administrator’s Guide
Prisma SD-WAN Administrator Authorization and Authentication
Role Based Access Control
Custom Roles

Last Updated:

Mar 7, 2023

Table of Contents

Filter

Get Started with Prisma SD-WAN

Prisma SD-WAN Key Elements

Deployment Modes

Activate and Launch Prisma SD-WAN

Prisma SD-WAN Web Interface—At a Glance

Prisma SD-WAN Summary

Site Summary Dashboard

Prisma SD-WAN Predictive Analytics Dashboard

Prisma SD-WAN Applications Dashboard

Prisma SD-WAN Link Quality

Prisma SD-WAN Sites and Devices

Set Up Sites

Configure Circuits

Configure Circuit Categories

Configure Device Initiated Connections for Circuits

Add a Branch

Add a Data Center

Manage Data Center Clusters

Configure a Site Prefix

Configure a DHCP Server

Configure NTP for Prisma SD-WAN

Set Up Devices

Connect the ION Device

Claim the ION Device

Assign the ION Device

Return Device to MSP

Configure Device Access One-Time Password

Configure the ION Device at a Branch Site

Configure the ION Device at a Data Center

Switch a Site to Control Mode

Allow IP Addresses in Firewall Configuration

Configure Layer 2 Switch Ports

Add a VLAN or Switch Virtual Interface (SVI)

Configure VLAN on Switch Ports

Edit Switch Configurations

Monitor Switch Activity and Statistics

Prisma SD-WAN Ports and Interfaces

Configure a Controller Port

Configure Internet Ports

Configure WAN/LAN Ports

Configure Cellular Modules

Configure Cellular Interfaces

Create a Customized APN Profile

Modify Cellular SIM Settings

Manage SIM Operations

Customize Cellular Firmware

Configure a Sub-Interface

Configure a Loopback Interface

Virtual Interface

Deployment Topologies of Virtual Interface

Add and Configure a Virtual Interface

Prisma SD-WAN Standard VPN

Create an IPsec Profile

Configure Generic Routing Encapsulation (GRE) Tunnels

Bypass Pair

Configure a Bypass Pair

Configure LAN State Propagation

Configure a PoE Port

Configure Interface level PoE Ports

Configure System Level PoE Ports

Monitor PoE Activity and Stats

Configure LLDP

Monitor LLDP Activity and Status

Configure a PPPoE Interface

Configure a Layer 3 LAN Interface

Configure Application Reachability Probes

Configure a Secondary IP Address

Configure a Static ARP

Configure a DHCP Relay

Configure IP Directed Broadcast

VPN Keep-Alives

Configure VPN Keep-Alives for Circuit Categories

Configure VPN Keep-Alives for Circuits

Configure VPN Keep-Alives for Secure Fabric Links

Use External Services for Monitoring

Prisma SD-WAN IP Flow Information Export (IPFIX) Protocol

Configure IPFIX

Configure IPFIX Profiles

Configure IPFIX Templates

Configure Collector Contexts

Configure Filter Contexts

Configure Global IPFIX Prefixes

Configure Local IPFIX Prefixes

Attach an IPFIX Profile to an ION Device

Attach a Collector Context to a Device Interface

Attach a Filter Context to a Device Interface

Configure High Availability (HA) for IPFIX

Flow Information Elements

Options Information Elements

Configure DNS on Prisma SD-WAN

DNS Service

Configure the DNS Service on the Prisma SD-WAN Interface

Configure DNS Roles

Configure DNS Profiles

Configure DNS Service on the ION Device

Prisma SD-WAN DNS Use Cases

DNS Survivability

Configure System for DNS Survivability

Syslog Server Support in Prisma SD-WAN

Syslog Flow Export

Logs Based on Severity Levels

Configure Syslog Server Support

Configure SNMP

Returned Merchandise Authorization (RMA)

RMA Wizard

Replace a Prisma SD-WAN ION Device

Return the ION Device to Prisma SD-WAN

Upgrade ION Device Software

Schedule Software Upgrade

View Device Software Upgrade Status

Prisma SD-WAN Administrator Authorization and Authentication

Role Based Access Control

System Roles

Add a New User on Prisma SD-WAN

Custom Roles

Create Custom Roles

Assign System or Custom Role

Add a Device User on Prisma SD-WAN

Add Device Access to User on Prisma SD-WAN

Single Sign On Access using SAML

Request SAML Access

Exchange SAML Metadata

Configure SAML Users and Groups

Map Roles and Permissions

Enable SAML Access to End Users

SAML Setup Errors

Client Authentication using 802.1x/MAC Authentication

Add the RADIUS Server

Supported RADIUS Attribute Value Pairs (AVPs)

Monitor RADIUS Server Stats and Activity

Audit Logs

Work with Audit Logs

Prisma SD-WAN Branch and Data Center Routing

Prisma SD-WAN Branch Routing

Prisma SD-WAN Data Center Routing

Configure a Static Route

Configure NextHop Reachability Probe

Configure Dynamic Routing

Enable BGP for Private WAN and LAN

Configure BGP Global Parameters

Global or Local Scope for BGP Peers

Configure a BGP Peer

Configure a Route Map

Configure a Prefix List

Configure an AS Path List

Configure an IP Community List

View Routing Status and Statistics

Prisma SD-WAN Multicast Routing

Configure Multicast

Create a WAN Multicast Configuration Profile

Assign WAN Multicast Configuration Profiles to Branch Sites

Configure a Multicast Source at a Branch Site

Configure Global Multicast Parameters

Configure a Multicast Static Rendezvous Point (RP)

Learn Rendezvous Points (RPs) Dynamically

View LAN Statistics for Multicast

View WAN Statistics for Multicast

View IGMP Membership

View the Multicast Route Table

View Multicast Flow Statistics

Prisma SD-WAN Stacked Policies

Migrate Original Policy Sets to Stacked Policy Sets

Simple Path and QoS Stacks

Add Simple Path or QoS Stacks

Advanced Path and QoS Stacks

Add Advanced Path or QoS Stacks

Add QoS Policy Sets

Add QoS Policy Rules

Add a Path Policy Set

Add a Path Policy Rule

L3 Failure Paths

Minimize Metered LTE Usage

Bind Path or QoS Stacks to Sites

Custom Applications and System Application Overrides

Configure Custom Applications

Configure System Application Overrides

Service and Data Center Groups

Add a Standard VPN Endpoint

Add Groups

Add Domains

Bind Domain to Sites

Use Prisma SD-WAN Data Center Endpoints

Use Service Endpoint Groups in Policies

Configure Network Contexts

Attach Network Contexts to LANs

Configure Circuit Capacities

Configure DSCP

Prefixes

Configure Global Prefixes

Configure Local Prefixes

Configure Syslog Profiles

Prisma SD-WAN Stacked Security Policies

Add a Security Policy Stack

Add Stacked Security Policy Sets

Add a Stacked Security Policy Rule

Add a Security Policy Set to a Security Stack

Bind Security Stacks to Sites

Add Security Zones for Stacked Security Policies

Bind Security Zones to Sites and Devices

Bind Security Zones to Sites

Bind Security Zones to Interfaces

Configure Security Prefixes

Attach Local Security Prefixes to Sites

Monitor Security Policy Rules

Security Policy Migration

Prisma SD-WAN Security Policies

Prisma SD-WAN Security Architecture

Prisma SD-WAN ZBFW

ZBFW Contructs

ZBFW Application

ZBFW Prefix Filters

ZBFW Zones

Security Policy Sets

Security Policy Rules

Actions

Configure Security Policies

Create Zones

Bind Zones to Sites and Devices

Bind Zones to Sites

Bind Zones to Devices

Create Prefix Filters

Create a Security Policy Set

Create Security Policy Rules

Bind a Security Policy Set to a Site

Modify and Delete Policy Rules and Sets

Change Security Rule Order

Manage Existing Security Policy Rules

Edit a Security Policy Set

Clone a Security Policy Set

Delete a Security Policy Set

Prisma SD-WAN NAT Policies

Add a NAT Stack

Add NAT Policy Sets

Add a NAT Policy Rule

Add a NAT Policy Set to a NAT Stack

Bind NAT Stacks to Sites

Configure NAT Zones

Bind NAT Zones to Interfaces

Configure NAT Pools

Bind NAT Pools to Interfaces

Configure NAT Prefixes

Use Cases

Default Source NAT

Destination NAT

Static NAT

ALG Disable

Prisma SD-WAN Event Policies

Event Policy Constructs

Event Policy Framework—Use Cases

Create a New Event Policy Set

Create New Event Policy Rule

Prisma SD-WAN Branch High Availability

Prisma SD-WAN Branch HA Key Concepts

Configure Branch HA

Configure HA Groups

Add ION Devices to HA Groups

View Device Configuration of HA Groups

Edit HA Groups and Group Membership

Branch HA with Internet, MPLS, and a Layer 3 LAN Switch-Topology 1

Configure Branch HA with Internet, MPLS, and a Layer 3 LAN Switch Topology-1

Branch HA with a Firewall on Internet, MPLS, and a Layer 3 LAN Switch

Branch HA with a Next-Generation Firewall on Internet, MPLS, and a Layer 3 LAN Switch

Branch HA with Internet, MPLS, and a Layer 2 LAN Switch-Topology 2

Configure Branch HA with Internet, MPLS, Layer 2 LAN Switch Topology-2

Configure Branch HA with a Firewall on Internet, MPLS, and a Layer 2 LAN Switch

Branch HA with Dual Internet and a Layer 3 LAN Switch-Topology 3

Configure Topology 3

Branch HA with Dual Internet and Next Gen Firewalls

Branch HA with Dual Internet and a Layer 2 LAN Switch-Topology 4

Configure Topology 4

Branch HA for ION Devices without Bypass Pairs

Configure Branch HA for ION Devices without Bypass Pairs

ION 1000 HA Topology

Prisma SD-WAN Application Visibility and Reporting

Get Started

Quick Filters

Activity Charts

Network Tab

View Network Tab

Network Activity Charts

Bandwidth Utilization

Transaction Stats

App Health

App Response Time

New Flows

Concurrent Flows

Media Tab

View Media Tab

Media Charts

Link Quality

View Link Quality Tab

Configure Private WAN Underlay Link Quality Aggregation

Configure Internet Circuit Underlay Link Aggregation

Flows Tab

View Flows Tab

Flows Chart

Flow Detail

Flow Decision Bitmap

Flow Decision Data

Routing Tab

View Routing Tab

System Tab

View System Tab

Cellular Tab

View Cellular Tab

Cellular Charts

Prisma SD-WAN Clarity Reports

WAN Clarity Branch Reports

WAN Clarity Data Center Reports

Prisma SD-WAN Alerts and Alarms

Alerts and Alarms

Filter Alerts and Alarms

Event Correlation of Alarms

Monitor Alarms

Acknowledge Alarms

Synchronize Alarms

Alert and Alarm Event Categories

Hardware and Software Issues

Device Related Issues

BGP Peering Issues

Site Level Issues

Secure Fabric Link Issues

Service Endpoint Level Issues

Logical Interface Level Issues

Alert and Alarm Event Codes

API Changes for Network Secure Fabric Link Event Codes

Troubleshoot Alarms

Correlate Alarms with SNMP Traps

Prisma SD-WAN Device and Tenant Management

Multi-Tenancy

Prisma SD-WAN MSP Dashboard

Monitor Tenant Devices

Monitor Tenant Branches

Monitor Tenant Alarms

Access Child Tenants

Device Lifecycle

Tenant Types

MSP Account Roles and Permissions

Add a User Role in the Child Tenant

Manage Devices for Client Tenants

Manage System Administration in the MSP Portal

Get Started with Prisma SD-WAN
Prisma SD-WAN Sites and Devices
Prisma SD-WAN Administrator Authorization and Authentication
Prisma SD-WAN Branch and Data Center Routing
Prisma SD-WAN Stacked Policies
Prisma SD-WAN Stacked Security Policies
Prisma SD-WAN Security Policies
Prisma SD-WAN NAT Policies
Prisma SD-WAN Event Policies
Prisma SD-WAN Branch High Availability
Prisma SD-WAN Application Visibility and Reporting
Prisma SD-WAN Alerts and Alarms
Prisma SD-WAN Device and Tenant Management

Document:Prisma SD-WAN Administrator’s Guide

Custom Roles

Last Updated:

Mar 7, 2023

Table of Contents

Filter

Get Started with Prisma SD-WAN

Prisma SD-WAN Key Elements

Deployment Modes

Activate and Launch Prisma SD-WAN

Prisma SD-WAN Web Interface—At a Glance

Prisma SD-WAN Summary

Site Summary Dashboard

Prisma SD-WAN Predictive Analytics Dashboard

Prisma SD-WAN Applications Dashboard

Prisma SD-WAN Link Quality

Prisma SD-WAN Sites and Devices

Set Up Sites

Configure Circuits

Configure Circuit Categories

Configure Device Initiated Connections for Circuits

Add a Branch

Add a Data Center

Manage Data Center Clusters

Configure a Site Prefix

Configure a DHCP Server

Configure NTP for Prisma SD-WAN

Set Up Devices

Connect the ION Device

Claim the ION Device

Assign the ION Device

Return Device to MSP

Configure Device Access One-Time Password

Configure the ION Device at a Branch Site

Configure the ION Device at a Data Center

Switch a Site to Control Mode

Allow IP Addresses in Firewall Configuration

Configure Layer 2 Switch Ports

Add a VLAN or Switch Virtual Interface (SVI)

Configure VLAN on Switch Ports

Edit Switch Configurations

Monitor Switch Activity and Statistics

Prisma SD-WAN Ports and Interfaces

Configure a Controller Port

Configure Internet Ports

Configure WAN/LAN Ports

Configure Cellular Modules

Configure Cellular Interfaces

Create a Customized APN Profile

Modify Cellular SIM Settings

Manage SIM Operations

Customize Cellular Firmware

Configure a Sub-Interface

Configure a Loopback Interface

Virtual Interface

Deployment Topologies of Virtual Interface

Add and Configure a Virtual Interface

Prisma SD-WAN Standard VPN

Create an IPsec Profile

Configure Generic Routing Encapsulation (GRE) Tunnels

Bypass Pair

Configure a Bypass Pair

Configure LAN State Propagation

Configure a PoE Port

Configure Interface level PoE Ports

Configure System Level PoE Ports

Monitor PoE Activity and Stats

Configure LLDP

Monitor LLDP Activity and Status

Configure a PPPoE Interface

Configure a Layer 3 LAN Interface

Configure Application Reachability Probes

Configure a Secondary IP Address

Configure a Static ARP

Configure a DHCP Relay

Configure IP Directed Broadcast

VPN Keep-Alives

Configure VPN Keep-Alives for Circuit Categories

Configure VPN Keep-Alives for Circuits

Configure VPN Keep-Alives for Secure Fabric Links

Use External Services for Monitoring

Prisma SD-WAN IP Flow Information Export (IPFIX) Protocol

Configure IPFIX

Configure IPFIX Profiles

Configure IPFIX Templates

Configure Collector Contexts

Configure Filter Contexts

Configure Global IPFIX Prefixes

Configure Local IPFIX Prefixes

Attach an IPFIX Profile to an ION Device

Attach a Collector Context to a Device Interface

Attach a Filter Context to a Device Interface

Configure High Availability (HA) for IPFIX

Flow Information Elements

Options Information Elements

Configure DNS on Prisma SD-WAN

DNS Service

Configure the DNS Service on the Prisma SD-WAN Interface

Configure DNS Roles

Configure DNS Profiles

Configure DNS Service on the ION Device

Prisma SD-WAN DNS Use Cases

DNS Survivability

Configure System for DNS Survivability

Syslog Server Support in Prisma SD-WAN

Syslog Flow Export

Logs Based on Severity Levels

Configure Syslog Server Support

Configure SNMP

Returned Merchandise Authorization (RMA)

RMA Wizard

Replace a Prisma SD-WAN ION Device

Return the ION Device to Prisma SD-WAN

Upgrade ION Device Software

Schedule Software Upgrade

View Device Software Upgrade Status

Prisma SD-WAN Administrator Authorization and Authentication

Role Based Access Control

System Roles

Add a New User on Prisma SD-WAN

Custom Roles

Create Custom Roles

Assign System or Custom Role

Add a Device User on Prisma SD-WAN

Add Device Access to User on Prisma SD-WAN

Single Sign On Access using SAML

Request SAML Access

Exchange SAML Metadata

Configure SAML Users and Groups

Map Roles and Permissions

Enable SAML Access to End Users

SAML Setup Errors

Client Authentication using 802.1x/MAC Authentication

Add the RADIUS Server

Supported RADIUS Attribute Value Pairs (AVPs)

Monitor RADIUS Server Stats and Activity

Audit Logs

Work with Audit Logs

Prisma SD-WAN Branch and Data Center Routing

Prisma SD-WAN Branch Routing

Prisma SD-WAN Data Center Routing

Configure a Static Route

Configure NextHop Reachability Probe

Configure Dynamic Routing

Enable BGP for Private WAN and LAN

Configure BGP Global Parameters

Global or Local Scope for BGP Peers

Configure a BGP Peer

Configure a Route Map

Configure a Prefix List

Configure an AS Path List

Configure an IP Community List

View Routing Status and Statistics

Prisma SD-WAN Multicast Routing