Add a Branch Gateway
Table of Contents
Add a Branch Gateway
Prisma SD-WAN
offers a new hybrid site type, which is the branch
gateway site to maximize the flexibility of the system. Where Can I Use
This? | What Do I
Need? |
|---|---|
|
|
Geographically distributed organizations often have smaller regional datacenters
colocated with users, manufacturing, and other business operations presenting both
configuration and operations challenges. The single-click capability to create
Regional Branch Gateways simplifies the adoption of this use case by automatically
creating VPN topologies and instantiating Hub (Policy Transit, LQM Server, etc )
& Branch (App visibility, path selection, etc) services to simplify Day 1 and
Day 2 operations for all traffic types and vectors.
You can enable the branch gateway functionality with a single click of the site level
configuration setting. Upon enabling the branch gateway mode, VPN tunnels will
automatically form between the branch gateway site and corresponding branch sites in
the domain.
Where Can I Use
This? | What Do I
Need? |
|---|---|
|
|
Prisma SD-WAN
supports branch gateway sites on the following
platforms:- ION 3200
- ION 5200
- ION 9200
- ION 3000
- ION 7000
- ION 9000
All virtual ION models also support a branch gateway site.
The ION device assigned to a branch gateway site supports the following
interfaces:
- Port
- Bypass Pair
- Subinterfaces
- Virtual Interfaces
- Standard VPN
Interfaces in the branch gateway site support IPv4 & IPv6 static and DHCP
addresses as well as secondary addresses.
You can create a new site as a branch gateway site or can convert an existing branch
site to a branch gateway site after completing the site configuration.
- Create a new branch gateway site.
- Select .
- Add aSite Nameand optionally enter description and tags.
- EnableConfigure as a Branch Gateway Site.
![]()
- Add the other details to set up a site and clickSave & Exit.
Assign a device to the created branch gateway site, enableL3 Direct Private WAN ForwardingandL3 LAN Forwardingfor the device and then configure the interfaces. - Convert an existing branch site to a branch gateway site.You can convert an existing branch site to a branch gateway site.Ensure that:
- The site is inControlmode.
- You have enabledL3 Direct Private WAN Forwarding.
- You have enabledL3 LAN Forwarding.
- There are no any existing branch-to-branch VPN tunnels. If any tunnels exist,Prisma SD-WANdeletes them during the conversion process.
- Select and click the ellipsis menu for the site.
- SelectSwitch to Branch Gateway Site.Switching a branch site to a branch gateway site causes the ION device to reboot.
![]()
Alternatively, you can selectBranch Sites, then select a site and then enableBranch Gateway.
- Edit branch gateway site settings.(Optional)After you create a branch gateway site, you can optionally edit the branch gateway site settings.
![]()
SelectPrefer LAN Default over WANin case your topology needs to take the LAN interface (with a default gateway) as the default route. This will mimic the path selection behavior of a data center site where the device forwards all incoming WAN traffic to the LAN peer.![]()
For example, if the traffic flow is — Branch ↔Branch Gateway ↔ LAN (Firewall → Internet). Typically, the ION device will have a default route (0.0.0.0/0) on the internet (WAN) interfaces (with the next hop as the default gateway configured on the wan interface or from DHCP). This is to steer packets to the internet (for DIA or otherwise) if no other specific route exists. In this particular scenario, the branch gateway site needs to take the LAN interface. The LAN interface has a default gateway configured either statically or via DHCP as a default route as against an internet interface, which would generally have a default route. You can achieve this by adding a default route with a lower admin cost on the LAN interface than the WAN interface when you selectPrefer LAN Default over WAN.Maximum Branch Site Count Infoindicates the maximum number of branch sites that you can associate with a branch gateway site. If you exceed this number,Prisma SD-WANgenerates an incident. However, it will still be possible to associate branches to the branch gateway by joining the domain or through the establishment of manual tunnels. - Create VPNs between branch gateway sites or branch sites.
![]()
Prisma SD-WANestablishes VPN tunnels as follows:- Branch -> Branch Gateway (Same Domain) —Prisma SD-WANautomatically builds Fabric VPN tunnels.
- Branch -> Branch Gateway (Different Domain) — You need to manually configure Fabric VPN Tunnels.
- Branch Gateway -> DC —Prisma SD-WANautomatically builds VPN tunnels.
- Branch Gateway -> Branch Gateway — You need to manually configure Fabric VPN Tunnels.
- (Optional)Changing the domain of a branch gateway site.
- Select a branch gateway site.
- Click the ellipsis menu and selectChange Site Domain.
- Choose the required domain and clickSubmit.
To establish an automatic VPN tunnel between a branch site and a branch gateway site, ensure that both are in the same domain. - (Optional)Create a manual VPN tunnel between two branch gateway sites.
- Select and select a branch gateway site.
- Select .
- Select a circuit and select the site for VPN establishment on theAdd Secure Fabric Linkpop-up.
- Prefix AdvertisementThe branch gateway site performs prefix advertisement and distribution in a variety of topologies.Prefix AdvertisementLearned ViaAdvertised ToFabric TunnelLAN BGP PeerStandard VPN BGP PeerStandard VPN Tunnel BGP PeerFabric (to branch)LAN BGP PeerLAN BGP PeerFabric → yesLAN BGP Peer → yesPrivate WAN BGP Peer → yesPrivate WAN BGP PeerLAN BGP Peer → yesLAN Static RouteFabric → yesLAN BGP Peer → yesPrivate WAN BGP Peer → yes
- Default Route in WAN BGP Peer.Prisma SD-WANhas enhanced the existing BGP Global configuration to allow an option to choose the default route as part of the prefix advertisement to WAN.For a BGP peer, selectAdvertise Default Route to Peerto distribute the default route to the peer, instead of explicitly configuring a prefix via route-maps.
![]()
