Add an SD-WAN Device
Add a single SD-WAN hub or branch firewall to be managed by the Panorama management server.
Add an SD-WAN hub or branch firewall to be managed by the Panorama™ management server. When adding a device, you specify its type (branch or hub) and give it a Site name for easy identification. Before adding devices, plan your SD-WAN configuration so that you have all the required IP addresses and a clear picture of the SD-WAN topology; this reduces configuration errors.
If you have pre-existing zones for your Palo Alto Networks® firewalls, you will map them to the predefined zones used in SD-WAN.
If you want Active/Passive HA on two branch firewalls or two hub firewalls, do not add those firewalls as SD-WAN devices at this time. Add them as HA peers separately when you Configure HA Devices for SD-WAN.
If you use BGP routing, you must add a Security policy rule that allows BGP from the internal zone to the hub zone and from the hub zone to the internal zone. If you want to use 4-byte ASNs, you must first enable 4-byte ASNs on the virtual router.
- Select Panorama > SD-WAN > Devices and Add a new SD-WAN firewall.
- Select the managed firewall Name to add as an SD-WAN device. You must add your SD-WAN firewalls as managed devices before you can add them as SD-WAN devices.
- Select the Type of SD-WAN device.
- Hub—A centralized firewall deployed at a primary office or location to which all branch devices connect using a VPN connection. Traffic between branches passes through the hub before continuing to the target branch, and connects branches to centralized resources at the hub location. The hub device processes traffic, enforces policy rules, and manages link swapping at the primary office or location.
- Branch—A firewall deployed at a physical branch location that connects to the hub using a VPN connection and provides security at the branch level. The branch device processes traffic, enforces policy rules, and manages link swapping at the branch location.
- Select the Virtual Router Name to use for routing between the SD-WAN hub and branches. By default, an sdwan-default virtual router is created, which enables Panorama to push router configurations automatically.
- Enter the SD-WAN Site name to identify the geographical location or purpose of the device. The Site name supports upper-case and lower-case alphanumeric characters and special characters. Spaces are not supported in the Site name; a Site name that contains a space causes no monitoring data (Panorama > SD-WAN > Monitoring) to be displayed for that site. If you are adding an HA pair, you must use the same Site name for the two peers.
- (PAN-OS 9.1.3 and later 9.1 releases and SD-WAN Plugin 1.0.3 and later 1.0 releases) If you are adding a hub that sits behind a device performing NAT for it, you must specify the IP address or FQDN of the public-facing interface on that upstream NAT device so that Auto VPN Configuration uses that address as the hub's tunnel endpoint. It is the address that the branch office's IKE and IPSec flows must be able to reach. (You must have already configured a physical Ethernet interface for SD-WAN.)
- On the Upstream NAT tab, enable Upstream NAT.
- Add an SD-WAN interface; select an interface you already configured for SD-WAN.
- Select IP Address or FQDN and enter the IPv4 address without a subnet mask (for example, 192.168.3.4) or the FQDN of the upstream device, respectively.
- Click OK. You must also set up the inbound destination NAT as a one-to-one NAT policy, and you must not configure port translation for the IKE or IPSec traffic flows. If the IP address on the upstream device changes, you must configure the new IP address and push it to the VPN cluster members. You must then run the CLI commands clear vpn ipsec-sa, clear vpn ike-sa, and clear session all on both the branch and the hub. You must also clear session all on the virtual router where you configured the NAT policy for the IP addresses.
- (Required for pre-existing customers) You must modify your security policy rules by adding the SD-WAN predefined zones to the correct Source and Destination zones.
- (Optional) Configure Border Gateway Protocol (BGP) routing. To have Panorama set up BGP routing between the VPN cluster members automatically, enter the BGP information below. If you want to configure BGP routing manually on each firewall or use a separate Panorama template for more control, leave the BGP information blank. Before implementing SD-WAN with BGP routing in an environment where BGP is already in use, ensure that the BGP configuration generated by the SD-WAN plugin does not conflict with your pre-existing BGP configuration; for example, use the existing BGP AS number and router ID values for the corresponding SD-WAN device values. If the generated configuration conflicts with the pre-existing one, the pre-existing BGP configuration takes precedence. If you want the pushed configuration to take precedence, enable the force template value when performing the Panorama push.
- Select the BGP tab and enable BGP to configure BGP routing for SD-WAN traffic.
- Enter the BGP Router ID, which must be unique among all routers.
- Specify a static IPv4 Loopback Address for BGP peering. Auto VPN configuration automatically creates a Loopback interface with the IPv4 address you specify. If you specify an address that is already a loopback address on the firewall, the commit fails, so choose an IPv4 address that is not already in use as a loopback address.
- Enter the AS Number. The autonomous system (AS) number identifies the set of routers that share a common routing policy. The AS number must be unique for every hub and branch location.
- Enter Prefix(es) to Redistribute. On a hub device, you must enter at least one prefix to redistribute. Branch devices do not have this option; subnets connected to branch locations are redistributed by default.
- (SD-WAN Plugin 1.0.1 and later releases) Select Group HA Peers at the bottom of the screen to display branches (or hubs) that are HA peers together.
- (PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) Have Panorama create and push to firewalls a Security policy rule that allows BGP to run between branches and hubs.
- Select BGP Policy at the bottom of the screen and Add.
- Enter a Policy Name for the Security policy rule that Panorama will automatically create.
- Select Device Groups to specify the device groups to which Panorama pushes the Security policy rule.
- Select Push to Devices to push your configuration changes to your managed firewalls.
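Several of the values entered in the procedure above are only checked at commit time or show up later as missing monitoring data: a Site name with a space, an HA pair whose two peers have different Site names, an Upstream NAT address entered with a subnet mask, a Router ID or AS number reused across locations, a Loopback Address that already exists on the firewall, or a hub with no prefix to redistribute. The script below is an added example, not Palo Alto Networks code or part of the SD-WAN plugin; it runs those checks over a planning inventory before anything is typed into the dialog. The inventory layout (one dict per firewall mirroring the dialog fields), the device names, sites and addresses are all constructed assumptions, and the sample inventory deliberately contains each kind of mistake.

```python
"""Pre-flight checks for an SD-WAN planning inventory before the devices are entered
under Panorama > SD-WAN > Devices. Added example, not Palo Alto Networks code; the
inventory layout (one dict per firewall, mirroring the dialog fields) is an assumption."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample inventory (not real devices) with deliberate mistakes.
INVENTORY = [
    {"name": "hub-ams-1", "type": "hub", "site": "HQ-Amsterdam", "ha_peer": "hub-ams-2",
     "upstream_nat": "203.0.113.10",
     "bgp": {"router_id": "10.255.0.1", "loopback": "10.255.0.1", "asn": 65001,
             "prefixes": ["10.10.0.0/16"]}},
    {"name": "hub-ams-2", "type": "hub", "site": "HQ-Amsterdam", "ha_peer": "hub-ams-1",
     "upstream_nat": "203.0.113.10",
     "bgp": {"router_id": "10.255.0.1", "loopback": "10.255.0.2", "asn": 65001,
             "prefixes": []}},              # reused Router ID; hub with no prefix
    {"name": "br-lon-1", "type": "branch", "site": "Branch London", "ha_peer": None,
     "upstream_nat": None,                  # space in the Site name
     "bgp": {"router_id": "10.255.0.3", "loopback": "10.255.0.3", "asn": 65002,
             "prefixes": []}},
    {"name": "br-par-1", "type": "branch", "site": "Branch-Paris", "ha_peer": None,
     "upstream_nat": "198.51.100.7/32",     # subnet mask is not allowed here
     "bgp": None},                          # BGP left blank on purpose
    {"name": "br-ber-1", "type": "branch", "site": "Branch-Berlin", "ha_peer": None,
     "upstream_nat": "vpn-ber.example.net",
     "bgp": {"router_id": "10.255.0.5", "loopback": "10.255.0.5", "asn": 65002,
             "prefixes": []}},              # AS 65002 reused at another location
]
# Loopback addresses already configured per firewall (constructed); a clash fails the commit.
EXISTING_LOOPBACKS = {"br-lon-1": {"10.255.0.3"}}

FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z0-9-]{1,63}$", re.I)
BGP_FIELDS = ("router_id", "loopback", "asn", "prefixes")


def _parses(factory, value):
    """True when the ipaddress factory (IPv4Address or IPv4Network) accepts value."""
    try:
        factory(value)
        return True
    except ValueError:
        return False


def is_bare_ipv4(value):
    """IPv4 host address written without a subnet mask, e.g. 192.168.3.4."""
    return _parses(ipaddress.IPv4Address, value)


def validate(inventory, existing_loopbacks):
    """Return a list of findings; empty means the inventory satisfies the constraints
    that the Add SD-WAN Device dialog and the Auto VPN commit enforce."""
    findings = []
    by_name = {d["name"]: d for d in inventory}
    router_ids = defaultdict(list)   # Router ID -> devices using it (must be unique)
    asn_sites = defaultdict(set)     # AS number -> sites using it (unique per location)
    for d in inventory:
        n = d["name"]
        if d["type"] not in ("hub", "branch"):
            findings.append(f"{n}: Type must be hub or branch, got {d['type']!r}")
        # Whitespace in the Site name leaves Panorama > SD-WAN > Monitoring empty for it.
        if not d["site"] or re.search(r"\s", d["site"]):
            findings.append(f"{n}: Site name {d['site']!r} is empty or contains whitespace")
        # HA peers are added together later and must share the Site name.
        if d["ha_peer"]:
            peer = by_name.get(d["ha_peer"])
            if peer is None:
                findings.append(f"{n}: HA peer {d['ha_peer']!r} is not in the inventory")
            elif peer["site"] != d["site"] and n < peer["name"]:   # report once per pair
                findings.append(f"{n}/{peer['name']}: HA peers must use the same Site name")
        # Upstream NAT: bare IPv4 or FQDN of the NAT device's public-facing interface.
        nat = d["upstream_nat"]
        if nat is not None and not (is_bare_ipv4(nat) or FQDN_RE.match(nat)):
            findings.append(f"{n}: Upstream NAT {nat!r} must be an IPv4 address without mask or an FQDN")
        bgp = d["bgp"]
        if bgp is None:   # left blank: BGP configured manually or by a separate template
            continue
        missing = [f for f in BGP_FIELDS if bgp.get(f) is None]
        if missing:
            findings.append(f"{n}: BGP fields {', '.join(missing)} not set; fill all or leave BGP blank")
            continue
        router_ids[bgp["router_id"]].append(n)
        asn_sites[bgp["asn"]].add(d["site"])
        if bgp["loopback"] in existing_loopbacks.get(n, set()):
            findings.append(f"{n}: loopback {bgp['loopback']} already exists on the firewall; commit would fail")
        if any(not _parses(ipaddress.IPv4Network, p) for p in bgp["prefixes"]):
            findings.append(f"{n}: invalid prefix in {bgp['prefixes']}")
        if d["type"] == "hub" and not bgp["prefixes"]:
            findings.append(f"{n}: a hub must list at least one prefix to redistribute")
    for rid, names in router_ids.items():
        if len(names) > 1:
            findings.append(f"Router ID {rid} reused by {', '.join(names)}; it must be unique")
    for asn, sites in asn_sites.items():
        if len(sites) > 1:
            findings.append(f"AS {asn} used at more than one location: {', '.join(sorted(sites))}")
    return findings


if __name__ == "__main__":
    print("\n".join(validate(INVENTORY, EXISTING_LOOPBACKS)) or "inventory is consistent")
```

Two design points follow the page's own rules: the AS number is treated as unique per Site rather than per firewall, because the two members of an HA pair share a location and a Site name, while the Router ID must be unique per firewall; and a device whose BGP block is None is skipped entirely, matching the instruction to leave the BGP fields blank when BGP is configured by hand or by a separate template, whereas a partially filled block is flagged because a half-entered BGP section is neither of those.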