Bulk Import Multiple SD-WAN Devices
Import multiple SD-WAN branch and hub devices to more quickly deploy your SD-WAN.
Add multiple SD-WAN devices to quickly onboard branch and hub firewalls, rather than manually adding each device one at a time. When adding your devices, you specify what type of device it is (branch or hub) and you give each device its site name for easy identification. Before adding your devices, plan your SD-WAN configuration to ensure you have all the required IP addresses and that the SD-WAN topology is well understood. This helps reduce any configuration errors.
If you want to have Active/Passive HA running on two branch firewalls or two hub firewalls, do not add those firewalls as SD-WAN devices in your CSV file. You will add them as HA peers separately when you Configure HA Devices for SD-WAN.
If you are using BGP routing, you must add a security policy rule to allow BGP from the internal zone to the hub zone and from the hub zone to the internal zone. If you want to use 4-byte autonomous system numbers (ASNs), you must first enable 4-byte ASNs for the virtual router.
If you have pre-existing zones for your Palo Alto Networks firewalls, you will be mapping them to the predefined zones used in SD-WAN.
- Select Panorama > SD-WAN > Devices > Device CSV and Export an empty SD-WAN device CSV. The CSV allows you to import multiple branch and hub devices at once, rather than adding each device manually.
- Populate the SD-WAN device CSV with the branch and hub information and save the CSV. All fields are required unless noted otherwise. You must enter the following for each hub and branch:
- device-serial—The serial number of the branch or hub firewall.
- type—Specify whether the device is a branch or a hub.
- site—Enter the SD-WAN device site name to help you identify the geographical location or purpose of the device. The SD-WAN Site name supports all upper-case and lower-case alphanumerical and special characters. Spaces are not supported in the Site name and result in monitoring (Panorama > SD-WAN > Monitoring) data for that site not being displayed.
- (Required for pre-existing customers) Map your pre-existing zones to predefined zones used for SD-WAN.
- zone-internet—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach the internet.
- zone-to-branch—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach a branch.
- zone-to-hub—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach a hub.
- zone-internal—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach an internal zone.
- (Optional) loopback-address—Specify a static loopback IPv4 address for Border Gateway Protocol (BGP) peering.
- (Optional) prefix-redistribute—Enter IP prefixes that the branch informs the hub it can reach. To add more than one prefix, separate prefixes with a space, an ampersand (&), and a space; for example, 22.214.171.124/24 & 192.168.40.0/24. By default, the branch firewall advertises all locally connected internet prefixes to the hub. Palo Alto Networks does not redistribute the branch office default route(s) learned from the ISP.
- (Optional) as-number—Enter the ASN of the private AS to which the virtual router on the hub or branch belongs. The SD-WAN plugin supports only private autonomous systems. The ASN must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or 64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534. Use a 4-byte private ASN. Before implementing SD-WAN with BGP routing in an environment where BGP is already in use, ensure that the BGP configuration generated by the SD-WAN plugin doesn't conflict with your existing BGP configuration. For example, you must use the existing BGP AS number and router ID values for the corresponding SD-WAN device values.
- (Optional) router-id—Specify the BGP router ID, which must be unique among all virtual routers. Enter the Loopback Address as the router ID. Before implementing SD-WAN with BGP routing in an environment where BGP is already in use, ensure that the BGP configuration generated by the SD-WAN plugin doesn't conflict with your existing BGP configuration. For example, you must use the existing BGP AS number and router ID values for the corresponding SD-WAN device values.
- vr-name—Enter the name of the virtual router to use for routing between the SD-WAN hub and branches. By default, Panorama creates an sdwan-default virtual router and can automatically push router configurations.
- Import the SD-WAN device CSV into Panorama. Verify that there are no pending commits on Panorama or the import fails.
- On Panorama, select Panorama > SD-WAN > Devices > Device CSV and Import the CSV you edited in the previous step.
- Browse and select the SD-WAN device CSV.
- Click OK to import the SD-WAN devices.
- Verify that your SD-WAN devices were successfully added.
- Commit your configuration changes.
- Select Push to Devices to push your configuration changes to your managed firewalls.
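
A pre-import check of the populated CSV against the field rules listed above, as an added example (not Palo Alto Networks tooling). It assumes the exported CSV's column headers match the field names on this page, that addresses are plain dotted-quad IPv4, and that a dotted ASN is converted to its integer value and checked against the same numeric range; the sample rows are constructed.

```python
import csv, io, ipaddress
REQUIRED = ("device-serial", "type", "site", "vr-name")  # zone-* and BGP fields are conditional/optional

def private_asn(text):
    """Return the ASN as an int if it is in the page's private ranges, else None."""
    try:
        high, dot, low = text.rpartition(".")  # dotted form is high.low; plain form has no dot
        n = int(high) * 65536 + int(low) if dot else int(low)
    except ValueError:
        return None
    if dot and not 0 <= int(low) <= 65535:
        return None
    return n if 64512 <= n <= 65534 or 4200000000 <= n <= 4294967294 else None

def validate(csv_text):
    """Return 'line N: problem' strings for a populated device CSV; [] means it passes."""
    problems, seen = [], {"as-number": {}, "router-id": {}}
    for line, raw in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        row = {k: (v or "").strip() for k, v in raw.items() if k}
        bad = lambda msg: problems.append(f"line {line}: {msg}")
        problems += [f"line {line}: {f} is required" for f in REQUIRED if not row.get(f)]
        if row.get("type") and row["type"] not in ("branch", "hub"):
            bad("type must be branch or hub")
        if " " in row.get("site", ""):
            bad("site contains a space, so its monitoring data would not display")
        for prefix in filter(None, row.get("prefix-redistribute", "").split(" & ")):
            try:
                ipaddress.ip_network(prefix, strict=False)
            except ValueError:
                bad(f"bad prefix {prefix!r}; separate prefixes with ' & '")
        for field in ("loopback-address", "router-id"):
            if row.get(field):
                try:
                    ipaddress.IPv4Address(row[field])
                except ValueError:
                    bad(f"{field} is not an IPv4 address")
        keys = {"as-number": private_asn(row.get("as-number", "")), "router-id": row.get("router-id")}
        if row.get("as-number") and keys["as-number"] is None:
            bad("as-number is not a private 2-byte or 4-byte ASN")
        for field, key in keys.items():  # both must be unique across hubs and branches
            if key and seen[field].setdefault(key, line) != line:
                bad(f"{field} duplicates line {seen[field][key]}")
    return problems
# Constructed sample: serials, sites and addresses are made up for this example.
SAMPLE = """device-serial,type,site,zone-internet,zone-to-branch,zone-to-hub,zone-internal,loopback-address,prefix-redistribute,as-number,router-id,vr-name
000000000001,hub,HQ-Hub,,,,,10.255.0.1,,4200000001,10.255.0.1,sdwan-default
000000000002,branch,Branch West,,,,,10.255.0.2,"192.168.40.0/24,192.168.41.0/24",65001,10.255.0.2,sdwan-default
000000000003,spoke,Branch-East,,,,,10.255.0.3,192.168.50.0/24 & 192.168.51.0/24,4200000001,10.255.0.3,sdwan-default
"""
```

Running `validate(SAMPLE)` flags the space in the site name, the comma-separated prefixes, the unknown device type and the reused ASN, each with the CSV line it came from.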