Bulk Import Multiple SD-WAN Devices

Import multiple SD-WAN branch and hub devices to more quickly deploy your SD-WAN.
Add multiple SD-WAN devices to quickly onboard branch and hub firewalls, rather than manually adding each device one at a time. When adding your devices, you specify what type of device it is (branch or hub) and you give each device its site name for easy identification. Before adding your devices, plan your SD-WAN configuration to ensure you have all the required IP addresses and that the SD-WAN topology is well understood. This helps reduce any configuration errors.
If you want to have Active/Passive HA running on two branch firewalls or two hub firewalls, do not add those firewalls as SD-WAN devices in your CSV file. You will add them as HA peers separately when you Configure HA Devices for SD-WAN.
If you are using BGP routing, you must add a security policy rule to allow BGP from the internal zone to the hub zone and from the hub zone to the internal zone. If you want to use 4-byte autonomous system numbers (ASNs), you must first enable 4-byte ASNs for the virtual router.
If you have pre-existing zones for your Palo Alto Networks firewalls, you will be mapping them to the predefined zones used in SD-WAN.
  1. Select
    Panorama
    SD-WAN
    Devices
    Device CSV
    and
    Export
    an empty SD-WAN device CSV. The CSV allows you to import multiple branch and hub devices at once, rather than adding each device manually.
  2. Populate the SD-WAN device CSV with the branch and hub information and save the CSV. All fields are required unless noted otherwise. You must enter the following for each hub and branch:
    • device-serial
      —The serial number of the branch or hub firewall.
    • type
      —Specify whether the device is a
      branch
      or a
      hub
      .
    • site
      —Enter the SD-WAN device site name to help you identify the geographical location or purpose of the device.
      The SD-WAN Site name supports all upper-case and lower-case alphanumerical and special characters. Spaces are not supported in the Site name and result in monitoring (
      Panorama
      SD-WAN
      Monitoring
      ) data for that site not to be displayed.
    • (
      Required for pre-existing customers
      ) Map your pre-existing zones to predefined zones used for SD-WAN.
      When you map your existing zones to an SD-WAN zone, you must modify your security policy rules and add the SD-WAN zones to the correct
      Source
      and
      Destination
      zones.
      • zone-internet
        —Enter the names of pre-existing zones that SD-WAN traffic will egress to reach the internet.
      • zone-to-branch
        —Enter the names of pre-existing zones that SD-WAN traffic will egress to reach a branch.
      • zone-to-hub
        —Enter the names of pre-existing zones that SD-WAN traffic will egress to reach a hub.
      • zone-internal
        —Enter the names of pre-existing zones that SD-WAN traffic will egress to reach an internal zone.
    • (
      Optional
      )
      loopback-address
      —Specify a static loopback IPv4 address for Border Gateway Protocol (BGP) peering.
    • (
      Optional
      )
      prefix-redistribute
      —Enter IP prefixes that the branch informs the hub it can reach. To add more than one prefix, separate prefixes with a space, an ampersand (&), and a space; for example, 192.2.10.0/24 & 192.168.40.0/24. By default, the branch firewall advertises all locally connected internet prefixes to the hub.
      Palo Alto Networks does not redistribute the branch office default route(s) learned from the ISP.
    • (
      Optional
      )
      as-number
      —Enter the ASN of the private AS to which the virtual router on the hub or branch belongs. The SD-WAN plugin supports only private autonomous systems. The ASN must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or 64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534.
      Use a 4-byte private ASN. Before implementing SD-WAN with BGP routing in an environment where BGP is already in use, ensure that the BGP configuration generated by the SD-WAN plugin doesn’t conflict with your existing BGP configuration. For example, you must use the existing BGP AS number and router ID values for the corresponding SD-WAN device values.
    • (
      Optional
      )
      router-id
      —Specify the BGP router ID, which must be unique among all virtual routers.
      Enter the Loopback Address as the router ID. Before implementing SD-WAN with BGP routing in an environment where BGP is already in use, ensure that the BGP configuration generated by the SD-WAN plugin doesn’t conflict with your existing BGP configuration. For example, you must use the existing BGP AS number and router ID values for the corresponding SD-WAN device values.
    • vr-name
      —Enter the name of the virtual router to use for routing between the SD-WAN hub and branches. By default, Panorama creates an
      sdwan-default
      virtual router and can automatically push router configurations.
  3. Import the SD-WAN device CSV into Panorama.
    Verify that there are no pending commits on Panorama or the import fails.
    1. On Panorama, Select
      Panorama
      SD-WAN
      Devices
      Device CSV
      and
      Import
      the CSV you edited in the previous step.
    2. Browse
      and select the SD-WAN device CSV.
    3. Click
      OK
      to import the SD-WAN devices.
  4. Verify that your SD-WAN devices were successfully added.
  5. Commit
    your configuration changes.
  6. Select
    Push to Devices
    to push your configuration changes to your managed firewalls.

Recommended For You