Create the SD-WAN Device Groups
Create SD-WAN device groups for your hubs and branches.
Create device groups, one for your hubs and one for your branches, containing all the policy rules and configuration objects for your SD-WAN hubs and branches. After you create the device groups for your hubs and branches, you must create a Security policy rule in each device group allowing traffic between the hub and branch zones. Creating these Security policy rules ensures that traffic between the SD-WAN device zones is allowed when the SD-WAN plugin creates the VPN tunnels after you create a VPN cluster.
Configure an identical configuration across your hub firewalls and an identical configuration across your branch firewalls. This greatly reduces the operational overhead of having to manage the configurations of multiple SD-WAN hubs and branches, and allows you to troubleshoot, isolate, and update configuration issues much more rapidly.
1. Create the SD-WAN hub device group.
   1. Select and Add a device group.
   2. Enter SD-WAN_Hub as the Name for the device group.
   3. (Optional) Enter a Description for the template.
   4. In the Devices section, select the check boxes to assign the SD-WAN hubs to the group.
   5. For the Parent Device Group, select Shared.
2. Create the SD-WAN branch device group.
   1. Select and Add a device group.
   2. Enter SD-WAN_Branch as the Name for the device group.
   3. (Optional) Enter a Description for the template.
   4. In the Devices section, select the check boxes to assign the SD-WAN branches to the group.
   5. For the Parent Device Group, select Shared.
3. Create a Security policy rule to control traffic flows from branch offices to the hub’s internal zone and from the hub’s internal zone to branch offices.
   1. Select and in the Device Group context drop-down, select the SD-WAN_Hub device group.
   2. Enter a Name for the policy rule, such as SD-WAN access--hub DG.
   3. Select and Add the zone-internal and zone-to-branch.
   4. Select and Add the zone-internal and zone-to-branch.
   5. Select Application and Add applications to allow.
      You must allow BGP if you are using BGP routing.
   6. Select Actions and Allow to allow the applications you selected.
   7. Select Target and specify the target devices to which Panorama™ should push this rule.
4. Create a Security policy rule to control traffic originating from the branch offices’ internal zone to the hub and from the hub to the branch offices’ internal zone.
   1. Select and in the Device Group context drop-down, select the SD-WAN_Branch device group.
   2. Enter a Name for the policy rule, such as SD-WAN access--branch DG.
   3. Select and Add the zone-internal and zone-to-hub.
   4. Select and Add the zone-internal and zone-to-hub.
   5. Select Application and Add applications to allow.
      You must allow BGP if you are using BGP routing.
   6. Select Actions and Allow to allow the applications you selected.
   7. Select Target and specify the target devices to which Panorama should push this rule.
5. Commit and push your configuration.
   1. Commit and Commit and Push your configuration changes.
   2. In the Push Scope section, click Edit Selections.
   3. Enable (check) Include Device and Network Templates and click OK.
   4. Commit and Push your configuration changes.

   There are two commit operations that are automatically performed when you commit and push the device group and template configuration. View the Tasks to verify that the second commit is successful. Of these two commit operations, the first always fails.
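
The following Python script is an added example, not Palo Alto Networks code. It audits an exported Panorama configuration for the outcome of the procedure above: both device groups exist, each has an allow rule listing its SD-WAN zones, and BGP is permitted. It assumes the device-group XML layout shown in the constructed sample and that the two zone steps populate the rule's source and destination zones; the check for application `any` is an extra hygiene check beyond the procedure.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout of a Panorama device-group export.
SAMPLE = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="SD-WAN_Hub"><pre-rulebase><security><rules>
<entry name="SD-WAN access--hub DG">
<from><member>zone-internal</member><member>zone-to-branch</member></from>
<to><member>zone-internal</member><member>zone-to-branch</member></to>
<application><member>bgp</member><member>ssl</member></application>
<action>allow</action></entry></rules></security></pre-rulebase></entry>
<entry name="SD-WAN_Branch"><pre-rulebase><security><rules>
<entry name="SD-WAN access--branch DG">
<from><member>zone-internal</member><member>zone-to-hub</member></from>
<to><member>zone-internal</member></to>
<application><member>any</member></application>
<action>allow</action></entry></rules></security></pre-rulebase></entry>
</device-group></entry></devices></config>"""

# Zones from the procedure; assumed to be both source and destination of each rule.
EXPECTED = {"SD-WAN_Hub": {"zone-internal", "zone-to-branch"},
            "SD-WAN_Branch": {"zone-internal", "zone-to-hub"}}

def members(rule, tag):  # <member> values under one field of a rule entry
    return {m.text for m in rule.findall(f"{tag}/member")}

def audit(xml_text, uses_bgp=True):
    """Return findings for missing groups, zone gaps, missing BGP and 'any' apps."""
    root = ET.fromstring(xml_text)
    findings = []
    for dg, zones in EXPECTED.items():
        group = root.find(f".//device-group/entry[@name='{dg}']")
        if group is None:
            findings.append(f"{dg}: device group missing")
            continue
        allow = [r for r in group.findall(".//security/rules/entry")
                 if r.findtext("action") == "allow"]
        zoned = [r for r in allow
                 if zones <= members(r, "from") and zones <= members(r, "to")]
        if not zoned:
            findings.append(f"{dg}: no allow rule covers {sorted(zones)}")
        elif uses_bgp and not any({"bgp", "any"} & members(r, "application") for r in zoned):
            findings.append(f"{dg}: BGP not allowed between SD-WAN zones")
        for r in allow:  # extra hygiene check, not a step on the page
            if "any" in members(r, "application"):
                findings.append(f"{dg}: rule '{r.get('name')}' allows application any")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Pass `uses_bgp=False` when the deployment does not use BGP routing.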