About SD-WAN
Palo Alto Networks supports an SD-WAN overlay that provides
dynamic, intelligent path selection based on applications, services,
and link conditions.
Software-Defined Wide Area Network (SD-WAN)
is a technology that allows you to use multiple internet and private
services to create an intelligent and dynamic WAN, which helps lower
costs and maximize application quality and usability. Beginning
with PAN-OS
®
9.1, Palo Alto Networks®
offers
strong security with an SD-WAN overlay in a single management system.
Instead of using costly and time-consuming MPLS with components such
as routers, firewalls, WAN path controllers, and WAN optimizers
to connect your WAN to the internet, SD-WAN on a Palo Alto Networks
firewall allows you to use less expensive internet services and
fewer pieces of equipment. You don’t need to purchase and maintain
other WAN components.PAN-OS Security
with SD-WAN Functionality
The SD-WAN plugin is integrated
with PAN-OS, so that you get the security features of a PAN-OS firewall
and SD-WAN functionality from a single vendor. The SD-WAN overlay
supports dynamic, intelligent path selection based on applications
and services and the conditions of links that each application or
service is allowed to use. The path health monitoring for each link
includes latency, jitter, and packet loss. Granular application
and service controls allow you to prioritize applications based
on whether the application is mission-critical, latency-sensitive,
or meets certain health criteria, for example. Dynamic path selection
avoids brownout and node failure problems because sessions fail
over to a better performing path in less than one second.
The
SD-WAN overlay works with all PAN-OS security features, such as
User-ID™ and App-ID™, to provide complete security control to branch
offices. The full suite of App-ID capabilities (App-ID decoder,
App-ID cache, and source/destination external dynamic list [EDL]
IP address lists) identifies applications for application-based control
of SD-WAN traffic. You can deploy the firewall with Zero Trust segmentation
of traffic. You can configure and manage SD-WAN centrally from the
Panorama web interface or the Panorama REST API.
You may have
cloud-based services and instead of having your internet traffic
flow from branches to the hub to the cloud, you want the internet
traffic to flow directly from branches to the cloud using a directly
connected ISP. Such access from a branch to the internet is Direct
Internet Access (DIA). You don’t need to spend your hub bandwidth
and money on internet traffic. The branch firewall is already doing
security, so you don’t need the hub firewall to enforce security
on internet traffic. Use DIA on branches for SaaS, web browsing,
or heavy-bandwidth applications that shouldn’t be backhauled to
a hub. The following figure illustrates a DIA virtual interface
consisting of three links from the branch to the cloud. The figure
also illustrates a VPN tunnel virtual interface consisting of four
links that connect the branch to the hub at the headquarters.

SD-WAN Link and
Firewall Support
Link bundling allows you to group multiple
physical links (that different ISPs use to communicate with the
same destination) into a virtual SD-WAN interface. On the basis
of applications and services, the firewall chooses from the links
(path selection) for session load sharing and to provide failover
protection in the event of a brownout or blackout. Thus you are
providing the application with the best quality performance. The
firewall automatically performs session load sharing over the links
in a virtual SD-WAN interface to use available bandwidth advantageously.
An SD-WAN interface must have all of the same type of connection
(either DIA or VPN). VPN links support the hub-and-spoke topology.
SD-WAN
supports the following types of WAN connections: ADSL/DSL, cable
modem, Ethernet, fiber, LTE/3G/4G/5G, MPLS, microwave/radio, satellite,
WiFi, and anything that terminates as Ethernet to the firewall’s
interface. You decide the appropriate strategy for how to use the
links. You could use inexpensive broadband connections before expensive
MPLS or LTE connections. Alternatively, you could use specific VPN
tunnels to reach specific hubs in a region.
The following
firewall models support SD-WAN software capabilities:
- PA-220
- PA-220R
- PA-820
- PA-850
- PA-3200 Series
- PA-5200 Series
- VM-300
- VM-500
- VM-700
If you are a new customer purchasing
a Palo Alto Networks next-generation firewall, you will use the
default virtual router for SD-WAN. If you are an existing customer,
you can choose to either let PAN-OS overwrite any existing virtual
routers or use a new virtual router and new zones for SD-WAN to
keep SD-WAN content separate from your pre-existing configuration.
Centralized Management
Panorama™
provides the means to configure and manage SD-WAN, which makes configuring
multiple options on many geographically-dispersed firewalls much
faster and easier than configuring firewalls individually. You can
change network configurations from a single location rather than
configuring each firewall individually. Auto VPN configuration allows
Panorama to configure branches and hubs with secure IKE/IPSec connections. A
VPN cluster defines the hubs and branches that communicate with
each other in a geographic region. The firewall uses VPN tunnels
for path health monitoring between a branch and a hub to provide
subsecond detection of brownout conditions.
The Panorama dashboard
provides visibility into your SD-WAN links and performance so that
you can adjust path quality thresholds and other aspects of SD-WAN
to improve its performance. Centralized statistics and reporting
include application and link performance statistics, path health
measurements and trend analysis, and focused views of application
and link issues.
Begin by understanding your SD-WAN use case,
then review the SD-WAN configuration elements, traffic distribution
methods, and plan your SD-WAN configuration. To greatly accelerate
the configuration, the best practice is for you to export an empty
SD-WAN device CSV and enter information such as branch office IP
address, the virtual router to use, the firewall site name, zones
to which the firewall belongs, and BGP route information. Panorama
uses the CSV file to configure the SD-WAN hubs and branches and
to automatically provision VPN tunnels between hubs and branches.
SD-WAN supports dynamic routing through eBGP and is configured using Panorama’s
SD-WAN plugin to allow all branches to communicate with the hub
only or with the hub and other branches.
Recommended For You
Recommended Videos
Recommended videos not found.