Before you add your firewalls as SD-WAN firewalls, you
must add them as managed devices.
Before you can begin configuring your SD-WAN
deployment, you must first install the SD-WAN Plugin and add
your hub and branch firewalls as managed devices to the Panorama™
management server. As part of adding your SD-WAN firewall as a managed
device on the Panorama™ management server, you must activate the SD-WAN
license to enable SD-WAN functionality for the firewall.
As part of adding your SD-WAN firewalls as managed devices, you must
configure your managed firewalls to forward logs to Panorama. Panorama
collects information from multiple sources, such as configuration
logs, traffic logs, and link characteristic measurements, to generate
the visibility for SD-WAN application and link health information.
Do not make your Panorama management server
connection reliant only on the SD-WAN overlay. To maintain a reliable
connection in which Panorama is always reachable from the PAN-OS firewalls, we
recommend that you create a dedicated IPSec tunnel from the PAN-OS firewalls to
Panorama (that is, a tunnel outside the SD-WAN overlay between the hubs/branches where
Panorama is located). With this approach, the Panorama management server
remains reachable even if the SD-WAN overlay is impacted.
Each firewall you intend to use in your SD-WAN deployment
requires a unique auth code to activate the license. For example,
if you have 100 firewalls, you must purchase 100 SD-WAN licenses
and activate each SD-WAN license on each firewall using one of the
100 unique auth codes.
For VM-Series firewalls, you
apply the SD-WAN auth code against the specific VM-Series firewall.
If you deactivate the VM-Series firewall,
the SD-WAN auth code can be activated on a different VM-Series firewall
of the same model.
your SD-WAN license remains valid to continue leveraging SD-WAN.
If the SD-WAN license expires, the following occurs:
warning displays when you
changes but no commit failure occurs.
Your SD-WAN configuration no longer functions but is not
Firewalls no longer monitor and gather link health metrics
and stop sending monitoring probes.
Firewalls no longer send app and link health metrics to Panorama.
By default, HTTP/2 inspection is automatically enabled if decryption
is enabled for application traffic. Parent sessions using an
HTTP/2 connection do not generate any traffic logs because they
do not carry any application traffic. However, the child sessions
generated by the streams within the HTTP/2 parent session still
generate traffic logs. For more information on viewing logs for
HTTP/2 connections, see the Palo Alto Networks Knowledgebase.