Create the SD-WAN Device Groups

Create SD-WAN device groups for your hubs and branches.
Create two device groups, one for your hubs and one for your branches, containing all the policy rules and configuration objects for your SD-WAN hubs and branches. After you create the device groups, you must create a Security policy rule in each device group that allows traffic between the hub and branch zones. These Security policy rules ensure that traffic between the SD-WAN device zones is allowed once the SD-WAN plugin creates the VPN tunnels after you create a VPN cluster; without them, the tunnels come up but the session traffic across them is dropped by the default interzone deny.
Use an identical configuration across your hub firewalls and an identical configuration across your branch firewalls. This greatly reduces the operational overhead of managing the configurations of multiple SD-WAN hubs and branches, and lets you troubleshoot, isolate, and fix configuration issues much more rapidly.
  1. Create the SD-WAN hub device group.
    1. Select Panorama > Device Groups and Add a device group.
    2. Enter SD-WAN_Hub as the Name for the device group.
    3. (Optional) Enter a Description for the device group.
    4. In the Devices section, select the check boxes to assign the SD-WAN hubs to the group.
    5. For the Parent Device Group, select Shared.
    6. Click OK.
  2. Create the SD-WAN branch device group.
    1. Select Panorama > Device Groups and Add a device group.
    2. Enter SD-WAN_Branch as the Name for the device group.
    3. (Optional) Enter a Description for the device group.
    4. In the Devices section, select the check boxes to assign the SD-WAN branches to the group.
    5. For the Parent Device Group, select Shared.
    6. Click OK.
  3. Create a Security policy rule to control traffic flows from branch offices to the hub’s internal zone and from the hub’s internal zone to branch offices.
    1. Select Policies > Security and, in the Device Group context drop-down, select the SD-WAN_Hub device group.
    2. Add a new policy rule.
    3. Enter a Name for the policy rule, such as SD-WAN access--hub DG.
    4. Select Source > Source Zone and Add the zone-internal and zone-to-branch zones.
    5. Select Destination > Destination Zone and Add the zone-internal and zone-to-branch zones.
    6. Select Application and Add the applications to allow. Because this rule matches both directions between the internal zone and the tunnel zone, list only the applications that branch traffic needs rather than allowing any application. You must allow BGP if you are using BGP routing.
    7. Select Actions and select Allow to allow the applications you selected.
    8. Select Target and specify the target devices to which Panorama™ should push this rule.
  4. Create a Security policy rule to control traffic originating from the branch offices’ internal zone to the hub and from the hub to the branch offices’ internal zone.
    1. Select Policies > Security and, in the Device Group context drop-down, select the SD-WAN_Branch device group.
    2. Add a new policy rule.
    3. Enter a Name for the policy rule, such as SD-WAN access--branch DG.
    4. Select Source > Source Zone and Add the zone-internal and zone-to-hub zones.
    5. Select Destination > Destination Zone and Add the zone-internal and zone-to-hub zones.
    6. Select Application and Add the applications to allow. As with the hub rule, list only the applications that need to cross the tunnel rather than allowing any application. You must allow BGP if you are using BGP routing.
    7. Select Actions and select Allow to allow the applications you selected.
    8. Select Target and specify the target devices to which Panorama should push this rule.
  5. Commit and push your configuration.
    1. Select Commit > Commit and Push.
    2. In the Push Scope section, click Edit Selections.
    3. Enable (check) Include Device and Network Templates and click OK.
    4. Commit and Push your configuration changes.
      Two commit operations are performed automatically when you commit and push the device group and template configuration. View the Tasks to verify that the second commit is successful; of these two commit operations, the first always fails.
