Add an SD-WAN Device

Add an SD-WAN hub or branch firewall to be managed by the Panorama™ management server. When adding your devices, you specify the type of device (branch or hub) and give each device a site name for easy identification. Before adding your devices, plan your SD-WAN configuration so that you have all the required IP addresses and understand the SD-WAN topology well; this helps reduce configuration errors.
If you have pre-existing zones for your Palo Alto Networks® firewalls, you will map them to the predefined zones used in SD-WAN.
If you want to have Active/Passive HA running on two branch firewalls or two hub firewalls, do not add those firewalls as SD-WAN devices at this time. You will add them as HA peers separately when you Configure HA Devices for SD-WAN.
If you are using BGP routing, you must add a security policy rule to allow BGP from the internal zone to the hub zone and from the hub zone to the internal zone. If you want to use 4-byte ASNs, you must first enable 4-byte ASNs for the virtual router.
When viewing SD-WAN devices, if no data is present or the screen indicates that SD-WAN is undefined, check in the Compatibility Matrix that the Panorama release you are using supports the SD-WAN plugin release you are trying to use.
  1. Select Panorama > SD-WAN > Devices and Add a new SD-WAN firewall.
  2. Select the managed firewall Name to add as an SD-WAN device. You must add your SD-WAN firewalls as managed devices before you can add them as SD-WAN devices.
  3. Select the Type of SD-WAN device.
    • Hub—A centralized firewall deployed at a primary office or location to which all branch devices connect using a VPN connection. Traffic between branches passes through the hub before continuing to the target branch, and the hub connects branches to centralized resources at the hub location. The hub device processes traffic, enforces policy rules, and manages link swapping at the primary office or location.
    • Branch—A firewall deployed at a physical branch location that connects to the hub using a VPN connection and provides security at the branch level. The branch device processes traffic, enforces policy rules, and manages link swapping at the branch location.
  4. Select the Virtual Router Name to use for routing between the SD-WAN hub and branches. By default, an sdwan-default virtual router is created, which enables Panorama to automatically push router configurations.
  5. Enter the SD-WAN Site name to identify the geographical location or purpose of the device.
    The SD-WAN Site name supports all upper-case and lower-case alphanumeric and special characters. Spaces are not supported in the Site name; a Site name containing a space causes monitoring data (Panorama > Monitoring) for that site not to be displayed.
    All SD-WAN devices, including SD-WAN devices in a high availability (HA) configuration, must have a unique Site name.
  6. (PAN-OS 10.0.3 and later 10.1 releases) Select the Link Tag you created for the hub virtual interface (or branch virtual interface), which Auto VPN will assign to the virtual interface. You will use this Link Tag in a Traffic Distribution profile to allow the hub (or branch) to participate in DIA AnyPath.
  7. If you are adding a hub that is behind a device performing NAT for the hub, you must specify the IP address or FQDN of the public-facing interface on that upstream NAT-performing device, so that Auto VPN Configuration can use that address as the tunnel endpoint of the hub. It is the IP address that the branch office’s IKE and IPSec flows must be able to reach. (You must have already configured a physical Ethernet interface for SD-WAN.)
    1. On the Upstream NAT tab, enable Upstream NAT.
    2. Add an SD-WAN interface; select an interface you already configured for SD-WAN.
    3. Select IP Address or FQDN and enter the IPv4 address without a subnet mask (for example, 192.168.3.4) or the FQDN of the upstream device, respectively.
    4. Click OK.
      Additionally, on the upstream device that is performing NAT you must set up the inbound Destination NAT with a one-to-one NAT policy, and you must not configure port translation for the IKE or IPSec traffic flows.
      If the IP address on the upstream device changes, you must configure the new IP address and push it to the VPN cluster. You must then run the CLI commands clear ipsec, clear ike-sa, and clear session all on both the branch and hub. You must also run clear session all on the virtual router where you configured the NAT policy for the IP addresses.
      Upstream NAT is not supported on Layer 2 interfaces.
  8. (PAN-OS 10.0.3 and later 10.1 releases) If you are adding a branch that is behind a device performing NAT for the branch, you must specify the IP address or FQDN of the public-facing interface on that upstream NAT-performing device, or select DDNS to indicate that the IP address for the interface on the NAT device is obtained from the Palo Alto Networks DDNS service. Auto VPN Configuration then uses that public IP address as the tunnel endpoint for the branch. It is the IP address that the branch office’s IKE and IPSec flows must be able to reach. (You must have already configured a physical Ethernet interface for SD-WAN.)
    1. On the Upstream NAT tab, enable Upstream NAT.
    2. Add an SD-WAN interface; select an interface you already configured for SD-WAN.
    3. If you set the NAT IP Address Type to Static IP, select IP Address or FQDN and enter the IPv4 address without a subnet mask (for example, 192.168.3.4) or the FQDN of the upstream device, respectively.
    4. Alternatively, set the NAT IP Address Type to DDNS.
    5. Click OK.
      Additionally, on the upstream device that is performing NAT you must set up the inbound Destination NAT with a one-to-one NAT policy, and you must not configure port translation for the IKE or IPSec traffic flows.
      If the IP address on the upstream device changes, you must configure the new IP address and push it to the VPN cluster. You must then run the CLI commands clear ipsec, clear ike-sa, and clear session all on both the branch and hub. You must also run clear session all on the virtual router where you configured the NAT policy for the IP addresses.
      There is a second location in the UI where you can configure Upstream NAT for a branch, but that location is not preferred, and you should not configure Upstream NAT for a branch in both places. The secondary, non-preferred location is on Panorama at Network > Interfaces > Ethernet: select a template in the Template field, select an Ethernet interface, and select the SD-WAN tab. There you can Enable Upstream NAT and select a NAT IP Address Type. This second method takes precedence: if Upstream NAT is first configured for the Ethernet interface on Panorama through the template stack, the SD-WAN plugin will not change those settings, even if you use different settings on the plugin device configuration page. The plugin configuration for Upstream NAT takes effect only if no Upstream NAT is configured on Panorama through the template stack.
      Upstream NAT is not supported on Layer 2 interfaces.
  9. (Required for pre-existing customers) Map your pre-existing zones to the predefined zones used for SD-WAN.
    When you map your existing zones to an SD-WAN zone, you must modify your security policy rules and add the SD-WAN zones to the correct Source and Destination zones.
    1. Select Zone Internet and Add the pre-existing zones that will egress SD-WAN traffic to the internet.
    2. Select Zone to Hub and Add the pre-existing zones that will egress SD-WAN traffic to the hub.
    3. Select Zone to Branch and Add the pre-existing zones that will egress SD-WAN traffic to the branch.
    4. Select Zone Internal and Add the pre-existing zones that will egress SD-WAN traffic to an internal zone.
  10. (PAN-OS 10.1.5-h1 and later 10.1 releases, and SD-WAN Plugin 2.2.1 and later 2.2 releases) If your application traffic is tagged with Type of Service (ToS) bits or Differentiated Services Code Point (DSCP) markings, copy the ToS field from the inner IPv4 header to the outer VPN header of encapsulated packets going through the VPN tunnel to preserve QoS information.
    1. Select the VPN Tunnel tab.
    2. Select Copy ToS Header.
    3. Click OK.
  11. (Optional) Configure Border Gateway Protocol (BGP) routing.
    To automatically set up BGP routing between the VPN cluster members, enter the BGP information below. If you want to manually configure BGP routing on each firewall, or use a separate Panorama template to configure BGP routing for more control, leave the BGP information below blank.
    Before implementing SD-WAN with BGP routing in an environment where BGP is already in use, ensure that the BGP configuration generated by the SD-WAN plugin doesn’t conflict with your existing BGP configuration. For example, you must use the existing BGP AS number and router ID values for the corresponding SD-WAN device values.
    1. Select the BGP tab and enable BGP to configure BGP routing for SD-WAN traffic.
    2. Enter the BGP Router ID, which must be unique among all routers.
    3. Specify a static IPv4 Loopback Address for BGP peering. Auto VPN configuration automatically creates a Loopback interface with the same IPv4 address that you specify. If you specify an existing loopback address, the commit will fail, so specify an IPv4 address that is not already a loopback address.
    4. Enter the AS Number. The autonomous system number specifies a commonly defined routing policy to the internet. The AS number must be unique for every hub and branch location.
    5. Disable the Remove Private AS option (enabled by default) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don’t want private AS numbers (64512 to 65534) removed from the AS_PATH attribute in BGP Updates. In this case, you want to allow the private AS numbers to leave the SD-WAN private AS in BGP Updates.
      The Remove Private AS setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin.
      If you change the Remove Private AS setting, commit to all SD-WAN cluster nodes, and subsequently downgrade to an SD-WAN Plugin version earlier than 2.0.2, then all configuration related to Remove Private AS must be done outside of the SD-WAN plugin or directly on the firewalls.
    6. Enter the Prefix(es) to Redistribute. On a hub device, you must enter at least one prefix to redistribute. Branch devices do not have this option; subnets connected to branch locations are redistributed by default.
  12. Click OK.
  13. Select Group HA Peers at the bottom of the screen to display branches (or hubs) that are HA peers together.
  14. Have Panorama create and push to the firewalls a Security policy rule that allows BGP to run between branches and hubs.
    1. Select BGP Policy at the bottom of the screen and Add.
    2. Enter a Policy Name for the Security policy rule that Panorama will automatically create.
    3. Select Device Groups to specify the device groups to which Panorama pushes the Security policy rule.
    4. Click OK.
  15. Select Push to Devices to push your configuration changes to your managed firewalls.
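Because the procedure above spreads several hard constraints across steps 5, 7, 8 and 11 (unique Site names without spaces, unique Router IDs and AS numbers, a fresh IPv4 loopback, at least one redistributed prefix on a hub, an upstream NAT address entered without a subnet mask), a planning-stage validator can catch mistakes before they become failed commits or missing monitoring data. The Python below is an added example, not Palo Alto Networks tooling; the SdwanDevice fields and the sample inventory are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class SdwanDevice:
    name: str
    dev_type: str            # "hub" or "branch"
    site: str                # SD-WAN Site name
    router_id: str           # BGP Router ID
    loopback: str            # static IPv4 Loopback Address for BGP peering
    asn: int                 # BGP AS Number
    prefixes: list = field(default_factory=list)  # Prefix(es) to Redistribute (hubs only)
    upstream_nat: str = ""   # IPv4 (no mask) or FQDN of the upstream NAT device, if any

def check_device(dev, existing_loopbacks=frozenset()):
    """Per-device constraints from the procedure; returns a list of error strings."""
    errors = []
    if not dev.site or " " in dev.site:  # a space breaks Panorama monitoring data for the site
        errors.append(f"{dev.name}: Site name must be non-empty and contain no spaces")
    try:
        ipaddress.IPv4Address(dev.loopback)
    except ValueError:
        errors.append(f"{dev.name}: Loopback Address must be an IPv4 address")
    if dev.loopback in existing_loopbacks:  # reusing an existing loopback fails the commit
        errors.append(f"{dev.name}: Loopback {dev.loopback} is already a loopback address")
    if dev.dev_type == "hub" and not dev.prefixes:
        errors.append(f"{dev.name}: a hub must redistribute at least one prefix")
    if "/" in dev.upstream_nat:
        errors.append(f"{dev.name}: Upstream NAT address must be entered without a subnet mask")
    return errors

def check_inventory(devices, existing_loopbacks=frozenset()):
    """Site name, Router ID and AS Number must each be unique across all SD-WAN devices."""
    errors = []
    for attr, label in (("site", "Site name"), ("router_id", "Router ID"), ("asn", "AS Number")):
        first = {}
        for d in devices:
            v = getattr(d, attr)
            if v in first:
                errors.append(f"{d.name}: {label} {v!r} duplicates {first[v]}")
            first.setdefault(v, d.name)
    for d in devices:
        errors.extend(check_device(d, existing_loopbacks))
    return errors

# Constructed sample inventory: a valid hub and a branch with deliberate mistakes.
SAMPLE = [
    SdwanDevice("hub-01", "hub", "NYC-HQ", "10.255.0.1", "10.255.0.1", 65001, ["10.10.0.0/16"]),
    SdwanDevice("br-01", "branch", "NYC HQ", "10.255.0.1", "10.255.0.2", 64600, [], "203.0.113.7/32"),
]
```

Pass the loopback addresses already configured on the firewalls as `existing_loopbacks` so the check mirrors the commit-time failure described in step 11.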
