Create the Predefined Zones in Panorama
Create the predefined zones in Panorama.
SD-WAN policy rules use predefined zones for internal path selection and traffic forwarding purposes. There are two use cases; your use case depends on whether you are enabling SD-WAN on your current PAN-OS
®firewalls that have existing security policy rules or whether you are starting a brand new PAN-OS deployment with no previous security policy rules. If your current firewalls have security policy rules in place, you map your existing zones to the predefined zones that SD-WAN policies use.
The SD-WAN engine makes use of the predefined zones for forwarding traffic. Additionally, creating the predefined zones in the Panorama™ templates provides consistent visibility between the managed firewalls and Panorama:
- Zone Internet—For traffic going to and coming from the untrusted internet.
- Zone to Hub—For traffic going from branch firewalls to hub firewalls and for traffic going between hub firewalls.
- Zone to Branch—For traffic going from hub firewalls to branch firewalls and for traffic between branch firewalls.
- Zone Internal—For internal traffic at a specific location.
If you don’t create the predefined zones, the SD-WAN plugin will automatically create the predefined zones on your branch and hub firewall, but you won’t see them in Panorama.
There are two main use cases for predefined zones:
- Existing Zones—You already have pre-existing zones that you created for use in User-ID™ or various policies (security policy rules, QoS policy rules, zone protection, and packet buffer protection). You must map the pre-existing zones to the predefined zones that SD-WAN uses so the firewall can properly forward traffic. You should continue to use your pre-existing zones in all of your policies because the new predefined zones are used only for SD-WAN forwarding. You will map the zones when you to Add SD-WAN Devices to Panorama by creating your CSV file. (If you aren’t using a CSV file, you will map zones when you configureand add existing zones toPanoramaSD-WANDevicesZone Internet,Zone to Hub,Zone to Branch, andZone Internal.)The result of mapping is that a branch or hub firewall can do a forwarding lookup to determine the egress SD-WAN interface and thus the egress zone. If you don’t map pre-existing zones to predefined zones, an allowed session won’t use SD-WAN. The mapping is necessary because existing customers have different zone names in place, and the firewall must narrow all of those zone names down to the predefined zones. You don’t necessarily have to map zones to all of the predefined zones, but you should map existing zones to at least theZone to HubandZone to Branchzones.
- No Existing Zones—You have a brand new deployment of Palo Alto Networks®firewalls and SD-WAN. In this case, you don’t have zones to map; we recommend you use the predefined zones in your PAN-OS policies and User-ID to simplify deployment.
Before you begin configuring your SD-WAN deployment, for both use cases, you will create the required predefined zones in Panorama named
zone-to-branch. When you onboard your branch and hub firewalls, you will Add SD-WAN Devices to Panorama. For pre-existing customers, the SD-WAN plugin will internally map pre-existing zones with these predefined zones when executing SD-WAN policy rules, QoS policy rules, zone protection, User-ID, and packet buffer protection, and will use the predefined zones for zone logging and visibility in Panorama. For new customers, you are properly set up using the predefined zones.
The predefined zones are also required in order to automatically set up VPN tunnels between your SD-WAN hubs and branches when you push the configuration from Panorama to your managed SD-WAN devices.
The zone names are case-sensitive and must match the names provided in this procedure. Your commit fails on the firewall if the zone names don’t match those described in this procedure.
In this example, we are creating the zone named
- Selectand in theNetworkZonesTemplatecontext drop-down, select the network template you previously created.
- Adda new zone.
- Enterzone-internet, for example, as theNameof the zone.
- For zoneType, selectLayer3.
- Repeat the previous steps to create the remaining zones. In total, you must create the following zones:
- CommitandCommit and Pushyour configuration changes.
- Commityour changes.
Recommended For You
Recommended videos not found.