Create the SD-WAN Device Groups

Create SD-WAN device groups for your hubs and branches.
Create device groups, one for your hubs and one for your branches, containing all the policy rules and configuration objects for your SD-WAN hubs and branches. After you create the device groups for your hubs and branches, you must create a Security policy rule in each device group allowing traffic between the hub and branch zones. Creating these Security policy rules ensures that traffic between the SD-WAN device zones is allowed when the SD-WAN plugin creates the VPN tunnels after you create a VPN cluster.
Use an identical configuration across all of your hub firewalls and an identical configuration across all of your branch firewalls. This greatly reduces the operational overhead of managing the configurations of multiple SD-WAN hubs and branches, and allows you to troubleshoot, isolate, and correct configuration issues much more rapidly.
  1. Log in to the Panorama Web Interface.
  2. Create the Predefined Zones in Panorama.
  3. Create the SD-WAN hub device group.
    1. Select Panorama > Device Groups and Add a device group.
    2. Enter SD-WAN_Hub as the Name for the device group.
    3. (Optional) Enter a Description for the device group.
    4. In the Devices section, select the check boxes to assign the SD-WAN hubs to the group.
    5. For the Parent Device Group, select Shared.
    6. Click OK.
  4. Create the SD-WAN branch device group.
    1. Select Panorama > Device Groups and Add a device group.
    2. Enter SD-WAN_Branch as the Name for the device group.
    3. (Optional) Enter a Description for the device group.
    4. In the Devices section, select the check boxes to assign the SD-WAN branches to the group.
    5. For the Parent Device Group, select Shared.
    6. Click OK.
  5. Create a Security policy rule to control traffic flows from branch offices to the hub’s internal zone and from the hub’s internal zone to branch offices.
    1. Select Policies > Security and, in the Device Group context drop-down, select the SD-WAN_Hub device group.
    2. Add a new policy rule.
    3. Enter a Name for the policy rule, such as SD-WAN access--hub DG.
    4. Select Source > Source Zone and Add the zone-internal and zone-to-branch zones.
    5. Select Destination > Destination Zone and Add the zone-internal and zone-to-branch zones.
    6. Select Application and Add applications to allow.
      You must allow BGP if you are using BGP routing.
    7. Select Actions and Allow to allow the applications you selected.
    8. Select Target and specify the target devices to which Panorama™ should push this rule.
  6. Create a Security policy rule to control traffic originating from the branch offices’ internal zone to the hub and from the hub to the branch offices’ internal zone.
    1. Select Policies > Security and, in the Device Group context drop-down, select the SD-WAN_Branch device group.
    2. Add a new policy rule.
    3. Enter a Name for the policy rule, such as SD-WAN access--branch DG.
    4. Select Source > Source Zone and Add the zone-internal and zone-to-hub zones.
    5. Select Destination > Destination Zone and Add the zone-internal and zone-to-hub zones.
    6. Select Application and Add applications to allow.
      You must allow BGP if you are using BGP routing.
    7. Select Actions and Allow to allow the applications you selected.
    8. Select Target and specify the target devices to which Panorama should push this rule.
  7. Commit and push your configuration.
    1. Select Commit > Commit and Push to push your configuration changes.
    2. In the Push Scope section, click Edit Selections.
    3. Enable (check) Include Device and Network Templates and click OK.
    4. Commit and Push your configuration changes.
      There are two commit operations that are automatically performed when you commit and push the device group and template configuration. View the Tasks to verify that the second commit is successful. Of these two commit operations, the first always fails.
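Before pushing, it helps to audit the candidate configuration for the two device groups and the Security policy rules from steps 5 and 6: does each group have firewalls assigned, does an allow rule cover both directions between the expected zone pair, does it allow bgp when BGP routing is in use, and does it carry a Target. The script below is an added example, not Palo Alto Networks' code. It parses a Panorama-style configuration XML; the element layout (device-group/entry, devices/entry, pre-rulebase/security/rules/entry with from, to, application, action and target children) is assumed from the PAN-OS configuration schema, and the embedded sample is constructed, not captured from a real Panorama (the serial numbers are placeholders).

```python
"""Pre-push audit of the SD-WAN hub and branch device-group Security rules.

Added example (not Palo Alto Networks' code). The XML layout is assumed to
follow the PAN-OS configuration schema; SAMPLE_CONFIG is constructed.
"""
import xml.etree.ElementTree as ET

# Expected zone pair per device group, as in the procedure above.
EXPECTED_ZONES = {
    "SD-WAN_Hub": {"zone-internal", "zone-to-branch"},
    "SD-WAN_Branch": {"zone-internal", "zone-to-hub"},
}

# Constructed sample: the hub rule is complete; the branch rule covers the
# zones but omits bgp and has no Target, so the audit should flag it.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><device-group>
    <entry name="SD-WAN_Hub">
      <devices><entry name="PLACEHOLDER-HUB-SERIAL"/></devices>
      <pre-rulebase><security><rules>
        <entry name="SD-WAN access--hub DG">
          <from><member>zone-internal</member><member>zone-to-branch</member></from>
          <to><member>zone-internal</member><member>zone-to-branch</member></to>
          <source><member>any</member></source>
          <destination><member>any</member></destination>
          <application><member>bgp</member><member>ping</member></application>
          <service><member>application-default</member></service>
          <action>allow</action>
          <target><devices><entry name="PLACEHOLDER-HUB-SERIAL"/></devices></target>
        </entry>
      </rules></security></pre-rulebase>
    </entry>
    <entry name="SD-WAN_Branch">
      <devices><entry name="PLACEHOLDER-BRANCH-SERIAL"/></devices>
      <pre-rulebase><security><rules>
        <entry name="SD-WAN access--branch DG">
          <from><member>zone-internal</member><member>zone-to-hub</member></from>
          <to><member>zone-internal</member><member>zone-to-hub</member></to>
          <source><member>any</member></source>
          <destination><member>any</member></destination>
          <application><member>ping</member></application>
          <service><member>application-default</member></service>
          <action>allow</action>
        </entry>
      </rules></security></pre-rulebase>
    </entry>
  </device-group></entry></devices>
</config>"""


def _members(node, path):
    """Set of <member> texts under a child element, e.g. from/member."""
    return {m.text.strip() for m in node.findall(f"{path}/member") if m.text}


def audit_device_group(dg, zones, use_bgp=True):
    """Return a list of findings for one device group (empty means it passes)."""
    name = dg.get("name")
    findings = []
    if dg.find("devices/entry") is None:
        findings.append(f"{name}: no firewalls assigned to the device group")
    rules = (dg.findall("pre-rulebase/security/rules/entry")
             + dg.findall("post-rulebase/security/rules/entry"))
    # A rule covers the pair only if both zones appear as source and destination,
    # which is what allows traffic in both directions between them.
    covering = [r for r in rules
                if (r.findtext("action") or "").strip() == "allow"
                and zones <= _members(r, "from") and zones <= _members(r, "to")]
    if not covering:
        findings.append(f"{name}: no allow rule covers both directions between "
                        f"{sorted(zones)}")
        return findings
    allowed_apps = set().union(*(_members(r, "application") for r in covering))
    if use_bgp and not allowed_apps & {"bgp", "any"}:
        findings.append(f"{name}: BGP routing in use but no covering rule allows bgp")
    for r in covering:
        if r.find("target") is None:
            findings.append(f"{name}/{r.get('name')}: no Target set; Panorama "
                            "pushes the rule to every device in the group")
    return findings


def audit_config(xml_text, expected=EXPECTED_ZONES, use_bgp=True):
    """Audit every expected device group; returns {group name: [findings]}."""
    root = ET.fromstring(xml_text)
    groups = {}
    for container in root.iter("device-group"):
        for entry in container.findall("entry"):
            groups[entry.get("name")] = entry
    report = {}
    for name, zones in expected.items():
        if name not in groups:
            report[name] = [f"{name}: device group not found in configuration"]
        else:
            report[name] = audit_device_group(groups[name], zones, use_bgp)
    return report


if __name__ == "__main__":
    for group, findings in audit_config(SAMPLE_CONFIG).items():
        print(group, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Run it against a `show config candidate` export (or the output of the Panorama XML API's config retrieval) in place of SAMPLE_CONFIG; pass use_bgp=False when you are not using BGP routing, so the bgp check is skipped. A missing Target is reported as a finding because the procedure asks for one, but a rule without Target is still valid: Panorama applies it to all devices in the group.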