Configure an SD-WAN Interface Profile
Configure an SD-WAN interface profile to group physical links by link tag and control link speeds.
Create an SD-WAN interface profile to define the characteristics of ISP connections: the speed of the links, how frequently the firewall monitors each link, and the Link Tag assigned to the link. When you specify the same Link Tag on multiple links, you group (bundle) those physical links into a link bundle, or fat pipe. You must configure an SD-WAN interface profile and assign it to an SD-WAN-enabled Ethernet interface before you can save that Ethernet interface.
Group links based on a common criterion. For example, group links by path preference from most preferred to least preferred, or group links by cost.
- Select Network > Network Profiles > SD-WAN Interface Profile and select the appropriate template from the Template context drop-down.
- Add an SD-WAN interface profile.
- Enter a user-friendly Name for the SD-WAN interface profile; this is the name you’ll see in reporting, troubleshooting, and statistics.
- Select the vsys Location if you have a multi-vsys Panorama™ management server. By default, vsys1 is selected.
- Select the Link Tag that this profile will assign to the interface.
- Add a Description for the profile.
- Select the physical Link Type from the predefined list (ADSL/DSL, Cable modem, Ethernet, Fiber, LTE/3G/4G/5G, MPLS, Microwave/Radio, Satellite, WiFi, or Other). The firewall can support any CPE device that terminates and hands off as an Ethernet connection to the firewall; for example, WiFi access points, LTE modems, and laser/microwave CPEs can all terminate with an Ethernet handoff. The link types form tunnels only within the following classes:
- Public (or Other) link types: Ethernet, ADSL/DSL, Cable modem, Fiber, LTE/3G/4G/5G, WiFi, and Other. Any public link type will create a tunnel successfully with any other public link type. For example, Ethernet-to-Other and Other-to-Other link types will create the tunnels successfully.
- Private and Point-to-Point link types: MPLS, Satellite, and Microwave/Radio. A private link type can create a tunnel only with the same private link type. For example, MPLS-to-MPLS and satellite-to-satellite link types are valid and the tunnels will be created successfully, but MPLS-to-satellite won't create a tunnel.
For existing PAN-OS deployments that have zones defined on the interfaces that will be used to support SD-WAN, Panorama may automatically change the interface’s zone name to one of the predefined SD-WAN zones under the following conditions:
- a) The SD-WAN interface is configured with a point-to-point private Link Type (MPLS, Satellite, or Microwave) in its Interface Profile.
- b) The VPN Data Tunnel Support checkbox is disabled (unchecked) on the SD-WAN Interface Profile. This instructs PAN-OS to forward traffic in clear text outside of the SD-WAN VPN tunnel.
On the Hub firewall, the zone name is configured as “zone-to-branch” when condition a) is met. On the Branch firewall, the zone name is configured as “zone-to-hub” when both condition a) and condition b) are met. Panorama automates this step to simplify configuration and ensure proper communication between the hub and branch firewalls. If you have preexisting firewall policies that reference the old zone name, you must update those policies to reflect the new predefined SD-WAN zone name.
- Specify the Maximum Download (Mbps) speed from the ISP in megabits per second (range is 0 to 100,000; there is no default). You can enter a value with up to three decimal places, for example, 10.456. Ask your ISP for the link speed, or sample the link’s maximum speeds with a tool such as speedtest.net and take an average of the maximums over a reasonably long period.
- Specify the Maximum Upload (Mbps) speed to the ISP in megabits per second (range is 0 to 100,000; there is no default). You can enter a value with up to three decimal places, for example, 10.456. Ask your ISP for the link speed, or sample the link’s maximum speeds with a tool such as speedtest.net and take an average of the maximums over a reasonably long period.
- Select Eligible for Error Correction Profile interface selection to enable Forward Error Correction (FEC) or packet duplication for interfaces. You must enable this on both the encoding and decoding firewalls; you must also create an Error Correction profile to apply to the SD-WAN policy rule for specific applications.
- VPN Data Tunnel Support determines whether the branch-to-hub traffic and return traffic flows through a VPN tunnel for added security (the default method) or flows outside of the VPN tunnel to avoid encryption overhead.
- Leave VPN Data Tunnel Support enabled for public link types that have direct internet connections or internet breakout capability, such as cable modem, ADSL, and other internet connections.
- You can disable VPN Data Tunnel Support for private link types such as MPLS, satellite, or microwave that do not have internet breakout capability. However, you must first ensure the traffic cannot be intercepted, because it will be sent outside of the VPN tunnel.
- The branch may have DIA traffic that needs to fail over to the private MPLS link connecting to the hub, and reach the internet from the hub. The VPN Data Tunnel Support setting determines whether the private data flows through the VPN tunnel or outside the tunnel, and the failed-over traffic uses the other path (the one that the private data flow doesn’t use). The firewall uses zones to segment DIA failover traffic from private MPLS traffic.
- If you Configure DIA AnyPath, a principal virtual interface can have multiple hub virtual interfaces, so you must prioritize the order in which a particular hub is selected for failover. Specify that priority by setting the VPN Failover Metric for the VPN tunnels bundled in the hub virtual interface where this profile is applied. The lower the metric, the higher the priority of the interface to be selected during failover. If multiple hub virtual interfaces have the same metric value, SD-WAN sends new session traffic to them in round-robin fashion.
- (Optional) Select the Path Monitoring mode in which the firewall monitors the interfaces where you apply this SD-WAN Interface Profile. The firewall selects what it considers the best monitoring method based on Link Type. Retain the default setting for the link type unless an interface (where you apply this profile) has issues that require more aggressive or more relaxed path monitoring.
- Aggressive: (Default for all link types except LTE and Satellite) The firewall sends probe packets to the opposite end of the SD-WAN link at a constant frequency. Use this mode if you need fast detection and failover for brownout and blackout conditions.
- Relaxed: (Default for LTE and Satellite link types) The firewall waits for a number of seconds (the Probe Idle Time) between sending sets of probe packets, making path monitoring less frequent. When the probe idle time expires, the firewall sends probes for seven seconds at the configured Probe Frequency. Use this mode when you have low-bandwidth links, links that charge by usage (such as LTE), or when fast detection isn’t as important as preserving cost and bandwidth.
- Set the Probe Frequency (per second), which is the number of times per second that the firewall sends a probe packet to the opposite end of the SD-WAN link (range is 1 to 5; default is 5). The default setting provides subsecond detection of brownout and blackout conditions. If you change the Probe Frequency for a Panorama template, you should also adjust the Packet Loss percentage threshold in a Path Quality profile for a Panorama device group.
- If you select Relaxed path monitoring, you can set the Probe Idle Time (seconds) that the firewall waits between sets of probe packets (range is 1 to 60; default is 60).
- Enter the Failback Hold Time (seconds) that the firewall waits for a recovered link to remain qualified before the firewall reinstates that link as the preferred link after it has failed over (range is 20 to 120; default is 120).
- Click OK to save the profile.
- Commit and Commit and Push your configuration changes.
- Monitor your application and link path health metrics, and generate reports of your application and link health performance. For more information, see Monitoring and Reporting.
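The steps above encode several rules that are easy to get wrong when many profiles are built by hand: the numeric ranges for link speed and probe timers, which link types can form tunnels with each other, which predefined zone Panorama will assign when the zone-rewrite conditions a) and b) are met, and how much probe traffic a Relaxed profile actually sends compared with an Aggressive one. The following Python script is an added example, not PAN-OS or Panorama code and not an API the product exposes; it models an interface profile as a plain data structure and checks those rules offline so that a template can be reviewed before it is committed and pushed. The profile names, link tags and numbers used in the `main()` demonstration are constructed for illustration.

```python
"""Offline sanity checks for SD-WAN interface profile settings.

Constructed example: the ranges, defaults, link-type classes and zone rules
below are taken from the configuration steps in this page, not from any
PAN-OS API.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import List, Optional

# Link types as listed in the profile, split into the two tunnel-forming classes.
PUBLIC_LINK_TYPES = {"Ethernet", "ADSL/DSL", "Cable modem", "Fiber",
                     "LTE/3G/4G/5G", "WiFi", "Other"}
PRIVATE_LINK_TYPES = {"MPLS", "Satellite", "Microwave/Radio"}
# Link types whose default path-monitoring mode is Relaxed rather than Aggressive.
RELAXED_BY_DEFAULT = {"LTE/3G/4G/5G", "Satellite"}


@dataclass
class SdwanInterfaceProfile:
    name: str
    link_tag: str
    link_type: str
    max_download_mbps: Decimal
    max_upload_mbps: Decimal
    vpn_data_tunnel_support: bool = True
    path_monitoring: str = "Aggressive"   # "Aggressive" or "Relaxed"
    probe_frequency: int = 5              # probes per second, range 1-5
    probe_idle_time: int = 60             # seconds between probe sets, range 1-60
    failback_hold_time: int = 120         # seconds, range 20-120


def _speed_ok(mbps: Decimal) -> bool:
    """Speed must be 0-100,000 Mbps with at most three decimal places."""
    in_range = Decimal(0) <= mbps <= Decimal(100_000)
    decimals = -mbps.as_tuple().exponent  # negative exponent = digits after the point
    return in_range and decimals <= 3


def validate(profile: SdwanInterfaceProfile) -> List[str]:
    """Return the list of problems found; an empty list means the profile is consistent."""
    problems = []
    if profile.link_type not in PUBLIC_LINK_TYPES | PRIVATE_LINK_TYPES:
        problems.append(f"unknown link type {profile.link_type!r}")
    if not _speed_ok(profile.max_download_mbps):
        problems.append("max download must be 0-100000 Mbps with at most 3 decimals")
    if not _speed_ok(profile.max_upload_mbps):
        problems.append("max upload must be 0-100000 Mbps with at most 3 decimals")
    if profile.path_monitoring not in ("Aggressive", "Relaxed"):
        problems.append("path monitoring must be Aggressive or Relaxed")
    if not 1 <= profile.probe_frequency <= 5:
        problems.append("probe frequency must be 1-5 per second")
    if profile.path_monitoring == "Relaxed" and not 1 <= profile.probe_idle_time <= 60:
        problems.append("probe idle time must be 1-60 seconds")
    if not 20 <= profile.failback_hold_time <= 120:
        problems.append("failback hold time must be 20-120 seconds")
    # The page says to leave VPN data tunnel support enabled on public link types;
    # disabling it there sends branch-hub traffic in clear text over the internet.
    if profile.link_type in PUBLIC_LINK_TYPES and not profile.vpn_data_tunnel_support:
        problems.append("VPN data tunnel support disabled on a public link type")
    return problems


def can_form_tunnel(link_type_a: str, link_type_b: str) -> bool:
    """Public links tunnel with any public link; private links only with the same type."""
    if link_type_a in PUBLIC_LINK_TYPES and link_type_b in PUBLIC_LINK_TYPES:
        return True
    if link_type_a in PRIVATE_LINK_TYPES and link_type_b in PRIVATE_LINK_TYPES:
        return link_type_a == link_type_b
    return False


def predicted_sdwan_zone(role: str, profile: SdwanInterfaceProfile) -> Optional[str]:
    """Predefined zone Panorama assigns to a pre-existing interface zone (None = unchanged).

    Condition a: private point-to-point link type. Condition b: VPN data tunnel
    support disabled. The hub needs a); the branch needs both a) and b).
    """
    cond_a = profile.link_type in PRIVATE_LINK_TYPES
    cond_b = not profile.vpn_data_tunnel_support
    if role == "hub" and cond_a:
        return "zone-to-branch"
    if role == "branch" and cond_a and cond_b:
        return "zone-to-hub"
    return None


def average_probe_rate(profile: SdwanInterfaceProfile) -> float:
    """Average probes per second over one full monitoring cycle.

    Aggressive probes continuously; Relaxed idles for probe_idle_time seconds and
    then probes for seven seconds at probe_frequency.
    """
    if profile.path_monitoring == "Aggressive":
        return float(profile.probe_frequency)
    cycle_seconds = profile.probe_idle_time + 7
    return 7 * profile.probe_frequency / cycle_seconds


def main() -> None:
    hub_mpls = SdwanInterfaceProfile("hub-mpls", "mpls-primary", "MPLS",
                                     Decimal("100"), Decimal("50"),
                                     vpn_data_tunnel_support=False)
    branch_lte = SdwanInterfaceProfile("branch-lte", "lte-backup", "LTE/3G/4G/5G",
                                       Decimal("10.456"), Decimal("5"),
                                       path_monitoring="Relaxed")
    for p in (hub_mpls, branch_lte):
        print(p.name, "problems:", validate(p) or "none",
              "| hub zone:", predicted_sdwan_zone("hub", p),
              "| branch zone:", predicted_sdwan_zone("branch", p),
              "| avg probes/s: %.3f" % average_probe_rate(p))
    print("MPLS<->Satellite tunnel:", can_form_tunnel("MPLS", "Satellite"))
    print("Ethernet<->Other tunnel:", can_form_tunnel("Ethernet", "Other"))


if __name__ == "__main__":
    main()
```

Running the script shows that the Relaxed LTE profile with default timers averages roughly 0.52 probes per second (35 probes in a 67-second cycle) against 5 per second for an Aggressive profile, which is the bandwidth and metered-usage trade-off the Relaxed mode is meant for; it also makes the zone rewrite visible before a push so that policies referencing the old zone name can be updated in the same change.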