Plan Your SD-WAN Configuration

1. Plan the branch and hub locations, link requirements, and IP addresses. From Panorama you will export an empty SD-WAN device CSV and populate it with branch and hub information.

   1. Decide the role of each firewall (branch or hub).
   2. Determine which branches will communicate with which hubs; each functional group of branch and hub firewalls that communicate with each other is a VPN cluster. For example, your VPN clusters might be organized geographically or by function.
   3. Determine the ISP link types that each branch and hub support: ADSL/DSL, cable modem, Ethernet, fiber, LTE/3G/4G/5G, MPLS, microwave/radio, satellite, and WiFi.
   4. Determine the maximum download and upload bandwidth (Mbps) that the link types support and how you want to apply these speed controls to links, as described in Step 2. Record the ISP link’s maximum download and upload bandwidth (Mbps). This information will serve as reference egress maximums if you need to configure QoS to control the application bandwidth.
   5. Gather the public IP addresses of branch firewalls, whether they are static or dynamically assigned. The firewall must have an internet-routable, public IP address so it can initiate and terminate IPSec tunnels and route application traffic to and from the internet.

      The ISP’s customer premise equipment must be directly connected to the Ethernet interface on the firewall.

      If you have a device that performs NAT located between the branch firewall and the hub, the NAT device can prevent the firewall from bringing up IKE peering and IPSec tunnels. If the tunnel fails, work with the administrator of the remote NAT device to resolve the issue.
   6. Gather the private network prefixes and serial numbers of branch and hub firewalls.
   7. Decide the link type of each firewall interface.

      Allocate the same link types on the same Ethernet interfaces across the branch firewalls to make configuration easier. For example, Ethernet1/1 is always cable modem.
   8. Decide on the naming conventions for your sites and SD-WAN devices.

      Do not use the simple hostnames “hub” or “branch” because Auto VPN configuration uses these keywords to generate various configuration elements.
   9. If you already have zones in place before configuring SD-WAN, decide how to map those zones to the predefined zones that SD-WAN uses for path selection. You will map existing zones to the predefined zones named zone-internal, zone-to-hub, zone-to-branch, and zone-internet.

      Information you will enter into a CSV (so that you can add multiple SD-WAN devices at once) includes: serial number, type of device (branch or hub), names of zones to map to predefined zones (pre-existing customers), loopback address, prefixes to redistribute, AS number, router ID, and virtual router name.
2. Plan link bundles and VPN security for private links.

   A link bundle lets you combine multiple physical links into one virtual SD-WAN interface for purposes of path selection and failover protection. By having a bundle of more than one physical link, you maximize application quality in case a physical link deteriorates. You create a bundle by applying the same link tag to multiple links (via an SD-WAN Interface Profile). The link tag identifies a bundle of links that have a similar type of access and similar type of SD-WAN policy handling. For example, you can create a link tag named low cost broadband and include the cable modem and fiber broadband services.
3. Identify the applications that will use SD-WAN and QoS optimization.

   1. Identify the critical and the latency-sensitive business applications for which you will provide SD-WAN control and policies. These are applications that require a good user experience, and are likely to fail under poor link conditions.

      Start with the most critical and latency-sensitive applications; you can add applications after SD-WAN is functioning smoothly.
   2. Identify the applications that require QoS policies so you can prioritize bandwidth. These should be the same applications you identified as critical or latency-sensitive.

      Start with the most critical and latency-sensitive applications; you can add applications after SD-WAN is functioning smoothly.
4. Determine when and how you want links to fail over to a different link in the event the original link degrades or fails.

   1. Decide on the path monitoring mode for a link, although the best practice is to retain the default setting for the link type:

      • Aggressive—The firewall sends probe packets to the opposite end of the SD-WAN link at a constant frequency (five probes per second by default). Aggressive mode is appropriate for links where monitoring path quality is critical; where you need fast detection and failover for brownout and blackout conditions. Aggressive mode provides subsecond detection and failover.
      • Relaxed—The firewall observes a configurable idle time between sending probe packets for seven seconds (at the probe frequency you configure), which makes path monitoring less frequent than aggressive mode. Relaxed mode is appropriate for links that have very low bandwidth, links that are expensive to operate, such as satellite or LTE, or when fast detection isn’t as important as preserving cost and bandwidth.
   2. Prioritize the order in which the firewall selects the first link for a new session and the order in which links should be a candidate to replace a link that is failing over, if there is more than one candidate.

      For example, if you want an expensive backup LTE link to be the last link used (only when the inexpensive broadband links are oversubscribed or completely down), then use the Top Down Priority traffic distribution method and place the tag that is on the LTE link last in the list of tags for the Traffic Distribution profile.
   3. For the applications and services, determine the path health thresholds at which you consider a path to have degraded enough in quality that you want the firewall to select a new path (fail over). The quality characteristics are latency (range is 10 to 2,000 ms), jitter (range is 10 to 1,000 ms), and packet loss percentage.

      These thresholds constitute a Path Quality profile, which you reference in an SD-WAN policy rule. When any single threshold (for packet loss, jitter, or latency) is exceeded (and the remaining rule criteria are met), the firewall chooses a new preferred path for the matching traffic. For example, you can create Path Quality profile AAA with latency/jitter/packet loss thresholds of 1000/800/10 to use in Rule 1 when FTP packets come from source zone XYZ, and create Path Quality profile BBB (with thresholds of 50/200/5) to use in Rule 2 when FTP packets come from source IP address 10.1.2.3. Best practice is to start with high thresholds and test how the application tolerates them. If you set the values too low, the application may switch paths too frequently.

      Consider whether the applications and services you are using are especially sensitive to latency, jitter, or packet loss. For example, a video application might have good buffering that mitigates latency and jitter, but would be sensitive to packet loss, which impacts the user experience. You can set the sensitivity of the path quality parameters in the profile to high, medium or low. If the sensitivity settings for latency, jitter, and packet loss are the same, the firewall examines the parameters in the order of packet loss, latency, jitter.
   4. Decide if there are links among which to load share new sessions for an application or service.
5. Plan the BGP configurations that Panorama will push to branches and hubs to dynamically route traffic between them.

   1. Plan BGP route information, including a four-byte autonomous system number (ASN). Each firewall site is in a separate AS and therefore must have a unique ASN. Each firewall must also have a unique Router ID.
   2. Before implementing SD-WAN with BGP routing in an environment where BGP is already in use, ensure that the BGP configuration generated by the SD-WAN plugin doesn’t conflict with your existing BGP configuration. For example, you must use the existing BGP AS number and router ID values for the corresponding SD-WAN device values.
   3. If you don’t want to use BGP dynamic routing, plan to use Panorama’s network configuration features to push out other routing configurations. You can do static routing between the branch and hubs. Simply omit all of the BGP information in the Panorama plugin and use normal virtual router static routes to perform static routing.
6. Consider the capacities of firewall models for virtual SD-WAN interfaces, SD-WAN policy rules, log size, IPSec tunnels (including proxy IDs), IKE peers, BGP and static route tables, BGP routing peers, and performance for your firewall mode (App-ID™, threat, IPSec, decryption). Ensure the branch and hub firewall models you intend to use support the capacities you require.