PAN-OS & Panorama

1. Log in to the Panorama Web Interface.
2. Select NetworkNetwork ProfilesSD-WAN Interface Profile and select the appropriate template from the Template context drop-down.
3. Add an SD-WAN interface profile.
4. Enter a user-friendly Name for the SD-WAN interface profile, which you’ll see in reporting, troubleshooting, and statistics.
5. Select the vsys Location if you have a multi-vsys Panorama™ management server. By default, vsys1 is selected.
6. Select the Link Tag that this profile will assign to the interface.
7. Add a Description for the profile.
8. Select the physical Link Type from the predefined list (ADSL/DSL, Cable modem, Ethernet, Fiber, LTE/3G/4G/5G, MPLS, Microwave/Radio, Satellite, WiFi, Private Link1, Private Link2, Private Link3, Private Link4, or Other). (Beginning with PAN-OS 11.0.4, SD-WAN plugin 3.1.3 and later 3.1 releases) (PAN-OS 11.1.3, SD-WAN plugin 3.2.1 and later releases) We support the additional point-to-point private link types such as, Private Link1, Private Link2, Private Link3, and Private Link4. We do not support plain text traffic from SD-WAN branch firewall to SD-WAN hub firewall for Private Link1, Private Link2, Private Link3, and Private Link4 link types. When you configure any of the new private link types, ensure that you have an SD-WAN policy rule on the hub that is configured only with public link type. Because when the internet-bound traffic backhauls or fails to the hub from the branch, it must match with this SD-WAN policy rule. Otherwise, the traffic gets dropped as these private links (Private Link1, Private Link2, Private Link3, and Private Link4) are part of the direct internet access (DIA) SD-WAN interface.

   (For PAN-OS 11.0.4 and later releases, SD-WAN plugin 3.1.3 and later releases) To enable the additional point-to-point private link types, you must ensure the following:

   • Panorama Management Server should be running on PAN-OS 11.0.4
   • Panorama managed devices must be running on PAN-OS 11.0.4
   • SD-WAN plugin version must be 3.1.3

   (For PAN-OS 11.1.3 and later releases, SD-WAN plugin 3.2.1 and later releases) To enable the additional point-to-point private link types, you must ensure the following:

   • Panorama Management Server should be running on PAN-OS 11.1.3
   • Panorama managed devices must be running on PAN-OS 11.1.3
   • SD-WAN plugin version must be 3.2.1

   (For PAN-OS 11.2.0 and later releases, SD-WAN plugin 3.3.0 and later releases ) To enable the additional point-to-point private link types, you must ensure the following:

   • Panorama Management Server should be running on PAN-OS 11.2.0
   • Panorama managed devices must be running on PAN-OS 11.2.0
   • SD-WAN plugin version must be 3.3.0

   The firewall can support any CPE device that terminates and hands off as an Ethernet connection to the firewall; for example, WiFi access points, LTE modems, laser/microwave CPEs all can terminate with an Ethernet handoff.

   The following link types will form tunnels with only the same link type:

   • Public (or Other) link types—Ethernet, ASDL/DSL, Cable modem, Fiber, LTE/3G/4G/5G, WiFi, and Other.
     Any public link type to any other public link type will create a tunnel successfully. For example, Ethernet-to-Other and Other-to-Other link types will create the tunnels successfully.
   • Private and Point-to-Point link types—MPLS, Satellite, Private Link1, Private Link2, Private Link3, Private Link4, and Microwave/Radio.
     A private link type can create the tunnel only with the same private link type. For example, MPLS-to-MPLS and satellite-to-satellite link types are valid and therefore the tunnels will be created successfully, but MPLS-to-satellite won't create the tunnel.

   (SD-WAN plugin 2.0 and later versions) For existing PAN-OS deployments that have zones defined on the interfaces that will be used to support SD-WAN, Panorama may automatically configure the interface’s zone name to one of the predefined SD-WAN zones under the following conditions:

   1. The SD-WAN interface is configured as a point-to-point private Link Type (MPLS, Satellite, or Microwave) in its Interface Profile.
   2. The VPN Data Tunnel Support checkbox is disabled (unchecked) on the SD-WAN Interface Profile. This instructs PAN-OS to forward traffic in clear text outside of the SD-WAN VPN tunnel. Because Private Link1, Private Link2, Private Link3, and Private Link4 link types don't support plain text traffic from SD-WAN branch firewall to SD-WAN hub firewall, you must leave VPN Data Tunnel Support option enabled when you configure these private link types.

   (SD-WAN plugin 2.0 and later versions) On the Hub firewall, the zone name is configured as “zone-to-branch” when condition a) is met. On the Branch firewall, the zone name is configured as “zone-to-hub” when both condition a) and condition b) are met. Panorama automates this step to simplify configuration to ensure proper communication between the hub and branch firewalls. If you have preexisting firewall policies that reference the old zone name, you must update the policies to reflect the new predefined SD-WAN zone name.
9. Specify the Maximum Download (Mbps) speed from the ISP in megabits per second (range is 0 to 100,000; there is no default). You can enter a range using up to three decimal places, for example, 10.456. Ask your ISP for the link speed or sample the link’s maximum speeds with a tool such as speedtest.net and take an average of the maximums over a good length of time.
10. Specify the Maximum Upload (Mbps) speed to the ISP in megabits per second (range is 0 to 100,000; there is no default). You can enter a range using up to three decimal places, for example, 10.456. Ask your ISP for the link speed or sample the link’s maximum speeds with a tool such as speedtest.net and take an average of the maximums over a good length of time.
11. (SD-WAN plugin 2.0 and later versions) Select Eligible for Error Correction Profile interface selection to enable Forward Error Correction (FEC) or packet duplication for interfaces. You must enable this on both the encoding and decoding firewalls; you must also create an error correction profile to apply to the SD-WAN policy rule for specific applications.
12. (PAN-OS 9.1.2 and later versions) VPN Data Tunnel Support determines whether the branch-to-hub traffic and return traffic flows through a VPN tunnel for added security (the default method) or flows outside of the VPN tunnel to avoid encryption overhead.

    • Leave VPN Data Tunnel Support enabled for public link types that have direct internet connections or internet breakout capability, such as cable modem, ADSL, and other internet connections.
    • You can disable VPN Data Tunnel Support for private link types such as MPLS, satellite, or microwave that do not have internet breakout capability except Private Link1, Private Link2, Private Link3, and Private Link4 link types. However, you must first ensure the traffic cannot be intercepted because it will be sent outside of the VPN tunnel.
    • (SD-WAN plugin 3.1.3 and later releases) Because Private Link1, Private Link2, Private Link3, and Private Link4 link types don't support plain text traffic from SD-WAN branch firewall to SD-WAN hub firewall, you must leave VPN Data Tunnel Support enabled when you configure these private link types.
    • The branch may have DIA traffic that needs to fail over to the private MPLS link connecting to the hub, and reach the internet from the hub. The VPN Data Tunnel Support setting determines whether the private data flows through the VPN tunnel or flows outside the tunnel, and the failed over traffic uses the other connection (that the private data flow doesn’t use). The firewall uses zones to segment DIA failover traffic from private MPLS traffic.
13. (PAN-OS 10.0.3 and later versions) If you configure DIA AnyPath, a principal virtual interface can have multiple hub virtual interfaces, so you must prioritize the order in which a particular hub is selected for failover. Specify such priority by setting the VPN Failover Metric for the VPN tunnels bundled in the hub virtual interface where this profile is applied. The lower the metric, the higher the priority of the interface to be selected during failover. If multiple hub virtual interfaces have the same metric value, SD-WAN sends new session traffic to them in round-robin fashion.

14. (Optional) Select the Path Monitoring mode in which the firewall monitors the interfaces where you apply this SD-WAN Interface Profile.

    The firewall selects what it considers the best monitoring method based on Link Type. Retain the default setting for the link type unless an interface (where you apply this profile) has issues that require more aggressive or more relaxed path monitoring.

    • Aggressive—(Default for all link types except LTE and Satellite) Firewall sends probe packets to the opposite end of the SD-WAN link at a constant frequency. Use this mode if you need fast detection and failover for brownout and blackout conditions.
    • Relaxed—(Default for LTE and Satellite link types) Firewall waits for a number of seconds (the Probe Idle Time) between sending sets of probe packets, making path monitoring less frequent. When the probe idle time expires, firewall sends probes for seven seconds at the Probe Frequency configured. Use this mode when you have low bandwidth links, links that charge by usage (such as LTE), or when fast detection isn’t as important as preserving cost and bandwidth.
15. Set the Probe Frequency (per second), which is the number of times per second that the firewall sends a probe packet to the opposite end of the SD-WAN link (range is 1 to 5; default is 5). The default setting provides subsecond detection of brownout and blackout conditions.

    If you change the Probe Frequency for a Panorama template, you should also adjust the Packet Loss percentage threshold in a Path Quality profile for a Panorama device group.
16. If you select Relaxed path monitoring, you can set the Probe Idle Time (seconds) that the firewall waits between sets of probe packets (range is 1 to 60; default is 60).
17. Enter the Failback Hold Time (seconds) that the firewall waits for a recovered link to remain qualified before the firewall reinstates that link as the preferred link after it has failed over (range is 20 to 120; default is 120).
18. Click OK to save the profile.
19. Commit and Commit and Push your configuration changes.
20. Monitor your application and link path health metrics, and generate reports of your application and link health performance. For more information, see monitoring and reporting.