PAN-OS & Panorama

Set up and configure SD-WAN on PAN-OS & Panorama for Palo Alto Networks Next-Generation Firewalls.
The following list previews the configuration tasks you need to perform to prepare for your SD-WAN deployment. The detailed steps for each task appear in the subsequent task topics.
  1. Onboard the firewall to the Panorama management server either manually or using ZTP. Create basic device groups and templates.
  2. Create link tags. Link tags enable you to identify common link types and link them with the SD-WAN interface profiles. They are free-form entries that are referenced in multiple locations, so be consistent and use meaningful names when creating them.
  3. Create an SD-WAN interface profile to define the link type, link tag, upload and download bandwidth speed of the link, and path monitoring link types (aggressive or relaxed).
  4. Enable SD-WAN in Ethernet, sub Ethernet, and Aggregated Ethernet Interfaces; then add the next hop gateway and apply the SD-WAN interface profile.
  5. As part of your SD-WAN policy, you use SD-WAN traffic distribution profiles to assign which traffic distribution method the path-selection algorithm uses for an application. The path-selection algorithm uses the path metrics, thresholds, and sensitivities as defined in a path quality profile.
  6. (Optional) Each SD-WAN path quality profile (PQP) consists of a set of ranked metrics and thresholds that an application requires for optimal performance. You can use the predefined PQPs or create custom PQPs.
  7. Create the zone-internal, zone-to-branch, and zone-to-hub security zones (the names are case sensitive). The SD-WAN plugin will create these zones, but the best practice is to preprovision them so they can be added to existing Security policy rules before the SD-WAN transition. Every transport or interface participating in SD-WAN needs to be in the same security zone.
  8. Define the SD-WAN policy rules. SD-WAN policies are similar to security policy rules. You can also apply Path Quality Profiles and Traffic Distribution Profiles in the SD-WAN policy rules.
  9. After completing the above steps, follow this workflow to complete your SD-WAN deployment using the SD-WAN plugin.
  10. Add the Palo Alto Networks firewall as an SD-WAN hub or a branch device to the SD-WAN plugin.
  11. Create a VPN Cluster with the appropriate cluster type (hub and spoke or mesh) based on your network topology requirement. Then add the branches and hubs to your selected topology.
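
The naming and consistency points in steps 2, 3, 4, and 7 can be checked offline before anything is pushed. The following is an added example, not Palo Alto Networks code: the plan layout, its keys, and the sample values are hypothetical and do not represent a PAN-OS or Panorama schema.

```python
# Added example: offline preflight check of a planned SD-WAN rollout.
# The plan layout (keys and field names) is hypothetical, not a PAN-OS/Panorama schema.
REQUIRED_ZONES = ("zone-internal", "zone-to-branch", "zone-to-hub")

def preflight(plan):
    """Return a list of findings; an empty list means the plan passed."""
    findings = []
    tags = set(plan["link_tags"])
    zones = set(plan["zones"])
    # Zone names are case sensitive: a near miss such as "Zone-to-Hub" does not match.
    for name in REQUIRED_ZONES:
        if name not in zones:
            near = sorted(z for z in zones if z.lower() == name)
            hint = f" (found {near[0]!r}, wrong case)" if near else ""
            findings.append(f"zone {name!r} not preprovisioned{hint}")
    # Link tags are free-form, so flag tags that differ only by case or whitespace.
    seen = {}
    for tag in sorted(tags):
        key = tag.strip().lower()
        if key in seen:
            findings.append(f"link tags {seen[key]!r} and {tag!r} look like duplicates")
        seen.setdefault(key, tag)
    # Every interface profile must reference a link tag that was actually created.
    for name, prof in sorted(plan["interface_profiles"].items()):
        if prof["link_tag"] not in tags:
            findings.append(f"profile {name!r} references undefined link tag {prof['link_tag']!r}")
    # Every SD-WAN interface needs a known profile, and all must share one zone.
    sdwan_zones = set()
    for ifname, iface in sorted(plan["interfaces"].items()):
        if iface["profile"] not in plan["interface_profiles"]:
            findings.append(f"interface {ifname!r} uses unknown profile {iface['profile']!r}")
        sdwan_zones.add(iface["zone"])
    if len(sdwan_zones) > 1:
        findings.append(f"SD-WAN interfaces span multiple zones: {sorted(sdwan_zones)}")
    return findings

# Constructed sample plan containing deliberate mistakes.
SAMPLE_PLAN = {
    "link_tags": ["Broadband", "broadband", "MPLS"],
    "zones": ["zone-internal", "zone-to-branch", "Zone-to-Hub", "untrust"],
    "interface_profiles": {"isp1": {"link_tag": "Broadband"}, "mpls1": {"link_tag": "Mpls"}},
    "interfaces": {
        "ethernet1/1": {"profile": "isp1", "zone": "untrust"},
        "ethernet1/2": {"profile": "mpls1", "zone": "wan"},
    },
}
```

Calling `preflight(SAMPLE_PLAN)` returns four findings: the miscased zone, the near-duplicate link tags, the profile pointing at an undefined tag, and the interfaces split across two zones.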