SD-WAN Devices
Add SD-WAN branch and hub firewalls to be managed by Panorama.

Panorama > SD-WAN > Devices
Add the SD-WAN firewall branches and hubs that make up your VPN cluster and SD-WAN topology that the Panorama management server will manage. You can also Group HA Peers so HA peers appear consecutively on the list of devices for ease of use. You can select BGP Policy to have Panorama create and push to firewalls a Security policy rule that allows BGP to run between branches and hubs. In SD-WAN plugin 3.1.1 and later releases, select IPv4 BGP Policy or IPv6 BGP Policy.
| Field | Description |
|---|---|
| Add | |
| Name | Enter a Name that identifies the SD-WAN firewall. |
| Type | Select the Type of SD-WAN firewall (Hub or Branch). |
| Enable Multi-VR Support | (Optional) (PAN-OS 11.1.3 and later releases, and SD-WAN Plugin 3.2.1 and later releases) Enable Multi-VR Support to configure multiple virtual routers on the SD-WAN hub. With multiple virtual routers on the SD-WAN hub, you can have overlapping IP subnet addresses on branch devices connecting to the same SD-WAN hub. When you select the Type of SD-WAN device as Hub, you can configure multiple virtual routers by selecting the Enable Multi-VR Support option. When you enable this feature, ensure that the virtual router names on branches match the virtual router name on at least one hub that is part of the VPN cluster. |
| Router Name | Select the virtual router to use for routing between the SD-WAN hub and branches. By default, Panorama creates an sdwan-default virtual router and enables Panorama to automatically push router configurations. |
| Site | Enter a user-friendly Site name that identifies the hub or branch. For example, enter the city name where the branch firewall is deployed. |
| BGP | Enable BGP to configure BGP routing for SD-WAN traffic. |
| Router ID | Specify the BGP router ID, which must be unique for all routers. Use the Loopback Address as the Router ID. |
| Loopback Address | Specify a static loopback IPv4 address for BGP peering. |
| AS Number | Enter the Autonomous System number of the private AS to which the virtual router on the hub or branch belongs. The SD-WAN plugin supports only private autonomous systems. The AS number must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or 64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534. Use a 4-byte private ASN. |
| IPv4 BGP | |
| Enable IPv4 BGP support | Enable IPv4 BGP to configure BGP routing for SD-WAN traffic. |
| Loopback Address | Enter the IPv4 Loopback address for BGP peering. |
| Remove Private AS | Disable (uncheck) the Remove Private AS option (default is enabled) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don't want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates. This setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin. If you change the Remove Private AS setting, commit to all SD-WAN cluster nodes, and subsequently downgrade to an SD-WAN plugin version earlier than 2.0.2, then you must perform all configuration related to Remove Private AS outside of the SD-WAN plugin or directly on the firewalls. |
| Prefixes to Redistribute | Add IPv4 prefixes with /prefix length to redistribute to the hub router from the branch. By default, all locally connected internet prefixes are advertised to the hub. However, a hub doesn't redistribute every route to the branch because the hub can have many connected routes to different branches or ISPs. Therefore, when configuring a hub device, a prefix to redistribute is mandatory. Palo Alto Networks does not redistribute the branch office default routes learned from the ISP. |
| IPv6 BGP | |
| Enable IPv6 BGP support | Enable IPv6 BGP to configure BGP routing for SD-WAN traffic. |
| IPv6 Loopback Address | Enter the IPv6 Loopback address for BGP peering. |
| Prefixes to Redistribute | Add IPv6 prefixes with /prefix length to redistribute to the hub router from the branch. By default, all locally connected internet prefixes are advertised from the branch to the hub. However, a hub doesn't redistribute every route to the branch because the hub can have many connected routes to different branches or ISPs. Therefore, when configuring a hub device, a prefix to redistribute is mandatory. Palo Alto Networks does not redistribute the branch office default routes learned from the ISP. |
| BGP Security Policy | |
| BGP Policy | Select BGP Security Policy and then Add to have Panorama automatically create and push to firewalls a Security policy rule that allows BGP to run between branches and hubs. |
| Policy Name | Enter a name for the Security policy rule that Panorama automatically creates. |
| Select Device Groups | Select the device groups to which Panorama pushes the Security policy rule. |
| Panorama Connectivity (Optional) (PAN-OS 11.1.8 and later releases, and SD-WAN Plugin 3.2.4 and later releases) | |
| Create dedicated tunnels to Panorama | Enable Create dedicated tunnels to Panorama to establish secure IPSec tunnels between SD-WAN devices and Panorama through designated termination devices, ensuring continuous management connectivity even when the primary SD-WAN overlay network fails. |
| VPN Address Pool | Enter a non-overlapping IP address subnet (CIDR block) for establishing dedicated tunnels between SD-WAN devices and Panorama. Ensure that this address range doesn't conflict with existing SD-WAN overlay network addressing. |
| Primary Termination Device | Enter the branch or hub firewall (in the SD-WAN deployment) responsible for terminating IPSec tunnels from branch locations and providing connectivity to Panorama. The primary termination device acts as the primary gateway between your SD-WAN network and the Panorama management system. |
| Preferred DIA | Select a primary SD-WAN-enabled interface on the termination device. The SD-WAN plugin uses the preferred DIA as the primary path for establishing dedicated tunnels to Panorama, providing the main connectivity route for management traffic. |
| (Optional) Backup DIA | Select a secondary SD-WAN-enabled interface on the termination device that will be used if the preferred DIA interface fails, providing redundancy for maintaining continuous connectivity to Panorama. |
| (Optional) Secondary Termination Device | Select a backup SD-WAN device to handle tunnel termination if the primary termination device becomes unavailable. This device provides an additional layer of redundancy for maintaining Panorama connectivity throughout the network. |
| Preferred DIA (for Secondary Termination Device) | Select the SD-WAN-enabled interface on the backup termination device that is used as the primary path for establishing dedicated tunnels to Panorama when the secondary device is active. |
| (Optional) Backup DIA (for Secondary Termination Device) | Select a secondary SD-WAN-enabled interface on the backup termination device that will be used if its preferred DIA interface fails, providing an additional layer of redundancy for maintaining Panorama connectivity when the secondary termination device is active. |
| Dedicated Tunnel NAT Policy (Mandatory when enabling dedicated tunnel to Panorama) (PAN-OS 11.1.8 and later releases, and SD-WAN Plugin 3.2.4 and later releases) | |
| NAT Policy | Select Dedicated Tunnel NAT Policy and then Add the NAT policy for the dedicated tunnel to the selected device group. |
| Select the Device Group Type | Select the Hub or Branch device group type. |
| Select Device Groups | Select the device groups to which Panorama pushes the NAT policy rule. |
| Virtual Routers (Optional) (PAN-OS 11.1.3 and later releases, and SD-WAN Plugin 3.2.1 and later releases) | |
| Virtual Router | Enter a virtual router name to define a new virtual router. |
| Zone | Select an already created Zone in the hub template (Network > Zones) that is appropriate for the virtual router that you are configuring. |
| Enable IPv4 BGP support | BGP routing uses IPv4 addresses, so Enable IPv4 BGP Support is enabled by default. |
| Upstream NAT | Select this tab if you are adding an SD-WAN hub or branch device that is behind a NAT device. |
| Upstream NAT | Enable Upstream NAT for the hub. Beginning with SD-WAN Plugin 2.0.1, you can enable Upstream NAT for a branch. |
| SD-WAN Interface | Select an interface on the hub or branch that you have already configured for SD-WAN. |
| NAT IP Address Type | Select one of the following: Auto VPN Configuration uses this address as the tunnel endpoint of the hub or branch. |
| (SD-WAN Plugin 3.1.1 and later 3.1 releases) IPv4 BGP Policy | |
| Policy Name | Enter a name for the Security policy rule that Panorama automatically creates. |
| Type | Select Hub or Branch. |
| Select Device Groups | Select the device groups to which Panorama pushes the Security policy rule. |
| (SD-WAN Plugin 3.1.1 and later 3.1 releases) IPv6 BGP Policy | |
| Policy Name | Enter a name for the Security policy rule that Panorama automatically creates. |
| Type | Select Hub or Branch. |
| Select Device Groups | Select the device groups to which Panorama pushes the Security policy rule. |
| VPN Tunnel | |
| Copy ToS Header | (PAN-OS 10.2.1 and later 10.2 releases and SD-WAN 3.0.1 and later 3.0 releases) Copy the Type of Service (ToS) field (ToS bits or Differentiated Services Code Point [DSCP] markings) from the inner IPv4 header to the VPN header of the encapsulated packets in order to preserve the original ToS information. This also copies the Explicit Congestion Notification (ECN) field. |
| Authentication | Select the type of authentication, Pre Shared Key or Certificate, that will occur with the peer gateway. |
| Certificate Fields | |
| Local Certificate | If Certificate is selected as the Authentication type, select a certificate that is already on the firewall. Alternatively, you can Import a certificate or Generate a new certificate, as follows. Import: |
| Local Certificate (cont) | Generate: |
| Certificate Profile | Select a profile or create a new Certificate Profile that configures the certificate options that apply to the certificate that the local gateway sends to the peer gateway. See Panorama > Certificate Management > Certificate Profile. |
| Enable strict validation of peer's extended key use | Select if you want to strictly control how the key is used. |
| Comment | Enter an optional description. |
| Group HA Peers | Click the checkbox at the bottom of the screen to cause HA peers to appear consecutively on the list of devices for ease of use. |
| Prisma Access Onboarding | |
| Interface | Select the physical, sub-interface, or aggregate ethernet interface for which you have enabled SD-WAN functionality. |
| Tenant | Select the Prisma Access deployment for which to leverage SD-WAN. |
| Comment | Enter a comment to describe the Prisma Access deployment leveraging SD-WAN. Up to 1,024 characters are supported. |
| Region | Select the location where the Prisma Access hub is deployed. The list of available regions is based on the Tenant you select. |
| IPSec Termination Nodes | Select an IPSec Termination Node associated with the remote network secured by the Prisma Access deployment. You can select up to four (4) IPSec Termination Nodes for a single Prisma Access deployment. The list of available IPSec Termination Nodes is based on the Region and Tenant you selected. |
| BGP | Check (enable) BGP for the IPSec tunnel. Displays true if enabled and false if disabled. |
| Advertise Default Route | Check (enable) to allow Prisma Access to advertise a default route for the remote network using eBGP when leveraging SD-WAN for Prisma Access deployments. Displays true if enabled and false if disabled. When onboarding and configuring remote networks for your Prisma Access deployment, you must publish your default routes before you make the selection to advertise them. In addition, be sure that the remote network does not have another default route advertised by BGP, or you could introduce routing issues in your network. |
| Summarize Mobile User Routes Before Advertising | Check (enable) to summarize mobile user IP subnets advertised over BGP, reducing the number of mobile user IP subnets advertised to customer premises equipment (CPE). Displays true if enabled and false if disabled. By default, Prisma Access advertises the mobile user IP address pools in blocks of /24 subnets. If you summarize them, Prisma Access advertises the pool based on the subnet you specified. For example, Prisma Access advertises a public mobile user IP pool of 10.8.0.0/20 using the /20 subnet, rather than dividing the pool into subnets of 10.8.1.0/24, 10.8.2.0/24, 10.8.3.0/24, and so on before advertising them. Summarizing routes in advertisements can reduce the number of routes stored in CPE routing tables. |
| Don't Advertise Prisma Access Routes | Check (enable) to prevent the Prisma Access BGP peer from forwarding routes into your organization's network when leveraging SD-WAN for Prisma Access deployments. Displays true if enabled and false if disabled. By default, Prisma Access advertises all BGP routing information, including local routes and all prefixes it receives from other service connections, remote networks, and mobile user subnets. Enable this setting to prevent Prisma Access from sending any BGP advertisements when leveraging SD-WAN, but still use the BGP information it receives to learn routes from other BGP neighbors. Because Prisma Access does not send BGP advertisements if this setting is enabled, you must configure static routes on the on-premises equipment to establish routes back to Prisma Access. |
| Prisma AS Number | The Autonomous System number of the private AS to which the virtual router on the Prisma Access hub belongs. The SD-WAN plugin supports only private autonomous systems. The AS number must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or 64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534. |
| Tunnel Monitor IP | The tunnel monitor IP address provided by Prisma Access for IPSec tunnel monitoring. This is displayed after you successfully onboard a Prisma Access hub. |
| Service IP | The public IP address of the Prisma Access hub. This is displayed after you successfully onboard a Prisma Access hub. |
| Secret | Enter and confirm a passphrase to authenticate BGP peer communications. |
| Link Tag | Configure a link tag to identify the Prisma Access hub when applications and services use this link during SD-WAN traffic distribution and failover. |
| Operations | Click to perform one of the following operations when configuring Prisma Access to leverage SD-WAN. |
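The constraints the AS Number, Router Name, Prefixes to Redistribute and VPN Address Pool rows describe (private ASN only, ASN unique per hub and branch, a hub must list a prefix to redistribute, branch virtual router names must match a hub, tunnel pool must not overlap the overlay) can be checked before a commit. This is an added example written for this page, not Panorama or SD-WAN plugin code: the Device class, the device names and the subnets are constructed, the 4-byte range uses the asplain numbers given in the table, and asdot-to-asplain conversion follows RFC 5396.

```python
import ipaddress
from dataclasses import dataclass, field

# Private ASN ranges as stated in the AS Number row (RFC 6996 private ranges).
PRIVATE_2BYTE = (64512, 65534)
PRIVATE_4BYTE = (4_200_000_000, 4_294_967_294)


def parse_asn(text: str) -> int:
    """Accept asplain ("65001") or asdot ("64512.64513") and return asplain."""
    if "." in text:
        high, low = (int(p) for p in text.split(".", 1))
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"bad asdot ASN {text!r}")
        return high * 65536 + low  # asdot -> asplain per RFC 5396
    return int(text)


def is_private_asn(asn: int) -> bool:
    return (PRIVATE_2BYTE[0] <= asn <= PRIVATE_2BYTE[1]
            or PRIVATE_4BYTE[0] <= asn <= PRIVATE_4BYTE[1])


@dataclass
class Device:                      # hypothetical model of one table entry
    name: str
    kind: str                      # "hub" or "branch" (the Type field)
    asn: str                       # AS Number, asplain or asdot
    virtual_router: str = "sdwan-default"
    redistribute: list = field(default_factory=list)  # Prefixes to Redistribute


def validate_cluster(devices, vpn_pool=None, overlay_subnets=()):
    """Return human-readable findings; an empty list means the cluster passes."""
    findings, seen_asn = [], {}
    hub_vrs = {d.virtual_router for d in devices if d.kind == "hub"}
    for d in devices:
        asn = parse_asn(d.asn)
        if not is_private_asn(asn):
            findings.append(f"{d.name}: AS {asn} is not in a private ASN range")
        if asn in seen_asn:
            findings.append(f"{d.name}: AS {asn} already used by {seen_asn[asn]}")
        seen_asn.setdefault(asn, d.name)
        if d.kind == "branch" and d.virtual_router not in hub_vrs:
            findings.append(f"{d.name}: virtual router {d.virtual_router!r} matches no hub")
        if d.kind == "hub" and not d.redistribute:
            findings.append(f"{d.name}: hub must list at least one prefix to redistribute")
        for p in d.redistribute:
            try:
                ipaddress.ip_network(p, strict=True)  # rejects host bits / bad length
            except ValueError:
                findings.append(f"{d.name}: {p!r} is not a valid prefix/length")
    if vpn_pool:                                   # dedicated tunnels to Panorama
        pool = ipaddress.ip_network(vpn_pool)
        for s in overlay_subnets:
            if pool.overlaps(ipaddress.ip_network(s)):
                findings.append(f"VPN address pool {pool} overlaps overlay subnet {s}")
    return findings


# Constructed sample: one duplicate ASN, one unmatched VR, one bad prefix, one empty hub.
SAMPLE = [
    Device("hub-dc1", "hub", "4200000001", redistribute=["10.0.0.0/8"]),
    Device("branch-nyc", "branch", "64512.64513"),
    Device("branch-sfo", "branch", "65000", virtual_router="vr-finance"),
    Device("branch-lon", "branch", "65001", redistribute=["10.50.1.5/24"]),
    Device("hub-dc2", "hub", "4200000001"),
]

if __name__ == "__main__":
    for line in validate_cluster(SAMPLE, "172.16.0.0/24", ["172.16.0.0/16"]):
        print(line)
```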
