End-of-Life (EoL)

Secure SD-WAN

Palo Alto Networks supports an SD-WAN overlay that provides dynamic, intelligent path selection based on applications, services, and link conditions.
Software-Defined Wide Area Network (SD-WAN) is a technology that allows you to use multiple internet and private services to create an intelligent and dynamic WAN, which helps lower costs and maximize application quality and usability. Beginning with PAN-OS® 9.1, Palo Alto Networks offers strong security with an SD-WAN subscription in a single management system. Instead of using costly and time-consuming MPLS with components such as routers, firewalls, WAN link controllers, and WAN optimizers to connect your WAN to the internet, SD-WAN on a Palo Alto Networks® firewall allows you to use less expensive internet services and fewer pieces of equipment. You don’t need to purchase and maintain other WAN components.
You install the SD-WAN plugin on the Panorama™ management server, so that you get the security features of a PAN-OS management and firewall, and SD-WAN functionality from a single vendor. The SD-WAN subscription supports dynamic, intelligent link selection based on applications and services and the conditions of links that each application or service is allowed to use. The path health monitoring for each link includes latency, jitter, and packet loss. Granular application and service controls allow you to prioritize applications based on whether the application is mission-critical, latency-sensitive, or meets certain health criteria, for example. Dynamic path selection avoids brownout and node failure problems because sessions fail over to a better performing path in less than one second.
The SD-WAN subscription works with all PAN-OS security features, such as User-ID™ and App-ID™, to provide complete security control to branch offices. The App-ID capabilities identify applications (App-ID decoder, App-ID cache, and source/destination external dynamic list [EDL] IP address lists) for application-based control. You can deploy the firewall with Zero Trust segmentation of traffic. You can configure and manage SD-WAN centrally from the Panorama web interface or the Panorama REST API.
You may have cloud-based services and, instead of having your internet traffic flow from branches to the hub and then to the cloud, want the internet traffic to flow directly from branches to the cloud over a directly connected ISP. Such access from a branch to the internet is Direct Internet Access (DIA). With DIA you don’t spend hub bandwidth and money on internet traffic, and because the branch firewall is already enforcing security, you don’t need the hub firewall to inspect that traffic again. Use DIA on branches for SaaS, web browsing, or heavy-bandwidth applications that shouldn’t be backhauled to a hub.
PA-220, PA-220R, PA-820, and PA-850 firewalls are supported as SD-WAN branch firewalls. PA-3200 Series, PA-5200 Series, VM-300, VM-500, and VM-700 firewalls are supported as SD-WAN hub firewalls. Each firewall (branch or hub) requires an SD-WAN subscription. Each Panorama requires the SD-WAN plugin.
  1. Read about SD-WAN to learn more about SD-WAN and the SD-WAN configuration elements.
  2. Plan your SD-WAN configuration. This includes planning the hub and branch firewall locations, link requirements, IP addresses and link bundles, as well as determining which applications will use SD-WAN and QoS optimization, and determining when and how you want links to fail over in the event the original link degrades or fails.
  3. Set up SD-WAN.
    1. Install the SD-WAN plugin.
    2. Set up Panorama and firewalls for SD-WAN by adding your SD-WAN firewalls as managed firewalls, as well as creating the template, template stacks, device groups, and zones required to push configuration changes from Panorama to your SD-WAN firewalls.
  4. Create your link tags to identify one or more physical links that you want applications and services to use in specific order during SD-WAN traffic distribution and failover protection.
  5. Configure an SD-WAN interface profile to define the characteristics of ISP connections and to specify the speed of links and how frequently the firewalls monitor the link.
  6. Configure a physical Ethernet interface for SD-WAN to enable SD-WAN functionality.
  7. Configure a virtual SD-WAN interface to specify one or more physical, SD-WAN-capable Ethernet interfaces that go to the same destination.
  8. Create a path quality profile for each set of applications, application filters, application groups, service objects, and service group objects that has unique network health requirements. The health requirements are based on latency, jitter, and packet loss percentage.
  9. Create a traffic distribution profile to instruct the firewall how to select a new link in the event of link degradation to ensure users experience the best performance. The traffic distribution profile is applied to SD-WAN policy rules.
  10. Configure an SD-WAN policy rule to specify application(s) or service(s) and a traffic distribution profile to determine how the firewall selects the preferred path for incoming traffic.
  11. Add SD-WAN devices to Panorama. You can add a single managed firewall as an SD-WAN firewall or bulk import multiple managed firewalls.
  12. Create a VPN cluster to determine which branch firewalls communicate with which hub firewalls and create a secure connection between those branch and hub firewalls.
  13. Monitor your SD-WAN apps and links to troubleshoot and generate reports as needed.
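The following is an added, constructed simulation of how steps 4, 8 and 9 fit together: a path quality profile holds per-application thresholds, link tags impose a preference order, and a link that violates its thresholds is skipped so the session fails over to the next tagged link. It is not PAN-OS or Panorama code; the interface names, tag names and metric values are assumptions for illustration.

```python
"""Constructed model of SD-WAN path selection (assumption: not PAN-OS code)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PathQualityProfile:
    """Health thresholds a link must meet for an application (ms, ms, percent)."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass
class Link:
    """A physical SD-WAN link with its tag and the latest path health measurements."""
    name: str        # constructed interface name, e.g. "ethernet1/1"
    tag: str         # constructed link tag, e.g. "broadband" or "mpls"
    latency_ms: float
    jitter_ms: float
    loss_pct: float

    def is_healthy(self, profile: PathQualityProfile) -> bool:
        """True only if every measured metric is within the profile's thresholds."""
        return (self.latency_ms <= profile.max_latency_ms
                and self.jitter_ms <= profile.max_jitter_ms
                and self.loss_pct <= profile.max_loss_pct)


def select_path(links: List[Link], tag_order: List[str],
                profile: PathQualityProfile) -> Optional[Link]:
    """Walk the tags in preference order (the traffic distribution profile) and
    return the first link under that tag that passes the path quality profile.
    Returns None when no link meets the profile, which a caller must handle."""
    for tag in tag_order:
        for link in links:
            if link.tag == tag and link.is_healthy(profile):
                return link
    return None


def demo():
    """Constructed scenario: broadband preferred for VoIP, then MPLS on degradation."""
    voip = PathQualityProfile(max_latency_ms=150, max_jitter_ms=30, max_loss_pct=1.0)
    links = [Link("ethernet1/1", "broadband", 40, 5, 0.1),
             Link("ethernet1/2", "mpls", 60, 8, 0.0)]
    order = ["broadband", "mpls"]
    first = select_path(links, order, voip)          # healthy broadband wins
    links[0].loss_pct = 3.5                          # broadband now exceeds 1% loss
    after_degrade = select_path(links, order, voip)  # fails over to MPLS
    return first.name, after_degrade.name
```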