SD-WAN Devices
Add SD-WAN branch and hub firewalls to be managed by Panorama.
- Panorama > SD-WAN > Devices

Add the SD-WAN firewall branches and hubs that make up your VPN cluster and SD-WAN topology to be managed by the Panorama management server.

You can also Group HA Peers so HA peers appear consecutively on the list of devices for ease of use.

You can select BGP Policy to have Panorama create and push to firewalls a Security policy rule that allows BGP to run between branches and hubs.

Field | Description |
---|---|
Add | |
Name | Enter a Name that identifies the SD-WAN firewall. |
Type | Select the Type of SD-WAN firewall: |
Virtual Router Name | Select the virtual router to use for routing between the SD-WAN hub and branches. By default, Panorama creates an sdwan-default virtual router and enables Panorama to automatically push router configurations. |
Site | Enter a user-friendly Site name that identifies the hub or branch. For example, enter the city name where the branch firewall is deployed. |
Zone Internet | Add one or more pre-existing zones to map them to the predefined zone named zone-internet. SD-WAN traffic egresses this zone to go to the internet. |
Zone Hub | Add one or more pre-existing zones to map them to the predefined zone named To_Hub. SD-WAN traffic egresses this zone to go to a hub. |
Zone Branch | Add one or more pre-existing zones to map them to the predefined zone named To_Branch. SD-WAN traffic egresses this zone to go to a branch. |
Zone Internal | Add one or more pre-existing zones to map them to the predefined zone named zone-internal. SD-WAN traffic egresses this zone to go to an internal zone. |
BGP | Enable BGP to configure BGP routing for SD-WAN traffic. |
Router ID | Specify the BGP router ID, which must be unique for all routers. Use the Loopback Address as the Router ID. |
Loopback Address | Specify a static loopback IPv4 address for BGP peering. |
AS Number | Enter the Autonomous System number of the private AS to which the virtual router on the hub or branch belongs. The SD-WAN plugin supports only private autonomous systems. The AS number must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or 64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534. Use a 4-byte private ASN. |
Remove Private AS | Disable (uncheck) the Remove Private AS option (default is enabled) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don’t want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates. This setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin. If you change the Remove Private AS setting, commit to all SD-WAN cluster nodes, and subsequently downgrade to an SD-WAN Plugin version earlier than 2.0.2, then all configuration related to Remove Private AS must be done outside of the SD-WAN plugin or directly on the firewalls. |
Prefixes to Redistribute | Enter prefixes to redistribute to the hub router from the branch. By default, all locally connected internet prefixes are advertised to the hub location. Palo Alto Networks does not redistribute the branch office default routes learned from the ISP. |
Upstream NAT | Select tab if you are adding an SD-WAN hub or branch device that is behind a NAT device. |
Upstream NAT | Enable Upstream NAT for the hub. Beginning with SD-WAN Plugin 2.0.1, you can enable Upstream NAT for a branch. |
SD-WAN Interface | Select an interface on the hub or branch that you have already configured for SD-WAN. |
NAT IP Address Type | Select one of the following: Auto VPN Configuration uses this address as the tunnel endpoint of the hub or branch. |
Group HA Peers | Click the checkbox at the bottom of the screen to cause HA peers to appear consecutively on the list of devices for ease of use. |
BGP Policy | |
BGP Policy | Select BGP Policy and then Add to have Panorama automatically create and push to firewalls a Security policy rule that allows BGP to run between branches and hubs. |
Policy Name | Enter a name for the Security policy rule that Panorama will automatically create. |
Select Device Groups | Select the device groups to which Panorama pushes the Security policy rule. |
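
A check for the Router ID, Loopback Address and AS Number rules in the table above, to run against a device plan before it is entered in Panorama. This is an added example, not Palo Alto Networks code and not part of the SD-WAN plugin. It assumes a hypothetical plan kept as a list of dictionaries with ASNs in asplain (integer) form; the field names and all sample values are constructed.

```python
import ipaddress
from collections import Counter

# Private ASN ranges as stated in the AS Number row (asplain form).
PRIVATE_2BYTE = range(64512, 65534 + 1)
PRIVATE_4BYTE = range(4_200_000_000, 4_294_967_294 + 1)

# Constructed sample plan; all names, ASNs and addresses are made up.
PLAN = [
    {"name": "hub-1",    "asn": 4200000001, "router_id": "10.255.0.1", "loopback": "10.255.0.1"},
    {"name": "branch-1", "asn": 4200000002, "router_id": "10.255.0.2", "loopback": "10.255.0.2"},
    {"name": "branch-2", "asn": 4200000002, "router_id": "10.255.0.3", "loopback": "10.255.0.3"},
    {"name": "branch-3", "asn": 65001,      "router_id": "10.255.0.2", "loopback": "10.255.0.4"},
    {"name": "branch-4", "asn": 64500,      "router_id": "10.255.0.5", "loopback": "10.255.0.5"},
]

def check_plan(devices):
    """Return (device, severity, problem) tuples for a planned device list."""
    findings = []
    asn_count = Counter(d["asn"] for d in devices)
    rid_count = Counter(d["router_id"] for d in devices)
    for d in devices:
        name, asn, rid = d["name"], d["asn"], d["router_id"]
        # The plugin supports only private ASNs; 4-byte is the recommended form.
        if asn in PRIVATE_2BYTE:
            findings.append((name, "warn", "2-byte private ASN; use a 4-byte private ASN"))
        elif asn not in PRIVATE_4BYTE:
            findings.append((name, "error", "ASN is not a private ASN"))
        # ASN must be unique for every hub and branch; router ID unique for all routers.
        if asn_count[asn] > 1:
            findings.append((name, "error", "ASN is shared with another hub or branch"))
        if rid_count[rid] > 1:
            findings.append((name, "error", "router ID is not unique"))
        # Loopback must be an IPv4 address and should double as the router ID.
        try:
            loopback = ipaddress.IPv4Address(d["loopback"])
            if ipaddress.IPv4Address(rid) != loopback:
                findings.append((name, "warn", "router ID differs from loopback address"))
        except ValueError:
            findings.append((name, "error", "loopback or router ID is not an IPv4 address"))
    return findings

if __name__ == "__main__":
    for name, severity, problem in check_plan(PLAN):
        print(f"{severity:5} {name}: {problem}")
```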