Prisma SD-WAN Administrator’s Guide
    : Add a Branch Gateway
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma SD-WAN
    4. Prisma SD-WAN Administrator’s Guide
    5. Prisma SD-WAN Sites and Devices
    6. Set Up Sites
    7. Add a Branch Gateway
    Download PDF

    Prisma SD-WAN Administrator’s Guide

    Add a Branch Gateway

    Table of Contents

    Add a Branch Gateway

    Prisma SD-WAN offers a new hybrid site type, which is the branch gateway site to maximize the flexibility of the system.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN
    • Active Prisma SD-WAN license
    • Physical and virtual ION devices running software versions 6.4.1 or higher
    Geographically distributed organizations often have smaller regional datacenters colocated with users, manufacturing, and other business operations presenting both configuration and operations challenges. The single-click capability to create Regional Branch Gateways simplifies the adoption of this use case by automatically creating VPN topologies and instantiating Hub (Policy Transit, LQM Server, etc ) & Branch (App visibility, path selection, etc) services to simplify Day 1 and Day 2 operations for all traffic types and vectors.
    You can enable the branch gateway functionality with a single click of the site level configuration setting. Upon enabling the branch gateway mode, VPN tunnels will automatically form between the branch gateway site and corresponding branch sites in the domain.
    Where Can I Use This?What Do I Need?
    • Prisma SD-WAN
    • Active Prisma SD-WAN license.
    • Physical and virtual ION devices running software versions 6.4.1 or higher.
    Prisma SD-WAN supports branch gateway sites on the following platforms:
    • ION 3200
    • ION 5200
    • ION 9200
    • ION 3000
    • ION 7000
    • ION 9000
    All virtual ION models also support a branch gateway site.
    The ION device assigned to a branch gateway site supports the following interfaces:
    • Port
    • Bypass Pair
    • Subinterfaces
    • Virtual Interfaces
    • Standard VPN
    Interfaces in the branch gateway site support IPv4 & IPv6 static and DHCP addresses as well as secondary addresses.
    You can create a new site as a branch gateway site or can convert an existing branch site to a branch gateway site after completing the site configuration.
    You can:
    • Create a new branch gateway site.
      1. Select WorkflowsBranch SitesAdd Site.
      2. Add a Site Name and optionally enter description and tags.
      3. Enable Configure as a Branch Gateway Site.
      4. Add the other details to set up a site and click Save & Exit.
      Assign a device to the created branch gateway site, enable L3 Direct Private WAN Forwarding and L3 LAN Forwarding for the device and then configure the interfaces.
    • Convert an existing branch site to a branch gateway site.
      You can convert an existing branch site to a branch gateway site.
      Ensure that:
      • The site is in Control mode.
      • You have enabled L3 Direct Private WAN Forwarding.
      • You have enabled L3 LAN Forwarding.
      • There are no any existing branch-to-branch VPN tunnels. If any tunnels exist, Prisma SD-WAN deletes them during the conversion process.
      1. Select WorkflowsBranch Sites and click the ellipsis menu for the site.
      2. Select Switch to Branch Gateway Site.
        Switching a branch site to a branch gateway site causes the ION device to reboot.
        Alternatively, you can select Branch Sites, then select a site and then enable Branch Gateway.
    • Edit branch gateway site settings.
      (Optional) After you create a branch gateway site, you can optionally edit the branch gateway site settings.
      Select Prefer LAN Default over WAN in case your topology needs to take the LAN interface (with a default gateway) as the default route. This will mimic the path selection behavior of a data center site where the device forwards all incoming WAN traffic to the LAN peer.
      For example, if the traffic flow is — Branch ↔Branch Gateway ↔ LAN (Firewall → Internet). Typically, the ION device will have a default route (0.0.0.0/0) on the internet (WAN) interfaces (with the next hop as the default gateway configured on the wan interface or from DHCP). This is to steer packets to the internet (for DIA or otherwise) if no other specific route exists. In this particular scenario, the branch gateway site needs to take the LAN interface. The LAN interface has a default gateway configured either statically or via DHCP as a default route as against an internet interface, which would generally have a default route. You can achieve this by adding a default route with a lower admin cost on the LAN interface than the WAN interface when you select Prefer LAN Default over WAN.
      Maximum Branch Site Count Info indicates the maximum number of branch sites that you can associate with a branch gateway site. If you exceed this number, Prisma SD-WAN generates an incident. However, it will still be possible to associate branches to the branch gateway by joining the domain or through the establishment of manual tunnels.
    • Create VPNs between branch gateway sites or branch sites.
      Prisma SD-WAN establishes VPN tunnels as follows:
      • Branch -> Branch Gateway (Same Domain) — Prisma SD-WANautomatically builds Fabric VPN tunnels.
      • Branch -> Branch Gateway (Different Domain) — You need to manually configure Fabric VPN Tunnels.
      • Branch Gateway -> DC — Prisma SD-WAN automatically builds VPN tunnels.
      • Branch Gateway -> Branch Gateway — You need to manually configure Fabric VPN Tunnels.
      1. (Optional) Changing the domain of a branch gateway site.
        1. Select a branch gateway site.
        2. Click the ellipsis menu and select Change Site Domain.
        3. Choose the required domain and click Submit.
        To establish an automatic VPN tunnel between a branch site and a branch gateway site, ensure that both are in the same domain.
      2. (Optional) Create a manual VPN tunnel between two branch gateway sites.
        1. Select WorkflowsSites and select a branch gateway site.
        2. Select Overlay ConnectionsBranch Gateway — Branch GatewayAdd Link.
        3. Select a circuit and select the site for VPN establishment on the Add Secure Fabric Link pop-up.
    • Prefix Advertisement
      The branch gateway site performs prefix advertisement and distribution in a variety of topologies.
      Prefix Advertisement
      Learned ViaAdvertised To
      Fabric Tunnel
      LAN BGP Peer
      Standard VPN BGP Peer
      Standard VPN Tunnel BGP Peer
      Fabric (to branch)
      LAN BGP Peer
      LAN BGP Peer
      Fabric → yes
      LAN BGP Peer → yes
      Private WAN BGP Peer → yes
      Private WAN BGP PeerLAN BGP Peer → yes
      LAN Static Route
      Fabric → yes
      LAN BGP Peer → yes
      Private WAN BGP Peer → yes
    • Default Route in WAN BGP Peer.
      Prisma SD-WAN has enhanced the existing BGP Global configuration to allow an option to choose the default route as part of the prefix advertisement to WAN.
      For a BGP peer, select Advertise Default Route to Peer to distribute the default route to the peer, instead of explicitly configuring a prefix via route-maps.

    © 2024 Palo Alto Networks, Inc. All rights reserved.