device-serial—The serial number of the branch or hub firewall.

type—Specify whether the device is a branch or a hub.

site—Enter the SD-WAN device site name to help you identify the geographical location or purpose of the device. The SD-WAN Site name supports all upper-case and lower-case alphanumerical and special characters. Spaces aren’t supported in the Site name; a Site name that contains spaces causes the monitoring data for that site not to be displayed. All SD-WAN devices, including SD-WAN devices in a high availability (HA) configuration, must have a unique Site name.

(Required for pre-existing customers) (SD-WAN plugin 3.1.0 and earlier versions) Map your pre-existing zones to the predefined zones used for SD-WAN. When you map your existing zones to an SD-WAN zone, you must modify your security policy rules and add the SD-WAN zones to the correct Source and Destination zones.

zone-internet—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach the internet.

zone-to-branch—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach a branch.

zone-to-hub—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach a hub.

zone-internal—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach an internal zone.

(SD-WAN plugin 3.1.0 and earlier versions) vr-name—Enter the name of the virtual router or logical router to use for routing between the SD-WAN hub and branches. By default, Panorama creates an sdwan-default virtual router and can automatically push router configurations. (SD-WAN plugin 3.1.0 version) Enter the logical router name if you have enabled advanced routing.

(SD-WAN plugin 3.2.0 and later versions) router-name—Enter the virtual router to use for routing between the SD-WAN hub and branches. By default, Panorama creates an sdwan-default virtual router and enables Panorama to automatically push router configurations.

vif-link-tag—Specify a link tag to identify the hub when applications and services use this link during SD-WAN traffic distribution and failover.

(Optional) router-id—Specify the BGP router ID, which must be unique among all virtual or logical routers. Enter the Loopback Address as the router ID.

Before implementing SD-WAN with BGP routing in an environment where BGP is already in use, ensure that the BGP configuration generated by the SD-WAN plugin doesn’t conflict with your existing BGP configuration. For example, you must use the existing BGP AS number and router ID values for the corresponding SD-WAN device values.

(Optional) as-number—Enter the ASN of the private AS to which the virtual router on the hub or branch belongs. The SD-WAN plugin supports only private autonomous systems. The ASN must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 (asplain notation) or 64512.64512 to 65535.65534 (asdot notation). The 2-byte ASN range is 64512 to 65534. Use a 4-byte private ASN.

(Optional) ipv4-bgp-enable—Specify yes or no to enable or disable BGP for IPv4 addresses.

(Optional) loopback-address—Specify a static loopback IPv4 address for BGP peering. SD-WAN plugin 3.1.1 and later 3.1 releases support an IPv6 loopback address for BGP peering.

(Optional) remove-private-as—Specify no to disable the Remove Private AS option (default is enabled) if you have endpoints that need to exchange routes with a hub or branch firewall in an SD-WAN BGP topology and therefore you don’t want to remove private AS numbers (64512 to 65534) from the AS_PATH attribute in BGP Updates. This setting applies to all BGP peer groups on the branch or hub firewall. If you need this setting to differ among BGP peer groups or peers, you must configure the setting outside of the SD-WAN plugin.

(Optional) prefix-redistribute—Enter IP prefixes that the branch informs the hub it can reach. To add more than one prefix, separate prefixes with a space, an ampersand (&), and a space; for example, 192.2.10.0/24 & 192.168.40.0/24. By default, the branch firewall advertises all locally connected internet prefixes to the hub. Palo Alto Networks doesn’t redistribute the branch office default route(s) learned from the ISP.

(Optional) (SD-WAN plugin 3.2.0 and later versions) ipv6-bgp-enable—Specify yes/no to enable/disable BGP for IPv6 addresses.

(Optional) (SD-WAN plugin 3.2.0 and later versions) ipv6-loopback-address—Specify a static loopback IPv6 address for BGP peering.

(Optional) (SD-WAN plugin 3.2.0 and later versions) ipv6-prefix-redistribute—Enter IPv6 prefixes to redistribute to the hub router from the branch. By default, all locally connected internet IPv6 prefixes are advertised to the hub location.

(Optional) copy-tos-header—Specify yes/no to enable/disable this option to copy the Type of Service (TOS) header from the inner IP header to the outer IP header of the encapsulated packets in order to preserve the original TOS information.

(SD-WAN plugin 3.2.0 and later versions) authentication-type—Specify the authentication type that the device (hub or branch) supports: pre-shared key or certificate authentication.

(Only for Certificate authentication type) (SD-WAN plugin 3.2.0 and later versions) certificate-name—Enter a certificate name. The name is case-sensitive and can have up to 63 characters on the firewall or up to 31 characters on the Panorama. It must be unique and use only letters, numbers, hyphens, and underscores. For pre-shared key authentication type, this field should be left empty.
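
As an added example (not code from the SD-WAN plugin or from Palo Alto Networks), the following Python checks a batch of device records against the field rules described above before they are handed to Panorama, so that a reused Site name, a public or duplicate ASN, a badly separated prefix list, or a certificate name on a pre-shared-key device is caught up front. The per-device dict layout and the authentication-type tokens "psk" and "certificate" are assumptions made here.

```python
import ipaddress
import re
# Added example, not the plugin's code: check SD-WAN device records (dicts keyed
# by the field names on this page; the dict layout and the authentication-type
# tokens "psk"/"certificate" are assumptions) against the rules the page states.
ASPLAIN_PRIVATE = (range(64512, 65535), range(4_200_000_000, 4_294_967_295))
ASDOT_MIN, ASDOT_MAX = 64512 * 65536 + 64512, 65535 * 65536 + 65534  # 64512.64512 .. 65535.65534
CERT_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")

def private_asn(text):  # int ASN if it lies in a private range the page lists, else None
    if re.fullmatch(r"\d+", text):                   # asplain form
        return int(text) if any(int(text) in r for r in ASPLAIN_PRIVATE) else None
    m = re.fullmatch(r"(\d+)\.(\d+)", text)          # asdot form high.low
    asn = int(m.group(1)) * 65536 + int(m.group(2)) if m and int(m.group(2)) < 65536 else -1
    return asn if ASDOT_MIN <= asn <= ASDOT_MAX else None

def validate_devices(records, cert_name_max=63):     # use 31 for names checked on Panorama
    """Map each device-serial to its list of rule violations (empty list = record is OK)."""
    problems, sites, asns = {}, set(), set()
    for rec in records:
        errs = problems.setdefault(rec["device-serial"], [])
        if rec.get("type") not in ("branch", "hub"):
            errs.append("type must be branch or hub")
        site = rec.get("site", "")
        if not site or " " in site:                  # spaces break monitoring data for the site
            errs.append("site name must be set and contain no spaces")
        elif site in sites:                          # unique across all devices, HA pairs included
            errs.append(f"site name {site!r} is reused")
        sites.add(site)
        if rec.get("as-number"):
            asn = private_asn(rec["as-number"])
            if asn is None:
                errs.append("as-number is not in a private ASN range")
            elif asn in asns:                        # ASN must be unique for every hub and branch
                errs.append(f"as-number {asn} is reused")
            asns.add(asn)
        if rec.get("router-id") and rec["router-id"] != rec.get("loopback-address"):
            errs.append("router-id should be the loopback-address")
        for p in filter(None, rec.get("prefix-redistribute", "").split(" & ")):
            try:
                ipaddress.IPv4Network(p)             # prefixes are separated by ' & '
            except ValueError:
                errs.append(f"bad prefix {p!r}")
        cert = rec.get("certificate-name", "")
        if rec.get("authentication-type") == "certificate":
            if not (CERT_NAME_RE.fullmatch(cert) and len(cert) <= cert_name_max):
                errs.append(f"certificate-name must be 1-{cert_name_max} letters, digits, - or _")
        elif cert:                                   # pre-shared key: field must stay empty
            errs.append("certificate-name must be empty for pre-shared key authentication")
    return problems
```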