Bulk Import Multiple SD-WAN Devices
Import multiple SD-WAN branch and hub devices to more quickly deploy your SD-WAN.

Add multiple SD-WAN devices to quickly onboard branch and hub firewalls, rather than manually adding each device one at a time. When adding your devices, you specify what type of device it is (branch or hub) and you give each device its site name for easy identification.

Before adding your devices, plan your SD-WAN configuration to ensure you have all the required IP addresses and that the SD-WAN topology is well understood. This helps reduce any configuration errors.

If you want to have Active/Passive HA running on two branch firewalls or two hub firewalls, do not add those firewalls as SD-WAN devices in your CSV file. You will add them as HA peers separately when you Configure HA Devices for SD-WAN.

If you are using BGP routing, you must add a security policy rule to allow BGP from the internal zone to the hub zone and from the hub zone to the internal zone. If you want to use 4-byte autonomous system numbers (ASNs), you must first enable 4-byte ASNs for the virtual router.

If you have pre-existing zones for your Palo Alto Networks firewalls, you will be mapping them to the predefined zones used in SD-WAN.

- Log in to the Panorama Web Interface.
- Select Panorama > SD-WAN > Devices > Device CSV and Export an empty SD-WAN device CSV. The CSV allows you to import multiple branch and hub devices at once, rather than adding each device manually.
- Populate the SD-WAN device CSV with the branch and hub information and save the CSV. All fields are required unless noted otherwise. You must enter the following for each hub and branch:
- device-serial—The serial number of the branch or hub firewall.
- type—Specify whether the device is a branch or a hub.
- site—Enter the SD-WAN device site name to help you identify the geographical location or purpose of the device. The SD-WAN Site name supports all upper-case and lower-case alphanumerical and special characters. Spaces are not supported in the Site name and cause monitoring data (Panorama > SD-WAN > Monitoring) for that site not to be displayed.
- (Required for pre-existing customers) Map your pre-existing zones to predefined zones used for SD-WAN. When you map your existing zones to an SD-WAN zone, you must modify your security policy rules and add the SD-WAN zones to the correct Source and Destination zones.
- zone-internet—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach the internet.
- zone-to-branch—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach a branch.
- zone-to-hub—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach a hub.
- zone-internal—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach an internal zone.
- (Optional) loopback-address—Specify a static loopback IPv4 address for Border Gateway Protocol (BGP) peering.
- (Optional) prefix-redistribute—Enter IP prefixes that the branch informs the hub it can reach. To add more than one prefix, separate prefixes with a space, an ampersand (&), and a space; for example, 192.2.10.0/24 & 192.168.40.0/24. By default, the branch firewall advertises all locally connected internet prefixes to the hub. Palo Alto Networks does not redistribute the branch office default route(s) learned from the ISP.
- (Optional) as-number—Enter the ASN of the private AS to which the virtual router on the hub or branch belongs. The SD-WAN plugin supports only private autonomous systems. The ASN must be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or 64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534. Use a 4-byte private ASN. Before implementing SD-WAN with BGP routing in an environment where BGP is already in use, ensure that the BGP configuration generated by the SD-WAN plugin doesn’t conflict with your existing BGP configuration. For example, you must use the existing BGP AS number and router ID values for the corresponding SD-WAN device values.
- (Optional) router-id—Specify the BGP router ID, which must be unique among all virtual routers. Enter the Loopback Address as the router ID. Before implementing SD-WAN with BGP routing in an environment where BGP is already in use, ensure that the BGP configuration generated by the SD-WAN plugin doesn’t conflict with your existing BGP configuration. For example, you must use the existing BGP AS number and router ID values for the corresponding SD-WAN device values.
- vr-name—Enter the name of the virtual router to use for routing between the SD-WAN hub and branches. By default, Panorama creates an sdwan-default virtual router and can automatically push router configurations.
- Import the SD-WAN device CSV into Panorama. Verify that there are no pending commits on Panorama or the import fails.
- On Panorama, select Panorama > SD-WAN > Devices > Device CSV and Import the CSV you edited in the previous step.
- Browse and select the SD-WAN device CSV.
- Click OK to import the SD-WAN devices.
- Verify that your SD-WAN devices were successfully added.
- Commit your configuration changes.
- Select Push to Devices to push your configuration changes to your managed firewalls.
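
A pre-import check for the populated CSV, added here as an example and not Palo Alto Networks code: it applies the field rules listed above (required fields, no spaces in site names, the private ASN ranges, unique as-number and router-id values, and the space-ampersand-space prefix separator). The header names, the literal `branch`/`hub` values in the type column, and the sample rows are assumptions.

```python
import csv, io, ipaddress, re
# Constructed sample; header names are assumed to match the field names listed above.
SAMPLE = """device-serial,type,site,loopback-address,prefix-redistribute,as-number,router-id
000000000001,hub,HQ-Hub,10.0.0.1,192.2.10.0/24 & 192.168.40.0/24,4200000001,10.0.0.1
000000000002,spoke,Branch East,10.0.0.300,192.2.11.0/24&192.2.12.0/24,4200000001,10.0.0.1
"""

def private_asn(text):
    """Return the ASN as an int if it is in a private range the page lists, else None."""
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?", text)
    if m and m.group(2) is None:  # plain notation: 2-byte or 4-byte private range
        n = int(m.group(1))
        return n if 64512 <= n <= 65534 or 4_200_000_000 <= n <= 4_294_967_294 else None
    hi, lo = (int(g) for g in m.groups()) if m else (0, 0)  # dotted notation
    ok = lo <= 65535 and (64512, 64512) <= (hi, lo) <= (65535, 65534)
    return hi * 65536 + lo if ok else None

def parses(parser, text):
    try:
        parser(text)
        return True
    except ValueError:
        return False

def validate(csv_text):
    """Return (line_number, message) for each problem found in the device CSV."""
    problems, seen = [], {"as-number": set(), "router-id": set()}
    for n, raw in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        row = {k: (v or "").strip() for k, v in raw.items() if k}
        for f in ("device-serial", "type", "site"):
            if not row.get(f):
                problems.append((n, f"{f} is required"))
        if row.get("type", "").lower() not in ("", "branch", "hub"):  # assumed literals
            problems.append((n, "type must be branch or hub"))
        if re.search(r"\s", row.get("site", "")):
            problems.append((n, "site name contains a space"))
        for f in ("loopback-address", "router-id"):
            if row.get(f) and not parses(ipaddress.IPv4Address, row[f]):
                problems.append((n, f"{f} is not an IPv4 address"))
        for p in filter(None, row.get("prefix-redistribute", "").split(" & ")):
            if not parses(ipaddress.ip_network, p):  # host bits set also fail here
                problems.append((n, f"bad prefix or separator: {p}"))
        asn = private_asn(row.get("as-number", ""))
        if row.get("as-number") and asn is None:
            problems.append((n, "as-number is not a private ASN"))
        for f, key in (("as-number", asn), ("router-id", row.get("router-id"))):
            if key and key in seen[f]:
                problems.append((n, f"{f} duplicates an earlier row"))
            seen[f].add(key)
    return problems
```

Run `validate()` on the saved CSV text before importing; an empty list means none of these rules were violated.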