Create the SD-WAN Device Groups
Table of Contents
Expand all | Collapse all
-
- Create a Link Tag
- Configure an SD-WAN Interface Profile
- Configure a Physical Ethernet Interface for SD-WAN
- Configure an Aggregate Ethernet Interface and Subinterfaces for SD-WAN
- Configure Layer 3 Subinterfaces for SD-WAN
- Configure a Virtual SD-WAN Interface
- Create a Default Route to the SD-WAN Interface
-
- Create a Path Quality Profile
-
- Create a SaaS Quality Profile
- Use Case: Configure SaaS Monitoring for a Branch Firewall
- Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to the Same SaaS Application Destination
- Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch Firewall to a Different SaaS Application Destination
- SD-WAN Traffic Distribution Profiles
- Create a Traffic Distribution Profile
- Create an Error Correction Profile
- Configure an SD-WAN Policy Rule
- Allow Direct Internet Access Traffic Failover to MPLS Link
- Configure DIA AnyPath
- Distribute Unmatched Sessions
- Configure HA Devices for SD-WAN
- Create a VPN Cluster
- Create a Full Mesh VPN Cluster with DDNS Service
- Create a Static Route for SD-WAN
- Configure Advanced Routing for SD-WAN
Create the SD-WAN Device Groups
Create SD-WAN device groups for your hubs and branches.
Create device groups, one for your hubs and
one for your branches, containing all the policy rules and configuration
objects for your SD-WAN hubs and branches. After you create the
device groups for your hubs and branches, you must create a Security policy
rule in each device group allowing traffic between the hub and branch
zones. Creating these Security policy rules ensures that traffic
between the SD-WAN device zones is allowed when the SD-WAN plugin
creates the VPN tunnels after you create a VPN cluster.
Configure identical configurations across
your hub firewalls and an identical configuration across your branch
firewalls. This greatly reduces the operational overhead of having
to manage the configurations of multiple SD-WAN hubs and branches,
and allows you to troubleshoot, isolate, update configuration issues much
more rapidly.
- Log in to the Panorama Web Interface.
- Create the Predefined Zones in Panorama.
- Create the SD-WAN hub device group.
- Select PanoramaDevice Groups and Add a device group.
- Enter SD-WAN_Hub as the Name for the device group.
- (Optional) Enter a Description for the template.
- In the Devices section, select the check boxes to assign the SD-WAN hubs to the group.
- For the Parent Device Group, select Shared.
- Click OK.
- Create the SD-WAN branch device group.
- Select PanoramaDevice Groups and Add a device group.
- Enter SD-WAN_Branch as the Name for the device group.
- (Optional) Enter a Description for the template.
- In the Devices section, select the check boxes to assign the SD-WAN branches to the group.
- For the Parent Device Group, select Shared.
- Click OK.
- Create a Security policy rule to control traffic flows
from branch offices to the hub’s internal zone and from the hub’s
internal zone to branch offices.
- Select PoliciesSecurity and in the Device Group context drop-down, select the SD-WAN_Hub device group.
- Add a new policy rule.
- Enter a Name for the policy rule, such as SD-WAN access--hub DG.
- Select SourceSource Zone and Add the zone-internal and zone-to-branch.
- Select DestinationDestination Zone and Add the zone-internal and zone-to-branch.
- Select Application and Add applications
to allow.You must allow BGP if you are using BGP routing.
- Select Actions and Allow to allow the applications you selected.
- Select Target and specify the target devices to which Panorama™ should push this rule.
- Create a Security policy rule to control traffic originating
from the branch offices’ internal zone to the hub and from the hub
to the branch offices’ internal zone.
- Select PoliciesSecurity and in the Device Group context drop-down, select the SD-WAN_Branch device group.
- Add a new policy rule.
- Enter a Name for the policy rule, such as SD-WAN access--branch DG.
- Select SourceSource Zone and Add the zone-internal and zone-to-hub.
- Select DestinationDestination Zone and Add the zone-internal and zone-to-hub.
- Select Application and Add applications
to allow.You must allow BGP if you are using BGP routing.
- Select Actions and Allow to allow the applications you selected.
- Select Target and specify the target devices to which Panorama should push this rule.
- Commit and push your configuration.
- Commit and Commit and Push your configuration changes.
- In the Push Scope section, click Edit Selections.
- Enable (check) Include Device and Network Templates and click OK.
- Commit and Push your configuration
changes.There are two commit operations that are automatically performed when you commit and push the device group and template configuration. View the Tasks to verify that the second commit is successful. Of these two commit operations, the first always fails.