About SD-WAN
Palo Alto Networks supports an SD-WAN overlay that provides
dynamic, intelligent path selection based on applications, services,
and link conditions.
Software-Defined Wide Area Network (SD-WAN)
is a technology that allows you to use multiple internet and private
services to create an intelligent and dynamic WAN, which helps lower
costs and maximize application quality and usability. Beginning
with PAN-OS® 9.1, Palo Alto Networks® offers
strong security with an SD-WAN overlay in a single management system.
Instead of using costly and time-consuming MPLS with components
such as routers, firewalls, WAN path controllers, and WAN optimizers
to connect your WAN to the internet, SD-WAN on a Palo Alto Networks
firewall allows you to use less expensive internet services and
fewer pieces of equipment. You don’t need to purchase and maintain
other WAN components.
PAN-OS Security with SD-WAN Functionality
The SD-WAN plugin is integrated
with PAN-OS, so that you get the security features of a PAN-OS firewall
and SD-WAN functionality from a single vendor. The SD-WAN overlay
supports dynamic, intelligent path selection based on applications and
services and the conditions of links that each application or service
is allowed to use. The path health monitoring for each link includes
latency, jitter, and packet loss. Granular application and service
controls allow you to prioritize applications based on whether the
application is mission-critical, latency-sensitive, or meets certain health
criteria, for example. Dynamic path selection avoids brownout and
node failure problems because sessions fail over to a better performing
path in less than one second.
The SD-WAN overlay works with
all PAN-OS security features, such as User-ID™ and App-ID™, to provide
complete security control to branch offices. The full suite of App-ID
capabilities (App-ID decoder, App-ID cache, and source/destination
external dynamic list [EDL] IP address lists) identifies applications
for application-based control of SD-WAN traffic. You can deploy
the firewall with Zero Trust segmentation of traffic. You can configure
and manage SD-WAN centrally from the Panorama web interface or the
Panorama REST API.
If you use cloud-based services, you may want internet traffic to flow
directly from branches to the cloud over a directly connected ISP,
instead of from branches to the hub and then to the cloud. Such access
from a branch to the internet is Direct Internet Access (DIA). You don’t
need to spend hub bandwidth and money on internet traffic.
The branch firewall is already enforcing security, so you don’t need
the hub firewall to enforce security on internet traffic again. Use DIA
on branches for SaaS, web browsing, or heavy-bandwidth applications
that shouldn’t be backhauled to a hub. The following figure illustrates
a DIA virtual interface consisting of three links from the branch
to the cloud. The figure also illustrates a VPN tunnel virtual interface
consisting of four links that connect the branch to the hub at the
headquarters.
SD-WAN Link and Firewall Support
Link bundling allows you to group multiple
physical links (that different ISPs use to communicate with the
same destination) into a virtual SD-WAN interface. On the basis
of applications and services, the firewall chooses from the links
(path selection) for session load sharing and to provide failover
protection in the event of a brownout or blackout, so that each
application gets the best available path quality. The
firewall automatically performs session load sharing over the links in
a virtual SD-WAN interface to make good use of the available bandwidth.
All links in a virtual SD-WAN interface must be of the same connection
type (either DIA or VPN). VPN links support the hub-and-spoke topology.
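The two mechanisms described above, path health monitoring against a path quality profile (latency, jitter, packet loss) and path selection with session load sharing over the links of a virtual SD-WAN interface, are shown below as an added, self-contained model. This is illustrative code written for this page, not PAN-OS or SD-WAN plugin code: the threshold fields, the link tags used to express cost preference (cheap broadband before LTE), the "stay on the current link while it is healthy" rule, and the least-degraded fallback when no link meets the profile are all assumptions of the example.

```python
"""Toy model of path selection over a virtual SD-WAN interface.

Added illustration, not PAN-OS or SD-WAN plugin code. It assumes a path
quality profile with three thresholds (latency, jitter, packet loss) and an
ordered list of link tags expressing cost preference (cheap broadband first).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class PathQualityProfile:
    """Maximum values a link may report and still count as healthy."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class LinkHealth:
    """One physical link in a virtual SD-WAN interface with its latest probe results."""
    name: str
    link_type: str   # "DIA" or "VPN"; a virtual interface holds only one type
    tag: str         # constructed cost tag, e.g. "broadband" or "lte"
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def violations(link: LinkHealth, profile: PathQualityProfile) -> List[str]:
    """Names of the profile thresholds this link currently exceeds."""
    out = []
    if link.latency_ms > profile.max_latency_ms:
        out.append("latency")
    if link.jitter_ms > profile.max_jitter_ms:
        out.append("jitter")
    if link.loss_pct > profile.max_loss_pct:
        out.append("loss")
    return out


def same_link_type(links: Sequence[LinkHealth]) -> bool:
    """True when every link is DIA or every link is VPN (mixing is not allowed)."""
    return len({l.link_type for l in links}) == 1


def _degradation(link: LinkHealth, profile: PathQualityProfile) -> float:
    """Sum of how far each metric exceeds its threshold, as ratios (assumed tie-breaker)."""
    return (max(0.0, link.latency_ms / profile.max_latency_ms - 1)
            + max(0.0, link.jitter_ms / profile.max_jitter_ms - 1)
            + max(0.0, link.loss_pct / profile.max_loss_pct - 1))


def select_path(links: Sequence[LinkHealth], profile: PathQualityProfile,
                preference: Sequence[str], current: Optional[str] = None) -> str:
    """Name of the link a session should use.

    Simplified rules for this example:
      1. a session stays on its current link while that link meets the profile;
      2. otherwise it fails over to a healthy link, earlier tags preferred,
         lowest latency breaking ties within a tag;
      3. if no link is healthy, the least-degraded link is used (assumption).
    """
    if not same_link_type(links):
        raise ValueError("a virtual SD-WAN interface cannot mix DIA and VPN links")
    healthy = [l for l in links if not violations(l, profile)]
    if current in {l.name for l in healthy}:
        return current
    if healthy:
        rank = {tag: i for i, tag in enumerate(preference)}
        return min(healthy, key=lambda l: (rank.get(l.tag, len(rank)), l.latency_ms)).name
    return min(links, key=lambda l: _degradation(l, profile)).name


def distribute_sessions(session_ids: Sequence[str], links: Sequence[LinkHealth],
                        profile: PathQualityProfile, preference: Sequence[str]) -> Dict[str, int]:
    """Round-robin new sessions across the healthy links of the most preferred tag."""
    counts = {l.name: 0 for l in links}
    healthy = [l for l in links if not violations(l, profile)]
    if not healthy:
        # Nothing meets the profile: every session lands on the least-degraded link.
        counts[select_path(links, profile, preference)] = len(session_ids)
        return counts
    rank = {tag: i for i, tag in enumerate(preference)}
    best_rank = min(rank.get(l.tag, len(rank)) for l in healthy)
    tier = [l for l in healthy if rank.get(l.tag, len(rank)) == best_rank]
    for i, _sid in enumerate(session_ids):
        counts[tier[i % len(tier)].name] += 1
    return counts


# Constructed sample: a DIA virtual interface with two broadband links and one LTE link.
PROFILE = PathQualityProfile(max_latency_ms=300, max_jitter_ms=50, max_loss_pct=2.0)
PREFERENCE = ["broadband", "lte"]
HEALTHY = [
    LinkHealth("bb1", "DIA", "broadband", 40, 5, 0.1),
    LinkHealth("bb2", "DIA", "broadband", 60, 8, 0.2),
    LinkHealth("lte1", "DIA", "lte", 90, 20, 0.5),
]

if __name__ == "__main__":
    print(select_path(HEALTHY, PROFILE, PREFERENCE, current="bb1"))    # bb1
    degraded = [LinkHealth("bb1", "DIA", "broadband", 400, 5, 0.1)] + HEALTHY[1:]
    print(select_path(degraded, PROFILE, PREFERENCE, current="bb1"))   # bb2
    print(distribute_sessions(["s1", "s2", "s3", "s4"], HEALTHY, PROFILE, PREFERENCE))
```

The point of keeping a session on its current link until that link breaches a threshold is to avoid flapping between two links of similar quality; the fallback to the least-degraded link models the case where a brownout hits every link at once and the firewall still has to forward traffic somewhere.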
SD-WAN
supports the following types of WAN connections: ADSL/DSL, cable modem,
Ethernet, fiber, LTE/3G/4G/5G, MPLS, microwave/radio, satellite,
WiFi, and anything that terminates as Ethernet to the firewall’s
interface. You decide the appropriate strategy for how to use the
links. You could use inexpensive broadband connections before expensive
MPLS or LTE connections. Alternatively, you could use specific VPN
tunnels to reach specific hubs in a region.
See the system requirements
for SD-WAN for a full list of firewall models that support
SD-WAN software capabilities.
If you are a new customer purchasing
a Palo Alto Networks next-generation firewall, you will use the
default virtual router for SD-WAN. If you are an existing customer,
you can choose to either let PAN-OS overwrite any existing virtual
routers or use a new virtual router and new zones for SD-WAN to
keep SD-WAN content separate from your pre-existing configuration.
Beginning
with PAN-OS 11.0, SD-WAN plugin 3.1 supports the advanced routing engine, which
uses industry-standard configuration methodology to simplify administrator
tasks. Although conceptually equivalent, the advanced routing engine
uses logical routers rather than virtual routers to instantiate
routing domains. When you enable advanced routing,
logical routers are created and the advanced routing engine is used
for routing. When you disable advanced routing, virtual routers
are created and the legacy routing engine is used for routing.
Prisma Access Hub Support
With SD-WAN plugin 2.2 and later releases,
PAN-OS Secure SD-WAN provides you with Prisma Access hub support
to give you full control of how and where applications are secured.
Prisma Access Hub support allows PAN-OS firewalls to connect to
Prisma Access compute nodes (CNs) to achieve cloud-based security
in an SD-WAN hub-and-spoke topology. This support enables a seamless
link failover from on-premises security to Prisma Access and the
ability to mix both to meet your security needs.
In a mixed topology with both
SD-WAN
firewalls and Prisma Access hubs, the SD-WAN hubs are Prisma Access CNs (IPSec
Termination Nodes) and the SD-WAN branches are PAN-OS firewalls. SD-WAN
automatically creates IKE and IPSec tunnels that connect the branch to the hub.
Using Traffic Distribution profiles, you can create SD-WAN policies to match
specific internet applications and redirect them to a PAN-OS firewall or Prisma
Access deployment of your choice. With Prisma Access hub support, on-premises and
cloud security platforms work together to provide a complete solution with
consistent security policies managed by Panorama.
See the system requirements
for SD-WAN for the minimum PAN-OS and SD-WAN plugin versions
required for Prisma Access Hub support.
Prisma Access hub
support has the following limitations:
- Importing and exporting an SD-WAN configuration related to Prisma Access are not supported.
- Load, Partial Load, Revert, and Partial Revert for the Prisma Access configuration are not supported.
- Onboarding to an existing Prisma Access Remote Network Security Processing Node (RN-SPN) is not supported. For an existing branch that is connected to Prisma Access, you need to delete the branch and then onboard it again.
- No SD-WAN CLI commands are available on Prisma Access firewalls.
- On a CN, there is no path selection for traffic that originates on the CN.
- Prisma Access statistics are not provided in SD-WAN reporting and statistics.
Centralized Management
Panorama™
provides the means to configure and manage SD-WAN, which makes configuring
multiple options on many geographically-dispersed firewalls much
faster and easier than configuring firewalls individually. You can
change network configurations from a single location rather than
configuring each firewall individually. Auto VPN configuration allows
Panorama to configure branches and hubs with secure IKE/IPSec connections.
A VPN cluster defines the hubs and branches that communicate with
each other in a geographic region. The firewall uses VPN tunnels
for path health monitoring between a branch and a hub to provide subsecond
detection of brownout conditions.
The Panorama dashboard provides
visibility into your SD-WAN links and performance so that you can
adjust path quality thresholds and other aspects of SD-WAN to improve
its performance. Centralized statistics and reporting include application and
link performance statistics, path health measurements and trend
analysis, and focused views of application and link issues.
Begin
by understanding your SD-WAN use case, then review the SD-WAN configuration
elements and traffic distribution methods, and plan your SD-WAN configuration.
To greatly accelerate the configuration, the best practice is for
you to export an empty SD-WAN device CSV and enter information such
as branch office IP address, the virtual router to use, the firewall
site name, zones to which the firewall belongs, and BGP route information.
Panorama uses the CSV file to configure the SD-WAN hubs and branches
and to automatically provision VPN tunnels between hubs and branches.
SD-WAN supports dynamic routing through eBGP and is configured using
Panorama’s SD-WAN plugin to allow all branches to communicate with the
hub only or with the hub and other branches.
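Because Panorama provisions hubs, branches, and their VPN tunnels from the device CSV, a mistake in that file is replicated to every site it describes. The following added example (not Panorama's exporter, and not its real column layout) checks a constructed CSV before it is imported. The column names `site_name`, `branch_ip`, `virtual_router`, `zones`, and `bgp_as` are hypothetical stand-ins for the fields the paragraph above lists; the sample rows are constructed and include two deliberate mistakes.

```python
"""Pre-import checks for a constructed SD-WAN device CSV.

Added example, not Panorama's exporter or its real column layout. The column
names are assumptions chosen to mirror the fields the page lists (site name,
branch IP address, virtual router, zones, BGP information).
"""
import csv
import io
import ipaddress
from typing import List

# Hypothetical column layout; Panorama's actual export defines its own.
REQUIRED_COLUMNS = ("site_name", "branch_ip", "virtual_router", "zones", "bgp_as")

# Constructed sample rows with two deliberate mistakes: an invalid IP address
# on the third row and a duplicated site name on the fourth.
SAMPLE_CSV = """site_name,branch_ip,virtual_router,zones,bgp_as
branch-nyc,192.0.2.10,default,trust;untrust,65001
branch-sfo,192.0.2.20,default,trust;untrust,65002
branch-lon,203.0.113.999,default,trust,65003
branch-nyc,192.0.2.30,sdwan-vr,trust;untrust,65004
"""


def validate_device_csv(text: str) -> List[str]:
    """Return human-readable problems found in the CSV; an empty list means it passed."""
    problems: List[str] = []
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED_COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        return [f"missing columns: {', '.join(missing)}"]
    seen_sites, seen_ips = set(), set()
    for n, row in enumerate(reader, start=2):  # line 1 is the header
        site = row["site_name"].strip()
        if not site:
            problems.append(f"line {n}: empty site_name")
        elif site in seen_sites:
            problems.append(f"line {n}: duplicate site_name {site!r}")
        seen_sites.add(site)
        try:
            ip = ipaddress.ip_address(row["branch_ip"].strip())
        except ValueError:
            problems.append(f"line {n}: invalid branch_ip {row['branch_ip']!r}")
        else:
            if ip in seen_ips:
                problems.append(f"line {n}: duplicate branch_ip {ip}")
            seen_ips.add(ip)
        if not row["virtual_router"].strip():
            problems.append(f"line {n}: empty virtual_router")
        if not [z for z in row["zones"].split(";") if z.strip()]:
            problems.append(f"line {n}: no zones listed")
        asn = row["bgp_as"].strip()
        if not asn.isdigit() or not 1 <= int(asn) <= 4294967295:
            problems.append(f"line {n}: bgp_as {asn!r} is not a valid AS number")
    return problems


if __name__ == "__main__":
    for problem in validate_device_csv(SAMPLE_CSV):
        print(problem)
```

Run against the constructed sample, the checker reports the bad address on line 4 and the duplicated site name on line 5; the duplicate-IP and AS-number checks matter because a repeated branch address or an out-of-range AS number would otherwise surface only after Panorama has tried to build tunnels and BGP sessions from the file.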
If Panorama
is managing a multi-vsys firewall, all SD-WAN-enabled
interfaces and configurations must be configured on vsys1.
SD-WAN
does not support an SD-WAN configuration across multiple virtual systems
of a multi-vsys firewall.
SD-WAN interfaces
must be configured in the same virtual router; they cannot be split
among virtual routers.