SD-WAN DIA AnyPath

When your SD-WAN direct internet access (DIA) links from an ISP experience a blackout or brownout, you need those links to fail over to another link to ensure business continuity. DIA links can fail over to an MPLS link, but you may not have an MPLS link. DIA links must be able to fail over to another link that has a direct path or indirect path (through a hub or branch) to the internet; the DIA traffic can take any path available to get to the internet and isn’t restricted to DIA. DIA AnyPath supports a DIA link failing over to a private VPN tunnel going to a hub firewall to then reach the internet. Furthermore, if your topology is full mesh (branch-to-branch) and there is no hub, the DIA traffic can fail over to a branch firewall to reach the internet.

DIA AnyPath requires PAN-OS 10.0.3 or a later 10.0 release and SD-WAN Plugin 2.0.1 or a later 2.0 release.

DIA AnyPath introduces the concept of a principal virtual interface, which can include both DIA links and nested hub virtual interfaces and branch virtual interfaces (VPN tunnels) that each include their own links. The principal virtual interface can have a maximum of nine DIA (Ethernet) interfaces, hub virtual interfaces, and branch virtual interfaces. You assign a Link Tag to a hub when you add the hub device to Panorama. Assuming you use the SD-WAN plugin, Auto VPN assigns that Link Tag to the hub virtual interface, which allows you to specify the tag in a Traffic Distribution profile to control the failover order among virtual interfaces.

The following topology example shows Branch1 with two ISP connections and an MPLS link. Branch1 also has a Hub1 virtual interface with three VPN tunnels connecting to Hub1, and a Hub2 virtual interface of three VPN tunnels connecting to Hub2. Branch1 also has a branch2 virtual interface with three VPN tunnels connecting to Branch2 and a branch3 virtual interface with three VPN tunnels connecting to Branch3. The goal of DIA AnyPath is to configure the order in which DIA can fail over to VPN tunnels to reach the internet directly or indirectly and thus maintain business continuity.

When you configure a principal virtual interface, it automatically becomes the default route so that internet traffic is routed properly to any of the members of the principal virtual interface (both DIA links and VPN tunnels). The path selection is based on SD-WAN Path Quality profiles and Traffic Distribution profiles, which you would set to use the Top Down Priority distribution method to control the failover order. In the example topology, a Traffic Distribution profile can list the tag for the principal virtual interface first, then the tag for the Hub1 virtual interface, and then the tag for the Hub2 virtual interface.

Zooming in to a deeper level of failover priority, a hub virtual interface has multiple tunnel members, so you need a way to prioritize the failover order of the members, such as prioritizing that a broadband VPN tunnel be used before an LTE VPN tunnel. You specify the priority using the VPN Failover Metric in the SD-WAN Interface Profile that you apply to the Ethernet interface. The lower the metric value, the higher the priority for the tunnel to be selected upon failover. In the topology example, in the Hub1 virtual interface, a lower VPN Failover Metric for t11 than for t12 causes internet traffic to fail over to t11 before t12. If multiple tunnels in a virtual interface have the same metric, SD-WAN sends new session traffic to the tunnels in round-robin fashion.

1. Log in to the Panorama Web Interface
2. Specify the failover priority for a VPN tunnel (that is bundled in a hub virtual interface or branch virtual interface) by creating an SD-WAN Interface Profile.
3. Configure a physical Ethernet interface for SD-WAN and on the SD-WAN tab, apply the SD-WAN Interface Profile you created.
4. Repeat the prior two steps to configure additional SD-WAN Interface Profiles with a different VPN failover metric and apply the profiles to different Ethernet interfaces to determine the order in which failover occurs to the links.
5. Create a Link Tag for a hub virtual interface.
6. Add the Link Tag to a hub that you want to participate in DIA AnyPath.
7. Repeat the prior two steps to create a Link Tag for each hub virtual interface and add the tag to each hub that will participate in DIA AnyPath. Do the same for any branch virtual interface.
8. Create a Traffic Distribution Profile (using Top Down Priority) to implement DIA AnyPath.
9. Create identically named SaaS Quality profiles for both the hub and branch firewalls.
10. Allow the hubs to participate in DIA AnyPath.
11. Create an SD-WAN policy rule for specific application(s) to use DIA AnyPath.
12. Route new sessions that don’t match any SD-WAN policy rule and sessions that arrive during a Panorama or firewall configuration change.
13. Commit and Push to Devices.
14. Create a Security policy rule to allow DIA traffic to the Destination Zones named zone-internet and zone-to-hub and specify the Applications subject to the rule. Commit and push to the branches.