Network > Network Profiles > SD-WAN Interface Profile
Create an SD-WAN Interface Profile to tag physical links with a Link Tag, to declare the bandwidth of each link, and to control how the firewall monitors the link (probe rate, idle time between probe sets, and how long a recovered link must stay healthy before it is used again).
SD-WAN Interface Profile Settings | Description
---|---
Name | Enter a name for the SD-WAN Interface Profile (maximum of 31 characters). The name must begin with an alphanumeric character and can contain letters, numbers, underscores (_), hyphens (-), periods (.), and spaces.
Location | On a multi-vsys firewall, select the virtual system in which the profile is available.
Link Tag | Select the Link Tag that this profile assigns to the interface, or add a new tag. A Link Tag bundles physical links (for example, links from different ISPs) into a group that the firewall selects from during path selection and failover.
Description | It is a best practice to enter a user-friendly description of the profile.
Link Type | Select the physical link type from the predefined list: ADSL/DSL, Cable Modem, Ethernet, Fiber, LTE/3G/4G/5G, MPLS, Microwave/Radio, Satellite, WiFi, Private Link1, Private Link2, Private Link3, Private Link4, or Other. With PAN-OS 11.1.3, SD-WAN plugin 3.2.1 and later releases support the additional point-to-point private link types Private Link1, Private Link2, Private Link3, and Private Link4. The firewall supports any CPE device that terminates the link and hands it off to the firewall as Ethernet; WiFi access points, LTE modems, and laser-microwave CPEs all terminate with an Ethernet hand-off. For existing PAN-OS deployments that already have zones defined on interfaces that will be used for SD-WAN, Panorama may automatically rename the interface's zone to one of the predefined SD-WAN zones when: (1) the SD-WAN interface is configured with a point-to-point private link type (MPLS, Satellite, Private Link1, Private Link2, Private Link3, Private Link4, or Microwave) in its Interface Profile; and (2) VPN Data Tunnel Support is disabled (unchecked) on the SD-WAN Interface Profile, which instructs PAN-OS to forward the traffic unencrypted, outside the SD-WAN VPN tunnel. Because the Private Link1, Private Link2, Private Link3, and Private Link4 link types do not support unencrypted traffic between an SD-WAN branch firewall and an SD-WAN hub firewall, you must leave VPN Data Tunnel Support enabled when you configure these link types. On the hub firewall, the zone is named "zone-to-branch" when condition (1) is met. On the branch firewall, the zone is named "zone-to-hub" when both condition (1) and condition (2) are met. Panorama automates this step to simplify configuration and to ensure proper communication between the hub and branch firewalls. If preexisting firewall policies reference the old zone name, you must update them to the new predefined SD-WAN zone name; rules that still reference the old name no longer apply to traffic in the renamed zone.
Maximum Download (Mbps) | Enter the maximum download speed of the link from the ISP, in megabits per second (range is 1 to 100,000; there is no default value). Ask your ISP for the link speed, or sample the link's maximum speed with a tool such as speedtest.net and average the maximums over a representative period.
Maximum Upload (Mbps) | Enter the maximum upload speed of the link to the ISP, in megabits per second (range is 1 to 100,000; there is no default value). Ask your ISP for the link speed, or sample the link's maximum speed with a tool such as speedtest.net and average the maximums over a representative period.
Eligible for Error Correction Profile interface selection | Select this setting to make the interfaces where you apply this profile eligible for the encoding firewall to select them for Forward Error Correction (FEC) or packet duplication. Both techniques send additional packets and therefore consume extra bandwidth; deselect this setting so that FEC or packet duplication is never used on an expensive or metered link (interface) where you apply the profile. The Link Type specified for the profile determines whether this setting is selected by default. To configure FEC or packet duplication, create an SD-WAN Error Correction Profile.
VPN Data Tunnel Support | Determines whether branch-to-hub traffic and its return traffic flow through the SD-WAN VPN tunnel for added security (enabled by default) or outside the VPN tunnel to avoid encryption overhead. With the setting disabled, the traffic crosses the link without IPSec protection. The Private Link1, Private Link2, Private Link3, and Private Link4 link types do not support unencrypted branch-to-hub traffic, so leave the setting enabled for those link types.
VPN Failover Metric | (PAN-OS 10.0.3 and later releases) When you configure DIA AnyPath, you need a way to specify the failover order of the individual VPN tunnels bundled in the hub virtual interface or branch virtual interface to which DIA traffic fails over. Specify the VPN Failover Metric for the VPN tunnel on the link where you apply this profile (range is 1 to 65,535; default is 10). The lower the metric value, the higher the priority of the tunnel during failover. For example, apply a profile with a low metric to a broadband interface, and a different profile with a high metric to an expensive LTE interface, so that LTE is used only after broadband has failed. If the hub has only one link, that link carries all of the virtual interfaces and DIA traffic. To use link types in a specific order, apply a Traffic Distribution profile to the hub that specifies Top Down Priority, and order the Link Tags in the preferred order. (If the Traffic Distribution profile instead specifies Best Available Path, the firewall chooses the best-performing path to the branch regardless of link cost.) In summary, the Link Tag order in a Traffic Distribution profile, the Link Tag applied to a hub virtual interface, and the VPN Failover Metric take effect only when the Traffic Distribution profile specifies Top Down Priority.
Path Monitoring | Select the path monitoring mode (Aggressive or Relaxed) that the firewall uses on the interfaces where you apply this SD-WAN Interface Profile. In Aggressive mode the firewall sends probes continuously at the Probe Frequency; in Relaxed mode it pauses for the Probe Idle Time between sets of probes, which reduces probe traffic on the link.
Probe Frequency (per second) | Enter the number of probe packets per second that the firewall sends to the opposite end of the SD-WAN link (range is 1 to 5; default is 5).
Probe Idle Time (seconds) | If you select Relaxed path monitoring, enter the time (in seconds) that the firewall waits between sets of probe packets (range is 1 to 60; default is 60).
Failback Hold Time (seconds) | Enter the time (in seconds) that a recovered link must remain qualified before the firewall reinstates it as the preferred link after it has failed over (range is 20 to 120; default is 120). The hold time prevents a link that has only just recovered from being reinstated as the preferred link and then failing again immediately (flapping).