
Create the Predefined Zones in Panorama


Create the predefined zones in Panorama.
SD-WAN policy rules use predefined zones for internal path selection and traffic forwarding. There are two use cases, depending on whether you are enabling SD-WAN on current PAN-OS® firewalls that already have Security policy rules, or starting a brand new PAN-OS deployment with no previous Security policy rules. If your current firewalls already have Security policy rules in place, you map your existing zones to the predefined zones that SD-WAN policies use.
The SD-WAN engine uses the predefined zones to forward traffic. Creating the predefined zones in the Panorama™ templates also gives you consistent visibility between the managed firewalls and Panorama:
  • Zone Internet—For traffic going to and coming from the untrusted internet.
  • Zone to Hub—For traffic going from branch firewalls to hub firewalls and for traffic going between hub firewalls.
  • Zone to Branch—For traffic going from hub firewalls to branch firewalls and for traffic between branch firewalls.
  • Zone Internal—For internal traffic at a specific location.
  • (SD-WAN plugin 2.2 and later versions) Zone to PA Hub—For internal traffic to reach Prisma Access hub.
    (SD-WAN plugin 2.2 and later versions) Before you enable Zone to PA Hub for Prisma Access hub support, make sure your firewall supports enough zones. When the Zone to PA Hub predefined zone is configured, the SD-WAN plugin consumes one zone from the total zones available on the firewall. The following lower-end firewall models support up to 15 zones, so configuring Zone to PA Hub reduces the zones left for everything else:
    • PA-220
    • PA-220R
    • PA-820
    • VM-Series firewalls on public clouds with two virtual CPUs (AWS, Azure, GCP, OCI, Nutanix, IBM) and private clouds (VMware ESXi, KVM hypervisor, and Nutanix)
    • PA-410
    For example, if you have an existing Security policy with zones assigned to it, you may need to update those zones when you enable Prisma Access hub support, because Prisma Access hub support consumes one of the available zones. Otherwise, traffic that uses that Security policy will fail.
If you don’t create the predefined zones, the SD-WAN plugin will automatically create the predefined zones on your branch and hub firewall, but you won’t see them in Panorama.
There are two main use cases for predefined zones:
  • Existing Zones—You already have pre-existing zones that you created for use in User-ID™ or various policies (Security policy rules, QoS policy rules, zone protection, and packet buffer protection). You must map the pre-existing zones to the predefined zones that SD-WAN uses so the firewall can properly forward traffic. Continue to use your pre-existing zones in all of your policies, because the new predefined zones are used only for SD-WAN forwarding. You map the zones when you Add SD-WAN Devices to Panorama by creating your CSV file. (If you aren’t using a CSV file, you map zones when you configure Panorama > SD-WAN > Devices and add existing zones to Zone Internet, Zone to Hub, Zone to Branch, and Zone Internal.)
    The result of mapping is that a branch or hub firewall can do a forwarding lookup to determine the egress SD-WAN interface and thus the egress zone. If you don’t map pre-existing zones to predefined zones, an allowed session won’t use SD-WAN. The mapping is necessary because existing customers have different zone names in place, and the firewall must narrow all of those zone names down to the predefined zones. You don’t necessarily have to map zones to all of the predefined zones, but you should map existing zones to at least the Zone to Hub and Zone to Branch zones.
  • No Existing Zones—You have a brand new deployment of Palo Alto Networks® firewalls and SD-WAN. In this case, you don’t have zones to map; we recommend you use the predefined zones in your PAN-OS policies and User-ID to simplify deployment.
Before you begin configuring your SD-WAN deployment, for both use cases, create the required predefined zones in Panorama named zone-internet, zone-internal, zone-to-hub, zone-to-branch, and zone-to-pa-hub. When you onboard your branch and hub firewalls, you will Add SD-WAN Devices to Panorama. For pre-existing customers, the SD-WAN plugin internally maps pre-existing zones to these predefined zones when executing SD-WAN policy rules, QoS policy rules, zone protection, User-ID, and packet buffer protection, and uses the predefined zones for zone logging and visibility in Panorama. New customers are set up correctly by using the predefined zones directly.
The predefined zones are also required in order to automatically set up VPN tunnels between your SD-WAN hubs and branches when you push the configuration from Panorama to your managed SD-WAN devices.
The zone names are case-sensitive and must match the names provided in this procedure. Your commit fails on the firewall if the zone names don’t match those described in this procedure.
In this example, we are creating the zone named zone-internet.
  1. Select Network > Zones and, in the Template context drop-down, select the network template you previously created.
  2. Add a new zone.
  3. Enter zone-internet, for example, as the Name of the zone.
  4. For zone Type, select Layer3.
  5. Click OK.
  6. Repeat the previous steps to create the remaining zones. In total, you must create the following zones:
    • zone-to-branch
    • zone-to-hub
    • zone-internal
    • zone-internet
    • zone-to-pa-hub
  7. Commit your changes to Panorama, and then Commit and Push them to your managed SD-WAN devices.
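Because the commit fails on the firewall when a zone name does not match exactly (including case), it is worth checking a template before you push it. The following Python script is an added example, not code from the Palo Alto Networks documentation or the SD-WAN plugin: it parses an exported Panorama template configuration, verifies that all five predefined zones exist with the exact case-sensitive names and the Layer3 type, reports near-misses such as a wrong-case name, and shows how much zone headroom remains on the lower-end models listed above. The XML is a constructed sample shaped like a template export, the 15-zone ceiling table is taken from the list in this section, and the `set template ... zone ... network layer3` command syntax it emits for missing zones is an assumption you should confirm against your Panorama version.

```python
import xml.etree.ElementTree as ET

# Zone names the SD-WAN plugin expects, spelled exactly as in the procedure above.
REQUIRED_ZONES = ("zone-internet", "zone-internal", "zone-to-hub",
                  "zone-to-branch", "zone-to-pa-hub")

# Assumption: zone ceiling for the lower-end models named on this page.
MODEL_ZONE_LIMIT = {"PA-220": 15, "PA-220R": 15, "PA-820": 15, "PA-410": 15}

# Constructed sample of a Panorama template export (not a real export).
# It deliberately contains a wrong-case zone and omits zone-to-pa-hub.
SAMPLE_TEMPLATE_XML = """<config>
 <devices><entry name="localhost.localdomain"><template><entry name="branch-net">
  <config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
   <zone>
    <entry name="zone-internet"><network><layer3/></network></entry>
    <entry name="zone-internal"><network><layer3/></network></entry>
    <entry name="zone-to-hub"><network><layer3/></network></entry>
    <entry name="Zone-To-Branch"><network><layer3/></network></entry>
    <entry name="users-lan"><network><layer3/></network></entry>
    <entry name="tap-mon"><network><tap/></network></entry>
   </zone>
  </entry></vsys></entry></devices></config>
 </entry></template></entry></devices>
</config>"""


def load_zones(xml_text):
    """Return {zone_name: zone_type} for every <zone>/<entry> in the export.

    The type is the tag under <network> (layer3, layer2, tap, ...); None if absent.
    """
    root = ET.fromstring(xml_text)
    zones = {}
    for zone_container in root.iter("zone"):
        for entry in zone_container.findall("entry"):
            network = entry.find("network")
            zone_type = network[0].tag if network is not None and len(network) else None
            zones[entry.get("name")] = zone_type
    return zones


def check_predefined_zones(zones):
    """Classify each required zone as present, missing, wrong case, or wrong type.

    Returns (missing, case_mismatch, wrong_type) where case_mismatch holds
    (name_found, name_expected) pairs, since PAN-OS compares names case-sensitively.
    """
    missing, case_mismatch, wrong_type = [], [], []
    by_lower = {name.lower(): name for name in zones}
    for required in REQUIRED_ZONES:
        if required in zones:
            if zones[required] != "layer3":
                wrong_type.append(required)
        elif required.lower() in by_lower:
            case_mismatch.append((by_lower[required.lower()], required))
        else:
            missing.append(required)
    return missing, case_mismatch, wrong_type


def zone_headroom(zones, model):
    """Zones still available on a lower-end model, or None if the model is not in the table."""
    limit = MODEL_ZONE_LIMIT.get(model)
    return None if limit is None else limit - len(zones)


def fix_commands(template_name, missing):
    """Panorama CLI set commands to create the missing zones (assumed syntax)."""
    return [f"set template {template_name} config vsys vsys1 zone {name} network layer3"
            for name in missing]


if __name__ == "__main__":
    zones = load_zones(SAMPLE_TEMPLATE_XML)
    missing, mismatch, wrong_type = check_predefined_zones(zones)
    print("zones in template:", sorted(zones))
    print("missing:", missing)
    print("case mismatch (found, expected):", mismatch)
    print("wrong type:", wrong_type)
    print("PA-220 headroom:", zone_headroom(zones, "PA-220"))
    for cmd in fix_commands("branch-net", missing):
        print(cmd)
```

Run the script against `SAMPLE_TEMPLATE_XML` and it flags `Zone-To-Branch` as a case mismatch for `zone-to-branch` (the commit would fail on the firewall) and `zone-to-pa-hub` as missing, while counting all six configured zones against the 15-zone ceiling. To check a real deployment, replace the sample with the XML of your network template from a Panorama configuration export.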