How to migrate to SDWAN setup? - Knowledge Base - Palo Alto Networks


26736
Created On 05/06/21 02:07 AM - Last Modified 06/14/22 03:07 AM


Objective


This article shows how to migrate two firewalls to an SD-WAN architecture.

Base architecture:

(Figure: base architecture)
Both firewalls are dual-homed to the Internet: one link is the primary link and the second is a backup, used only if the primary link fails.
The public-facing interfaces (E1/1 and E1/2) are in the L3-Untrust zone; the internal interface (E1/6) is in the L3-Trust zone.

Target architecture:

Once SD-WAN is deployed, the WAN section is handled by the overlay data plane.

(Figure: sdwan dataplane)


Below is the actual setup introduced with SD-WAN:

  • multiple IPsec tunnels are created to link HQ to Site-A; they are bundled in the sdwan.902 interface.
  • the Internet access (DIA) interfaces are attached to the sdwan.901 interface.

(Figure: target architecture)



Environment


  • PAN-OS 9.1 or above
  • Panorama
  • SDWAN plugin


Procedure


Planning

Routing

The available routing options are static routing or BGP.
The traffic-engineering possibilities with BGP are limited; its main benefit is removing the administrative overhead of managing static routes.

Number of tunnels

For a SD-WAN interfaces on the hub and b on the branch, the plugin creates up to a*b tunnels between the hub and that branch.
In a hub-and-spoke topology with n spokes, the hub therefore ends up with up to n*a*b IPsec tunnels generated by the SD-WAN plugin.
The actual number depends on how many interfaces of each type (DIA / VPN) are used: DIA interfaces get a full mesh of tunnels between them, while a VPN (private) interface gets a single tunnel.
The total must stay within the number of IPsec tunnels supported by the firewall model.

VPN address pool

A VPN address pool must be defined so that the VPN cluster can assign IP addresses to the tunnels. Up to 20 pools can be defined.
Based on the tunnel count above, the number of addresses needed is twice the total number of tunnels (each tunnel needs two IP addresses, one per end).
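Added example (not part of the original article and not Palo Alto Networks code): a small Python script that applies the sizing rules above to a hub-and-spoke design and checks the result against the VPN address pool and the firewall's tunnel limit. The `Site`, `tunnels_between` and `plan` names, the topology, the pool prefix and the per-model tunnel limit are all constructed for the example; the rule that one private (VPN) link pair yields exactly one tunnel is taken from the text and should be confirmed against your plugin release.

```python
"""Capacity planning for an SD-WAN hub-and-spoke deployment (added example).

Applies the sizing rules from the article: DIA interfaces form a full mesh of
tunnels, a private (VPN) interface gets a single tunnel, each tunnel consumes
two addresses from the VPN address pool, and at most 20 pools can be defined.
The per-model tunnel limit is an input you take from the firewall datasheet.
"""
import ipaddress
from dataclasses import dataclass

MAX_POOLS = 20            # from the article: up to 20 VPN address pools
ADDRS_PER_TUNNEL = 2      # from the article: one tunnel needs two IP addresses


@dataclass(frozen=True)
class Site:
    name: str
    dia: int   # number of DIA (Internet) interfaces enabled for SD-WAN
    vpn: int   # number of private (VPN) interfaces enabled for SD-WAN


def tunnels_between(hub: Site, branch: Site) -> int:
    """Tunnels the plugin generates between one hub and one branch.

    DIA: full mesh, so hub.dia * branch.dia tunnels.
    VPN: one tunnel per private link pair (assumption: each hub private
    interface pairs with one branch private interface).
    """
    return hub.dia * branch.dia + min(hub.vpn, branch.vpn)


def plan(hub: Site, branches: list, pools: list, max_tunnels: int) -> dict:
    """Sizing result for the whole cluster.

    max_tunnels is the IPsec tunnel limit of the hub's firewall model
    (caller-supplied; this script cannot know it).
    """
    if len(pools) > MAX_POOLS:
        raise ValueError(f"at most {MAX_POOLS} VPN address pools are allowed")
    per_branch = {b.name: tunnels_between(hub, b) for b in branches}
    total = sum(per_branch.values())
    addresses_needed = total * ADDRS_PER_TUNNEL
    # Count every address in every pool; the plugin draws tunnel addresses from them.
    pool_capacity = sum(ipaddress.ip_network(p, strict=True).num_addresses
                        for p in pools)
    return {
        "tunnels_per_branch": per_branch,
        "hub_tunnels": total,
        "within_firewall_limit": total <= max_tunnels,
        "addresses_needed": addresses_needed,
        "pool_capacity": pool_capacity,
        "pool_sufficient": pool_capacity >= addresses_needed,
    }


if __name__ == "__main__":
    # Constructed topology: HQ with two Internet links and one private link,
    # and ten identical branches. 1000 is a placeholder tunnel limit.
    hq = Site("HQ", dia=2, vpn=1)
    sites = [Site(f"Site-{i}", dia=2, vpn=1) for i in range(1, 11)]
    for key, value in plan(hq, sites, ["10.255.0.0/25"], max_tunnels=1000).items():
        print(f"{key}: {value}")
```

Run it once per design change: if `pool_sufficient` or `within_firewall_limit` comes back False, add pools or reduce the number of SD-WAN interfaces before creating the VPN cluster, because the plugin only reveals the shortfall at push time.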

BGP loopback pool

If BGP is chosen over static routing to advertise the subnets, an address pool must also be defined for BGP.
An address from that pool is automatically assigned to the loopback.901 interface (which the SD-WAN plugin also creates).

BGP AS number

If BGP is chosen as the routing protocol, the BGP AS number pool must be defined.
If 4-byte AS numbers are required, the corresponding option must be enabled in the virtual router configuration.

Firewall pushed configuration

The interfaces and the virtual router configuration must be managed entirely from Panorama.

Implementation

 

Create a new template

  1. Go to Panorama>Templates
    Add a new template
  2. Click on Add.
  3. Give a name to the template - in this case, "sdwan-branch".
    Note : Do not create the "sdwan-hub" template right now.
    Create the template
  4. Click on OK.

Create a new device group

  1. Go to Panorama>Device Groups
    Add a new Device Group
  2. Click on Add.
  3. Set the name of the Device Group.
  4. Set the Parent Device Group to "Shared"
    configure the Device Group
  5. Click on OK.

Create the security zones

The security zones "zone-public", "zone-to-hub", "zone-to-branch" and "zone-internal" must be created for the SD-WAN plugin to work correctly.
Note that zone names are case sensitive.
The existing zones (in this case "L3-Trust" and "L3-Untrust") must also be created in the template, otherwise the existing security policies that reference them no longer apply.
  1. Go to Network>Zones.
    Make sure to select the template created earlier (sdwan-branch)
    Add a security zone
  2. Click on Add.
  3. Set the zone name.
  4. Set the zone type to Layer3
    Create the security zone
  5. Click on OK.

Create the virtual router

  1. Go to Network>Virtual Routers
    Make sure to select the template created earlier (sdwan-branch)
    Add a virtual router
  2. Click on Add.
  3. Set the name of the virtual router to the name of the virtual router already present on the device.
    In this case, the virtual router is named "default".
    Create the virtual-router
  4. Click on OK.

Create the interfaces

The interfaces attached to the virtual router must be created in this template.
Because the template is meant to be reused by all branches, template variables are used for the per-device values.
The interfaces E1/1 (L3-Untrust), E1/2 (L3-Untrust) and E1/6 (L3-Trust) will therefore be created.

  1. Go to Network>Interfaces>Ethernet
    Make sure to select the template created earlier (sdwan-branch)
    Add an interface
  2. Click on Add Interface.
In the new window:
  1. Set the slot
  2. Set the interface name.
  3. Set the interface type.
    Create the interface - general

Config tab

  1. Set the Virtual Router to the virtual router created earlier.
  2. Set the Virtual System.
    Note: the Virtual System field is only visible on Panorama when the template is set to multi-vsys mode.
  3. Set the Security Zone to the actual security zone (L3-Untrust).
    Config tab settings

IPv4 tab

  1. Check the option Enable SD-WAN.
    Enable SD-WAN
  2. Click on Add.
  3. Click on the IP field.
  4. Click on New Variable.
    Set the Variable for the IP address
In the new window :
  1. Set the variable name.
  2. Set the value to None.
    Create the IP address variable
  3. Click on OK.
  4. Click on the next hop gateway field.
  5. Click on New Variable.
    Set the Variable for the next hop gateway
In the new window:
  1. Set the variable name.
  2. Set the value to None.
    Create the next hop gateway variable
  3. Click on OK.

SDWAN tab

  1. Click on the SD-WAN Interface Profile.
  2. Click on New SD-WAN Interface Profile.
    Add a new SD-WAN Interface Profile
In the new window:
  1. Set the Name of the interface profile.
  2. Set the link tag associated with this profile.
  3. Set the link parameters.
    Create the link profile
  4. Click on OK twice.
Repeat the same steps for interfaces E1/2 and E1/6.

Create the SDWAN interface

  1. Go to Network>Interfaces>SD-WAN
    Make sure to select the template created earlier (sdwan-branch).
    Add the SD-WAN interface
  2. Click on Add.
In the new window:
  1. Set the interface name
    Note: the Link Tag field here is used by the SD-WAN DIA AnyPath feature, which is not in the scope of this document.
    Create the SD-WAN interface

Config tab

  1. Set the virtual Router to the virtual router created earlier.
  2. Set the Virtual System.
    Note: the Virtual System field is only visible on Panorama when the template is set to multi-vsys mode.
  3. Set the Security Zone to the actual security zone (L3-Untrust).
    SD-WAN configuration

Advanced tab

For each interface to be attached to this SD-WAN interface:
  1. Click on Add.
  2. Select the interface to bundle into this SD-WAN interface.
    Note: all bundled interfaces must be of the same type (DIA or VPN).
    In this case, the interfaces E1/1 and E1/2 are added.
    Select the interfaces to be used in the SD-WAN bundle
  3. Click on OK.

Routing

Static routing

Static routes can point either to the DIA or to the VPN SD-WAN interface.
The name of the static route matters: it must follow the format $peerhostname_clustername.customname.
For routes pointing to the DIA interface, the peerhostname value must be DIA.

Note: the default route pointing to the DIA SD-WAN interface is created automatically by the plugin.

Example : Create the default route to sdwan.1
  1. Go to Network>Virtual Routers
    Make sure to select the template created earlier (sdwan-branch).
  2. Click on the virtual router created earlier (default).
    Edit the virtual router configuration
In the new window:
  1. Go to Static Routes.
  2. Click on Add.
    Add a static route
In the new window:
  1. Set the Name of the static route.
    For VPN routes, the name must be $peerhostname_clustername.customname.
    For DIA routes, the name must be $DIA_clustername.customname.
  2. Set the Destination to 0.0.0.0/0.
  3. Set the Interface to sdwan.1.
    For an SD-WAN route, select the "sdwan" interface.
  4. Set the Next Hop to None.
    Note: do not change the default metric.
    Set the default route
  5. Click OK twice.
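Added example (not part of the original article and not Palo Alto Networks code): a Python validator for the static-route naming convention above, which is easy to get wrong when many routes are typed by hand in a template. The page gives the pattern $peerhostname_clustername.customname with the peer part fixed to DIA for DIA routes; the leading "$" is taken literally from that pattern. The `parse_route_name` and `check_route` names, the 31-character length limit, the allowed character set for each part, and the sample routes are this example's assumptions; check the limit against your PAN-OS release.

```python
"""Validator for SD-WAN plugin static-route names (added example).

Pattern from the article: $peerhostname_clustername.customname, where the
peer part is literally DIA for routes that point to the DIA interface.
"""
import re
from typing import Optional

MAX_NAME_LEN = 31   # assumption: PAN-OS limit for static route names; verify for your release
_PART = r"[A-Za-z0-9-]+"   # assumption: hostnames, cluster names and custom names use these chars
_ROUTE_RE = re.compile(rf"^\$(?P<peer>{_PART})_(?P<cluster>{_PART})\.(?P<custom>{_PART})$")


def parse_route_name(name: str) -> dict:
    """Split a route name into peer, cluster and custom parts and classify it.

    Raises ValueError when the name is too long or does not follow the pattern.
    """
    if len(name) > MAX_NAME_LEN:
        raise ValueError(f"{name!r}: longer than {MAX_NAME_LEN} characters")
    m = _ROUTE_RE.match(name)
    if not m:
        raise ValueError(f"{name!r}: expected $peerhostname_clustername.customname")
    parts = m.groupdict()
    parts["kind"] = "DIA" if parts["peer"] == "DIA" else "VPN"
    return parts


def check_route(name: str, interface: str, next_hop: Optional[str], cluster: str) -> list:
    """Return the list of problems for one static route (empty list means OK).

    Checks the naming pattern, that the cluster part matches the VPN cluster the
    device belongs to, that the route points at an sdwan.N interface, and that
    the next hop is left empty, as the article instructs for SD-WAN routes.
    """
    try:
        parts = parse_route_name(name)
    except ValueError as e:
        return [str(e)]
    problems = []
    if parts["cluster"] != cluster:
        problems.append(f"cluster part {parts['cluster']!r} != VPN cluster {cluster!r}")
    if not interface.startswith("sdwan."):
        problems.append(f"interface {interface!r} is not an sdwan.N interface")
    if next_hop is not None:
        problems.append("next hop must be None for SD-WAN routes")
    return problems


if __name__ == "__main__":
    # Constructed routes: the article's default route, a VPN route towards HQ,
    # and two mistakes (free-form name, next hop set on a physical interface).
    routes = [
        ("$DIA_cluster1.default", "sdwan.1", None),
        ("$HQ_cluster1.lan", "sdwan.902", None),
        ("default-route", "sdwan.1", None),
        ("$DIA_cluster1.default", "ethernet1/1", "3.3.3.2"),
    ]
    for route_name, iface, nh in routes:
        print(route_name, check_route(route_name, iface, nh, cluster="cluster1") or "OK")
```

Feed it the static routes of each template before the push; a route whose name does not parse is exactly the kind of entry the plugin silently ignores, and the traffic then follows whatever route remains.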

Dynamic Routing - BGP

The configuration of the BGP routing setting is done in the SDWAN plugin section.
See Section Migration / SD-WAN Plugin.

Create the Traffic distribution Profile

  1. Go to Objects>Traffic Distribution Profile.
    Make sure to select the device group created earlier (SDWAN).
    Add a new traffic distribution
  2. Click on Add.
  3. Set the name for the traffic distribution.
  4. Set the distribution method:
    • best available: all links that carry the link tag and meet the path quality thresholds are considered, and the best of them is used.
    • top down priority: links with the first link tag are considered first; if none qualifies, links with the next link tag are considered, and so on.
    • weighted session distribution: sessions are load-shared according to the weight set on each link tag.
  5. Click on Add.
  6. Select the link tag to consider.
    Traffic distribution configuration
  7. Click on OK.

Create the Path Quality Profile

Several predefined path quality profiles already exist.
However, a dedicated path quality profile must be created for the catch-all SD-WAN rule (see next section).
  1. Go to Objects>Path Quality Profile.
    Make sure to select the device group created earlier (SDWAN).
    Add a Path Quality Profile
  2. Click on Add.
  3. Set the Path Quality Profile Name.
  4. Set the latency, jitter and packet loss thresholds to the worst situation that is still acceptable.
    Configure the Path Quality Profile
  5. Click on OK.

Create a default SDWAN rule (catch all)

  1. Go to Policies>SD-WAN>Post rules.
    Make sure to select the device group created earlier (SDWAN).
  2. Create an SD-WAN rule that catches all traffic:
    • Source: any zone
    • Destination: any zone
    • Path Quality Profile: worse-scenario
    • Traffic Distribution Profile: best-effort
    Catch All rule
    Note: this catch-all rule must stay at the bottom of the rule set, because SD-WAN rules are evaluated top-down and the first match wins.
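Added example (not part of the original article and not Palo Alto Networks code): a Python simulation of how the three objects configured above fit together, covering the traffic distribution methods, the path quality profile thresholds and the top-down rule lookup that makes the catch-all position matter. The classes (`Link`, `PathQualityProfile`, `TrafficDistributionProfile`, `SdwanRule`), the sample links, thresholds and rules are constructed; the tie-break choices (lowest latency for "best available", weighted round robin keyed on the session number) are this example's assumptions and not the product's documented algorithm.

```python
"""SD-WAN rule lookup and path selection, simulated (added example).

Models the article's objects: a path quality profile is a set of thresholds,
a traffic distribution profile is a method plus an ordered list of link tags
(with a weight per tag for the weighted method), and SD-WAN rules are matched
top-down with the catch-all rule last.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Link:
    name: str
    tag: str
    latency_ms: float
    jitter_ms: float
    loss_pct: float


@dataclass(frozen=True)
class PathQualityProfile:
    name: str
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def ok(self, link: Link) -> bool:
        """A link is usable only if it is within all three thresholds."""
        return (link.latency_ms <= self.max_latency_ms
                and link.jitter_ms <= self.max_jitter_ms
                and link.loss_pct <= self.max_loss_pct)


@dataclass(frozen=True)
class TrafficDistributionProfile:
    name: str
    method: str                  # "best-available" | "top-down" | "weighted"
    tags: tuple                  # ordered: the first tag has the highest priority
    weights: dict = field(default_factory=dict)   # per tag, "weighted" only


@dataclass(frozen=True)
class SdwanRule:
    name: str
    src_zone: str                # "any" matches every zone
    dst_zone: str
    pqp: PathQualityProfile
    tdp: TrafficDistributionProfile


def match_rule(rules, src_zone, dst_zone):
    """First rule whose zones match wins, which is why the catch-all must be last."""
    for r in rules:
        if r.src_zone in ("any", src_zone) and r.dst_zone in ("any", dst_zone):
            return r
    return None


def select_link(links, rule, session_id=0):
    """Name of the link chosen for a session, or None if no link qualifies."""
    healthy = [l for l in links if l.tag in rule.tdp.tags and rule.pqp.ok(l)]
    if not healthy:
        return None                      # nothing meets the profile: no SD-WAN path
    if rule.tdp.method == "best-available":
        return min(healthy, key=lambda l: l.latency_ms).name   # assumption: best = lowest latency
    if rule.tdp.method == "top-down":
        return next(l for t in rule.tdp.tags for l in healthy if l.tag == t).name
    if rule.tdp.method == "weighted":
        # Deterministic weighted round robin over the tags that still have a healthy link.
        buckets = [(t, rule.tdp.weights.get(t, 0)) for t in rule.tdp.tags
                   if any(l.tag == t for l in healthy)]
        slot = session_id % (sum(w for _, w in buckets) or 1)
        for tag, w in buckets:
            if slot < w:
                return next(l for l in healthy if l.tag == tag).name
            slot -= w
        return healthy[0].name           # all weights zero: fall back to any healthy link
    raise ValueError(f"unknown method {rule.tdp.method!r}")


# Constructed sample: two Internet links and three rules, catch-all last.
LINKS = [Link("wan-1", "broadband", 30, 5, 0.1), Link("wan-2", "lte", 80, 20, 1.0)]
VOICE = PathQualityProfile("voice", 100, 10, 1.0)
WORST = PathQualityProfile("worse-scenario", 500, 100, 10)
RULES = [
    SdwanRule("voice", "zone-internal", "zone-to-hub", VOICE,
              TrafficDistributionProfile("prefer-broadband", "top-down", ("broadband", "lte"))),
    SdwanRule("bulk", "zone-internal", "zone-public", WORST,
              TrafficDistributionProfile("share-3-1", "weighted", ("broadband", "lte"),
                                         {"broadband": 3, "lte": 1})),
    SdwanRule("catch-all", "any", "any", WORST,
              TrafficDistributionProfile("best-effort", "best-available", ("broadband", "lte"))),
]


def route_session(links, src_zone, dst_zone, session_id=0):
    """Return (rule name, link name) for one flow."""
    rule = match_rule(RULES, src_zone, dst_zone)
    return rule.name, select_link(links, rule, session_id)


if __name__ == "__main__":
    print(route_session(LINKS, "zone-internal", "zone-to-hub"))
    degraded = [Link("wan-1", "broadband", 150, 5, 0.1), LINKS[1]]
    print(route_session(degraded, "zone-internal", "zone-to-hub"))   # voice: no usable path
    print(route_session(degraded, "zone-to-branch", "zone-public"))  # catch-all picks wan-2
```

The degraded case shows why the catch-all needs a deliberately loose profile: with the strict voice thresholds neither link qualifies and the session has no SD-WAN path at all, whereas the worse-scenario profile still lets the catch-all pick the least-bad link.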

Override the default monitor profile (optional)

The default monitor profile created by the SDWAN plugin is set to "Wait Recover".
  1. Go to Network>Monitor.
    Make sure to select the template created earlier (sdwan-branch).
    Override the default monitor profile
  2. Click on Add.
  3. Set the name to sdwan-default.
    Note: the name is case sensitive.
  4. Set the action to Fail Over.
    The monitor profile configuration
  5. Click on OK.

Create another template (optional)

So far only one template has been created (named sdwan-branch, since it is meant for the branches).
A second template is needed when the hub and the branches have different setups, for instance when the interfaces in use differ or the hub needs specific routing settings.
  1. Go to Panorama>Templates.
  2. Select the template created earlier.
    Clone the template
  3. Click on Clone.
  4. Rename the template
  5. Edit the new template with the specific settings for the Hub.

SD-WAN plugin

  1. Go to Panorama>VPN Clusters.
  2. Click on VPN Address Pool.
    Add the VPN Address Pool
  3. Click on Add.
  4. Enter the Address pool(s).
    Add the Address Pool(s)
  5. Click on OK.
  6. Click on Add.
    Add a VPN Cluster
  7. Set the Name of the VPN Cluster.
  8. Set the type of the VPN Cluster.
    Note : Mesh is available only from PAN-OS 10.0.3
    Set the VPN Cluster
  9. Click on OK.

Commit

Commit the configuration on Panorama.

Migration

Template

  1. Go to Panorama>Templates.
  2. Select the template stack of the devices to be migrated
    Note : all devices using the template stack will be migrated.
    Edit the template stack
  3. Add the SD-WAN template (sdwan-branch).
  4. Move it above any template containing virtual router or interface configuration, so that its settings take precedence in the stack.
    Add the template into the template stack
  5. Click on OK.

Device Group

  1. Go to Panorama>Device Groups.
  2. Select the Device group of the devices to be migrated
    Note: all devices assigned to the device groups will be migrated.
    Edit the Device Group
  3. Change the Parent Device Group to SDWAN.
    Change the Parent Device Group
  4. Click on OK.

Variables

  1. Go to Panorama>Summary.
  2. Click on Create.
    Note: if some variables were already set, the "Create" link becomes "Edit".
    Create the variables
  3. Click on No.
    Click on No
  4. Click on OK.
In the new window.
  1. Click on the variable to set.
    Override the variable $wan-1-ip
  2. Click on Override.
  3. Set the value which will be assigned to the firewall.
    In this case, the Interface E1/1 IP Address is set to 3.3.3.1/30 for the device HQ.
    Definition of the variable $wan-1-ip
  4. Click on OK.
  5. Perform the same for the other variables.
    All variables are overridden.
  6. Click on Close.
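Added example (not part of the original article and not Palo Alto Networks code): a Python check of the per-device variable overrides before the push. The page names only the variable $wan-1-ip and the value 3.3.3.1/30 for HQ; the other variable names ($wan-1-nh, $wan-2-ip, $wan-2-nh, $lan-ip), the second device, the TEST-NET addresses and the `check_device` / `check_all` helpers are constructed for the example. Panorama accepts the IP and next-hop variables independently, so the mistakes caught here (a variable left at None, a gateway outside the interface subnet, an address reused on another device) otherwise surface only after the push, as a branch that never brings its tunnels up.

```python
"""Pre-push validation of template variable overrides (added example).

The article uses $wan-1-ip = 3.3.3.1/30 for the device HQ; every other
variable name and value below is constructed for the example.
"""
import ipaddress

TEMPLATE_VARS = ("$wan-1-ip", "$wan-1-nh", "$wan-2-ip", "$wan-2-nh", "$lan-ip")
LINKS = (("$wan-1-ip", "$wan-1-nh"), ("$wan-2-ip", "$wan-2-nh"))   # (interface IP, next hop) pairs


def check_device(name: str, overrides: dict) -> list:
    """Return the problems found in one device's overrides ([] means OK)."""
    problems = []
    for var in TEMPLATE_VARS:
        if overrides.get(var) is None:      # "None" is the template default, never a valid push value
            problems.append(f"{name}: {var} not overridden (still None)")
    for ip_var, nh_var in LINKS:
        ip_val, nh_val = overrides.get(ip_var), overrides.get(nh_var)
        if ip_val is None or nh_val is None:
            continue                        # already reported above
        try:
            iface = ipaddress.ip_interface(ip_val)
            gw = ipaddress.ip_address(nh_val)
        except ValueError as e:
            problems.append(f"{name}: {ip_var}/{nh_var}: {e}")
            continue
        if gw not in iface.network:
            problems.append(f"{name}: {nh_var}={gw} is outside {iface.network}")
        elif gw == iface.ip:
            problems.append(f"{name}: {nh_var} equals the interface address")
    return problems


def check_all(devices: dict) -> list:
    """Run the per-device checks and flag WAN addresses reused across devices."""
    problems = []
    seen = {}
    for name, overrides in devices.items():
        problems += check_device(name, overrides)
        for ip_var, _ in LINKS:
            value = overrides.get(ip_var)
            if value and value in seen:
                problems.append(f"{name}: {ip_var}={value} already used by {seen[value]}")
            elif value:
                seen[value] = name
    return problems


if __name__ == "__main__":
    # Constructed overrides: HQ is complete; Site-A has a gateway outside its
    # /30 and a variable that was never overridden.
    devices = {
        "HQ": {"$wan-1-ip": "3.3.3.1/30", "$wan-1-nh": "3.3.3.2",
               "$wan-2-ip": "192.0.2.1/30", "$wan-2-nh": "192.0.2.2",
               "$lan-ip": "10.1.0.1/24"},
        "Site-A": {"$wan-1-ip": "192.0.2.5/30", "$wan-1-nh": "192.0.2.9",
                   "$wan-2-ip": None, "$wan-2-nh": "192.0.2.14",
                   "$lan-ip": "10.2.0.1/24"},
    }
    for line in check_all(devices) or ["all overrides look consistent"]:
        print(line)
```

Export the override values from Panorama (or keep them in your own source of truth) and run this before every push that adds a site; the checks are cheap and each one corresponds to a failure that is slow to debug once the firewall is remote.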

SD-WAN Plugin

  1. Go to Panorama>Devices.
    Add a device for SD-WAN
  2. Click on Add.
  3. Select the device.
  4. Set the type of the device.
  5. Set the name for the device's site.
If BGP routing is the chosen routing protocol:
  1. Check the BGP option.
  2. Set the router ID (optional).
  3. Set the Loopback address.
  4. Set the AS number.
  5. Click on Add.
  6. Add the prefix(es) to advertise.
    Set the Device SD-wan parameters
  7. Click on OK.
  8. Go to Panorama>VPN Clusters.
    Edit the VPN Cluster
  9. Click on the VPN Cluster created earlier.
In the new window:
  1. Click on Add.
  2. Select the device you have added. The device list is filtered by the device type defined earlier (hub or branch).
    If the device added is a gateway, the hub failover priority must be defined (a lower priority value takes precedence).
    Add a device into the VPN Cluster
  3. Click on OK.

Commit

Commit and push the configuration to the device.


Additional Information


Configuring the sdwan.1 interface and its associated default route is not mandatory.
However, it helps to visualise the configuration in Panorama, since the configuration auto-generated by the SD-WAN plugin is not visible there.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001VJZCA2&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail