How to configure SDWAN: Basic connection

27125
Created On 05/27/22 05:10 AM - Last Modified 07/16/24 02:00 AM


Objective


Configure the basic SDWAN setup using the topology below.

sdwan-topology1.png

Once the needed IPSEC tunnels are up, the routing will look like the diagram below.

sdwan-topology2.png


Environment


  • Panorama with SD-WAN Plugin 2.1.2 installed
  • PAN-OS 10.1.3


Procedure


  1. Add the devices to Panorama
    1. Panorama > Managed Devices > Summary > Add > Serial [paste the firewall's serial number] > click Generate Auth Key (copy and save it in a notepad) > OK > Commit to Panorama

sdwan1.png

  2. Configure the firewall to communicate with Panorama.
    1. Device > Setup > Management > Panorama Settings > click the gear icon
    2. Panorama Server: provide Panorama's IP
    3. Auth Key: paste the key from your notepad
    4. Click OK > Commit

sdwan2.png

  3. Repeat the first two steps for the rest of the firewalls.
  4. Create a template
    1. Panorama > Template > Add > Name: HUB1 > OK
  5. Create a Template Stack by associating the device with a template
    1. Panorama > Template > Add Stack
    2. Name: HUB1_TS
    3. Devices: put a check mark next to the device
    4. TEMPLATES > Add > HUB1 [you can opt to add other templates as shown below, or not]

sdwan3.png

  6. Repeat steps 4 and 5 for the two branches.

sdwan-Templatestack-branch.png

  7. Create the Device Group and associate it with the template
    1. Panorama > Device Groups > Add
    2. Name: HUB1
    3. Parent Device Group: Shared
    4. NAME: put a check mark next to the device
    5. REFERENCE TEMPLATE: Add > HUB1

sdwan-DG.png

  8. Repeat step 7 for the two branches.

sdwan-DG-branch.png

  9. Configure the zones for all the devices. The zones highlighted below must be configured exactly as shown: they are the preconfigured zones that the SD-WAN plugin uses.

sdwan4.png

  10. Configure the security policy needed to allow traffic through SD-WAN; you can tighten the policy accordingly.
    1. Policies > Security > Pre Rules

sdwan5.png
sdwan61.png

  11. Configure the Tags, which will later be used for the Traffic Distribution Profile and the interfaces. For this article, we'll use four different links: Broadband-fast, Broadband-slow, MPLS, and Microwave.
    The tags must be Shared for them to be visible in the other parts of the SD-WAN configuration. Since the tags are shared, you only need to configure them in one Device Group and they will be reflected in the rest.
    1. Objects > Tags > Add

sdwan8.png

 

TOPOLOGY: Connectivity

sdwan-topology1.png
Note: The IP addresses in 172.16.x.x will be used for IPSEC tunnel build-up.
172.16.x (1 digit for the third octet) is used for point-to-multipoint links (Ethernet)
172.16.xx (2 digits for the third octet) is used for point-to-point links (MPLS, Microwave)
With the above, later in this article we'll notice that tunnels form only between links of the same type.
  12. Configure the SD-WAN interface profiles based on the connectivity topology above.
    Since each firewall has its own interface profiles, the three snapshots below show one per firewall in this setup.
    1. Network > SD-WAN Interface Profile
sdwan-interfaceprofile.png
sdwan-interfaceprofile2.png
sdwan-interfaceprofile3.png
  13. Configure the Ethernet interfaces based on the connectivity topology.
    1. Network > Interfaces > Ethernet
sdwan-eth1.png
sdwan-eth2.png
sdwan-eth3.png

 

Topology: Routing

sdwan-topology2.png
  14. Configure routing. We'll use the routing topology as a guide for configuring each device's BGP parameters.
    1. Panorama > SD-WAN > Devices
sdwan-bgp routing.png
  15. The VPN Cluster is where we define how the devices behave in the network.
    1. Panorama > SD-WAN > VPN Cluster > Add
    2. Name: SDWANClustter
    3. Type: Hub-Spoke
    4. Branches: Branch1 & Branch2
    5. Gateways: Hub
    6. Hub Failover Priority: 1
    7. Allow DIA VPN: Checked
sdwan-vpnCLuster.png
  16. Configure the VPN Address Pool, which provides the IP addresses used by each IPSEC tunnel.
    1. Panorama > SD-WAN > VPN Clusters > VPN Address Pool
sdwan-vpnpool.png


Results:

Remember the 1-digit/2-digit third octet? Now you'll see it come into play below.

sdwan-results1.png

Note: sdwan.901 is the logical interface that is used for Direct Internet Access (DIA); in the above, the two ethernet interfaces are part of it.
Of the three sdwan interfaces, sdwan.901 is the only one that doesn't have an IPSEC tunnel in it.

sdwan-results2.png

Note: Although Branch1 has a single SD-WAN interface profile of type Ethernet, two IPSEC tunnels are created to the hub, because Ethernet is a point-to-multipoint link type.

sdwan-results3.png

NOTE: Highlighted above is Branch2's SD-WAN interface profile of type Microwave, a private point-to-point link; this type of link will only form an IPSEC tunnel to another Microwave link.
Other private point-to-point link types are MPLS, Satellite, and Other.
Going back to the result for Branch1, we also have a single IPSEC tunnel via the MPLS link type, which is tunnel.936.
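The same-type pairing rule described in the connectivity note and illustrated by these results, turned into a small checker as an added example (not code from the article or from the PAN-OS SD-WAN plugin): it predicts which hub/branch link pairs should get an IPSEC tunnel, checks the 172.16.x / 172.16.xx third-octet convention, and flags branch links that have no matching hub link. Device names, tags and addresses are constructed sample data.

```python
# Added example, not code from the article or the PAN-OS SD-WAN plugin: a model of the
# pairing rule the article states (IPSEC tunnels form only between hub and branch links
# of the same type) and of its 172.16.x / 172.16.xx third-octet addressing convention.
import ipaddress
from dataclasses import dataclass
# Ethernet is point-to-multipoint; MPLS, Microwave, Satellite and Other are private point-to-point.
POINT_TO_MULTIPOINT = {"ethernet"}

@dataclass(frozen=True)
class Link:
    device: str     # "Hub", "Branch1", ...
    tag: str        # tag from Objects > Tags, e.g. "Broadband-fast"
    link_type: str  # "ethernet", "mpls", "microwave", "satellite", "other"
    address: str    # tunnel-side interface address, e.g. "172.16.1.1/24"

def address_matches_link_type(link: Link) -> bool:
    """Article convention: one-digit third octet for point-to-multipoint links,
    two digits for point-to-point links."""
    octets = str(ipaddress.ip_interface(link.address).ip).split(".")
    digits = len(octets[2])
    return digits == 1 if link.link_type in POINT_TO_MULTIPOINT else digits == 2

def expected_tunnels(hub_links, branch_links):
    """(hub link, branch link) pairs that should each get an IPSEC tunnel. A branch
    link pairs with every hub link of the same type, which is why Branch1's single
    Ethernet profile ends up with two tunnels to the hub."""
    return [(h, b) for b in branch_links for h in hub_links
            if h.link_type == b.link_type]

def unpaired_branch_links(hub_links, branch_links):
    """Branch links with no hub link of the same type: the cluster will never build
    a tunnel for them, so check these before troubleshooting tunnels or BGP."""
    hub_types = {h.link_type for h in hub_links}
    return [b for b in branch_links if b.link_type not in hub_types]

# Constructed sample data using the article's four tags; the addresses are made up.
HUB = [Link("Hub", "Broadband-fast", "ethernet", "172.16.1.1/24"),
       Link("Hub", "Broadband-slow", "ethernet", "172.16.2.1/24"),
       Link("Hub", "MPLS", "mpls", "172.16.10.1/24"),
       Link("Hub", "Microwave", "microwave", "172.16.20.1/24")]
BRANCHES = [Link("Branch1", "Broadband-fast", "ethernet", "172.16.3.1/24"),
            Link("Branch1", "MPLS", "mpls", "172.16.10.2/24"),
            Link("Branch2", "Microwave", "microwave", "172.16.20.2/24"),
            Link("Branch2", "Satellite", "satellite", "172.16.30.1/24")]  # no hub peer

for h, b in expected_tunnels(HUB, BRANCHES):
    print(f"expected tunnel: {b.device}/{b.tag} <-> {h.device}/{h.tag}")
for b in unpaired_branch_links(HUB, BRANCHES):
    print(f"no tunnel possible for {b.device}/{b.tag}: hub has no {b.link_type} link")
```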


Topology: SDWAN interfaces (based on the above results)


sdwan-topology-result.png

sdwan-bgp-results.png


Additional Information


How to configure SDWAN: Traffic Distribution using weighted session distribution
How to configure SDWAN: Traffic Distribution using best available path
How to configure SDWAN: Traffic Distribution using Top Down Priority


How to troubleshoot SD-WAN link down
SDWAN: Validation Error: At most 9 occurrences are allowed for interface/member


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CpkeCAC&lang=en_US