Professional Documents
Culture Documents
2.0
paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2020-2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
December 10, 2020
Configure SD-WAN..........................................................................................15
Install the SD-WAN Plugin.....................................................................................................................17
Install the SD-WAN Plugin When Panorama is Internet-Connected.............................. 17
Install the SD-WAN Plugin When Panorama is not Internet-Connected....................... 17
Set Up Panorama and Firewalls for SD-WAN...................................................................................19
Add Your SD-WAN Firewalls as Managed Devices............................................................ 19
Create an SD-WAN Network Template.................................................................................20
Create the Predefined Zones in Panorama............................................................................21
Create the SD-WAN Device Groups...................................................................................... 23
Create a Link Tag......................................................................................................................................26
Configure an SD-WAN Interface Profile............................................................................................ 27
Configure a Physical Ethernet Interface for SD-WAN.................................................................... 30
Configure a Virtual SD-WAN Interface...............................................................................................32
Create a Default Route to the SD-WAN Interface.......................................................................... 35
Create a Path Quality Profile.................................................................................................................36
Configure SaaS Monitoring.................................................................................................................... 38
Create a SaaS Quality Profile....................................................................................................38
Use Case: Configure SaaS Monitoring for a Branch Firewall............................................ 40
Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch
Firewall to the Same SaaS Application Destination.............................................................41
Use Case: Configure a Hub Firewall Failover for SaaS Monitoring from a Branch
Firewall to a Different SaaS Application Destination..........................................................44
SD-WAN Traffic Distribution Profiles................................................................................................. 47
Create a Traffic Distribution Profile.....................................................................................................52
Create an Error Correction Profile....................................................................................................... 54
Configure an SD-WAN Policy Rule......................................................................................................57
Allow Direct Internet Access Traffic Failover to MPLS Link..........................................................61
Configure DIA AnyPath...........................................................................................................................62
Distribute Unmatched Sessions............................................................................................................ 67
Add SD-WAN Devices to Panorama................................................................................................... 69
Add an SD-WAN Device............................................................................................................69
Bulk Import Multiple SD-WAN Devices.................................................................................72
Configure HA Devices for SD-WAN................................................................................................... 75
Create a VPN Cluster.............................................................................................................................. 76
Create a Full Mesh VPN Cluster with DDNS Service......................................................................84
Create a Static Route for SD-WAN..................................................................................................... 88
iv TABLE OF CONTENTS
SD-WAN Overview
Learn about SD-WAN and plan your configuration to ensure a successful deployment.
5
6 SD-WAN ADMINISTRATOR’S GUIDE | SD-WAN Overview
© 2020 Palo Alto Networks, Inc.
About SD-WAN
Software-Defined Wide Area Network (SD-WAN) is a technology that allows you to use multiple internet
and private services to create an intelligent and dynamic WAN, which helps lower costs and maximize
® ®
application quality and usability. Beginning with PAN-OS 9.1, Palo Alto Networks offers strong security
with an SD-WAN overlay in a single management system. Instead of using costly and time-consuming MPLS
with components such as routers, firewalls, WAN path controllers, and WAN optimizers to connect your
WAN to the internet, SD-WAN on a Palo Alto Networks firewall allows you to use less expensive internet
services and fewer pieces of equipment. You don’t need to purchase and maintain other WAN components.
• PAN-OS Security with SD-WAN Functionality
• SD-WAN Link and Firewall Support
• Centralized Management
Centralized Management
Panorama™ provides the means to configure and manage SD-WAN, which makes configuring multiple
options on many geographically-dispersed firewalls much faster and easier than configuring firewalls
individually. You can change network configurations from a single location rather than configuring each
firewall individually. Auto VPN configuration allows Panorama to configure branches and hubs with secure
IKE/IPSec connections. A VPN cluster defines the hubs and branches that communicate with each other in
a geographic region. The firewall uses VPN tunnels for path health monitoring between a branch and a hub
to provide subsecond detection of brownout conditions.
The Panorama dashboard provides visibility into your SD-WAN links and performance so that you can
adjust path quality thresholds and other aspects of SD-WAN to improve its performance. Centralized
statistics and reporting include application and link performance statistics, path health measurements and
trend analysis, and focused views of application and link issues.
Begin by understanding your SD-WAN use case, then review the SD-WAN configuration elements, traffic
distribution methods, and plan your SD-WAN configuration. To greatly accelerate the configuration, the
best practice is for you to export an empty SD-WAN device CSV and enter information such as branch
office IP address, the virtual router to use, the firewall site name, zones to which the firewall belongs, and
BGP route information. Panorama uses the CSV file to configure the SD-WAN hubs and branches and to
automatically provision VPN tunnels between hubs and branches. SD-WAN supports dynamic routing
through eBGP and is configured using Panorama’s SD-WAN plugin to allow all branches to communicate
with the hub only or with the hub and other branches.
The goal of an SD-WAN configuration is to control which links your traffic takes by specifying the VPN
tunnels or direct internet access (DIA) that certain applications or services take from a branch to a hub or
from a branch to the internet. You group paths so that if one path deteriorates, the firewall selects a new
best path.
• A Tag name of your choice identifies a link; you apply the Tag to the link (interface) by applying an
Interface Profile to the interface, as the red arrow indicates. A link can have only one Tag. The two
yellow arrows indicate that a Tag is referenced in the Interface Profile and the Traffic Distribution
profile. Tags allow you to control the order that interfaces are used for traffic distribution. Tags allow
Panorama to systematically configure many firewall interfaces with SD-WAN functionality.
• An SD-WAN Interface Profile specifies the Tag that you apply to the physical interface, and also
specifies the type of Link that interface is (ADSL/DSL, cable modem, Ethernet, fiber, LTE/3G/4G/5G,
MPLS, microwave/radio, satellite, WiFi, or other). The Interface Profile is also where you specify the
maximum upload and download speeds (in Mbps) of the ISP’s connection. You can also change whether
the firewall monitors the path frequently or not; the firewall monitors link types appropriately by default.
• A Layer3 Ethernet Interface with an IPv4 address can support SD-WAN functionalities. You apply an
SD-WAN Interface Profile to this interface (red arrow) to indicate the characteristics of the interface.
STEP 1 | Plan the branch and hub locations, link requirements, and IP addresses. From Panorama you
will export an empty SD-WAN device CSV and populate it with branch and hub information.
1. Decide the role of each firewall (branch or hub).
2. Determine which branches will communicate with which hubs; each functional group of branch and
hub firewalls that communicate with each other is a VPN cluster. For example, your VPN clusters
might be organized geographically or by function.
3. Determine the ISP link types that each branch and hub support: ADSL/DSL, cable modem, Ethernet,
fiber, LTE/3G/4G/5G, MPLS, microwave/radio, satellite, and WiFi.
4. Determine the maximum download and upload bandwidth (Mbps) that the link types support and
how you want to apply these speed controls to links, as described in Step 2. Record the ISP link’s
maximum download and upload bandwidth (Mbps). This information will serve as reference egress
maximums if you need to configure QoS to control the application bandwidth.
5. Gather the public IP addresses of branch firewalls, whether they are static or dynamically assigned.
The firewall must have an internet-routable, public IP address so it can initiate and terminate IPSec
tunnels and route application traffic to and from the internet.
The ISP’s customer premise equipment must be directly connected to the Ethernet
interface on the firewall.
If you have a device that performs NAT located between the branch firewall and the
hub, the NAT device can prevent the firewall from bringing up IKE peering and IPSec
tunnels. If the tunnel fails, work with the administrator of the remote NAT device to
resolve the issue.
6. Gather the private network prefixes and serial numbers of branch and hub firewalls.
7. Decide the link type of each firewall interface.
Allocate the same link types on the same Ethernet interfaces across the branch
firewalls to make configuration easier. For example, Ethernet1/1 is always cable
modem.
8. Decide on the naming conventions for your sites and SD-WAN devices.
Do not use the simple hostnames “hub” or “branch” because Auto VPN configuration
uses these keywords to generate various configuration elements.
9. If you already have zones in place before configuring SD-WAN, decide how to map those zones
to the predefined zones that SD-WAN uses for path selection. You will map existing zones to the
predefined zones named zone-internal, zone-to-hub, zone-to-branch, and zone-internet.
Information you will enter into a CSV (so that you can add multiple SD-WAN devices
at once) includes: serial number, type of device (branch or hub), names of zones
to map to predefined zones (pre-existing customers), loopback address, prefixes to
redistribute, AS number, router ID, and virtual router name.
STEP 2 | Plan link bundles and VPN security for private links.
A link bundle lets you combine multiple physical links into one virtual SD-WAN interface for purposes of
path selection and failover protection. By having a bundle of more than one physical link, you maximize
application quality in case a physical link deteriorates. You create a bundle by applying the same link tag
STEP 3 | Identify the applications that will use SD-WAN and QoS optimization.
1. Identify the critical and the latency-sensitive business applications for which you will provide SD-
WAN control and policies. These are applications that require a good user experience, and are likely
to fail under poor link conditions.
Start with the most critical and latency-sensitive applications; you can add applications
after SD-WAN is functioning smoothly.
2. Identify the applications that require QoS policies so you can prioritize bandwidth. These should be
the same applications you identified as critical or latency-sensitive.
Start with the most critical and latency-sensitive applications; you can add applications
after SD-WAN is functioning smoothly.
STEP 4 | Determine when and how you want links to fail over to a different link in the event the original
link degrades or fails.
1. Decide on the path monitoring mode for a link, although the best practice is to retain the default
setting for the link type:
• Aggressive—The firewall sends probe packets to the opposite end of the SD-WAN link at a
constant frequency (five probes per second by default). Aggressive mode is appropriate for links
where monitoring path quality is critical; where you need fast detection and failover for brownout
and blackout conditions. Aggressive mode provides subsecond detection and failover.
• Relaxed—The firewall observes a configurable idle time between sending probe packets for seven
seconds (at the probe frequency you configure), which makes path monitoring less frequent than
aggressive mode. Relaxed mode is appropriate for links that have very low bandwidth, links that
are expensive to operate, such as satellite or LTE, or when fast detection isn’t as important as
preserving cost and bandwidth.
2. Prioritize the order in which the firewall selects the first link for a new session and the order in which
links should be a candidate to replace a link that is failing over, if there is more than one candidate.
For example, if you want an expensive backup LTE link to be the last link used (only when the
inexpensive broadband links are oversubscribed or completely down), then use the Top Down
Priority traffic distribution method and place the tag that is on the LTE link last in the list of tags for
the Traffic Distribution profile.
3. For the applications and services, determine the path health thresholds at which you consider a
path to have degraded enough in quality that you want the firewall to select a new path (fail over).
The quality characteristics are latency (range is 10 to 2,000 ms), jitter (range is 10 to 1,000 ms), and
packet loss percentage.
These thresholds constitute a Path Quality profile, which you reference in an SD-WAN policy rule.
When any single threshold (for packet loss, jitter, or latency) is exceeded (and the remaining rule
criteria are met), the firewall chooses a new preferred path for the matching traffic. For example, you
can create Path Quality profile AAA with latency/jitter/packet loss thresholds of 1000/800/10 to use
in Rule 1 when FTP packets come from source zone XYZ, and create Path Quality profile BBB (with
thresholds of 50/200/5) to use in Rule 2 when FTP packets come from source IP address 10.1.2.3.
Best practice is to start with high thresholds and test how the application tolerates them. If you set
the values too low, the application may switch paths too frequently.
Consider whether the applications and services you are using are especially sensitive to latency, jitter,
or packet loss. For example, a video application might have good buffering that mitigates latency
and jitter, but would be sensitive to packet loss, which impacts the user experience. You can set
STEP 5 | Plan the BGP configurations that Panorama will push to branches and hubs to dynamically
route traffic between them.
1. Plan BGP route information, including a four-byte autonomous system number (ASN). Each firewall
site is in a separate AS and therefore must have a unique ASN. Each firewall must also have a unique
Router ID.
2. If you don’t want to use BGP dynamic routing, plan to use Panorama’s network configuration features
to push out other routing configurations. You can do static routing between the branch and hubs.
Simply omit all of the BGP information in the Panorama plugin and use normal virtual router static
routes to perform static routing.
STEP 6 | Consider the capacities of firewall models for virtual SD-WAN interfaces, SD-WAN policy
rules, log size, IPSec tunnels (including proxy IDs), IKE peers, BGP and static route tables, BGP
routing peers, and performance for your firewall mode (App-ID™, threat, IPSec, decryption).
Ensure the branch and hub firewall models you intend to use support the capacities you
require.
15
16 SD-WAN ADMINISTRATOR’S GUIDE | Configure SD-WAN
© 2020 Palo Alto Networks, Inc.
Install the SD-WAN Plugin
A Panorama™ management server with an SD-WAN plugin is required to configure and manage an SD-
WAN deployment. If your Panorama is internet-connected, you download the SD-WAN plugin directly from
Panorama and install it on the Panorama management server. If your Panorama is not internet-connected,
®
you download the SD-WAN plugin from the Palo Alto Networks Customer Support Portal and install it on
the Panorama management server.
• Install the SD-WAN Plugin When Panorama is Internet-Connected
• Install the SD-WAN Plugin When Panorama is not Internet-Connected
STEP 2 | Select Panorama > Plugins, search for the sd_wan plugin and Check Now for the most recent
version of the plugin.
STEP 4 | After you successfully install the SD-WAN plugin, select Commit and Commit to Panorama.
This step is required before you can commit any configuration changes to Panorama.
STEP 5 | Continue to Set Up Panorama and Firewalls for SD-WAN to begin configuring your SD-WAN
deployment.
STEP 2 | Select Updates > Software Updates, and in the Filter By drop-down select Panorama
Integration Plug In.
STEP 5 | Select Panorama > Plugins and Upload the SD-WAN plugin.
STEP 8 | After you successfully install the SD-WAN plugin, select Commit and Commit to Panorama.
This step is required before you can commit any configuration changes to Panorama.
STEP 9 | Continue to Set Up Panorama and Firewalls for SD-WAN to begin configuring your SD-WAN
deployment.
STEP 2 | Activate your SD-WAN license to enable SD-WAN functionality on the firewall.
Each firewall you intend to use in your SD-WAN deployment requires a unique auth code to activate the
license. For example, if you have 100 firewalls, you must purchase 100 SD-WAN licenses and activate
each SD-WAN license on each firewall using one of the 100 unique auth codes.
For VM-Series firewalls, you apply the SD-WAN auth code against the specific VM-Series
firewall. If you deactivate the VM-Series firewall, the SD-WAN auth code can be activated
on a different VM-Series firewall of the same model.
Ensure that your SD-WAN license remains valid to continue leveraging SD-WAN. If the
SD-WAN license expires, the following occurs:
• A warning displays when you Commit any configuration changes but no commit failure
occurs.
• Your SD-WAN configuration no longer functions but is not deleted.
• Firewalls no longer monitor and gather link health metrics and stop sending monitoring
probes.
• Firewalls no longer send app and link health metrics to Panorama.
• SD-WAN path selection logic is disabled.
• New sessions round robin on the virtual SD-WAN interface.
• Existing sessions remain on the specific link they were on when the license expired.
• If an internet outage occurs, traffic follows using standard routing and ECMP if
configured.
3. (Optional) If you have set up a high availability (HA) pair in Panorama, enter the IP address of the
secondary Panorama in the second field.
4. Verify that you Enable pushing device monitoring data to Panorama.
5. Click OK.
6. Commit your changes.
STEP 7 | Repeat Steps 2 through 5 on each firewall you intend to use in your SD-WAN deployment.
If you don’t create the predefined zones, the SD-WAN plugin will automatically create the
predefined zones on your branch and hub firewall, but you won’t see them in Panorama.
The zone names are case-sensitive and must match the names provided in this procedure.
Your commit fails on the firewall if the zone names don’t match those described in this
procedure.
STEP 2 | Select Network > Zones and in the Template context drop-down, select the network template
you previously created.
Configure identical configurations across your hub firewalls and an identical configuration
across your branch firewalls. This greatly reduces the operational overhead of having to
manage the configurations of multiple SD-WAN hubs and branches, and allows you to
troubleshoot, isolate, update configuration issues much more rapidly.
STEP 5 | Create a Security policy rule to control traffic flows from branch offices to the hub’s internal
zone and from the hub’s internal zone to branch offices.
1. Select Policies > Security and in the Device Group context drop-down, select the SD-WAN_Hub
device group.
2. Add a new policy rule.
3. Enter a Name for the policy rule, such as SD-WAN access--hub DG.
4. Select Source > Source Zone and Add the zone-internal and zone-to-branch.
5. Select Destination > Destination Zone and Add the zone-internal and zone-to-branch.
6. Select Application and Add applications to allow.
STEP 6 | Create a Security policy rule to control traffic originating from the branch offices’ internal zone
to the hub and from the hub to the branch offices’ internal zone.
1. Select Policies > Security and in the Device Group context drop-down, select the SD-WAN_Branch
device group.
2. Add a new policy rule.
3. Enter a Name for the policy rule, such as SD-WAN access--branch DG.
4. Select Source > Source Zone and Add the zone-internal and zone-to-hub.
5. Select Destination > Destination Zone and Add the zone-internal and zone-to-hub.
6. Select Application and Add applications to allow.
There are two commit operations that are automatically performed when you commit
and push the device group and template configuration. View the Tasks to verify that
STEP 2 | Select Objects > Tags and select the appropriate device group from the Device Group context
drop-down.
STEP 4 | Enter a descriptive Name for the tag. For example; Low Cost Paths, Expensive Paths, General
Access, Private HQ, or Backup.
STEP 5 | Enable (check) Shared to make the Link Tag available to all device groups on the Panorama™
management server and to every virtual system (vsys) on any multi-vsys hub or branch that you
push to.
By configuring a Shared Link Tag, Panorama is able to reference the Link Tags in the firewall
configuration validation and successfully commits and pushes the configuration to branches and hubs.
The commit fails if Panorama is unable to reference a Link Tag.
STEP 7 | Enter helpful Comments about the tag. For example, Group two low cost broadband
links and a backup link for general access to the internet.
Group links based on a common criterion. For example, group links by path preference from
most preferred to least preferred, or group links by cost.
STEP 2 | Select Network > Network Profiles > SD-WAN Interface Profile and select the appropriate
template from the Template context drop-down.
STEP 4 | Enter a user-friendly Name for the SD-WAN interface profile, which you’ll see in reporting,
troubleshooting, and statistics.
STEP 5 | Select the vsys Location if you have a multi-vsys Panorama™ management server. By default,
vsys1 is selected.
STEP 6 | Select the Link Tag that this profile will assign to the interface.
STEP 8 | Select the physical Link Type from the predefined list (ADSL/DSL, Cable modem, Ethernet,
Fiber, LTE/3G/4G/5G, MPLS, Microwave/Radio, Satellite, WiFi, or Other). The firewall
can support any CPE device that terminates and hands off as an Ethernet connection to the
firewall; for example, WiFi access points, LTE modems, laser/microwave CPEs all can terminate
with an Ethernet handoff.
Private, point-to-point link types (MPLS, satellite, microwave, and Other) will form tunnels
with only the same link type; for example, MPLS-to-MPLS and satellite-to-satellite.
Tunnels will not be created between an MPLS link and an Ethernet link, for example.
STEP 9 | Specify the Maximum Download (Mbps) speed from the ISP in megabits per second (range is
0 to 100,000; there is no default). You can enter a range using up to three decimal places, for
example, 10.456. Ask your ISP for the link speed or sample the link’s maximum speeds with a
tool such as speedtest.net and take an average of the maximums over a good length of time.
STEP 10 | Specify the Maximum Upload (Mbps) speed to the ISP in megabits per second (range is 0
to 100,000; there is no default). You can enter a range using up to three decimal places, for
example, 10.456. Ask your ISP for the link speed or sample the link’s maximum speeds with a
tool such as speedtest.net and take an average of the maximums over a good length of time.
STEP 11 | Select Eligible for Error Correction Profile interface selection to enable Forward Error
Correction (FEC) or packet duplication for interfaces. You must enable this on both the
STEP 12 | VPN Data Tunnel Support determines whether the branch-to-hub traffic and return traffic
flows through a VPN tunnel for added security (the default method) or flows outside of the
VPN tunnel to avoid encryption overhead.
• Leave VPN Data Tunnel Support enabled for public link types that have direct internet connections
or internet breakout capability, such as cable modem, ADSL, and other internet connections.
• You can disable VPN Data Tunnel Support for private link types such as MPLS, satellite, or
microwave that do not have internet breakout capability. However, you must first ensure the traffic
cannot be intercepted because it will be sent outside of the VPN tunnel.
• The branch may have DIA traffic that needs to fail over to the private MPLS link connecting to the
hub, and reach the internet from the hub. The VPN Data Tunnel Support setting determines whether
the private data flows through the VPN tunnel or flows outside the tunnel, and the failed over traffic
uses the other connection (that the private data flow doesn’t use). The firewall uses zones to segment
DIA failover traffic from private MPLS traffic.
STEP 13 | (PAN-OS 10.0.3 and later 10.0 releases) If you Configure DIA AnyPath, a principal virtual
interface can have multiple hub virtual interfaces, so you must prioritize the order in which
a particular hub is selected for failover. Specify such priority by setting the VPN Failover
Metric for the VPN tunnels bundled in the hub virtual interface where this profile is applied.
The lower the metric, the high the priority of the interface to be selected during failover. If
multiple hub virtual interfaces have the same metric value, SD-WAN sends new session traffic
to them in round-robin fashion.
STEP 14 | (Optional) Select the Path Monitoring mode in which the firewall monitors the interfaces
where you apply this SD-WAN Interface Profile.
The firewall selects what it considers the best monitoring method based on Link Type.
Retain the default setting for the link type unless an interface (where you apply this
profile) has issues that require more aggressive or more relaxed path monitoring.
STEP 15 | Set the Probe Frequency (per second), which is the number of times per second that the
firewall sends a probe packet to the opposite end of the SD-WAN link (range is 1 to 5; default
is 5). The default setting provides subsecond detection of brownout and blackout conditions.
If you change the Probe Frequency for a Panorama template, you should also adjust the
Packet Loss percentage threshold in a Path Quality profile for a Panorama device group.
STEP 16 | If you select Relaxed path monitoring, you can set the Probe Idle Time (seconds) that the
firewall waits between sets of probe packets (range is 1 to 60; default is 60).
STEP 17 | Enter the Failback Hold Time (seconds) that the firewall waits for a recovered link to remain
qualified before the firewall reinstates that link as the preferred link after it has failed over
(range is 20 to 120; default is 120).
STEP 20 | Monitor your application and link path health metrics, and generate reports of your
application and link health performance. For more information, see Monitoring and Reporting.
STEP 2 | Select Network > Interfaces > Ethernet, select the appropriate template from the Template
context drop-down, select a slot number, such as Slot1, and select an interface (for example,
ethernet1/1).
STEP 5 | Assign the Security Zone that is appropriate for the interface you’re configuring.
For example, if you are creating an uplink to an ISP, you must know that the Ethernet interface you
chose is going to an untrusted zone.
If you select DHCP Client, be sure to disable the option Automatically create default
route pointing to default gateway provided by server, which is enabled by default.
STEP 11 | (SD-WAN manual configuration only) Configure a Virtual SD-WAN Interface. Auto VPN
configuration will perform this task if you are using Auto VPN.
In this figure, both links in the SD-WAN interface happen to use the same link tag (Cheap
Broadband), but links in an SD-WAN interface can have different link tags.
In the following figure, SDWAN.2 bundles Ethernet1/1 and Ethernet1/2 links, which are both DIA links
from the branch to the internet:
STEP 2 | Select Network > Interfaces > SD-WAN and select the appropriate template from the
Template context drop-down.
STEP 3 | Add a logical SD-WAN interface by entering a number (in the range 1 to 9,999) after the
sdwan. prefix.
Auto VPN configuration creates SD-WAN interfaces numbered .901, .902, and so on, so
do not use these numbers.
STEP 5 | On the Config tab, assign the SD-WAN interface to a Virtual Router.
STEP 7 | On the Advanced tab, Add Interfaces, which are members that go to the same destination,
by selecting one or more Layer 3 Ethernet interfaces (for DIA) or one more virtual VPN tunnel
The firewall virtual router uses this virtual SD-WAN interface to route SD-WAN traffic to a
DIA or a hub location. During routing, the route table determines which virtual SD-WAN
interface (egress interface) the packet will exit based on the destination IP address in the
packet. Then the SD-WAN path health and Traffic Distribution profiles in the SD-WAN
policy rule that the packet matches determine which path to use (and the order in which to
consider new paths if a path deteriorates.)
STEP 3 | Select Network > Virtual Routers and select a virtual router, such as sd-wan.
STEP 6 | For egress Interface, select one of the logical SD-WAN interfaces you created to bring up the
firewall, such as sdwan.1.
The egress interface you select can be any logical SD-WAN interface except sdwan.901
or sdwan.902.
STEP 8 | For Metric, enter a value greater than 50, so that this default route is not preferred over the
default route that Auto VPN creates with a low metric.
STEP 10 | Select Commit and Commit and Push your configuration changes.
STEP 12 | Repeat this task for other templates on firewalls that use a service route to access
Panorama™.
The predefined Path Quality profiles for a Panorama device group are based on the default
Probe Frequency settings in the SD-WAN Interface profile for a Panorama template. If you
change the default Probe Frequency setting, you must adjust the Packet Loss percentage
threshold in the Path Quality profile for the firewalls in a Device Group that are affected by
the Panorama template where you changed the Interface profile.
The firewall treats the latency, jitter, and packet loss thresholds as OR conditions, meaning if any one of the
thresholds is exceeded, the firewall selects the new best (preferred) path. Any path that has latency, jitter,
and packet loss less than or equal to all three thresholds is considered qualified and the firewall selected the
path based on the associated Traffic Distribution profile.
By default, the firewall measures latency and jitter every 200ms and takes an average of the last three
measurements to measure path quality in a sliding window. You can modify this behavior by selecting
aggressive or relaxed path monitoring when you Configure an SD-WAN Interface Profile.
If a path fails over because it exceeded the configured packet loss threshold, the firewall still sends probing
packets on the failed path and calculates its packet loss percentage as the path recovers. It can take
approximately three minutes for the packet loss percentage on a recovered path to fall below the packet
loss threshold configured in the Path Quality profile. For example, suppose an SD-WAN policy rule for an
application has a Path Quality profile that specifies a packet loss threshold of 1% and a Traffic Distribution
profile that specifies Top Down distribution with tag 1 (applied to tunnel.1) first on the list and tag 2
(applied to tunnel.2) next on the list. When tunnel.1 exceeds 1% packet loss, the data packets fail over
to tunnel.2. After tunnel.1 recovers to 0% packet loss (based on probing packets), it can take up to three
minutes for the monitored packet loss rate for tunnel.1 to drop below 1%, at which time the firewall then
selects tunnel.1 as the best path again.
The sensitivity setting indicates which parameter (latency, jitter, or packet loss) is more important
(preferred) for the applications to which the profile applies. When the firewall evaluates link quality, it
considers a parameter with a high setting first. For example, when the firewall compares two links, suppose
one link has 100ms latency and 20ms jitter; the other link has 300ms latency and 10 ms jitter. If the
sensitivity for latency is high, the firewall chooses the first link. If the sensitivity for jitter is high, the firewall
chooses the second link. If the parameters have the same sensitivity (by default the parameters are set to
medium), the firewall evaluates packet loss first, then latency, and jitter last.
Reference the Path Quality profile in an SD-WAN policy rule to control the threshold at which the firewall
replaces a deteriorating path with a new path for matching application packets.
STEP 3 | Select Objects > SD-WAN Link Management > Path Quality Profile.
STEP 4 | Add a Path Quality profile by Name using a maximum of 31 alphanumeric characters.
STEP 5 | For Latency, double-click the Threshold value and enter the number of milliseconds allowed
for a packet to leave the firewall, arrive at the opposite end of the SD-WAN tunnel, and a
response packet to return to the firewall before the threshold is exceeded (range is 10 to
2,000; default is 100).
STEP 6 | For Latency, select the Sensitivity (low, medium, or high). Default is medium.
Click the arrow at the end of the Threshold column to sort thresholds in ascending or
descending numerical order.
STEP 7 | For Jitter, double-click the Threshold value and enter the number of milliseconds (range is 10
to 1,000; default is 100).
STEP 8 | For Jitter, select the Sensitivity (low, medium, or high). Default is medium.
STEP 9 | For Packet Loss, double-click the Threshold value and enter the percentage of packets lost on
the link before the threshold is exceeded (range is 1 to 100.0; default is 1).
Setting the Sensitivity for Packet Loss has no effect, so leave the default setting.
If you change the Probe Frequency in an SD-WAN Interface profile for a Panorama
template, you should also adjust the Packet Loss threshold for a Panorama device group.
SD-WAN monitoring and reporting data displays the SaaS application and SaaS application
IP, FQDN, or URL as it is currently configured in the SaaS Quality profile associated with
an SD-WAN policy rule regardless of the time filter applied when viewing your SD-WAN
monitoring data.
For example, three days ago you initially configured the IP address of your SaaS application
as 192.168.10.50 in a SaaS Quality profile and had traffic match the SD-WAN policy rule
to which the SaaS Quality profile is associated. Today, you reconfigured this existing SaaS
Quality profile and changed the SaaS application IP address to 192.168.10.20. When you
go review the SD-WAN monitoring data, all existing monitoring data for this SaaS application
display the IP address 192.168.10.20.
STEP 2 | Select Objects > SD-WAN Link Management > SaaS Quality Profile and specify the Device
Group containing your SD-WAN configuration.
STEP 5 | (Optional) Enable (check) Shared to make the SaaS Quality profile shared across all device
groups.
STEP 6 | (Optional) Enable (check) Disable override to disable overriding the SaaS Quality profile
configuration on the local firewall.
Create a SaaS Quality profile per critical SaaS application that you need monitored.
If a SaaS application has multiple IP addresses, configure a SaaS Quality profile with
the multiple static IP addresses for that SaaS application.
SaaS monitoring is resource-intensive and may impact firewall performance if
monitoring a large number of SaaS applications. It is a best practice to only monitor
those business-critical SaaS applications that need good usability.
• Configure the fully qualified domain name (FQDN) for the SaaS application.
1. Configure a FQDN address object for the SaaS application.
2. Select IP Address/Object > FQDN and Add the FQDN.
3. Select the FQDN address object for the SaaS application.
4. Enter the Probe Interval by which the branch firewall probes the SaaS application path for health
information.
5. Click OK to save your configuration changes.
URL monitoring is only supported for traffic over ports 80, 443, 8080, 8081, and 143.
1. Select HTTP/HTTPS.
2. Enter the Monitored URL of the SaaS application.
3. Enter the Probe Interval by which the branch firewall probes the SaaS application path for health
information.
The minimum probe interval supported for a SaaS application HTTP/HTTPS is 3 seconds.
4. Click OK to save your configuration changes.
STEP 8 | Select Commit and Commit and Push your configuration changes.
STEP 2 | Create a Link Tag to group the SaaS application DIA links.
Create multiple Link Tags for your DIA links in order to apply different SD-WAN monitoring settings for
each SaaS application DIA link based on the link type.
Additionally, you can create a single Link Tag for multiple DIA links to group the links into a single link
bundle. Creating a single Link Tag for multiple DIA links allows you to aggregate bandwidth between
bundled links and allow the firewall to distribute sessions between multiple links.
STEP 3 | Configure an SD-WAN Interface profile to define the characteristics of your ISP connection
and specify the speed of the DIA link, how frequently the branch firewall monitors the link, and
select the Link Tag to specify to which link the SD-WAN Interface profile applies.
If you created multiple Link Tags, you must configure an SD-WAN Interface profile for each Link Tag.
If you created a link bundle by assigning multiple DIA links to a single Link Tag, specifying that link tag
applies the SD-WAN Interface profile settings to all DIA links in the bundle.
STEP 4 | Configure a physical Ethernet interface for each SaaS application DIA link.
STEP 5 | Configure a Virtual SD-WAN Interface that groups all physical Ethernet interfaces for the SaaS
application DIA links into a single interface group.
The firewall virtual router uses this virtual SD-WAN interface to route SD-WAN traffic to a DIA location.
The SD-WAN path health and Traffic Distribution profiles in the SD-WAN policy rule then determine
which path to use and the order in which to consider new paths if a path health deteriorates.
STEP 6 | Create a Path Quality profile to configure the latency, jitter, and packet loss thresholds and
sensitivity in order to specify when the branch firewall should swap to the next DIA link.
STEP 7 | Create a SaaS Quality profile to specify your SaaS application and the frequency the DIA link is
monitored.
STEP 8 | Create a Traffic Distribution profile to specify the order the branch firewall swaps to DIA links
in the event of link health degradation.
STEP 9 | Configure an SD-WAN policy rule to specify the SaaS application and link health metrics, and
determine how the firewall selects the preferred link for the critical SaaS application traffic.
In the Application tab, add the SaaS application you are monitoring to the SD-WAN
policy rule to ensure the SaaS monitoring settings are applied only to the desired SaaS
application.
STEP 2 | Create a Link Tag to group the SaaS application DIA links.
Create multiple Link Tags for your DIA links in order to apply different SD-WAN monitoring settings for
each SaaS application DIA link based on the link type.
Additionally, you can create a single Link Tag for multiple DIA links to group the links into a single link
bundle.
STEP 3 | Configure an SD-WAN Interface profile to define the characteristics of your ISP connection
and specify the speed of the DIA link, how frequently the branch firewall monitors the link, and
select the Link Tag to specify to which link the SD-WAN Interface profile applies.
If you created multiple Link Tags, you must configure an SD-WAN Interface profile for each Link Tag.
If you created a link bundle by assigning multiple DIA links to a single Link Tag, specifying that link tag
applies the SD-WAN Interface profile settings to all DIA links in the bundle.
STEP 4 | Configure a physical Ethernet interface for each SaaS application DIA link.
STEP 5 | Configure a Virtual SD-WAN Interface that groups all physical Ethernet interfaces for the SaaS
application DIA links into a single interface group.
The firewall virtual router uses this virtual SD-WAN interface to route SD-WAN traffic to a DIA location.
The SD-WAN path health and Traffic Distribution profiles in the SD-WAN policy rule then determine
which path to use and the order in which to consider new paths if a path health deteriorates.
STEP 6 | Create identically named SaaS quality profiles for both the hub and branch firewalls.
Two identically named SaaS Quality profiles must be configured on the hub and branch firewalls to
successfully leverage the hub firewall as an alternative failover. The easiest way to accomplish this is to
create a single SaaS Quality profile in the Shared device group. Alternatively, you can create two SaaS
Quality profiles with identical names in different device groups and push them to your hub and branch
firewalls.
Create a SaaS Quality profile per SaaS application. If a SaaS application has
multiple IP addresses, configure a SaaS Quality profile with the multiple static IP
addresses for that SaaS application.
URL monitoring is only supported for traffic over ports 80, 443, 8080, 8081, and
143.
1. Select HTTP/HTTPS.
2. Enter the Monitored URL of the SaaS application.
3. Enter the Probe Interval by which the branch firewall probes the SaaS application path for
health information.
4. Click OK to save your configuration changes.
STEP 7 | Create a Traffic Distribution profile to specify the order the branch firewall swaps from DIA
links to VPN links to the hub firewall in the event of link health degradation.
STEP 8 | Configure an SD-WAN policy rule to specify the SaaS application and link health metrics, and
determine how the firewall selects the preferred link for the critical SaaS application traffic.
In the Application tab, add the SaaS application you are monitoring to the SD-WAN
policy rule to ensure the SaaS monitoring settings are applied only to the desired SaaS
application.
STEP 2 | Create a Link Tag to group the SaaS application DIA links.
Create multiple Link Tags for your DIA links in order to apply different SD-WAN monitoring settings for
each SaaS application DIA link based on the link type.
Additionally, you can create a single Link Tag for multiple DIA links to group the links into a single link
bundle.
STEP 3 | Configure an SD-WAN Interface profile to define the characteristics of your ISP connection
and specify the speed of the DIA link, how frequently the branch firewall monitors the link, and
select the Link Tag to specify to which link the SD-WAN Interface profile applies.
If you created multiple Link Tags, you must configure an SD-WAN Interface profile for each Link Tag.
If you created a link bundle by assigning multiple DIA links to a single Link Tag, specifying that link tag
applies the SD-WAN Interface profile settings to all DIA links in the bundle.
STEP 4 | Configure a physical Ethernet interface for each SaaS application DIA link.
STEP 5 | Configure a Virtual SD-WAN Interface that groups all physical Ethernet interfaces for the SaaS
application DIA links into a single interface group.
STEP 6 | Create identically named SaaS quality profiles for both the hub and branch firewalls.
Two identically named SaaS Quality profiles must be configured on the hub and branch firewalls to
successfully leverage the hub firewall as an alternative failover. Create two SaaS Quality profiles with
identical names each pointing to a different SaaS application destination in different device groups and
push them to your hub and branch firewalls.
1. Select Objects > SD-WAN Link Management > SaaS Quality Profile, and select the target device
group containing the branch firewall from the Device Group drop-down.
2. Add a new SaaS Quality profile.
3. Enter a descriptive Name for the SaaS Quality profile.
4. Enable (check) Disable override to disable overriding the SaaS Quality profile configuration on the
local firewall.
5. Configure the SaaS Monitoring Mode using one of the following methods.
• Configure the Static IP address for the SaaS application.
Create a SaaS Quality profile per SaaS application. If a SaaS application has
multiple IP addresses, configure a SaaS Quality profile with the multiple static IP
addresses for that SaaS application.
URL monitoring is only supported for traffic over ports 80, 443, 8080, 8081, and
143.
1. Select HTTP/HTTPS.
2. Enter the Monitored URL of the SaaS application.
3. Enter the Probe Interval by which the branch firewall probes the SaaS application path for
health information.
4. Click OK to save your configuration changes.
6. Select Objects > SD-WAN Link Management > SaaS Quality Profile, and select the target device
group containing the hub firewall from the Device Group drop-down.
7. Repeat Steps 6.2 through 6.5 to create an identically named SaaS Quality profile for a SaaS
application at a different destination.
STEP 7 | Create a Traffic Distribution profile to specify the order the branch firewall swaps from DIA
links to VPN links to the hub firewall in the event of link health degradation.
STEP 8 | Configure an SD-WAN policy rule to specify the SaaS application and link health metrics, and
determine how the firewall selects the preferred link for the critical SaaS application traffic.
In the Application tab, add the SaaS application you are monitoring to the SD-WAN
policy rule to ensure the SaaS monitoring settings are applied only to the desired SaaS
application.
If the link experiences brownout, the firewall doesn’t redirect the matching traffic to a
different link.
In the event of a failing path condition, the traffic distribution method you choose for application(s) in an
SD-WAN policy rule, along with the Link Tags on groups of links, determine if and how the firewall selects a
new path (performs link failover) as follows:
Session on existing path Affected session fails Affected session fails Affected sessions don’t
failed a path health over to better path (if over to better path (if fail over
threshold (brownout) available) available)
Top-Down or Best Affected session fails Affected session Affected sessions don’t
Available Path back to previous path stays on existing path, fail over
doesn’t fail back
Top-Down or Best All sessions fail back to Selective sessions fail Affected sessions don’t
Available Path previous path back to previous path fail over
recovered: existing path until affected existing
fails a health check path recovers
Existing path is down All sessions fail over to All sessions fail over to All sessions fail over
(blackout) next path on list next best path to other tags based on
weight settings
Brownout with no Take best available path Take best available path Take best available path
qualified (better) path
Additionally, the firewall automatically performs session load sharing among interface members of a single
Link Tag. After those interfaces approach their maximum Mbps, new sessions flow over to interfaces having
a different Link Tag (based on the traffic distribution method) if those interfaces have better health metrics.
Multiple links with the Share session load Share session load Share session load
same SD-WAN Tag equally among links based on best path based on % weight
within SD-WAN Tag within SD-WAN Tag assigned to SD-WAN
Tag
Multiple links with Share session load Share session load Share session load
different SD-WAN Tags based on list priority, based on best path based on % weight
load link(s) in first SD- from all SD-WAN Tags assigned to SD-WAN
WAN Tag first. Tags
The following figure illustrates an example of a Traffic Distribution profile that uses the Top-Down Priority
method. The #1, #2, and #3 are the order of Link Tags of links the firewall examines, if necessary, to find a
healthy path to complete an application session failover. For each separate failover event that arises, the
firewall starts at the beginning of the Top-Down list of Link Tags.
STEP 2 | Ensure you already configured the Link Tags in an SD-WAN interface profile and committed
and pushed them. The Link Tags must be pushed to your hubs and branches in order for
Panorama™ to successfully associate the Link Tags you specify in this Traffic Distribution
profile to an SD-WAN interface profile.
3. Select Shared only if you want to use this traffic distribution profile across all Device Groups (both
hubs and branches).
4. Select one traffic distribution method and add a maximum of four Link Tags that use this method for
this profile.
• Best Available Path—Add one or more Link Tags. During the initial packet exchanges, before App-
ID has classified the application in the packet, the firewall uses the path in the tag that has the
best health metrics (based on the order of tags). After the firewall identifies the application, it
compares the health (path quality) of the path it was using to the health of the first path (interface)
in the first Link Tag. If the original path’s health is better, it remains the selected path; otherwise,
the firewall replaces the original path. The firewall repeats this process until it has evaluated all
the paths in the Link Tag. The final path is the path the firewall selects when a packet arrives that
meets the match criteria.
When a link becomes unqualified and must fail over to the next best path, the
firewall can migrate a maximum of 1,000 sessions per minute from the unqualified
link to the next best path. For example, suppose tunnel.901 has 3,000 sessions;
2,000 of those sessions match SD-WAN policy rule A and 1,000 sessions match
SD-WAN policy rule B (both rules have a traffic distribution policy configured with
If multiple physical interfaces have the same tag, the firewall distributes matching
sessions evenly among them. If all paths fail a health (path quality) threshold, the
firewall selects the path that has the best health statistics. If no SD-WAN links are
available (perhaps due to a blackout), the firewall uses static or dynamic routing to
route the matching packets.
If a packet is routed to a virtual SD-WAN interface, but the firewall cannot find a
preferred path for the session based on the SD-WAN policy’s Traffic Distribution
profile, the firewall implicitly uses the Best Available Path method to find the preferred
path. The firewall distributes any application sessions that don’t match an SD-WAN
policy rule based on the firewall’s implicit, final rule, which distributes the sessions
in round-robin order among all available links, regardless of the Traffic Distribution
profile.
If you prefer to control how the firewall distributes unmatched sessions, create a
final catch-all rule to Distribute Unmatched Sessions to specific links in the order you
specify.
5. (Optional) After adding Link Tags, use the Move Up or Move Down arrows to change the order of
tags in the list, so they reflect the order in which you want the firewall to use links for this profile and
for the selected applications in the SD-WAN policy rule.
6. Click OK.
Modern applications that have their own embedded recovery mechanisms may not need
FEC or packet duplication. Apply FEC or packet duplication only to applications that can
really benefit from such a mechanism; otherwise, much additional bandwidth and CPU
overhead are introduced without any benefit. Neither FEC nor packet duplication is helpful if
your SD-WAN problem is congestion.
FEC and packet duplication functionality require Panorama to run PAN-OS 10.0.2 or a later release and SD-
WAN Plugin 2.0 or a later release that is compatible with the PAN-OS release. The encoder and decoder
must both be running PAN-OS 10.0.2 or a later release. If one branch or hub is running an older software
release than what is required, traffic with an FEC or packet duplication header is dropped at that firewall.
SD-WAN must be configured in a hub-spoke topology. Neither FEC nor packet duplication should be used
on DIA links; they are only for VPN tunnel links between a branch and a hub.
To configure FEC or packet duplication on the encoder (the side that initiates FEC or packet duplication),
use Panorama to:
• Create an SD-WAN Interface Profile that specifies Eligible for Error Correction Profile interface
selection and apply the profile to one or more interfaces.
• Create an Error Correction Profile to implement FEC or packet duplication.
• Apply the Error Correction Profile to an SD-WAN policy rule and specify the applications to which the
rule applies.
• Push the configuration to encoders. (The decoder [the receiving side] requires no specific configuration
for FEC or packet duplication; the mechanisms are enabled by default on the decoder as long as the
encoder initiates the error correction.)
FEC and packet duplication support an MTU of 1,340 bytes. A packet larger than that will not
go through the FEC or packet duplication process.
STEP 2 | Configure an SD-WAN Interface Profile, where you select Eligible for Error Correction Profile
interface selection to indicate that the firewall can automatically use the interfaces (where
You can have Eligible for Error Correction Profile interface selection unchecked in a
profile and apply the profile to an expensive 5G LTE link, for example, so that costly error
correction is never performed on that link.
STEP 3 | Configure a Physical Ethernet Interface for SD-WAN and apply the SD-WAN Interface Profile
that you created to an Ethernet interface.
Panorama can reference a Shared Error Correction profile in the firewall configuration
validation and successfully commit and push the configuration to branches and hubs.
The commit fails if Panorama cannot reference an Error Correction profile.
4. Specify the Activate when packet loss exceeds (%) setting—When packet loss exceeds this
percentage, FEC or packet duplication is activated for the configured applications in the SD-WAN
policy rule where this Error Correction profile is applied. Range is 1 to 99; the default is 2.
5. Select Forward Error Correction or Packet Duplication to indicate which error correction method the
firewall uses when an SD-WAN policy rule references this SD-WAN Interface Profile; the default is
Forward Error Correction. If you select Packet Duplication, SD-WAN selects an interface over which
to send duplicate packets. (SD-WAN selects one of the interfaces you configured with Eligible for
Error Correction Profile interface selection in the prior step.)
6. (Forward Error Correction only) Select the Packet Loss Correction Ratio: 10% (20:2), 20% (20:4),
30% (20:6), 40% (20:8), or 50% (20:10)—Ratio of parity bits to data packets; the default is 10% (20:2).
The higher the ratio of parity bits to data packets that the sending firewall (encoder) sends, the higher
the probability that the receiving firewall (decoder) can repair packet loss. However, a higher ratio
requires more redundancy and therefore more bandwidth overhead, which is a tradeoff for achieving
Start by using the default Recovery Duration setting and adjust it if necessary, based
on your testing with normal and intermittent brown-outs.
8. Click OK.
STEP 5 | Configure an SD-WAN Policy Rule, reference the Error Correction Profile you created in the
rule, and specify the critical applications to which the rule applies.
STEP 6 | Commit and Commit and Push your configuration changes to the encoding firewalls (branches
and hubs).
STEP 2 | Select Policies > SD-WAN and select the appropriate device group from the Device Group
context drop-down.
STEP 4 | On the General tab, enter a descriptive Name for the rule.
STEP 5 | On the Source tab, configure the source parameters of the policy rule.
1. Add the Source Zone or select Any source zone
2. Add one or more source addresses, set an external dynamic list (EDL), or select Any Source Address.
3. Add one or more source users or select any Source User.
STEP 6 | On the Destination tab, configure the destination parameters of the policy rule.
1. Add the Destination Zone or select Any destination zone.
2. Add one or more destination addresses, set an EDL, or select Any Destination Address.
STEP 7 | On the Application/Service tab, attach your SD-WAN Link Management profiles and specify
your applications and services.
PAN-OS 10.0.2 supports associating only a SaaS Quality Profile or an Error Correction
but not both. If you associate one of these profiles with an SD-WAN policy rule, you
cannot associate the other.
For example, if you associate a SaaS Quality profile with an SD-WAN policy rule, you are
unable to associate an Error Correction profile with the same SD-WAN policy rule.
Add only business-critical applications and applications that are sensitive to path
conditions for their usability.
If you associate a SaaS Quality profile in Adaptive mode with the SD-WAN policy, add
the specific SaaS applications you want to monitor. Using adaptive monitoring for all
applications that match the SD-WAN policy rule may impact the performance of the
SD-WAN firewall.
If you associate a SaaS Quality profile with a specified SaaS application, add the SaaS
application to the SD-WAN rule to ensure the SaaS monitoring settings are applied
only to the desired SaaS application.
5. Add Services and select one or more services from the list or select Any services. All services you
select are subject to the health thresholds specified in the Path Quality profile you selected. If a
packet matches one of these services and that service exceeds one of the health thresholds in the
Path Quality profile (and the packet matches the remaining rule criteria), the firewall selects a new
preferred path.
Add only business-critical services and services that are sensitive to path conditions
for their usability.
STEP 9 | On the Target tab, use one of the following methods to specify the target firewalls in the
device group to which Panorama pushes the SD-WAN policy rule:
• Select Any (target to all devices) (the default) to push the rule to all devices. Alternatively, select
Devices or Tags to specify the devices to which Panorama pushes the SD-WAN policy rule.
• On the Devices tab, select one or more filters to restrict the selections that appear in the Name field;
then select one or more devices to which Panorama pushes the rule, as in this example:
• On the Tags tab, Add one or more Tags and select the tag(s) to specify that Panorama push the rule
to devices that are tagged with the selected tags, as in this example:
STEP 12 | (Best Practice) Create a catch-all SD-WAN policy rule to Distribute Unmatched Sessions so
that you can control which links any unmatched sessions use and view unmatched sessions in
logging and reports in the SD-WAN plugin.
If you don’t create a catch-all rule to distribute unmatched sessions, the firewall distributes
them in round-robin order among all available links because there is no traffic distribution
profile for unmatched sessions. Round-robin distribution of unmatched sessions can
increase your costs unexpectedly and result in loss of application visibility.
STEP 13 | After configuring your SD-WAN policy rules, Create a Security Policy Rule to allow traffic (for
example, bgp as an Application) from branches to the internet, from branches to hubs, and
from hubs to branches.
If the SD-WAN applications need guaranteed bandwidth capacities or if you do not want
other applications taking bandwidth from critical business applications, create QoS rules
to control the bandwidth properly.
STEP 15 | To automatically set up BGP routing between VPN cluster members, in the SD-WAN plugin,
Configure BGP routing between branches and hubs to dynamically route traffic that will be
subject to the SD-WAN failover and load sharing.
Alternatively, if you want to manually configure BGP routing on each firewall or use a separate
Panorama template to configure BGP routing (for more control), leave the BGP information in the plugin
blank. Instead, configure BGP routing.
STEP 1 | Create an MPLS link between your branch and hub. When you create the SD-WAN Interface
profile, the link type must be MPLS for both the hub and branch.
STEP 2 | If you want the private traffic to go through the VPN tunnel, enable VPN Data Tunnel Support
in the SD-WAN Interface profile. If you disable VPN Data Tunnel Support, the private data will
go outside of the VPN tunnel.
STEP 3 | Configure an SD-WAN Policy Rule for specific applications, Create a Path Quality Profile, and
Create a Traffic Distribution Profile that specifies the Top Down Priority method. The Traffic
Distribution profile must also specify an MPLS link as one of the failover options (identified
by a tag). Verify that the applications in the SD-WAN policy rule reference the correct Path
Quality and Traffic Distribution profiles, and that the Traffic Distribution profile specifies Top
Down Priority.
After the VPN Data Tunnel Support is enabled on both the hub and branch and the MPLS link is
operational, the firewall automatically uses the MPLS connection to fail over DIA traffic when necessary.
STEP 4 | In the hub configuration, ensure the hub has a path to the internet and routing is properly set
up for the hub traffic to reach the internet.
The firewall uses the DIA virtual interface and the VPN virtual interface to ensure that the public
internet traffic is kept separate from your private traffic in the same path; that is, the internet traffic and
private traffic do not go through the same VPN tunnel. Full segmentation with proper zoning is in full
effect.
The following topology example shows Branch1 with two ISP connections and an MPLS link. Branch1 also
has a Hub1 virtual interface with three VPN tunnels connecting to Hub1, and a Hub2 virtual interface
of three VPN tunnels connecting to Hub2. Branch1 also has a branch2 virtual interface with three VPN
tunnels connecting to Branch2 and a branch3 virtual interface with three VPN tunnels connecting to
Branch3. The goal of DIA AnyPath is to configure the order in which DIA can fail over to VPN tunnels to
reach the internet directly or indirectly and thus maintain business continuity.
STEP 2 | Specify the failover priority for a VPN tunnel bundled in a hub virtual interface or branch
virtual interface.
1. Select or Configure an SD-WAN Interface Profile.
2. You must enable VPN Data Tunnel Support.
3. Specify the VPN Failover Metric for a VPN tunnel; range is 1 to 65,535; default is 10. The lower the
metric value, the higher the priority of VPN tunnel (link) where you apply this profile.
4. Click OK.
STEP 3 | Configure a Physical Ethernet Interface for SD-WAN and on the SD-WAN tab, apply the SD-
WAN Interface Profile you created in the prior step.
STEP 4 | Repeat Steps 2 and 3 to configure additional SD-WAN Interface Profiles with a different VPN
failover metric and apply the profiles to different Ethernet interfaces to determine the order in
which failover occurs to the links.
STEP 6 | Add the Link Tag to a hub that you want to participate in DIA AnyPath.
1. In Panorama > SD-WAN > Devices, Add an SD-WAN Device to add a hub to be managed by
Panorama.
2. Select the hub.
3. Select the Link Tag that you created in the prior step, which Auto VPN applies to the whole
hub virtual interface, not an individual link. Thus, you can reference this Link Tag in the Traffic
Distribution Profile to indicate the hub virtual interface for the failover order for DIA AnyPath. On
the branch device, Auto VPN uses this tag to populate the Link Tag field on the SD-WAN virtual
interface that terminates on the hub device.
STEP 7 | Repeat Steps 5 and 6 to create a Link Tag for each hub virtual interface and add the tag to each
hub that will participate in DIA AnyPath. Do the same for any branch virtual interface.
STEP 9 | Create identically named SaaS Quality profiles for both the hub and branch firewalls.
Two identically named SaaS Quality profiles must be configured on the hub and branch firewalls to
successfully leverage the hub firewall as an alternative failover.
The easiest way to configure failover to a hub firewall with the same SaaS application destination is to
create a single SaaS Quality profile in the Shared device group. Alternatively, you can create two SaaS
Quality profiles with identical names in different device groups and push them to your hub and branch
firewalls.
To failover to a hub firewall with different SaaS application destinations, create two SaaS Quality profiles
with identical names each pointing to a different SaaS application destination in different device groups
and push them to your hub and branch firewalls.
You must also create an SD-WAN policy rule that references this SaaS Quality profile in
order to allow the hub to advertise link quality statistics for the SaaS Quality profile to the
branch. Doing so will provide end-to-end SaaS monitoring through the hub. Without this
SD-WAN policy rule, you would have only the link measurements from the branch to the
hub, but not from the hub to the SaaS application.
STEP 11 | Create an SD-WAN policy rule for specific application(s) to use DIA AnyPath.
1. Configure an SD-WAN Policy Rule.
2. On the Application/Service tab, specify the applications and services for which you want to
implement DIA AnyPath.
3. Associate the SaaS Quality Profile you created in the previous step.
If you are configuring a SaaS Quality profile with different SaaS application destination, you must
associate the SaaS Quality profile with the SD-WAN policy rule in each branch and hub device group.
4. On the Path Selection tab, select the Traffic Distribution Profile you created for the applications.
STEP 12 | Route new sessions that don’t match any SD-WAN policy rule and sessions that arrive during
a Panorama or firewall configuration change.
1. Create an appropriate Path Quality profile and Traffic Distribution profile to handle such sessions.
2. Configure an SD-WAN Policy Rule that is a catch-all rule for these sessions.
3. Place the rule last in the list.
STEP 14 | Create a Security Policy Rule to allow DIA traffic to the Destination Zones named zone-
internet and zone-to-hub and specify the Applications subject to the rule. Commit and
push to the branches.
STEP 2 | Create a Path Quality Profile that sets very high latency, jitter, and packet loss thresholds that
will never be exceeded. For example, 2,000ms latency, 1,000ms jitter, and 99% packet loss.
STEP 3 | Create a Traffic Distribution Profile that specifies the SD-WAN link tags you want to use, in
the order in which you want the links associated with those link tags to be used by unmatched
sessions.
If you don’t want unmatched applications to use a specific path (physical interface) at all,
omit the tag that includes that link from the list of link tags in the traffic distribution profile.
For example, if you don’t want an unmatched application such as movie streaming to use
the expensive LTE link, omit the link tag for the LTE link from the list of link tags in the
traffic distribution profile.
STEP 6 | On the Path Selection tab, select the Traffic Distribution Profile you created.
STEP 7 | Move the rule down to the last position in the list of SD-WAN policy rules.
If you want to have Active/Passive HA running on two branch firewalls or two hub firewalls,
do not add those firewalls as SD-WAN devices at this time. You will add them as HA peers
separately when you Configure HA Devices for SD-WAN.
If you are using BGP routing, you must add a security policy rule to allow BGP from the
internal zone to the hub zone and from the hub zone to the internal zone. If you want to use
4-byte ASNs, you must first enable 4-byte ASNs for the virtual router.
STEP 2 | Select Panorama > SD-WAN > Devices and Add a new SD-WAN firewall.
STEP 3 | Select the managed firewall Name to add as an SD-WAN device. You must add your SD-WAN
firewalls as managed devices before you can add them as an SD-WAN device.
STEP 5 | Select the Virtual Router Name to use for routing between the SD-WAN hub and branches.
By default, an sdwan-default virtual router is created and enables Panorama to automatically
push router configurations.
STEP 6 | Enter the SD-WAN Site name to identify the geographical location or purpose of the device.
STEP 7 | (PAN-OS 10.0.3 and later 10.0 releases) Select the Link Tag you created for the hub virtual
interface (or branch virtual interface), which Auto VPN will assign to the virtual interface. You
will use this Link Tag in a Traffic Distribution profile to allow the hub (or branch) to participate
in DIA AnyPath.
STEP 8 | If you are adding a hub that is behind a device performing NAT for the hub, you must specify
the IP address or FQDN of the public-facing interface on that upstream NAT-performing
device, so that Auto VPN Configuration can use that address as the tunnel endpoint of the hub.
It is the IP address that the branch office’s IKE and IPSec flows must be able to reach. (You
must have already configured a physical Ethernet interface for SD-WAN.)
1. On the Upstream NAT tab, enable Upstream NAT.
2. Add an SD-WAN interface; select an interface you already configured for SD-WAN.
3. Select IP Address or FQDN and enter the IPv4 address without a subnet mask (for example,
192.168.3.4) or the FQDN of the upstream device, respectively.
4. Click OK.
Additionally, on the upstream device that is performing NAT you must set up the
inbound Destination NAT with a one-to-one NAT policy, and you must not configure
port translation to the IKE or IPSec traffic flows.
If the IP address on the upstream device changes, you must configure the new IP
address and push it to the VPN cluster. You must use the CLI commands clear
ipsec, clear ike-sa, and clear session all on both the branch and hub.
You must also clear session all on the virtual router where you configured the
NAT policy for the IP addresses.
STEP 9 | (PAN-OS 10.0.3 and later 10.0 releases) If you are adding a branch that is behind a device
performing NAT for the branch, you must specify the IP address or FQDN of the public-facing
interface on that upstream NAT-performing device, or select DDNS to indicate that the IP
address for the interface on the NAT device is obtained from the Palo Alto Networks DDNS
service. Thus, Auto VPN Configuration uses that public IP address as the tunnel endpoint for
the branch. It is the IP address that the branch office’s IKE and IPSec flows must be able to
reach. (You must have already configured a physical Ethernet interface for SD-WAN.)
1. On the Upstream NAT tab, enable Upstream NAT.
2. Add an SD-WAN interface; select an interface you already configured for SD-WAN.
3. If you select the NAT IP Address Type to be Static IP, select IP Address or FQDN and enter the IPv4
address without a subnet mask (for example, 192.168.3.4) or the FQDN of the upstream device,
respectively.
4. Alternatively, select the NAT IP Address Type to be DDNS.
5. Click OK.
Additionally, on the upstream device that is performing NAT you must set up the
inbound Destination NAT with a one-to-one NAT policy, and you must not configure
port translation to the IKE or IPSec traffic flows.
If the IP address on the upstream device changes, you must configure the new IP
address and push it to the VPN cluster. You must use the CLI commands clear
There is a second location in the UI where you can configure Upstream NAT for
a branch, but the following location is not preferred and you should not configure
Upstream NAT for a branch in both places. The secondary, non-preferred location to
configure Upstream NAT is on Panorama at Network > Interfaces > Ethernet, select
a template in the Template field, select an Ethernet interface, and select the SD-
WAN tab. At this point you can Enable Upstream NAT, and select a NAT IP Address
Type. This second method takes precedence. If Upstream NAT is first configured for
the Ethernet interface on Panorama through the template stack, then the SD-WAN
plugin will not change the settings, even if you use different settings on the plugin
device configuration page. Only if there is no Upstream NAT configured on Panorama
through the template stack, then the plugin configuration for Upstream NAT takes
effect.
STEP 10 | (Required for pre-existing customers) Map your pre-existing zones to predefined zones used for
SD-WAN.
When you map your existing zones to an SD-WAN zone, you must modify your security
policy rules and add the SD-WAN zones to the correct Source and Destination zones.
1. Select Zone Internet and Add the pre-existing zones that will egress SD-WAN traffic to the internet.
2. Select Zone to Hub and Add the pre-existing zones that will egress SD-WAN traffic to the hub.
3. Select Zone to Branch and Add the pre-existing zones that will egress SD-WAN traffic to the branch.
4. Select Zone Internal and Add the pre-existing zones that will egress SD-WAN traffic to an internal
zone.
STEP 13 | Select Group HA Peers at the bottom of the screen to display branches (or hubs) that are HA
peers together.
STEP 15 | Select Push to Devices to push your configuration changes to your managed firewalls.
If you want to have Active/Passive HA running on two branch firewalls or two hub firewalls,
do not add those firewalls as SD-WAN devices in your CSV file. You will add them as HA
peers separately when you Configure HA Devices for SD-WAN.
If you have pre-existing zones for your Palo Alto Networks firewalls, you will be mapping them to the
predefined zones used in SD-WAN.
STEP 2 | Select Panorama > SD-WAN > Devices > Device CSV and Export an empty SD-WAN device
CSV. The CSV allows you to import multiple branch and hub devices at once, rather than
adding each device manually.
STEP 3 | Populate the SD-WAN device CSV with the branch and hub information and save the CSV.
All fields are required unless noted otherwise. You must enter the following for each hub and
branch:
• device-serial—The serial number of the branch or hub firewall.
• type—Specify whether the device is a branch or a hub.
• site—Enter the SD-WAN device site name to help you identify the geographical location or purpose
of the device.
The SD-WAN Site name supports all upper-case and lower-case alphanumerical and
special characters. Spaces are not supported in the Site name and result in monitoring
(Panorama > SD-WAN > Monitoring) data for that site not to be displayed.
• (Required for pre-existing customers) Map your pre-existing zones to predefined zones used for SD-
WAN.
When you map your existing zones to an SD-WAN zone, you must modify your
security policy rules and add the SD-WAN zones to the correct Source and Destination
zones.
• zone-internet—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach
the internet.
• zone-to-branch —Enter the names of pre-existing zones that SD-WAN traffic will egress to reach
a branch.
• zone-to-hub—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach a
hub.
• zone-internal—Enter the names of pre-existing zones that SD-WAN traffic will egress to reach an
internal zone.
Palo Alto Networks does not redistribute the branch office default route(s) learned
from the ISP.
• (Optional) as-number—Enter the ASN of the private AS to which the virtual router on the hub or
branch belongs. The SD-WAN plugin supports only private autonomous systems. The ASN must
be unique for every hub and branch. The 4-byte ASN range is 4,200,000,000 to 4,294,967,294 or
64512.64512 to 65535.65534. The 2-byte ASN range is 64512 to 65534.
• (Optional) router-id—Specify the BGP router ID, which must be unique among all virtual routers.
• vr-name—Enter the name of the virtual router to use for routing between the SD-WAN hub and
branches. By default, Panorama creates an sdwan-default virtual router and can automatically
push router configurations.
STEP 7 | Select Push to Devices to push your configuration changes to your managed firewalls.
Read through the following procedure before you begin so you don’t Commit after adding
your HA peers as SD-WAN devices.
STEP 1 | Before you enable SD-WAN on your HA peers, configure Active/Passive HA on two firewall
models that support SD-WAN.
STEP 2 | Add the HA peers as SD-WAN devices, but don’t perform the last step to Commit.
STEP 4 | At the bottom of the screen, select Group HA Peers. Confirm that under the Status display, the
HA Status column includes the two firewalls, one Active and one Passive. Panorama is aware
of the HA status and will push the same SD-WAN configuration to the two HA peers when you
commit.
SD-WAN full mesh VPN topology is supported in PAN-OS 10.0.3 and later 10.0 releases.
The first time you Configure a Virtual SD-WAN Interface with direct internet access (DIA) links for
an SD-WAN hub or branch firewall, a VPN cluster called autogen_hubs_cluster is automatically
created and the SD-WAN firewall is automatically added to the VPN cluster. This allows the Panorama™
management server to Monitor SD-WAN Application and Link Performance for devices that are protected
by the SD-WAN firewall and accessing resources outside of your corporate network. Additionally,
any SD-WAN firewall with DIA links that you configure in the future are automatically added to the
autogen_hubs_cluster VPN cluster containing all hubs and branches with DIA links to allow Panorama
to monitor application and link performance. The autogen_hubs_cluster is purely for monitoring
application and link health, and not to create VPN tunnels between the hubs and branches with DIA links. If
you need to connect hubs and branches with VPN tunnels, you must create a new VPN cluster and add all
the required hubs and branches to that cluster.
A strong, random IKE preshared key is created for all hubs and branches in the VPN cluster to secure the
VPN tunnels, and each firewall has a master key that encrypts the preshared key. The system secures the
preshared key, even from the administrator. You can refresh the IKE preshared key, which Panorama sends
to all members of the cluster.
Refresh the preshared key when cluster members are not busy.
STEP 1 | Plan your branch and hub VPN topology to determine which branches communicate with each
of your hubs. For more information, see Plan Your SD-WAN Configuration.
STEP 3 | Specify IP address ranges for the IPSec VPN tunnels that Auto VPN configuration creates.
Auto VPN configuration creates a VPN tunnel between a hub and branches and assigns
IP addresses to the tunnel endpoints. Enter subnet ranges that you want Auto VPN to use
as VPN tunnel addresses.You can enter up to 20 IP prefix/netmask ranges. Auto VPN
draws from that pool for VPN tunnel addresses, drawing from the largest range first (and
the drawing from the next largest range when necessary). You must configure at least
one range for the pool. If you don’t perform this step before pushing the configuration to a
hub or branch, the Commit and Push will fail.
3. Add one or more (up to 20) Member IP address and netmask ranges, for example, 192.168.0.0/16.
4. Click OK.
STEP 4 | Configure the VPN cluster. Repeat this step to create VPN clusters as needed.
1. Select Panorama > SD-WAN > VPN Clusters and Add a VPN cluster.
2. Enter a descriptive name for the VPN cluster.
Underscores and spaces are not supported in the VPN cluster name and result
in monitoring (Panorama > SD-WAN > Monitoring) data for the cluster not to be
displayed. Choose the name of the VPN cluster carefully so you do not need to
change the name in the future. SD-WAN monitoring data is generated based on the
old cluster name and cannot be reconciled to a new cluster name, and will cause
issues with the number of reported clusters when monitoring your VPN clusters or
generating reports.
3. Select the VPN cluster Type.
Only Hub-Spoke VPN cluster type is supported in PAN-OS 10.0.2 and earlier 10.0
releases. Beginning with PAN-OS 10.0.3, you can Create a Full Mesh VPN Cluster
with DDNS Service.
4. Add one or more branch devices that you determined need to communicate with each other.
• Select Group HA Peers to display the branch devices that are HA peers together.
MPLS and satellite link types will form tunnels with only the same link type; for
example, MPLS-to-MPLS and satellite-to-satellite. Tunnels will not be created between
an MPLS link and an Ethernet link, for example.
• Select Group HA Peers to display the hub devices that are HA peers together.
• Select the hubs to add to the cluster and click OK.
• For any new or previously existing VPN cluster that has more than one hub, you must prioritize
the hubs to determine a) that traffic be sent to a particular hub, and b) the subsequent hub
failover order. The hub failover priority range is 1 to 4. If you upgrade, the default priority is set
to 4. The plugin internally translates the hub failover priority to a BGP local preference number
as shown in the following table. The lower the priority value, the higher the priority and local
preference. A cluster supports a maximum of four hubs. An active/passive HA pair counts as one
1 250
2 200
3 150
4 100
If multiple hubs have the same priority, Panorama enables ECMP in two places on
each branch firewall to determine how branches select the path. ECMP is enabled
for the virtual router (Network > Virtual Routers > ECMP) and ECMP Multiple AS
Support is enabled for BGP (Network > Virtual Routers > BGP > Advanced).If all
hubs in the cluster have a unique priority, ECMP is disabled on the branches. If a
hub priority configuration changes, Panorama reevaluates whether to enable or
disable ECMP.
• If you selected Group HA Peers, select the pair and click in the Hub Failover Priority field;
enter a single Priority (range is 1 to 4), which applies to both hubs in the HA pair, and click OK.
The Hub Failover Priority for HA Peers window appears only for configured HA
pairs. If you add a new HA pair, you must configure the Hub Failover Priority for
each of the two new peers independently.
You will get an error message if you assign different priorities to hubs that are
ungrouped HA peers and then you select Group HA Peers and Submit.
The firewall automatically redistributes (advertises) all non-public, connected routes from
the branch to the hub. You can also redistribute any additional prefixes from the branch
to the hub. The Prefix(es) to Redistribute field accepts a list of prefixes, rather than just a
single prefix.
1. Select Panorama > SD-WAN > Devices and select a branch firewall.
2. Select BGP and Add one or more IP addresses with netmask to Prefix(es) to Redistribute.
3. Click OK.
STEP 7 | (SD-WAN Plugin 2.0.1 and later 2.0 releases) If your hub firewalls in a hub-spoke VPN cluster have
DHCP or PPPoE interfaces, you must use DDNS. Select Network > Interfaces > Ethernet and
in the Template field, select Template-stack for a hub.
STEP 8 | (SD-WAN Plugin 2.0.1 and later 2.0 releases) Select the interfaces whose IP address indicates
Dynamic-DHCP Client or PPPOE, click Override on the bottom of the screen, and click OK to
close.
STEP 9 | (SD-WAN Plugin 2.0.1 and later 2.0 releases) Verify on Panorama that the DDNS settings were
configured.
1. Select Network > Interfaces > Ethernet and select the same interface again.
2. Select Advanced > DDNS.
3. See that the DDNS settings were automatically configured with a Hostname and the Vendor set to
Palo Alto Networks DDNS.
4. Click OK.
STEP 10 | (SD-WAN Plugin 2.0.1 and later 2.0 releases) Commit and Commit to Panorama.
STEP 12 | Push the configuration to the branch(es) by repeating the prior step, but selecting your branch
Device Group.
If you need to change the current IKE key that is used to secure the IPSec connections
between VPN cluster devices, perform this step to randomly generate a new key for the
cluster.
1. Select Panorama > SD-WAN > VPN Clusters and select a cluster.
2. At the bottom of the screen, select Refresh IKE Key.
For the CPE device or upstream routing device using source NAT, you are responsible for
creating the one-to-one destination NAT rule (with no port translation) on that device to
translate the external IP address back to the private IP address assigned to the firewall’s
interface. This translation allows the IKE and IPSec protocols to come back into the firewall.
(Palo Alto Networks doesn’t have access rights to the upstream CPE or upstream router that
is performing source NAT.)
6. Select ZTP Service Status and confirm that the firewall Serial Number is listed.
STEP 3 | If you haven’t already done so, install the SD-WAN Plugin 2.0.1 or a later 2.0 release.
STEP 6 | Create the VPN Address Pool as shown in Create a VPN Cluster.
STEP 9 | Select Network > Interfaces > Ethernet and in the Template field, select Template-stack for a
particular branch.
STEP 10 | Select the interface whose IP address indicates Dynamic-DHCP Client or PPPOE, click
Override on the bottom of the screen, and click OK to close.
4. Click OK.
STEP 12 | If the VPN cluster includes any hubs that have a DHCP or PPPoE interface, repeat Steps 9
through 11, but in the Template field, select Template-stack for a particular hub.
Even if your hub is not in a full mesh cluster, but is in a hub-spoke cluster, if the hub uses
DHCP or PPPOE to get its IP address for an SD-WAN interface, you must perform the
Override steps to enable DDNS.
STEP 14 | Verify on the branch firewall that the branch is configured with DDNS.
STEP 15 | On another branch in the cluster, view that the Peer Address of the interface is a system-
generated FQDN for the DDNS registration.
1. Log onto another branch and select Network > Network Profiles > IKE Gateways.
2. See that the Peer Address is a secure name, not easily referenced and showing no company
information; for example
0101.8ced8460fcc5177cd3665ce41b6345323a15a612b8e52ec1d9ec057a582cb4.t13855f6c9a92d62777b5793
STEP 16 | View FQDNs of branches and hubs and update DDNS information.
1. Access the CLI.
2. View FQDNs (generated by DDNS) for other branches and hubs: show dns-proxy fqdn all
3. Update the DDNS addresses: request system fqdn refresh
STEP 2 | Configure a Template or Template Stack Variable and enter the variable Name in
the following format: $peerhostname_clustername.customname. For example,
$branchsanjose_clusterca.10 or $DIA_cluster2.location3. After the dollar sign ($), the elements
in the variable are:
• peerhostname—Hostname of the destination hub or branch to which the static route goes. For a
static route to the internet, the peerhostname must be DIA. An alternative to the peer’s hostname is
to use the peer’s serial number. If the peer is part of an HA pair, you can use the hostname or serial
number of either one of the two HA firewalls.
• clustername—Name of the VPN cluster to which the destination hub or branch belongs.
• customname—Text string of your choice; you cannot use a period (.) in the customname.
You can have more than one static route going to the same peer, which means the variables will
have the same peerhostname and clustername; you differentiate the variables by using a different
customname.
STEP 3 | Select the variable Type to be IP Netmask and enter the destination IP address with a slash
and netmask length, such as 192.168.2.1/24.
STEP 5 | Select Network > Virtual Routers and select a virtual router.
STEP 6 | Select Static Routes > IPv4 and Add a Name for the static route.
STEP 8 | For Interface, select from the dropdown list, which includes only interfaces from the template;
for example, Ethernet1/1, Tunnel.x, or sdwan.xx.
STEP 9 | For Next Hop, select IP Address and enter the IP address of the next hop for the static route
(the hub or branch to which the static route goes).
In order for Panorama to gather SD-WAN monitoring data, you must push the
SD-WAN configuration from Panorama to your SD-WAN firewalls. If no SD-
WAN monitoring data is displayed, verify that you successfully pushed the SD-
WAN configuration.
91
92 SD-WAN ADMINISTRATOR’S GUIDE | Monitoring and Reporting
© 2020 Palo Alto Networks, Inc.
Monitor SD-WAN Tasks
Monitor commits, pushes, and other SD-WAN tasks executed from the Panorama™ management server to
gain insight and detailed information regarding the specific task.
If a task succeeds with warnings or fails, you can view detailed warnings and description to better
understand how to resolve the misconfiguration. Additionally, you can view the last push state details to
review detailed information as to what caused the task warnings or errors.
STEP 2 | After editing the SD-WAN configuration, Commit your changes to view the job status.
The job status window displays the operation performed, the result, and any details and warnings related
to the job status.
STEP 3 | View the last push details for jobs that succeed with warnings or failed.
1. Click Tasks ( ) at the bottom of the web interface to open the Task Manager.
2. Click the job Type for the SD-WAN task.
3. Click the job Status to view the last push state details for the task.
4. Review the last push state details to identify and resolve the configuration issues.
SD-WAN hubs display Error Correction Initiated only if traffic originated from the
SD-WAN hub to the SD-WAN branch and matched an SD-WAN policy rule with an error
correction profile attached.
From the landing dashboard, narrow the view to impacted applications or links that have the Error or
Warning status. Then select an affected site to view site-level details. From the site, view application-level
or link-level details.
STEP 2 | Select Panorama > SD-WAN > Monitoring to view at-a-glance health status summaries of your
VPN clusters, hubs, and branches.
STEP 4 | Click a site that displays Warning or Error to see one VPN cluster. The site data display App
Performance and Link Performance, including the impacted applications. Additionally, use the
Sites filter to view VPN clusters based on link notifications, latency deviations, jitter deviations,
packet loss deviations, or impacted applications.
For SaaS applications over a Direct Internet Access (DIA) link, the SaaS Monitoring column indicates
whether the app is created in a SaaS Quality profile and associated with one or more SD-WAN policy
rules.
STEP 5 | Click the branch or hub that has an application that needs attention.
STEP 2 | Select Panorama > SD-WAN > Reports and Add a new report.
101
102 SD-WAN ADMINISTRATOR’S GUIDE | Troubleshooting
© 2020 Palo Alto Networks, Inc.
Use CLI Commands for SD-WAN Tasks
Use the following CLI commands to view and clear SD-WAN information and view SD-WAN global
counters. You can also view VPN tunnel information, BGP information, and SD-WAN interface information.
STEP 2 | Select Panorama > SD-WAN > Monitoring and view the Impacted VPN clusters.
STEP 3 | Filter the VPN clusters based on your preferred metric from the Site drop-down and select
time frame. In this example, we are viewing All Sites containing impacted VPN clusters in the
last 12 hours.
STEP 4 | In the Sites column, select the impacted hub or branch firewall to view the impacted apps and
the corresponding link performance.
STEP 6 | Investigate which health metric caused the app to swap links.
2. In the Traffic Characteristics tab, select another link to view the Link Characteristics for secondary
app link to better understand what caused the VPN cluster to become impacted.
STEP 2 | Select Panorama > SD-WAN > Monitoring and view the Impacted VPN clusters.
STEP 3 | Filter the VPN clusters based on your preferred metric from the Site drop-down and select
time frame. In the Sites column, select the impacted hub or branch firewall to view the
impacted apps and the corresponding link performance.
In this example, we are viewing All Sites containing impacted VPN clusters in the last 24 hours.
STEP 4 | In the Sites column, select the impacted hub or branch firewall to view the impacted apps and
the corresponding link performance.
STEP 6 | Investigate which health metric caused the app to swap links.
2. In the Traffic Characteristics tab, select another link to view the Link Characteristics. In this
example, we are viewing ethernet 1/4 and can see that after the app traffic failed over, ethernet 1/4
experienced jitter for the app that exceeded the configured threshold. This forced the app traffic to
fail over back to ethernet 1/1.
Since both links had health metrics that were exceeded, the app traffic had no healthy link to fail over
to resulting in the VPN cluster becoming impacted.
You must upgrade your hub firewalls from PAN-OS 10.0.0 to PAN-OS 10.0.1 or later
release before you upgrade your branch firewalls. Upgrading branch firewalls before hub
firewalls may result in incorrect monitoring data (Panorama > SD-WAN > Monitoring) and
for SD-WAN links to erroneously display as down.
STEP 3 | Upgrade the SD-WAN plugin version on your hub and branch firewalls.
1. Select Panorama > Device Deployment > Plugins and Check Now for the latest sd_wan plugin
version.
2. Download the latest version of the SD-WAN plugin.
3. Install the SD-WAN plugin and select your hub and branch firewalls from the list of Devices.
4. Click OK to install the new SD-WAN plugin version on the selected hub and branch firewalls.
STEP 2 | Remove any security policy rules that allow BGP to run between your SD-WAN hubs and
branches.
1. Select Panorama > SD-WAN > Devices > BGP Policy and Remove the security policy rules.
2. Click OK to save your configuration changes.
STEP 3 | Select Panorama > Plugins and select Remove Config for the SD-WAN plugin.
STEP 4 | Select Commit and Commit and Push your configuration changes to your managed firewalls.