Palo Alto SD-WAN with Panorama

Palo Alto SD-WAN enables secure, intelligent branch connectivity by dynamically selecting the best path for traffic across multiple WAN links. It must be configured and managed through Panorama with the SD-WAN plugin installed, which acts as the central controller for all SD-WAN settings and policies.

Preparing Environments

First, install the SD-WAN plugin on Panorama.

Here we have three firewalls managed by Panorama: one acts as the hub and two as branches.

Next, under Objects, create two shared tags, one for each WAN link.

Basic Network Configuration

HUB

Then, in the Network template, configure an SD-WAN Interface Profile for each of the two link tags created above.

Next, under Network Interfaces, configure the primary WAN interface with its IP address and next hop, and enable SD-WAN on it.

Then select the matching SD-WAN Interface Profile on the interface.

Do the same for the secondary link, and add the non-SD-WAN LAN interface as well.

Next, create the default inside and outside zones.

Then create a virtual router with routes to both WAN gateways, so traffic can leave over either link.

Enable BGP on the virtual router and give it a Router ID and an AS number.

Branches

Do the same for the JKT and MKW branches.

At this point it is good practice to make sure that all nodes have full-mesh connectivity to each other over their WAN links, since the plugin can only bring up tunnels between WAN addresses that can already reach each other on the underlay.
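
Added example, not code from the original post: a small Python helper that turns the "every WAN link must reach every other node's WAN links" requirement into an explicit check list. It generates the PAN-OS CLI ping commands to run on each firewall (sourced from the right WAN interface so the test follows the same underlay path the tunnel will use) and reports any pair that did not answer. The node names, link tags and addresses are constructed placeholders, not the values from the post.

```python
"""Underlay full-mesh check before the VPN cluster is formed.

Added example, not part of the original post: every WAN address of every
firewall must reach every WAN address of every other firewall, otherwise the
plugin cannot bring up all tunnels. Node names, link tags and addresses below
are constructed placeholders, not the values used in the post.
"""
import itertools
from dataclasses import dataclass

# Constructed inventory: hub plus the JKT and MKW branches, two tagged links each.
WAN_LINKS = {
    "HUB": {"ISP-A": "203.0.113.10", "ISP-B": "198.51.100.10"},
    "JKT": {"ISP-A": "203.0.113.20", "ISP-B": "198.51.100.20"},
    "MKW": {"ISP-A": "203.0.113.30", "ISP-B": "198.51.100.30"},
}


@dataclass(frozen=True)
class Pair:
    src_node: str
    src_tag: str
    dst_node: str
    dst_tag: str
    dst_ip: str

    def key(self):
        return (self.src_node, self.src_tag, self.dst_node, self.dst_tag)


def mesh_pairs(links):
    """Every directed (source link -> destination link) combination between
    distinct nodes. Both directions are kept because asymmetric filtering
    on one ISP is a common reason a single tunnel stays down."""
    pairs = []
    for (a, a_links), (b, b_links) in itertools.permutations(links.items(), 2):
        for a_tag in a_links:
            for b_tag, b_ip in b_links.items():
                pairs.append(Pair(a, a_tag, b, b_tag, b_ip))
    return pairs


def pan_ping_commands(links):
    """PAN-OS CLI pings to run on each firewall, sourced from the WAN
    interface of the link under test ('ping ... source <ip> host <ip>')."""
    cmds = {}
    for p in mesh_pairs(links):
        src_ip = links[p.src_node][p.src_tag]
        cmds.setdefault(p.src_node, []).append(
            f"ping count 3 source {src_ip} host {p.dst_ip}")
    return cmds


def unreachable(links, observed):
    """observed maps Pair.key() -> True/False from the ping results.
    Anything missing or False is reported, so an untested pair counts as a failure."""
    return [p for p in mesh_pairs(links) if not observed.get(p.key(), False)]


def example_observed():
    """Constructed result set: everything answers except MKW's ISP-B link
    reaching the hub's ISP-A address."""
    obs = {p.key(): True for p in mesh_pairs(WAN_LINKS)}
    obs[("MKW", "ISP-B", "HUB", "ISP-A")] = False
    return obs


if __name__ == "__main__":
    for node, cmds in pan_ping_commands(WAN_LINKS).items():
        print(f"# run on {node}")
        for c in cmds:
            print(c)
    for p in unreachable(WAN_LINKS, example_observed()):
        print(f"MISSING: {p.src_node}/{p.src_tag} -> {p.dst_node}/{p.dst_tag} ({p.dst_ip})")
```

Paste the printed commands into each firewall's CLI, record which pairs answered, and feed that back into `unreachable()`; a single missing pair usually points at an upstream ACL or NAT on one provider rather than at the SD-WAN configuration itself.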

Policies

Next we tackle the policies. For simplicity we use a shared "any-any" security policy; this is a lab shortcut only, since it allows every application between every zone in both directions. In production, restrict the rules to the LAN and SD-WAN zones, the applications actually needed, and attach security profiles and logging.
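
As an added illustration (not configuration from the original post), the same rules expressed in PAN-OS CLI set syntax: the permissive lab rule as used here, followed by a tighter shape for production. The zone names (inside, sdwan-vpn), rule names and the security profile group name are assumptions, not values taken from the post.

```text
# Lab shortcut as used in this post: a shared Panorama pre-rule that allows everything
set shared pre-rulebase security rules any-any from any to any source any destination any application any service any action allow

# Tighter shape for production (zone, rule and profile-group names are assumptions)
set shared pre-rulebase security rules lan-to-overlay from inside to sdwan-vpn source any destination any application any service application-default action allow
set shared pre-rulebase security rules lan-to-overlay profile-setting group strict-threat
set shared pre-rulebase security rules lan-to-overlay log-end yes
set shared pre-rulebase security rules overlay-to-lan from sdwan-vpn to inside source any destination any application any service application-default action allow
set shared pre-rulebase security rules overlay-to-lan profile-setting group strict-threat
set shared pre-rulebase security rules overlay-to-lan log-end yes
set shared pre-rulebase security rules deny-all from any to any source any destination any application any service any action deny
set shared pre-rulebase security rules deny-all log-end yes
```

The explicit logged deny at the end is there so that traffic the SD-WAN policy steers but the security policy does not permit shows up in the traffic log instead of silently hitting the implicit interzone default.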

Then create a Traffic Distribution Profile, which defines the link distribution algorithm, and enter the two link tags created earlier.

Then create an SD-WAN policy rule, again "any-any" to ease the deployment, and reference the Traffic Distribution Profile in it.

SD-WAN

Now we configure SD-WAN itself. First, add the hub to the SD-WAN Devices.

Do the same for the branches.

Next, under VPN Clusters, create a VPN Address Pool. The plugin draws addresses from this pool for the overlay interfaces it generates between the hub and the branches.

Finally, create the VPN Cluster with the Hub and Spoke type, add all the devices according to their roles, and commit and push.

SD-WAN Validation

Here’s the topology after the configuration is pushed

The first thing to notice is that the plugin automatically creates a loopback interface used for overlay routing.

Tunnel interfaces are created automatically, their number depending on the number of links and spokes in the cluster.

SD-WAN virtual interfaces are also created, each mapped to its respective tunnel interfaces and zone.

On the CLI, validate SD-WAN connectivity with “show sdwan connection all”.

Routing Validation

On the virtual router, the routing table shows the branch networks reachable with a next hop of each remote firewall's loopback, learned through BGP (“show routing route type bgp” lists just those entries, and “show routing protocol bgp summary” confirms the peerings are up).

On the client side, the connectivity tests succeed, validating the SD-WAN deployment.

This post is licensed under CC BY 4.0 by the author.