ReverseThrottle's Blog
SD-WAN Basic Bare-Bone Configuration

This article describes the minimum configuration required to set up SD-WAN on your Palo Alto NGFW.

Last updated 4 months ago

Intro

What is SD-WAN (Software-Defined Wide Area Network)? A networking technology that uses software to improve the performance and scalability of wide-area networks.

SD-WAN has been a well-known concept for quite some time and is nothing new; however, over the years there have been improvements and changes. For example, at Palo Alto Networks we have two different SD-WAN solutions. Although acquisitions created the two separate solutions, there is quite a lot of overlap between them. Today I'll focus on our PAN-OS SD-WAN solution, an add-on subscription on our NGFWs.

Requirements for PAN-OS SD-WAN:

  • NGFW with SD-WAN subscription

  • Panorama (managing NGFWs)

    • SD-WAN Plugin - This creates the SD-WAN overlay between your sites and does it in an automatic fashion based on the information you supply.

Before we get into the topology of my environment I want to discuss a few important concepts and terminology that we use, which should help when it comes to actually configuring SD-WAN on our firewalls. If you want to dive deep into this you should read our SD-WAN reference architecture; it's a very dry read but has good information on how our SD-WAN solution works on our NGFWs.

Link Tags - A unique tag that is assigned to SD-WAN Interface Profiles and is used by Traffic Distribution Profiles to determine which paths to take. Link Tags identify physical links. When creating Link Tags, consider the purpose of the links: is the link for business-critical applications or for non-critical traffic, is it a private MPLS link or consumer internet?

SD-WAN Interface Profile - Define characteristics such as max upload/download, VPN tunnel, & FEC (Forward Error Correction) for a physical interface. You must also apply a Link Tag to your SD-WAN Interface profiles.

You can apply the same link tag on multiple links, this will group the physical links into a bundle.

SD-WAN Virtual Interface (VIF) - Logical grouping of interfaces that go to the same destination. Like branch to HUB or branch to internet.

Path Quality Profile - Defines the monitoring thresholds for an application's jitter, latency, and packet loss.

Traffic Distribution Profile - Define the paths that will be selected.

SD-WAN Predefined Zones - There are four predefined zones that SD-WAN creates:

  • zone-internal - This zone is attached to a loopback address on the firewall and is used for BGP communication between hubs and branches.

  • zone-to-hub - Zones are applied to SD-WAN tunnels going to the hub.

  • zone-to-branch - Zones applied to SD-WAN tunnels going to a branch.

Auto VPN - Based on the information you enter within the SD-WAN plug-in it will automatically create the SD-WAN overlay and manage the IPSec tunnels between your sites.

Now that we have some important terminology down let's move on to the topology for this example.

Topology of Environment

For this example, we have a super basic configuration with one central hub location and one branch location. Both sites have two internet links: a cable modem and an ethernet link. Later we will define the characteristics of each physical link (cable modem and ethernet).

SD-WAN Configuration

Link Tags >

Link Tags identify one or more physical links that you want applications and services to use in a specific order during SD-WAN traffic distribution.

Grouping multiple physical links allows you to maximize the application and service quality if the physical link health deteriorates. When planning how to group your links, consider the use or purpose of the links and group them accordingly.

Make sure your Link Tags are Shared and applied to both your Hub and Branch device groups within Panorama.

Based on our environment I created two different Link Tags:

  • Primary Internet - Ethernet

  • Secondary Internet - Cable Modem

SDWAN Interface Profiles >

An SD-WAN interface profile defines the characteristics of ISP connections or MPLS connections. It specifies the speed of links, how frequently the firewall monitors them, and a Link Tag for each link. When you specify the same Link Tag on multiple links, you are grouping (bundling) those physical links into a link bundle or fat pipe.

In our environment, I created two separate SD-WAN Interface Profiles:

  • Primary Internet

    • Link Tag - Primary Internet

    • Link Type - Ethernet

    • Max Upload - 200 Mbps

    • Max Download - 200 Mbps

  • Secondary Internet

    • Link Tag - Secondary Internet

    • Link Type - Cable modem

    • Max Upload - 50 Mbps

    • Max Download - 50 Mbps

Attach SDWAN Profile & Configure Physical Interfaces >

Next, we need to reconfigure our physical interfaces for SD-WAN. First, check the box to enable SD-WAN; a Next Hop Gateway field then appears, so enter the next hop for your physical link. Then select the SD-WAN Interface Profile we defined previously.

Create Traffic Distribution Profiles & Assign SDWAN Interfaces >

Our Traffic Distribution Profiles (TDP) allow us to define our paths and the priority of those paths. We can create multiple TDPs with single paths or multiple paths.

We can select from 3 different path selection algorithms:

  • Best Available

  • Top-Down Priority

  • Weighted Session Distribution
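To make the three algorithms concrete, here is an added Python model (not Palo Alto Networks code) of how a Traffic Distribution Profile chooses a link once a Path Quality Profile has marked each link healthy or breached. It uses the post's two Link Tags; the link measurements, the thresholds, the latency tie-break and the fallback when every path is out of profile are assumptions of the model, not documented PAN-OS behaviour.

```python
"""Toy model of SD-WAN path selection: a Traffic Distribution Profile (TDP)
choosing among links grouped by Link Tag, with a Path Quality Profile (PQP)
deciding which links are currently acceptable.

Added illustration, not PAN-OS code. Thresholds, the lowest-latency
tie-break and the out-of-profile fallback are assumptions of this model.
"""
from dataclasses import dataclass, field


@dataclass
class Link:
    name: str          # physical SD-WAN interface, e.g. ethernet1/1
    tag: str           # Link Tag from its SD-WAN Interface Profile
    latency_ms: float  # constructed measurements of the link monitor
    jitter_ms: float
    loss_pct: float


@dataclass
class PathQualityProfile:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def healthy(self, link):
        """A link is usable while every metric stays within the profile."""
        return (link.latency_ms <= self.max_latency_ms
                and link.jitter_ms <= self.max_jitter_ms
                and link.loss_pct <= self.max_loss_pct)


@dataclass
class TrafficDistributionProfile:
    algorithm: str        # "top-down", "best-available" or "weighted"
    link_tags: list       # ordered: the first tag is the preferred path
    weights: dict = field(default_factory=dict)  # per-tag, weighted only


def _by_tag(links, tag):
    return [l for l in links if l.tag == tag]


def _best(links):
    # Tie-break on lowest measured latency (assumption of this model).
    return min(links, key=lambda l: l.latency_ms)


def select_path(tdp, pqp, links, session_id=0):
    """Return the Link a new session is pinned to under the TDP."""
    candidates = [l for l in links if l.tag in tdp.link_tags]
    if not candidates:
        raise ValueError("no SD-WAN interface carries a tag named in the TDP")
    healthy = [l for l in candidates if pqp.healthy(l)]

    if tdp.algorithm == "top-down":
        # Walk tags in priority order and stay on the first one that is in profile.
        for tag in tdp.link_tags:
            good = _by_tag(healthy, tag)
            if good:
                return _best(good)
        # Every path breaches the profile: keep the highest-priority tag
        # rather than black-hole the session (assumption).
        return _best(_by_tag(candidates, tdp.link_tags[0]))

    if tdp.algorithm == "best-available":
        # Ignore tag order; pick the best in-profile link across all tags.
        return _best(healthy or candidates)

    if tdp.algorithm == "weighted":
        # Spread sessions over the in-profile tags in proportion to their weights.
        pool = []
        for tag in tdp.link_tags:
            if _by_tag(healthy, tag):
                pool.extend([tag] * tdp.weights.get(tag, 1))
        if not pool:
            return _best(candidates)
        return _best(_by_tag(healthy, pool[session_id % len(pool)]))

    raise ValueError(f"unknown algorithm {tdp.algorithm!r}")


def distribute(tdp, pqp, links, sessions):
    """Count how many of `sessions` new sessions land on each Link Tag."""
    counts = {}
    for sid in range(sessions):
        tag = select_path(tdp, pqp, links, sid).tag
        counts[tag] = counts.get(tag, 0) + 1
    return counts


# Constructed sample data mirroring the post's two Link Tags.
PQP = PathQualityProfile(max_latency_ms=100, max_jitter_ms=10, max_loss_pct=1.0)
PRIMARY = Link("ethernet1/1", "Primary Internet", latency_ms=20, jitter_ms=2, loss_pct=0.0)
SECONDARY = Link("ethernet1/2", "Secondary Internet", latency_ms=35, jitter_ms=5, loss_pct=0.1)
LINKS = [PRIMARY, SECONDARY]

if __name__ == "__main__":
    tdp = TrafficDistributionProfile("top-down", ["Primary Internet", "Secondary Internet"])
    print("healthy:", select_path(tdp, PQP, LINKS).name)
    lossy = Link("ethernet1/1", "Primary Internet", 20, 2, loss_pct=3.0)
    print("primary lossy:", select_path(tdp, PQP, [lossy, SECONDARY]).name)
```

The point worth noticing is that Top-Down Priority and Best Available only diverge when the preferred link is still within profile but another link is measurably better, and that Weighted Session Distribution balances new sessions rather than packets, so a long-lived flow stays on its link until the profile is breached.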

Create Security & SDWAN Policy Rules >

It's important to understand the life of a packet on the firewall. The firewall first performs session lookup and session setup (NAT policy lookup, security policy lookup) before reaching forwarding and egress, which is where SD-WAN logic is applied and where we can manipulate our traffic.

With the above in mind, we need to ensure we have Security policy rules that allow the specific applications we want SD-WAN to apply its policy lookup and logic to.

An SDWAN policy rule is very similar to a security policy rule. You define source and destination criteria, applications & services. Then you configure your Traffic Distribution Profile, Path Quality Profile, and SaaS Quality Profile.
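The ordering above is the part people get wrong: an SD-WAN policy rule never permits traffic on its own. The following added Python model (not PAN-OS code) walks one new session through a reduced security rule base and then a reduced SD-WAN rule base in that order. The rule names, the `trust`/`untrust` zones, the profile names and the first-match and `any` semantics are constructed assumptions; `zone-to-hub` is the predefined zone the post describes.

```python
"""Model of the packet-flow order the post describes: security policy is
evaluated during session setup, SD-WAN policy only at forwarding.

Added illustration, not PAN-OS code. The rule fields are a reduced subset
of the real rule bases; first-match semantics, the "any" wildcard and all
rule, zone and profile names below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str


def _permits(allowed, value):
    """Rule field match: a literal value or the 'any' wildcard."""
    return "any" in allowed or value in allowed


@dataclass
class Rule:
    name: str
    src_zones: set
    dst_zones: set
    apps: set

    def matches(self, flow):
        return (_permits(self.src_zones, flow.src_zone)
                and _permits(self.dst_zones, flow.dst_zone)
                and _permits(self.apps, flow.app))


@dataclass
class SecurityRule(Rule):
    action: str = "allow"  # "allow" or "deny"


@dataclass
class SdwanRule(Rule):
    tdp: str = ""  # Traffic Distribution Profile to apply
    pqp: str = ""  # Path Quality Profile to apply


def first_match(rules, flow):
    return next((r for r in rules if r.matches(flow)), None)


def forward(flow, security_rules, sdwan_rules):
    """Decision for one new session, in the order the firewall takes it:
    security policy at session setup, SD-WAN policy only for allowed traffic."""
    sec = first_match(security_rules, flow)
    if sec is None or sec.action != "allow":
        # Denied at session setup; the SD-WAN rule base is never consulted.
        return {"action": "deny", "security_rule": sec.name if sec else None,
                "sdwan_rule": None, "tdp": None}
    sd = first_match(sdwan_rules, flow)
    # Allowed sessions with no SD-WAN rule match are forwarded by ordinary
    # routing with no TDP applied (assumption of this model).
    return {"action": "allow", "security_rule": sec.name,
            "sdwan_rule": sd.name if sd else None,
            "tdp": sd.tdp if sd else None}


# Constructed rule bases for the one-hub, one-branch topology in the post.
SECURITY_RULES = [
    SecurityRule("branch-to-hub-apps", {"trust"}, {"zone-to-hub"}, {"sip", "rtp", "ms-rdp"}, "allow"),
    SecurityRule("dia-web", {"trust"}, {"untrust"}, {"web-browsing", "ssl"}, "allow"),
    SecurityRule("deny-all", {"any"}, {"any"}, {"any"}, "deny"),
]
SDWAN_RULES = [
    SdwanRule("voice-to-hub", {"trust"}, {"zone-to-hub"}, {"sip", "rtp"}, tdp="voice-tdp", pqp="voice-pqp"),
    SdwanRule("dia-any", {"trust"}, {"untrust"}, {"any"}, tdp="dia-tdp", pqp="web-pqp"),
]

if __name__ == "__main__":
    for f in (Flow("trust", "zone-to-hub", "sip"), Flow("trust", "untrust", "bittorrent")):
        print(f, forward(f, SECURITY_RULES, SDWAN_RULES))
```

Note the `bittorrent` case: the `dia-any` SD-WAN rule would match it, but the session is dropped by `deny-all` before forwarding, so no Traffic Distribution Profile is ever applied. Conversely `ms-rdp` to the hub is allowed but matches no SD-WAN rule, so it simply follows the routing table.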

Configure SDWAN Plugin: Add Devices & Configure VPN Clusters >

We first need to add our devices to the SD-WAN plug-in:

Navigate to Panorama > SD-WAN > Devices > Add.

You'll be presented with a wizard where you can enter details such as device name, router name, link tags, and BGP parameters.

Once all your devices have been added we can create a VPN Cluster.

A VPN Cluster is a logical grouping of central-site devices (hubs) and remote-site devices (branches). The SDWAN plugin uses VPN clusters as the top level for SD-WAN monitoring and reporting. The SD-WAN plugin supports two types of VPN clusters: hub-and-spoke and mesh.

Hub-and-Spoke - In a hub-and-spoke VPN cluster, the SD-WAN plugin builds a set of VPN overlay tunnels from each remote site to each of the hub sites. The SD-WAN plugin does not build any VPN overlay tunnels directly between remote sites or from hub-to-hub. You must include at least one hub device in a hub-and-spoke VPN cluster.

Full Mesh - In a mesh VPN cluster, the SD-WAN plugin builds a set of VPN overlay tunnels from each remote site to each of the hub sites. The SD-WAN plugin also builds a set of VPN overlay tunnels from each remote site in the cluster to every other remote-site in the cluster. The SD-WAN plugin does not build any VPN overlay tunnels from hub-to-hub. Unlike a hub-and-spoke VPN cluster, you do not need to include any hub devices in a mesh VPN cluster.

It is important to understand the tasks performed by the SD-WAN plug-in:

  • Creates predefined zones and required interfaces; if BGP is enabled, also creates a loopback address to use as the router ID

  • Creates VIF (SD-WAN Virtual Interfaces) and configures tunnels

  • Configures BGP or static routes and uses prefix distribution
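To see how the cluster type and the plug-in tasks above fit together, here is an added Python model (not the SD-WAN plug-in's code) that computes which overlay tunnels, zones and loopbacks the plug-in would push for a given VPN cluster. It assumes one tunnel per (local link, remote link) pair, which reproduces the four tunnels per device the post observes with two links on each site, and that a tunnel lands in `zone-to-hub` or `zone-to-branch` according to the role of the device it goes to, with BGP-enabled devices getting a loopback in `zone-internal`. Device and interface names are constructed.

```python
"""Model of what the SD-WAN plug-in's Auto VPN builds for a VPN cluster.

Added illustration, not the plug-in's code. Assumptions: one overlay tunnel
per (local link, remote link) pair (reproduces the four tunnels the post sees
with two links per site); a tunnel's zone follows the role of the remote
device (zone-to-hub / zone-to-branch); each BGP-enabled device gets a
loopback in zone-internal. Device and interface names are constructed.
"""
from dataclasses import dataclass
from itertools import combinations, product


@dataclass
class Device:
    name: str
    role: str    # "hub" or "branch"
    links: list  # physical SD-WAN interfaces, e.g. ["ethernet1/1", "ethernet1/2"]
    bgp: bool = True


@dataclass(frozen=True)
class Tunnel:
    local_if: str
    remote: str
    remote_if: str
    zone: str


def _tunnels_towards(local, remote):
    """Tunnels configured on `local` that terminate on `remote`."""
    zone = "zone-to-hub" if remote.role == "hub" else "zone-to-branch"
    return [Tunnel(li, remote.name, ri, zone)
            for li, ri in product(local.links, remote.links)]


def build_cluster(cluster_type, devices):
    """Return, per device, the zones, loopback and tunnels the plug-in would push."""
    if cluster_type not in ("hub-and-spoke", "mesh"):
        raise ValueError(f"unknown cluster type {cluster_type!r}")
    hubs = [d for d in devices if d.role == "hub"]
    branches = [d for d in devices if d.role == "branch"]
    if cluster_type == "hub-and-spoke" and not hubs:
        raise ValueError("a hub-and-spoke VPN cluster needs at least one hub")

    # Every branch peers with every hub in both cluster types ...
    pairs = [(b, h) for b in branches for h in hubs]
    # ... mesh adds branch-to-branch; hub-to-hub is never built in either.
    if cluster_type == "mesh":
        pairs.extend(combinations(branches, 2))

    config = {d.name: {"zones": set(), "loopback": d.bgp, "tunnels": []}
              for d in devices}
    for a, b in pairs:
        for local, remote in ((a, b), (b, a)):
            tunnels = _tunnels_towards(local, remote)
            config[local.name]["tunnels"].extend(tunnels)
            config[local.name]["zones"].update(t.zone for t in tunnels)
    for d in devices:
        if d.bgp:  # the loopback used as BGP router ID lives in zone-internal
            config[d.name]["zones"].add("zone-internal")
    return config


# Constructed devices matching the post's one-hub, one-branch topology.
HUB = Device("DC-FW", "hub", ["ethernet1/1", "ethernet1/2"])
BRANCH = Device("Branch-FW", "branch", ["ethernet1/1", "ethernet1/2"])

if __name__ == "__main__":
    cfg = build_cluster("hub-and-spoke", [HUB, BRANCH])
    for name, c in cfg.items():
        print(name, sorted(c["zones"]), len(c["tunnels"]), "tunnels")
```

Running it for the post's topology gives each device four tunnels, the hub's tunnels all in `zone-to-branch` and the branch's all in `zone-to-hub`, plus `zone-internal` on both for the BGP loopback, which is exactly what the next section finds in the pushed configuration. The model is also a useful sanity check before committing: a mesh cluster grows tunnel counts quadratically in the number of branches, so the number the plug-in will push is worth knowing in advance.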

Reviewing What the SD-WAN Plug-in Created

The first thing it created was a loopback interface assigned to zone-internal; this is because of the BGP configuration we entered when we added the device.

Secondly, we'll see 4 tunnels were created with either zone-to-branch or zone-to-hub based on the device type (hub or branch).

We then see the SD-WAN virtual interfaces (VIFs). The first interface contains our physical DIA links; the second contains the tunnels previously mentioned and allows communication between your sites.

Let's validate all of this and pull up the CLI of our two devices. Enter the following command into each device:

show sdwan connection all

Looking at our DC or Hub site first, we see that SD-WAN VIF.901 contains our physical DIA links and does not contain any tunnel information. We also see VIF.903, which contains our tunnels back to the branch location.

Looking at our Branch site it should look very similar:

Updated Topology with SD-WAN overlay configured

The last thing to check is our routing table to verify BGP peers are configured correctly. We can see that the plug-in has added our interfaces, tunnels, and loopback interfaces to our router.

Checking the routing table we can see the plug-in created a new default route for DIA-bound traffic and the next hop interface is our virtual SD-WAN interface.901.

Finally, we can see that we have our BGP peer successfully peered and we can validate that each site is distributing its route information.

Closing Thoughts

I hope this blog has equipped you with the knowledge and confidence to harness the power of SD-WAN for your network infrastructure. Stay tuned for more insightful content, and may your SD-WAN endeavors be seamless, secure, and successful.

You can follow a detailed walkthrough of configuring SD-WAN on our TechDocs. However, I'll show you the bare minimum configuration to get SD-WAN up and running.

I am not going to explain the differences between each in detail but you can read more here.

Figures from the original post (images not included in this extraction):

  • SD-WAN reference architecture
  • In this figure, both links in the SD-WAN interface happen to use the same link tag (Cheap Broadband), but links in an SD-WAN virtual interface can have different link tags.
  • Enabling SD-WAN and defining next hop gateway
  • Assigning SD-WAN Interface Profile to physical interface
  • TDP defining best available path and using both primary and secondary internet links
  • Packet Flow on NGFW
  • Device configuration for SD-WAN plug-in
  • VPN Cluster named Demo-Cluster with 1 branch device and 1 hub device
  • Next hop to SD-WAN VIF 901
  • BGP Peer established