SD-WAN Basic Bare-Bone Configuration
This article describes the minimum configuration required to setup SDWAN on your Palo NGFW
Last updated
What is SD-WAN? Software Defined Wide Area Network is a networking technology that uses software to improve the performance and scalability of wide-area networks.
SD-WAN has been a well-known concept for quite some time and is nothing new; however, over the years there have been improvements and changes. For example, at Palo Alto Networks we have two different SD-WAN solutions. Although acquisitions are what produced the two separate solutions, there is quite a lot of overlap between them. Today I'll focus on our PAN-OS SD-WAN solution, an add-on subscription on our NGFWs.
NGFW with SD-WAN subscription
Panorama (managing NGFWs)
SD-WAN Plugin - This creates the SD-WAN overlay between your sites and does it in an automatic fashion based on the information you supply.
Before we get into the topology of my environment, I want to discuss a few important concepts and terms that we use; these should help when it comes to actually configuring SD-WAN on our firewalls. If you want to dive deep into this, read our SD-WAN reference architecture. It is a very dry read, but it has good information on how our SD-WAN solution works on our NGFWs.
Link Tags - A unique tag assigned to SD-WAN Interface Profiles and used by Traffic Distribution Profiles to determine which paths to take. Link Tags identify physical links. When creating Link Tags, consider the purpose of the links: is the link for business-critical applications or for non-critical ones, is it a private MPLS link or consumer internet?
SD-WAN Interface Profile - Defines characteristics such as maximum upload/download, VPN tunnel support, and FEC (Forward Error Correction) for a physical interface. You must also apply a Link Tag to each SD-WAN Interface Profile.
SD-WAN Virtual Interface (VIF) - A logical grouping of interfaces that go to the same destination, such as branch to hub or branch to internet.
Path Quality Profile - Defines the jitter, latency, and packet-loss thresholds used to monitor path quality for applications.
Traffic Distribution Profile - Defines which paths (by Link Tag) will be selected and how traffic is distributed across them.
SD-WAN Predefined Zones - The plug-in creates four predefined zones; the three we will see in this walkthrough are:
zone-internal - This zone is attached to a loopback address on the firewall and is used for BGP communication between hubs and branches.
zone-to-hub - Zones are applied to SD-WAN tunnels going to the hub.
zone-to-branch - Zones applied to SD-WAN tunnels going to a branch.
Auto VPN - Based on the information you enter in the SD-WAN plug-in, it automatically creates the SD-WAN overlay and manages the IPSec tunnels between your sites.
Now that we have some important terminology down let's move on to the topology for this example.
For this example, we have a very basic configuration with one central hub location and one branch location. Both sites have two internet links, of two types: cable modem and Ethernet. Later we will define the characteristics of each physical link (cable modem and Ethernet).
You can follow a detailed walkthrough of configuring SD-WAN on our TechDocs. However, I'll show you the bare minimum configuration to get SD-WAN up and running.
Link Tags identify one or more physical links that you want applications and services to use in a specific order during SD-WAN traffic distribution.
Grouping multiple physical links lets you preserve application and service quality when the health of one physical link deteriorates. When planning how to group your links, consider the use or purpose of the links and group them accordingly.
Based on our environment I created two different Link Tags:
Primary Internet - Ethernet
Secondary Internet - Cable Modem
An SD-WAN interface profile defines the characteristics of ISP connections or MPLS connections. It specifies the speed of links, how frequently the firewall monitors them, and a Link Tag for each link. When you specify the same Link Tag on multiple links, you are grouping (bundling) those physical links into a link bundle or fat pipe.
In our environment, I created two separate SD-WAN Interface Profiles:
Primary Internet
Link Tag - Primary Internet
Link Type - Ethernet
Max Upload - 200 Mbps
Max Download - 200 Mbps
Secondary Internet
Link Tag - Secondary Internet
Link Type - Cable modem
Max Upload - 50 Mbps
Max Download - 50 Mbps
Next, we need to reconfigure our physical interfaces for SD-WAN. First, check the box to enable SD-WAN; this reveals a next hop gateway field, so enter the next hop for that physical link. Then select the SD-WAN Interface Profile we defined previously.
Our Traffic Distribution Profiles (TDP) allow us to define our paths and the priority of those paths. We can create multiple TDPs with single paths or multiple paths.
We can choose from three path selection algorithms:
Best Available
Top-Down Priority
Weighted Session Distribution
I am not going to explain the differences between each in detail but you can read more here
It's important to understand the life of a packet on the firewall. The firewall first performs session lookup and session setup (NAT policy lookup, security policy lookup) before reaching forwarding and egress, which is where the SD-WAN logic is applied and where we can steer our traffic.
With the above in mind, we need to ensure we have security policy rules that allow the specific applications before the SD-WAN policy lookup and logic will apply. An SD-WAN policy rule does not permit traffic on its own; it only chooses the path for traffic the security policy has already allowed.
An SDWAN policy rule is very similar to a security policy rule. You define source and destination criteria, applications & services. Then you configure your Traffic Distribution Profile, Path Quality Profile, and SaaS Quality Profile.
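To make the ordering above concrete, here is an added example (my own model, not code from this post or from Palo Alto Networks) that runs a session through security policy, then SD-WAN policy, then the three path selection algorithms. Interface names, thresholds and the measured link metrics are constructed to match the two-link topology of this post; the algorithm logic is a simplification of how the firewall behaves, not its implementation.

```python
from dataclasses import dataclass, field
from typing import Optional

# Added example (not code from the original post or from Palo Alto Networks): a
# simplified model of how security policy, SD-WAN policy and the three path
# selection algorithms fit together. Interface names, thresholds and metrics are
# constructed to match the post's two-link topology.

@dataclass
class Link:
    name: str          # physical interface (interface names are assumed)
    tag: str           # Link Tag from its SD-WAN Interface Profile
    latency_ms: float  # measured path metrics
    jitter_ms: float
    loss_pct: float
    sessions: int = 0  # live sessions, consulted by weighted distribution

@dataclass
class PathQualityProfile:
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float

    def healthy(self, link: Link) -> bool:
        return (link.latency_ms <= self.max_latency_ms
                and link.jitter_ms <= self.max_jitter_ms
                and link.loss_pct <= self.max_loss_pct)

@dataclass
class TrafficDistributionProfile:
    algorithm: str                 # "top-down", "best-available" or "weighted"
    link_tags: list                # ordered by priority for top-down
    weights: dict = field(default_factory=dict)  # tag -> share, weighted only

@dataclass
class Rule:
    app: str
    action: str = "allow"                             # security rules only
    tdp: Optional[TrafficDistributionProfile] = None  # SD-WAN rules only
    pqp: Optional[PathQualityProfile] = None

def select_path(links, pqp, tdp):
    """Pick the egress link for a new session under the given profiles."""
    candidates = [l for l in links if l.tag in tdp.link_tags]
    if not candidates:
        return None
    healthy = [l for l in candidates if pqp.healthy(l)]
    pool = healthy or candidates   # every link breached thresholds: keep forwarding anyway
    if tdp.algorithm == "top-down":
        # first Link Tag in priority order that still has a link within thresholds
        return next(l for tag in tdp.link_tags for l in pool if l.tag == tag)
    if tdp.algorithm == "best-available":
        return min(pool, key=lambda l: (l.loss_pct, l.latency_ms, l.jitter_ms))
    if tdp.algorithm == "weighted":
        # a new session goes to the link furthest below its weighted share
        return min(pool, key=lambda l: l.sessions / tdp.weights.get(l.tag, 1))
    raise ValueError(f"unknown algorithm {tdp.algorithm!r}")

def forward(app, security_rules, sdwan_rules, links):
    """Life of a packet, abbreviated: security policy first, SD-WAN policy afterwards."""
    sec = next((r for r in security_rules if r.app in (app, "any")), None)
    if sec is None or sec.action != "allow":
        return ("deny", None)              # SD-WAN policy is never consulted
    sd = next((r for r in sdwan_rules if r.app in (app, "any")), None)
    if sd is None:
        return ("allow", "routing-table")  # no SD-WAN rule: ordinary route lookup
    link = select_path(links, sd.pqp, sd.tdp)
    return ("allow", link.name if link else "routing-table")

# Constructed sample data mirroring the post's Primary/Secondary Internet profiles.
LINKS = [
    Link("ethernet1/1", "Primary Internet", latency_ms=20, jitter_ms=2, loss_pct=0.0),
    Link("ethernet1/2", "Secondary Internet", latency_ms=35, jitter_ms=5, loss_pct=0.1),
]
VOIP_PQP = PathQualityProfile(max_latency_ms=100, max_jitter_ms=10, max_loss_pct=1.0)
TOP_DOWN = TrafficDistributionProfile("top-down", ["Primary Internet", "Secondary Internet"])
SECURITY_RULES = [Rule("sip"), Rule("web-browsing")]   # nothing allows ssh
SDWAN_RULES = [Rule("sip", tdp=TOP_DOWN, pqp=VOIP_PQP)]

if __name__ == "__main__":
    print(forward("sip", SECURITY_RULES, SDWAN_RULES, LINKS))
```

The point to take away is the `forward` function: an application with no matching security rule returns `deny` without the SD-WAN rule ever being evaluated, an allowed application with no SD-WAN rule simply follows the routing table, and only an allowed application with an SD-WAN rule reaches `select_path`, where the Path Quality Profile decides whether the primary link is still acceptable.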
We first need to add our devices to the SD-WAN plug-in:
Navigate to Panorama > SD-WAN > Devices > Add.
You'll be presented with a wizard where you can enter details such as device name, router name, link tags, and BGP parameters.
Once all your devices have been added we can create a VPN Cluster.
A VPN Cluster is a logical grouping of central-site devices (hubs) and remote-site devices (branches). The SDWAN plugin uses VPN clusters as the top level for SD-WAN monitoring and reporting. The SD-WAN plugin supports two types of VPN clusters: hub-and-spoke and mesh.
Hub-and-Spoke - In a hub-and-spoke VPN cluster, the SD-WAN plugin builds a set of VPN overlay tunnels from each remote site to each of the hub sites. The SD-WAN plugin does not build any VPN overlay tunnels directly between remote sites or from hub-to-hub. You must include at least one hub device in a hub-and-spoke VPN cluster.
Full Mesh - In a mesh VPN cluster, the SD-WAN plugin builds a set of VPN overlay tunnels from each remote site to each of the hub sites. The SD-WAN plugin also builds a set of VPN overlay tunnels from each remote site in the cluster to every other remote-site in the cluster. The SD-WAN plugin does not build any VPN overlay tunnels from hub-to-hub. Unlike a hub-and-spoke VPN cluster, you do not need to include any hub devices in a mesh VPN cluster.
It is important to understand the tasks performed by the SD-WAN plug-in:
Creates the predefined zones and required interfaces; if BGP is enabled, it also creates a loopback interface whose address is used as the router ID
Creates the SD-WAN Virtual Interfaces (VIFs) and configures the tunnels
Configures BGP or static routes and handles prefix distribution
The first thing it created was a loopback interface, assigned to zone-internal; this is because we enabled BGP when we added the device.
Secondly, we see that four tunnels were created, in either zone-to-branch or zone-to-hub depending on the device type (hub or branch).
We then see the SD-WAN virtual interfaces (VIFs). The first interface contains our physical DIA links; the second contains the tunnels mentioned above and carries traffic between your sites.
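The following added example (my own model, not the SD-WAN plug-in's code) reproduces the tunnel rules quoted for hub-and-spoke and mesh clusters and the zone each tunnel lands in, so you can predict what the plug-in will push before you commit. Device names and link lists are constructed; the model assumes one tunnel per local/remote link pair, which is what yields the four tunnels per device observed above when both sites have two links.

```python
from itertools import combinations

# Added example (not the SD-WAN plug-in's code): a model of the overlay the plug-in
# builds for a VPN cluster, following the tunnel rules for hub-and-spoke and mesh
# clusters and the zone each tunnel lands in. Device names and link lists are
# constructed; one tunnel per local/remote link pair is an assumption of the model.

ZONE_TO_HUB, ZONE_TO_BRANCH, ZONE_INTERNAL = "zone-to-hub", "zone-to-branch", "zone-internal"

def _tunnels_between(local, remote, devices):
    """Tunnels from `local` to `remote`, one per local/remote link combination."""
    zone = ZONE_TO_HUB if devices[remote]["role"] == "hub" else ZONE_TO_BRANCH
    return [
        {"from": local, "to": remote, "local_link": ll, "remote_link": rl, "zone": zone}
        for ll in devices[local]["links"]
        for rl in devices[remote]["links"]
    ]

def plan_cluster(devices, cluster_type):
    """devices: name -> {"role": "hub"|"branch", "links": [link tags]}."""
    if cluster_type not in ("hub-and-spoke", "mesh"):
        raise ValueError(f"unknown cluster type {cluster_type!r}")
    hubs = [n for n, d in devices.items() if d["role"] == "hub"]
    branches = [n for n, d in devices.items() if d["role"] == "branch"]
    if cluster_type == "hub-and-spoke" and not hubs:
        raise ValueError("a hub-and-spoke cluster needs at least one hub")
    tunnels = []
    for b in branches:                  # every branch to every hub, both directions
        for h in hubs:
            tunnels += _tunnels_between(b, h, devices) + _tunnels_between(h, b, devices)
    if cluster_type == "mesh":          # plus branch to branch; never hub to hub
        for a, b in combinations(branches, 2):
            tunnels += _tunnels_between(a, b, devices) + _tunnels_between(b, a, devices)
    return tunnels

def device_view(name, devices, tunnels, bgp=True):
    """What lands on one firewall: its tunnels, the zones they use, and the BGP loopback."""
    mine = [t for t in tunnels if t["from"] == name]
    view = {"tunnels": mine, "zones": sorted({t["zone"] for t in mine})}
    if bgp:
        view["loopback_zone"] = ZONE_INTERNAL   # loopback address doubles as the router ID
    return view

# Constructed topology matching the post: one hub, one branch, two links each.
DEVICES = {
    "dc-hub":   {"role": "hub",    "links": ["Primary Internet", "Secondary Internet"]},
    "branch-1": {"role": "branch", "links": ["Primary Internet", "Secondary Internet"]},
}

if __name__ == "__main__":
    plan = plan_cluster(DEVICES, "hub-and-spoke")
    for dev in DEVICES:
        v = device_view(dev, DEVICES, plan)
        print(dev, len(v["tunnels"]), "tunnels in", v["zones"])
```

Running it for the two-site topology gives four tunnels on each device, all in zone-to-branch on the hub and all in zone-to-hub on the branch, plus a loopback in zone-internal on both. Adding a second hub to the input shows that neither cluster type ever creates a hub-to-hub tunnel, and adding a second branch shows that only a mesh cluster creates branch-to-branch tunnels.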
Let's validate all of this and pull up the CLI of our two devices. Enter the following command on each device:
Looking at our DC or hub site first, we see that the SD-WAN VIF .901 contains our physical DIA links and does not contain any tunnel information. We also see VIF .903, which contains our tunnels back to the branch location.
Looking at our Branch site it should look very similar:
The last thing to check is our routing configuration and routing table, to verify that the BGP peers are configured correctly. We can see that the plug-in has added our interfaces, tunnels, and loopback interface to our virtual router.
Checking the routing table, we can see the plug-in created a new default route for DIA-bound traffic whose next-hop interface is the virtual SD-WAN interface .901.
Finally, we can see that our BGP peering is established, and we can validate that each site is advertising its route information.
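Those last checks are easy to do by eye on two devices and tedious on fifty, so here is an added example (my own code, not from this post) that parses a routing-table listing and answers the same three questions: is the active default route pointing at the DIA VIF, which prefixes were learned over BGP through the tunnel VIF, and is the loopback present. The sample output is constructed in the general layout of `show routing route`; the VIF names sdwan.901 (DIA) and sdwan.903 (tunnels), the loopback name and every address in it are assumptions.

```python
# Added example (not from the post): a checker for the validation steps above, run over
# constructed output laid out like PAN-OS `show routing route`. The interface names
# sdwan.901 / sdwan.903 / loopback.901 and all addresses are assumptions.

FLAG_TOKENS = {"A", "?", "C", "H", "S", "~", "R", "O", "B", "Oi", "Oo", "O1", "O2", "E", "M"}

SAMPLE_ROUTES = """\
VIRTUAL ROUTER: default (id 1)
  ==========
destination        nexthop         metric flags  age   interface      next-AS
0.0.0.0/0          0.0.0.0         10     A S          sdwan.901
10.10.0.0/24       0.0.0.0         0      A C          ethernet1/3
10.20.0.0/24       192.168.255.2   0      A B    3600  sdwan.903      65002
192.168.255.1/32   0.0.0.0         0      A H          loopback.901
"""

def parse_routes(text):
    """Turn the listing into dicts; columns are whitespace separated and age may be blank."""
    routes = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or "/" not in tok[0]:
            continue                      # banner, header and separator lines
        dest, nexthop, metric, rest = tok[0], tok[1], int(tok[2]), tok[3:]
        flags = []
        while rest and rest[0] in FLAG_TOKENS:
            flags.append(rest.pop(0))
        age = int(rest.pop(0)) if rest and rest[0].isdigit() else None
        iface = rest.pop(0) if rest else None
        next_as = int(rest.pop(0)) if rest else None
        routes.append({"dest": dest, "nexthop": nexthop, "metric": metric,
                       "flags": flags, "age": age, "iface": iface, "next_as": next_as})
    return routes

def check_sdwan_routing(routes, dia_vif="sdwan.901", hub_vif="sdwan.903"):
    """The three checks made by hand above, answered from the parsed table."""
    active = [r for r in routes if "A" in r["flags"]]
    default = [r for r in active if r["dest"] == "0.0.0.0/0"]
    return {
        "default_via_dia_vif": any(r["iface"] == dia_vif for r in default),
        "bgp_routes_via_hub_vif": sorted(r["dest"] for r in active
                                         if "B" in r["flags"] and r["iface"] == hub_vif),
        "loopback_present": any("H" in r["flags"] and (r["iface"] or "").startswith("loopback")
                                for r in active),
    }

if __name__ == "__main__":
    print(check_sdwan_routing(parse_routes(SAMPLE_ROUTES)))
```

Only active routes (flag `A`) are considered, so a default route that exists but lost to a better one is reported as missing, which is the failure you actually want to catch. Feed it the real output of your own devices and adjust the VIF names to whatever the plug-in created in your environment.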
I hope this blog has equipped you with the knowledge and confidence to harness the power of SD-WAN for your network infrastructure. Stay tuned for more insightful content, and may your SD-WAN endeavors be seamless, secure, and successful.