This was a great and concise explanation of Strata SD-WAN and its initial setup and requirements. Thanks for the vid, I think you've earned another subscriber!
Thank you for your video. I have a bunch of branches and one hub. These branches are currently connected to the hub by IPSec tunnels, one for each branch. The tunnels are also part of the internal zone; therefore, we have L3-Trust (the internal network and tunnels) and L3-Untrust. If I want to use SD-WAN, should I define a third zone for tunnels? How should I map the zones?
There's no one way to do it. You can use autovpn or manual SD-WAN. Also routing can be static or dynamic using bgp. But I prefer not to mix. If your wan topology is simple you can go for manual / static.
BGP configured using sdwan plugin auto configures virtual router. connected routes for branches are advertised using bgp. subnets added under hub "prefixes to redistribute" are reachable from branches through bgp routes as well. if you wish to use static routes, it will be another story to tell may be on my next video!
@@Cyberbulb got it I had issues with the loopback interface after fixing that the BGP was established I still have 1 more problem. Internet from zone-private to zone-internet does not work I do not see any hit counts on the nat policy which i have configured.
if you have mapped the zones use the original zones in the policy like from trust to untrust as an example also check static default route that sdwan automatically create on the firewall with metric 5 @@gouthamm.n2644
@@Cyberbulb that is absolutely right. Lemme put my query in different way, what is the difference between the PANW's dedicated SDWAN (CloudGenix) methodology vs the PA-NGFW PANOS integrated SDWAN.
Most everything you do with multiple PAN firewalls will use Panorama as the central point. Whether you HAVE to or not (which I honestly think you do), it's going to be a lot less of a migraine if you have at least a PA-VM on your network.
If it is a green field it is better to create the following zones on panorama and use them zone-internet, zone-internal, zone-to-hub, and zone-to-branch
This was a great and concise explanation of Strata SD-WAN and its initial setup and requirements. Thanks for the vid, I think you've earned another subscriber!
Fantastic explanation and demo. Bravo!
Can we have Branch to Hub and also branch to branch ? also can we route an application through specific link ?
Yes, you can. Branch to branch is through hub or may be direct if you choose mesh instead of hub and spokes in vpn cluster config
Thank you for your video.
I have a bunch of branches and one hub. These branches are currently connected to the hub by IPSec tunnels, one for each branch. The tunnels are also part of the internal zone; therefore, we have L3-Trust (the internal network and tunnels) and L3-Untrust. If I want to use SD-WAN, should I define a third zone for tunnels? How should I map the zones?
create zone-to-hub and zone-to-branch and map L3-Trust with internal and L3-Untrust with internet
Nice video and good explaination.
Why do we have the sdwan.1 manual VIF since the Auto-VPN is creating sdwan.902? Can't it cause a conflict.
There's no one way to do it. You can use autovpn or manual SD-WAN. Also routing can be static or dynamic using bgp. But I prefer not to mix. If your wan topology is simple you can go for manual / static.
Could you also show the virtual router configurations?
BGP configured using sdwan plugin auto configures virtual router. connected routes for branches are advertised using bgp. subnets added under hub "prefixes to redistribute" are reachable from branches through bgp routes as well. if you wish to use static routes, it will be another story to tell may be on my next video!
@@Cyberbulb got it I had issues with the loopback interface after fixing that the BGP was established I still have 1 more problem.
Internet from zone-private to zone-internet does not work I do not see any hit counts on the nat policy which i have configured.
if you have mapped the zones use the original zones in the policy like from trust to untrust as an example also check static default route that sdwan automatically create on the firewall with metric 5 @@gouthamm.n2644
Much appreciated, May I know the difference between the above configuration and the CloudGenix ION device configurations from Prisma-SDWAN portal.
This is the sdwan integrated feature in paloalto ngfw. Cloudgenix is a dedicated sdwan solution.
@@Cyberbulb that is absolutely right. Lemme put my query in different way, what is the difference between the PANW's dedicated SDWAN (CloudGenix) methodology vs the PA-NGFW PANOS integrated SDWAN.
Hello, Panorama is not necessary in order to implement SD-WAN, right?
it should work without panorama as its role is the automation of VPN tunnels configurations and better monitoring
Most everything you do with multiple PAN firewalls will use Panorama as the central point. Whether you HAVE to or not (which I honestly think you do), it's going to be a lot less of a migraine if you have at least a PA-VM on your network.
Can you show me the Zones on the Panorama ?
If it is a green field it is better to create the following zones on panorama and use them zone-internet, zone-internal, zone-to-hub, and zone-to-branch
Creat the following zones on panorama: zone-internal zone-internet zone-to-hub zone-to-branch
Thanks for sharing the video.
Awesome! thanks
Good job 👍
Amazing!
good
Please help with pcnse certification