Prisma Sd Wan Admin

The Prisma SD-WAN Administrator’s Guide provides comprehensive instructions for setting up and managing Prisma SD-WAN, including site and device configuration, routing, security policies, and performance monitoring. It also covers advanced topics such as high availability, incident management, and integration with Prisma Access. The document is intended for administrators and includes detailed procedures, best practices, and troubleshooting tips.

Prisma SD-WAN Administrator’s Guide

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2020-2024 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
July 2, 2024

Prisma SD-WAN Administrator’s Guide 2 ©2024 Palo Alto Networks, Inc.


Table of Contents
Get Started with Prisma SD-WAN..............................................................11
Prisma SD-WAN Key Elements............................................................................................. 12
Activate and Launch Prisma SD-WAN................................................................................ 14
Prisma SD-WAN Summary..................................................................................................... 21
Prisma SD-WAN Application Insights.................................................................................. 26
Device Activity Charts............................................................................................................. 28
Site Summary Dashboard........................................................................................................29
Prisma SD-WAN Predictive Analytics Dashboard............................................................ 36
Prisma SD-WAN Link Quality Dashboard...........................................................................40
Prisma SD-WAN Subscription Usage...................................................................................42

Prisma SD-WAN Sites and Devices............................................................ 45


Set Up Sites................................................................................................................................ 46
Add a Branch.................................................................................................................. 46
Add a Data Center........................................................................................................ 47
Add a Branch Gateway................................................................................................ 48
Configure Circuits.......................................................................................................... 53
Configure Internet Circuit Underlay Link Aggregation.........................................54
Configure Private WAN Underlay Link Quality Aggregation.............................. 55
Configure Circuit Categories.......................................................................................56
Configure Device Initiated Connections for Circuits............................................ 58
Add Public IP LAN Address to Enterprise Prefixes............................................... 59
Site Configuration Template....................................................................................... 60
Manage Data Center Clusters.................................................................................... 70
Configure a Site Prefix................................................................................................. 73
Configure a DHCP Server........................................................................................... 74
Configure NTP for Prisma SD-WAN........................................................................ 80
Enable IoT Device Visibility in Prisma SD-WAN....................................................83
View Flows Tab..............................................................................................................91
Set Up Devices.......................................................................................................................... 96
Connect the ION Device............................................................................................. 96
Claim the ION Device.................................................................................................. 97
Assign the ION Device.................................................................................................98
Configure Device Access One-Time Password...................................................... 99
Configure the ION Device at a Branch Site.....................................................................102
Configure the ION Device at a Data Center................................................................... 104
Switch a Site to Control Mode............................................................................................107
Allow IP Addresses in Firewall Configuration..................................................................108

Configure Layer 2 Switch Ports.......................................................................................... 115
Add a VLAN or Switch Virtual Interface (SVI)......................................................116
Configure VLAN on Switch Ports........................................................................... 118
Edit Switch Configurations....................................................................................... 121
Monitor Switch Activity and Statistics...................................................................122
Switch Layer 2/Layer 3 Change Mode.................................................................. 130
Prisma SD-WAN Ports and Interfaces.............................................................................. 133
Configure a Controller Port...................................................................................... 133
Configure Internet Ports........................................................................................... 135
Configure WAN/LAN Ports......................................................................................136
Configure Cellular Interfaces....................................................................................137
Configure a Loopback Interface.............................................................................. 165
Virtual Interface........................................................................................................... 167
Prisma SD-WAN Standard VPN.............................................................................. 172
Bypass Pair....................................................................................................................181
Configure a PoE Port................................................................................................. 186
Configure and Monitor LLDP Activity and Status...............................................188
Configure a PPPoE Interface....................................................................................190
Configure a Layer 3 LAN Interface.........................................................................191
Configure Application Reachability Probes...........................................................193
Configure a Secondary IP Address......................................................................... 194
Configure a Static ARP.............................................................................................. 196
Configure a DHCP Relay...........................................................................................197
Configure IP Directed Broadcast.............................................................................199
VPN Keep-Alives......................................................................................................... 200
Use External Services for Monitoring................................................................................203
Configure Prisma SD-WAN IPFIX...........................................................................203
Configure IPFIX Profiles and Templates................................................................205
Configure and Attach a Collector Context to a Device Interface in IPFIX.....210
Configure and Attach a Filter Context to a Device Interface in IPFIX............213
Configure Global and Local IPFIX Prefixes........................................................... 215
Flow Information Elements.......................................................................................216
Options Information Elements................................................................................. 225
Configure the DNS Service on the Prisma SD-WAN Interface........................231
Prisma SD-WAN DNS Use Cases........................................................................... 236
Syslog Server Support in Prisma SD-WAN...........................................................239
Configure SNMP..........................................................................................................247
Returned Merchandise Authorization (RMA)...................................................................250
RMA Wizard................................................................................................................. 251
Replace a Prisma SD-WAN ION Device............................................................... 252
Return the ION Device to Prisma SD-WAN........................................................ 253

Upgrade ION Device Software........................................................................................... 255
Schedule Software Upgrade..................................................................................... 256
View Device Software Upgrade Status................................................................. 257
Bulk Upgrade ION Device Image Software.......................................................... 258

Prisma SD-WAN Administrator Authorization and Authentication.........................261
Role Based Access Control.................................................................................................. 262
System Roles................................................................................................................ 262
Custom Roles................................................................................................................267
Assign System or Custom Role................................................................................268
Single Sign On Access using SAML....................................................................................270
Request SAML Access............................................................................................... 271
Configure SAML Users and Groups....................................................................... 272
Map Roles and Permissions......................................................................................273
Enable SAML Access to End Users.........................................................................274
Client Authentication using 802.1x/MAC........................................................................ 276
Add the RADIUS Server............................................................................................ 276
Supported RADIUS Attribute Value Pairs (AVPs)................................................279
Audit Logs.................................................................................................................................280
Work with Audit Logs................................................................................................280

Prisma SD-WAN Branch and Data Center Routing.............................. 283


Prisma SD-WAN Branch Routing....................................................................................... 284
Prisma SD-WAN Data Center Routing............................................................................. 286
Configure a Static Route.......................................................................................................288
Configure NextHop Reachability Probe................................................................ 290
Configure Dynamic Routing................................................................................................. 291
Configure an OSPF in Prisma SD-WAN................................................................ 292
Enable BGP for Private WAN and LAN.................................................................296
Configure BGP Global Parameters..........................................................................297
Global or Local Scope for BGP Peers.................................................................... 301
Configure a BGP Peer................................................................................................302
Configure a Route Map............................................................................................. 305
Configure a Prefix List............................................................................................... 308
Configure an AS Path List.........................................................................................308
Configure an IP Community List............................................................................. 309
View Routing Status and Statistics......................................................................... 309
Prisma SD-WAN Multicast Routing................................................................................... 311
Configure Multicast.................................................................................................... 314
Create a WAN Multicast Configuration Profile................................................... 316

Assign WAN Multicast Configuration Profiles to Branch Sites........................317
Configure a Multicast Source at a Branch Site.................................................... 317
Configure Global Multicast Parameters.................................................................317
Configure a Multicast Static Rendezvous Point (RP).......................................... 323
Learn Rendezvous Points (RPs) Dynamically........................................................324
View LAN Statistics for Multicast........................................................................... 325
View WAN Statistics for Multicast.........................................................................329
View IGMP Membership........................................................................................... 330
View the Multicast Route Table..............................................................................330
View Multicast Flow Statistics.................................................................................333
View Routing Statistics.............................................................................................. 334
Prisma SD-WAN VRF............................................................................................................ 337
Configure a VRF Profile in Prisma SD-WAN........................................................338

Prisma SD-WAN Stacked Policies............................................................ 341


Migrate Original Policy Sets to Stacked Policy Sets...................................................... 342
Simple Path and QoS Stacks................................................................................................344
Add Simple Path or QoS Stacks.............................................................................. 344
Advanced Path and QoS Stacks..........................................................................................346
Add Advanced Path or QoS Stacks........................................................................ 346
Add QoS Policy Sets.................................................................................................. 347
Add QoS Policy Rules................................................................................................ 348
Add a Path Policy Set............................................................................................................350
Add a Path Policy Rule..........................................................................................................351
Configure User-ID based Policy Rules................................................................... 353
L3 Failure Paths........................................................................................................... 356
Minimize Metered LTE Usage..................................................................................356
Configure Default Path Policy Rule for IPv6........................................................359
Bind Path or QoS Stacks to Sites....................................................................................... 362
Custom Applications and System Application Overrides..............................................363
Configure Custom Applications............................................................................... 363
Configure System Application Overrides.............................................................. 367
Service and Data Center Groups........................................................................................ 369
Add a Standard VPN Endpoint................................................................................ 369
Add Groups...................................................................................................................370
Add Domains................................................................................................................ 371
Bind Domain to Sites................................................................................................. 371
Use Prisma SD-WAN Data Center Endpoints......................................................372
Use Service Endpoint Groups in Policies.............................................................. 372
Configure Network Contexts...............................................................................................374
Attach Network Contexts to LANs.........................................................................374

Configure Circuit Capacities.................................................................................................376
Configure DSCP...................................................................................................................... 378
Prefixes...................................................................................................................................... 379
Configure Global Prefixes......................................................................................... 379
Configure Local Prefixes............................................................................................380
Configure Syslog Profiles......................................................................................................381

Prisma SD-WAN Stacked Security Policies............................................ 385


Add a Security Policy Stack................................................................................................. 386
Add Stacked Security Policy Sets....................................................................................... 387
Add a Stacked Security Policy Rule................................................................................... 388
Add a Security Policy Set to a Security Stack................................................................. 391
Bind Security Stacks to Sites............................................................................................... 392
Add Security Zones for Stacked Security Policies.......................................................... 393
Bind Security Zones to Sites and Devices........................................................................394
Bind Security Zones to Sites.................................................................................... 394
Bind Security Zones to Interfaces...........................................................................395
Configure Security Prefixes..................................................................................................397
Attach Local Security Prefixes to Sites..................................................................398
Monitor Security Policy Rules............................................................................................. 399
Security Policy Migration......................................................................................................401

Prisma SD-WAN Performance Policy...................................................... 403


Performance Policy Default Behavior............................................................................... 408
Add Performance Policy Stack............................................................................................ 411
Add Performance Policy Set................................................................................................ 413
Add Performance Policy Rules............................................................................................ 414
Add Performance Policy SLA...............................................................................................420
Configure Probes.................................................................................................................... 424
Monitor Probes............................................................................................................ 427
Best Practices and Recommendations...............................................................................429
Performance Policy Use Cases............................................................................................434
Use Case 1 - Protect a Business Critical SaaS Application................................434
Use Case 2 - Protect a Business Critical Enterprise Application......................437
Use Case 3 - Protect Physical Security on LEO Satellite and 5G.....................440
Use Case 4 - Protect An Enterprise Voice Application......................................442

Prisma SD-WAN Security Policies............................................................ 445


Prisma SD-WAN Security Architecture.............................................................................446
Prisma SD-WAN ZBFW........................................................................................................ 447
ZBFW Constructs..................................................................................................................... 448
ZBFW Application....................................................................................................... 448

ZBFW Prefix Filters.................................................................................................... 448
ZBFW Zones.................................................................................................................449
Security Policy Sets.................................................................................................... 449
Security Policy Rules.................................................................................................. 450
Actions............................................................................................................................450
Configure Security Policies...................................................................................................451
Create Zones................................................................................................................ 451
Bind Zones to Sites and Devices............................................................................ 451
Create Prefix Filters....................................................................................................453
Create a Security Policy Set..................................................................................... 454
Create Security Policy Rules.....................................................................................455
Bind a Security Policy Set to a Site........................................................................ 456
Modify and Delete Policy Rules and Sets.........................................................................457
Change Security Rule Order.....................................................................................457
Manage Existing Security Policy Rules.................................................................. 457
Edit a Security Policy Set.......................................................................................... 458
Clone a Security Policy Set.......................................................................................458
Delete a Security Policy Set..................................................................................... 458

Prisma SD-WAN NAT Policies...................................................................459


Add a NAT Stack.................................................................................................................... 460
Add NAT Policy Sets............................................................................................................. 461
Add a NAT Policy Rule..........................................................................................................462
Add a NAT Policy Set to a NAT Stack.............................................................................. 465
Bind NAT Stacks to Sites......................................................................................................466
Configure NAT Zones............................................................................................................467
Bind NAT Zones to Interfaces.............................................................................................468
Configure NAT Pools............................................................................................................. 469
Bind NAT Pools to Interfaces..............................................................................................470
Configure NAT Prefixes........................................................................................................ 471
Use Cases..................................................................................................................................472
Default Source NAT................................................................................................... 472
Destination NAT..........................................................................................................473
Static NAT..................................................................................................................... 475
ALG Disable.................................................................................................................. 478

Prisma SD-WAN Incident Policies............................................................ 481


Prisma SD-WAN Branch High Availability..............................................483
Prisma SD-WAN Branch HA Key Concepts.................................................................... 484
Configure Branch HA.............................................................................................................486
Configure HA Groups............................................................................................................ 487

Configure a High Availability (HA) Interface for HA Deployment.............................. 488
Configure a Switch Virtual Interface (SVI) for HA Connectivity...................... 489
Configure a Sub-interface for HA Connectivity.................................................. 491
Configure a Main Interface for HA Connectivity................................................ 493
Add ION Devices to HA Groups........................................................................................ 495
View Device Configuration of HA Groups....................................................................... 497
Edit HA Groups and Group Membership......................................................................... 498
Branch HA Topologies...........................................................................................................499
Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000)...........499
Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)............501
Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2)...503
Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G)......505
Configure Branch HA for Platforms without Bypass Pairs................................508

Prisma SD-WAN Clarity Reports...............................................................511


Prisma SD-WAN SASE Easy Onboarding................................................541
Connect a Single Prisma SD-WAN Site to Prisma Access............................................ 543
Disconnect from Prisma Access.............................................................................. 546
Connect Multiple Prisma SD-WAN Sites to Prisma Access......................................... 547
Edit Application Policy Network Rules..............................................................................548
Understand Service and Data Center Groups................................................................. 550
Verify Standard VPN Endpoints..........................................................................................552
Configure Standard Groups..................................................................................................553
Assign Domains to Sites....................................................................................................... 555

Prisma SD-WAN Incidents and Alerts..................................................... 557


Prisma SD-WAN Device and Tenant Management..............................559
Multi-Tenancy.......................................................................................................................... 560
Prisma SD-WAN MSP Dashboard.......................................................................... 560
Monitor Tenant Devices............................................................................................561
Monitor Tenant Branches......................................................................................... 562
Monitor Tenant Alarms..............................................................................................563
Access Child Tenants................................................................................................. 563
Device Lifecycle...........................................................................................................564
Tenant Types................................................................................................................564
MSP Account Roles and Permissions................................................................................ 566
Add a User Role in the Child Tenant..................................................................... 567

Manage Devices for Client Tenants...................................................................................568


Allocate a Device........................................................................................................ 568
Return a Device........................................................................................................... 569
Re-allocate a Device...................................................................................................569
Revoke the Device......................................................................................................570
Manage System Administration in the MSP Portal........................................................ 572

Get Started with Prisma SD-WAN
Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

Prisma SD-WAN is a core component in delivering Secure Access Service Edge (SASE) for the
modern enterprise. At the core of the system is the application performance engine. Prisma SD-
WAN provides a software-defined, wide area network (SD-WAN) solution that transforms legacy
wide area networks (WANs) into a radically simplified, secure, application fabric (AppFabric),
virtualizing heterogeneous underlying transports into a unified hybrid WAN.
Prisma SD-WAN controls network application performance based on application-performance
service level agreements (SLAs) and business priorities.

We recommend using Google Chrome as your preferred web browser.

Through Instant-On Network (ION) devices, Prisma SD-WAN simplifies how WANs are designed,
built, and managed, securely extending data center-class security to the network edge. Prisma
SD-WAN leverages the x86 platform with a centralized controller-based model, enabling simple
deployments at remote offices and data centers. You can view granular application-driven
analytics, build a robust policy, and performance-based traffic management of the WAN.
You can deploy Prisma SD-WAN in one of the three modes—Analytics, Control, or Disabled.
• In the Analytics mode, the branch ION device sits in-path, between a branch router and a LAN
switch. It monitors traffic but does not apply policies or make path selection decisions for
applications. You don’t require a data center site in this mode. When the branch is in Analytics
mode, there won't be any VPN connections to the data center site.
• In the Control mode, the branch ION device sits in-path between a branch router and a LAN
switch or replaces the router at a branch. It forwards traffic, selects the best path available, and
applies security and Quality of Service (QoS) policies. You require an ION 3000, ION 7000 or
ION 9000 in the data center if the intent is to enable a native Prisma SD-WAN virtual private
network (VPN) between a branch and a data center.
• In the Disabled mode, the branch ION device sits in-path and acts as a link between a branch
router and a LAN switch. It does not monitor traffic, no policies are applied, and no path
selection decisions for applications are applicable.
Read on to get started with Prisma SD-WAN:
• Prisma SD-WAN Key Elements
• Activate and Launch Prisma SD-WAN
• Device Activity Charts
• Prisma SD-WAN Subscription Usage

Prisma SD-WAN Key Elements


Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

The Prisma SD-WAN solution includes two key elements.

Prisma SD-WAN Controller


Access the SD-WAN controller through an intuitive graphical user interface that helps you
manage your network. The SD-WAN web interface enables you to perform the following tasks:
• Centralize routing and build a network of private and public WAN paths.
• Provide a single source of truth for configuration of ION devices at branch and data center
sites.
• Utilize a centralized point of administration for security policy rules as well as application and
network analytics.
• Enable secure automated virtual private network (VPN) tunnels using a zero-touch
configuration process.

Local configuration through the console or device toolkit is only required to establish initial
communication with the controller. Once a device is claimed, the controller overwrites any further
configuration changes made locally on the ION through the console or device toolkit.

ION Devices
ION devices enable you to combine disparate WAN networks, such as MPLS, LTE, and internet
links, into a single, high-performance, hybrid wide area network (WAN).
ION 1000, ION 1200, ION 2000, ION 3000 and ION 3200
Physical or virtual devices that serve as a forwarding x86 commodity-based element at a branch.
• The Analytics mode provides detailed information on network and application traffic.
• The Control mode makes path selections and security decisions, and prioritizes applications. It
also manages congestion based on controller-programmed policies and reports application and
network performance statistics to the controller.
ION 3000, ION 3200, ION 5200, ION 7000, ION 9000 and ION 9200
Physical or virtual devices serve as a forwarding x86 commodity-based element at a branch or
a data center. At a data center, you can connect an ION 3000, ION 3200, ION 5200, ION 7000,
ION 9000 or an ION 9200 to perform the following tasks:
• Connect to the data center core and WAN edge routers.
• Inject Prisma SD-WAN branch routes into the core router to become the preferred next hop to
guarantee path symmetry.

• Identify traffic sourced from or destined to Prisma SD-WAN branches, which ensures
seamless, non-disruptive integration between SD-WAN and non-SD-WAN branches.

Activate and Launch Prisma SD-WAN


Activate and launch the Prisma SD-WAN web interface based on your license. Prisma SD-WAN
activation varies depending on the status of your transition to the Prisma™ SASE Platform. See
the table to learn your status and how to proceed.

Table 1: Activation flow for Prisma SD-WAN Users

Prisma SD-WAN User: First time activation
Are you brand new to Prisma SD-WAN (you activated Prisma SD-WAN after August 2022)? You're
already on the Prisma SASE Platform and your tenant is Tenant Service Group (TSG) migrated.
Activation Flow: After you purchase your Prisma SD-WAN licenses, you’ll receive an activation
email. The email includes a link that launches a guided activation. Select Get Started with Prisma
SASE and begin the activation process.
Access to Prisma SD-WAN: Access Prisma SD-WAN from the Prisma SASE platform.

Prisma SD-WAN User: Transitioned to Prisma SASE (TSG Migrated)
Was your Prisma SD-WAN tenant recently transitioned to the Prisma SASE Platform?
Activation Flow: You will need to create and activate your account on the Prisma SASE platform.
How to locate your TSG ID:
1. Log in to Prisma SASE.
2. Select Tenants and Services.
3. Select Tenant Management.
4. Select the tenant that you intend to configure and select the licensed product you want to use.
The Tenant Service Group ID (tsg_id) of your tenant is listed here.
Access to Prisma SD-WAN: Access Prisma SD-WAN from the Prisma SASE platform.

Prisma SD-WAN User: Pre-transition (Not yet TSG Migrated, license purchased before March 2021)
You purchased your Prisma SD-WAN license and ION devices before March 2021, and your tenant
is not TSG migrated.
Activation Flow: Not applicable
Access to Prisma SD-WAN: Use your direct link to access Prisma SD-WAN.

Prisma SD-WAN User: Pre-transition (Not yet TSG Migrated, license purchased after March 2021)
You purchased your Prisma SD-WAN license and ION devices after March 2021, and your tenant
is not TSG migrated.
Activation Flow: Your order fulfillment email includes a magic link. This magic link enables you to
activate your license from a tile on the Palo Alto Networks hub.
Access to Prisma SD-WAN: Access Prisma SD-WAN from the hub.

Launch Prisma SD-WAN


If you purchased your Prisma SD-WAN license and ION devices before March 2021, and your
tenant is not TSG migrated, you have a direct link to launch Prisma SD-WAN. Starting September
2021, you are also associated with a Customer Support Portal (CSP) account in the Palo Alto
Networks Hub, so you can launch Prisma SD-WAN through the Palo Alto Networks hub as well.
However, you must have the CSP sign-in credentials to sign in to the Palo Alto Networks Hub.
1. Contact your Sales Engineer for the sign-in credentials for the Customer Support Portal
(CSP).
2. After you obtain the Username and Password, sign in to the hub using the provided
credentials.
3. Click the Prisma SD-WAN tile to launch the Prisma SD-WAN web interface. There is no
activation required.
4. Read and agree to the End User License Agreement to launch the Prisma SD-WAN web
interface.

• When you sign in to your Customer Support Portal account, click Members >
Manage Users to edit the user roles of the users from Edit User.
• If you have the Super User role, then you can click Members > Create New User
to add a new user in the CSP account. We recommend only one Super User role in
the CSP account. With a Super User role in the CSP account, you have a Tenant
Super role in the Prisma SD-WAN application. You can optionally create a new user
in the CSP account as a Standard User who has view-only permissions in the CSP
account. However, the new Standard User created in the CSP account can then be
changed to IAM Administrator, Network Administrator, Security Administrator,
or View-only User in the Prisma SD-WAN application as per the previously existing
user roles for that user in Prisma SD-WAN.

• The existing users in the Prisma SD-WAN application are not migrated to the CSP
account and the existing user roles and privileges continue to remain unchanged.
You can create a new user in the CSP account as a Standard User, who can then
launch Prisma SD-WAN from the Hub. A new user created in the CSP account has a
corresponding new user created in the Prisma SD-WAN application also. Thus, you
may find duplicate user roles in the Prisma SD-WAN application if the existing user
roles in Prisma SD-WAN are created by the same name in the CSP account also.
• User roles in the Prisma SD-WAN application and in the CSP account do not map one-to-one.
A change to a user's role in the Prisma SD-WAN application is therefore not reflected in that
user's CSP account role.
• If you delete a user in the Prisma SD-WAN application, you must manually delete
the same user from the CSP account.

Activate and Launch Prisma SD-WAN


If you have purchased your Prisma SD-WAN license and ION devices after March 2021,
and your tenant is not TSG, your order fulfillment email includes a magic link. This magic link
enables you to activate your license from a tile on the Palo Alto Networks hub.

1. Activate Prisma SD-WAN.


1. Click the magic link.
2. Select Prisma SD-WAN.
3. Click Start Activation to activate the product.
2. Select a customer support account for Prisma SD-WAN.
1. To assign a customer support account, select a Customer Support Account.
2. Click Next.
3. Set up selections.
1. Select a Region.
2. Select a value for the Total Number of Anticipated Devices.
Verify that the hardware device count matches your order.
3. Agree to the terms and conditions.
4. Confirm Selections.
The progress bar indicates the activation status of your product.

If the activation fails, create an Admin case for assistance. Take a screen capture of the
error and include the URL and error code in the support ticket, together with the link from
the order fulfillment email that you used to start the activation process. The URL and error
code help the support engineer troubleshoot the issue.

4. Launch Prisma SD-WAN.


Click Launch Prisma SD-WAN to access the Prisma SD-WAN web interface.
Click the Prisma SD-WAN tile on the hub to launch the application in future.

After activation of the Prisma SD-WAN application, you can manage user roles in the Prisma
SD-WAN application. If you have a Super User role in the Customer Support Portal, then the
first time you access the Prisma SD-WAN application through the Palo Alto Networks hub,
you will have the Super Administrator role in the Prisma SD-WAN application. If you are not
assigned a Super User role in the CSP, you will have a View-only User role in the Prisma SD-
WAN application.
This role can be changed by another user with Super or IAM privileges to any other role
defined in the Prisma SD-WAN application. When you next log in to the Prisma SD-WAN
application from the hub, you will have privileges in Prisma SD-WAN as defined by your user
role.

Create and activate your Prisma SASE account


When your Prisma SD-WAN tenant is migrated to a Tenant Service Group (TSG), you will see
this notification when you log in to the Prisma SD-WAN web interface.

Use the activation link in your email to activate your account.


1. Click the Activate Account button in your email.

2. Set your password and then click Create My Account.


3. Set up multi-factor authentication and then click Finish.
4. Log in to Prisma SASE.
Your view of tabs and widgets will be based on your license.

Prisma SD-WAN Summary


Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

The Prisma SD-WAN Dashboard provides a high-level summary and graphical view of the Prisma
SD-WAN Controller connectivity status of your branch and data center devices and network
insights of the branch sites across tenants. The dashboard displays the link quality metrics across
your sites and app utilization for the ingress and egress traffic. The dashboard also shows the
alarms generated and the status of Autonomous DEM.
Prisma SD-WAN allows administrators to create policies by enabling dynamic path selection
using the highest-performing network and providing visibility into applications and systems'
availability and performance. The ION devices deployed in line with the WAN edge in a network
automatically detect the application and measure application performance for each application
flow.

This is the default screen when you first access the Prisma SD-WAN. The data is refreshed
every five (5) minutes.

The Dashboard displays the following charts:

Device To Controller Connectivity


The Device To Controller Connectivity widget depicts the number of Online and Offline ION
devices connected to the Prisma SD-WAN controller for a Branch and Data Center. Using
this interactive graph, you can view the online or offline status for a claimed device for the
corresponding branch and data center.

Application Utilization
The Application Utilization widget displays information about the application utilization at the site
during the selected period. The total application ingress and egress traffic for the selected time range
is displayed along with the top 10 applications. The total bandwidth utilization, ingress, egress, and
percentage of total traffic are based on the bandwidth utilization for each application. You can
view flow information or time series utilization data by clicking the ellipses.

Network Insights from Past Week


The Network Insights from Past Week widget displays network insights or reports for the past
week. This widget displays insights for all branch sites across a tenant. You can view insights for
a branch site on the Circuit Metrics widget on the Site Summary dashboard. For more intelligent
insights, subscribe to AIOps.

Top Sites By Alarms


The Top Sites By Alarms widget lists your top branch and data center sites by the number of
alarms generated for each site. You can click a branch or data center site to see all the alarms
generated for it under Faults (Alarms) and Alerts.

Autonomous DEM Status


The Autonomous Digital Experience Management (ADEM) monitoring for Remote Networks
agent is delivered from the Prisma SD-WAN device software. The ADEM for Remote Networks
agent provides visibility into cloud infrastructure performance, application performance, and user
traffic monitoring. This feature is available if ADEM is enabled for a site.

Link Quality Details


Based on the link quality metric chosen, filter the data by Interval, Start Time, Aggregation, and
Direction. The interactive dashboard allows you to change the metric to any other link quality
metric to view the corresponding graphs. The last distribution range of the bar graphs extends up
to the 90th percentile of the available data.

The active Links table lets you view all secure fabric links between two sites and Circuit and WAN
information. You can also view the link quality metrics and Link Type for each link. You can sort
the table information based on a particular link quality metric displaying the corresponding worst
value on top. Expand the site detail to view the link quality metrics for ingress and egress flows.
It enables you to view the link quality chart per site and active path. The chosen site and path are
the pre-selected filter criteria for the Activity chart that displays the corresponding information.

Bandwidth Utilization
The Bandwidth Utilization chart displays the amount of bandwidth utilized on a path in a network.
Use the chart to identify WAN congestion in a network that may hinder application performance.
It shows bandwidth spikes, the total bandwidth consumed by a particular site and application, and
whether the traffic is in the ingress or egress direction.
Move your cursor over the Bandwidth Utilization chart to get a more granular view of the bandwidth
utilization for an application or timestamp. Typically, the apps are listed in order of their
bandwidth utilization.
The chart displays the bandwidth consumed over time. The 1H view provides granular per-minute
data, and the 1D view shows one sample every 5 minutes, with each sample averaged over its
5-minute window. A spike shorter than 5 minutes is therefore flattened in the 1D chart; if utilization
is sustained for longer than 5 minutes, you can see the corresponding peak utilization in both charts.
Select Circuits to view and narrow down the traffic by a circuit path such as the Internet and
Private WAN.

The broken line indicates the configured bandwidth for the selected circuit.
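The effect of that 5-minute averaging on short spikes, as an added example written for this page (illustrative Python, not Prisma SD-WAN code). The per-minute series, the 100 Mbps configured circuit bandwidth, the 30-minute window and the 90% threshold are constructed assumptions; downsample mimics the 1D chart's one averaged sample per 5-minute window.

```python
"""Added example, not Prisma SD-WAN code: how averaging per-minute samples into
one 5-minute sample (the 1D chart) can hide a short spike that the 1H chart shows.
Series values, the 100 Mbps circuit limit and the 90% threshold are assumed."""

from statistics import mean

CONFIGURED_MBPS = 100.0     # assumed configured circuit bandwidth (the broken line)
WINDOW_MIN = 5              # the 1D chart shows one averaged sample every 5 minutes


def downsample(per_minute, window=WINDOW_MIN):
    """Average each consecutive block of `window` per-minute samples into one value."""
    return [mean(per_minute[i:i + window]) for i in range(0, len(per_minute), window)]


def samples_over(samples, threshold_mbps):
    """Count the samples at or above the threshold (points the chart shows at that level)."""
    return sum(1 for s in samples if s >= threshold_mbps)


def _baseline(minutes=30, mbps=20.0):
    """Constructed quiet period: 30 one-minute samples at 20 Mbps."""
    return [mbps] * minutes


def spike_series():
    """Constructed: a single one-minute spike to the circuit limit at minute 7."""
    s = _baseline()
    s[7] = CONFIGURED_MBPS
    return s


def sustained_series():
    """Constructed: a burst to the limit that covers a whole 5-minute window (minutes 20-24)."""
    s = _baseline()
    for m in range(20, 25):
        s[m] = CONFIGURED_MBPS
    return s


def straddling_series():
    """Constructed: a 6-minute burst (minutes 22-27) that straddles two 5-minute windows."""
    s = _baseline()
    for m in range(22, 28):
        s[m] = CONFIGURED_MBPS
    return s


def compare_views(per_minute, threshold_mbps=0.9 * CONFIGURED_MBPS):
    """Return (samples over threshold in the 1H view, samples over threshold in the 1D view)."""
    return samples_over(per_minute, threshold_mbps), samples_over(downsample(per_minute), threshold_mbps)


if __name__ == "__main__":
    for name, series in (("spike", spike_series()), ("sustained", sustained_series()),
                         ("straddling", straddling_series())):
        print(name, compare_views(series))
```

The straddling case is the one to remember: the burst lasts longer than 5 minutes, yet neither averaged sample reaches 90% of the circuit because the burst is split across two windows. A burst has to cover a whole 5-minute sample window before the 1D chart shows its full peak, so confirm a suspected short congestion event in the 1H view.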

Transactional Stats
The Transaction Stats chart provides transaction statistics on TCP flows, including initiation/
transaction successes and failures for a specific application or all applications, a particular path or
all paths, and all health events.
It measures the performance and availability of networks and applications that run on network
paths. For each request on a given path, Prisma SD-WAN monitors, in real-time, the transaction
error rates for initiation and data transfer transactions. You can view the list of Apps by their
bandwidth utilization or by path. You can filter out successful transactions to get a granular view
of transaction failure stats.
The chart displays the count of successful or failed transactions for the following categories:
• Init Successful—Successful completion of the three-way handshake.
• TXNs Successful—Successful transfer of data after the completion of the three-way handshake.
• Init Failure—Failure to complete the three-way handshake. Reasons for failure may include
a misconfigured firewall, an application server issue, a misconfigured network access
control list, or a WAN network provider issue.
• TXNs Failure—Unsuccessful transfer of data after the completion of the three-way handshake.
The possible reasons are the same as for an Init Failure: a misconfigured firewall, an application
server issue, a misconfigured network access control list, or a WAN network provider issue.

New Flows
The New Flows chart displays new TCP and UDP flows for an application, a specific set of
applications, or all applications for a given period. A TCP flow is considered a new flow when it
sees the first SYN packet. A UDP flow is considered a new flow when it sees the first UDP packet
in either direction. A flow is a sequence of packets in both directions identified by the source and
destination IP, source and destination port, and the protocol.
The New Flows chart is used to:
• Analyze a site in terms of connections per second.
• Monitor any unexpected increase in the number of new flows for a particular application, such as
DNS or any critical application, which could be a sign of malicious activity.

Concurrent Flows
The Concurrent Flow chart helps to understand how many connections are active on your
network by application. The chart provides a granular view by TCP and UDP flows for an
application, a specific set of applications, or all applications. Concurrent flows are the currently
active flows, including all new flows and mature flows in the system.
The Concurrent Flows chart is used to:
• Analyze a site in terms of simultaneously active connections.
• Monitor any unexpected increase in the number of active flows for a particular application, such as
DNS or any critical application, which could be a sign of malicious activity.
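The Transaction Stats, New Flows and Concurrent Flows sections above describe the same flow bookkeeping from three angles. The following added example (illustrative Python written for this page, not Prisma SD-WAN code, and not the rules the ION device uses internally) tracks flows on a direction-independent 5-tuple, derives the four Transaction Stats counters from TCP flags, counts new and concurrent flows per application, and flags a DNS new-flow spike against the earlier seconds. The packet records, the port-to-app mapping in APPS, the 30-second UDP idle timeout and the 3x spike factor are all constructed assumptions.

```python
"""Added example, not Prisma SD-WAN code: a minimal flow tracker that reproduces
the Transaction Stats counters (Init/TXN success and failure), counts new and
concurrent flows keyed on the 5-tuple, and flags a new-flow spike for DNS."""

from collections import Counter, defaultdict
from statistics import median

# Constructed packets: (time_s, src, sport, dst, dport, proto, tcp_flags, payload_bytes)
PACKETS = [
    # flow 1: handshake, request, reply, FIN -> Init success, TXN success
    (0.0, "10.1.1.5", 40001, "203.0.113.10", 443, "tcp", "S", 0),
    (0.1, "203.0.113.10", 443, "10.1.1.5", 40001, "tcp", "SA", 0),
    (0.2, "10.1.1.5", 40001, "203.0.113.10", 443, "tcp", "A", 0),
    (0.3, "10.1.1.5", 40001, "203.0.113.10", 443, "tcp", "PA", 517),
    (0.4, "203.0.113.10", 443, "10.1.1.5", 40001, "tcp", "PA", 1400),
    (0.5, "10.1.1.5", 40001, "203.0.113.10", 443, "tcp", "FA", 0),
    # flow 2: SYN answered with RST (a firewall or ACL in the path) -> Init failure
    (1.0, "10.1.1.6", 40002, "203.0.113.20", 443, "tcp", "S", 0),
    (1.1, "203.0.113.20", 443, "10.1.1.6", 40002, "tcp", "R", 0),
    # flow 3: handshake completes, request sent, server resets -> TXN failure
    (2.0, "10.1.1.7", 40003, "203.0.113.30", 443, "tcp", "S", 0),
    (2.1, "203.0.113.30", 443, "10.1.1.7", 40003, "tcp", "SA", 0),
    (2.2, "10.1.1.7", 40003, "203.0.113.30", 443, "tcp", "A", 0),
    (2.3, "10.1.1.7", 40003, "203.0.113.30", 443, "tcp", "PA", 300),
    (2.4, "203.0.113.30", 443, "10.1.1.7", 40003, "tcp", "R", 0),
]
# DNS: one query per second for three seconds, then a burst of 12 queries in second 6
PACKETS += [(float(s), "10.1.1.8", 50000 + s, "192.0.2.53", 53, "udp", "", 60) for s in (3, 4, 5)]
PACKETS += [(6.0 + i * 0.05, "10.1.1.9", 51000 + i, "192.0.2.53", 53, "udp", "", 60) for i in range(12)]

APPS = {("tcp", 443): "https", ("udp", 53): "dns"}   # assumed port-based app mapping


class FlowTracker:
    def __init__(self):
        self.flows = {}                          # 5-tuple key -> per-flow state
        self.stats = Counter()                   # init_ok, init_fail, txn_ok, txn_fail
        self.new_per_sec = defaultdict(Counter)  # second -> app -> new flows
        self.now = 0.0

    def feed(self, pkt):
        t, src, sport, dst, dport, proto, flags, plen = pkt
        self.now = t
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))  # both directions, one flow
        f = self.flows.get(key)
        if f is None:
            if proto == "tcp" and flags != "S":  # mid-stream TCP packet: not a new flow
                return
            # A TCP flow is new on its first SYN, a UDP flow on its first packet
            f = {"state": "syn" if proto == "tcp" else "est", "client": src, "req": False,
                 "app": APPS.get((proto, dport), "other"), "open": True, "last": t}
            self.flows[key] = f
            self.new_per_sec[int(t)][f["app"]] += 1
            return
        f["last"] = t
        if proto != "tcp":
            return
        from_client = src == f["client"]
        if "R" in flags:                         # reset ends the flow
            if f["state"] != "est":
                self.stats["init_fail"] += 1     # handshake never completed
            elif f["req"]:
                self.stats["txn_fail"] += 1      # request outstanding, no reply
            f["open"] = False
            return
        if f["state"] == "syn" and flags == "SA" and not from_client:
            f["state"] = "synack"
        elif f["state"] == "synack" and "A" in flags and from_client:
            f["state"] = "est"
            self.stats["init_ok"] += 1           # three-way handshake completed
        if f["state"] == "est" and plen > 0:
            if from_client:
                f["req"] = True                  # request awaiting a reply
            elif f["req"]:
                f["req"] = False
                self.stats["txn_ok"] += 1        # data returned after the handshake
        if "F" in flags:
            if f["req"]:
                self.stats["txn_fail"] += 1
            f["open"] = False

    def concurrent(self, idle_s=30.0):
        """Open flows per app; flows idle for idle_s seconds (assumed) no longer count."""
        return Counter(f["app"] for f in self.flows.values()
                       if f["open"] and self.now - f["last"] < idle_s)

    def spike(self, app, factor=3.0):
        """True if the latest second's new flows exceed factor x the median of earlier seconds."""
        counts = [self.new_per_sec[s][app] for s in sorted(self.new_per_sec)]
        return len(counts) >= 3 and counts[-1] > factor * max(median(counts[:-1]), 1)


def run(packets=PACKETS):
    """Feed the constructed packets in time order and return the tracker."""
    tracker = FlowTracker()
    for pkt in sorted(packets):
        tracker.feed(pkt)
    return tracker
```

On the constructed packets, run() yields two Init successes, one Init failure, one TXN success and one TXN failure, 15 concurrent DNS flows and no open HTTPS flows, and spike("dns") is true for second 6 while spike("https") is not. The median-of-earlier-seconds baseline is deliberately per application: a burst of new DNS flows from one host is the kind of unexpected increase the chart is meant to surface, and a site-wide total would dilute it.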

Prisma SD-WAN Application Insights


Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

The Applications screen identifies the top applications that are not performing well. The
Applications widget displays the health score determined for all poor applications, lists poor
applications for a tenant based on health score, and plots the average health score of poor
applications for the last 3 hours in 5-minute intervals.
Select Monitor > Applications to view the Applications screen.
• Application Health Distribution—The distribution of Good, Fair, and Poor Applications for a
given tenant.
• Application Health Distribution Over Time—A time series graph of the Good, Fair, and Poor
applications for a given tenant. The graph is computed and refreshed according to the selected
duration. The supported durations are 1 hour, 3 hours, 1 day, 7 days, 30 days, and 90 days, and
the sample interval (1 minute, 5 minutes, 1 hour, or 1 day) grows with the selected duration.
• Applications—The Applications table lists all the application details, such as Name,
Application Profile, Health Score, Impacted Sites, Traffic Volume, Init/Failure, and Transaction/
Failure. When you click the Application Name, you can see the individual App Details on a new
page.

You can view the TCP Application Health Distribution Over Time and Application Health
Distribution charts only with a WCR license.

You can click on the Time Series chart to see the details of those applications in the TCP Apps
tab. After drilling down on the chart, click the Reset icon (at the top right corner of the
TCP Application Health Distribution Over Time chart) to return to the original view defined by
the global filters. The screen also shows a message indicating the date and time for which you
are viewing the details.
The application's health score is assessed per path, based on metrics such as application RTT
and packet loss. Among these metrics, RTT is predominant in determining the health score.
Packet loss on the path also affects the application's performance and is factored in, which
makes the health evaluation more accurate.

Click on the number under the Paths column from the application details to see path-level
information, which leads to the Path Detail page. The Path Detail page includes information
for Application Health Score for Application and Site and Statistics Data aggregated at the
Application and Site level.
You can view detailed information by clicking on App Details and Links Details links, which will
lead you to the Activity chart in a new browser tab.

Device Activity Charts


Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

Prisma SD-WAN provides system-related information like CPU Utilization, Free Memory, Free
Disk space, Interface Bandwidth Utilization, Interface Dropped Packets, and Interface Errors for
both branch and data center ION devices.
To view the Device Activity Dashboard, navigate to Monitor > ION Devices > Device Activity
Dashboard.
The Interfaces filter is used to view and narrow down the traffic by an interface. You can view the
interfaces list based on different Top Interface filters such as Bytes (RX and TX), Errors (RX and
TX), Packets (RX and TX), and Dropped packets (RX and TX). The Top 10 interfaces matching the
filter are listed.

You will be able to view IPv6 statistics only after your tenant has been migrated to the
new data lake infrastructure. If you cannot view statistics, contact the Palo Alto Networks
Accounts Team.

Site Summary Dashboard


Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

Starting with release 5.6.1, the site summary dashboard provides an information-rich display of
branch-related metrics. These include new metrics, such as network health, as well as the existing
network, device, and application metrics.

• Select Monitor > Sites and then select a site to view the Site Summary widget.
• The default time range to view the metrics is 3 hours but can be adjusted to shorter or
longer periods of time depending on the desired scope of information.
• For time ranges longer than 7 days a Network DVR license is required. For more
information contact your Palo Alto Networks Account Team.

Site Health Overview


The Site Health Overview widget contains the Current Best Health Score and the Overall Site
Consumed Bandwidth. Each of these metrics has a time series view that is displayed upon
clicking.
The Current Best Health Score metric is determined by the Secure Fabric Link with the current
highest score. In the time series chart the score is determined in any given time sample by the
healthiest Secure Fabric Link at the site. This value will fluctuate as the health of the underlying
network connectivity changes.

• The Health Score metrics are available to customers with an active WAN Clarity or
AIOps license. For unlicensed customers a trial preview is provided in the Prisma SD-
WAN Release 5.6.1. For more information see, https://docs.paloaltonetworks.com/
content/dam/techdocs/en_US/pdf/autonomous-dem/autonomous-dem.pdf.
• The Autonomous Digital Experience Monitoring (ADEM) for Remote Networks agent is
delivered natively from the Prisma SD-WAN device software. The ADEM for Remote
Networks agent provides visibility into cloud infrastructure performance, application
performance and user traffic monitoring. This feature is available if ADEM is enabled
for a site.

Current Overall Consumed Bandwidth


The Current Overall Consumed Bandwidth metric displays the current total bandwidth consumption,
and the ingress and egress bandwidth consumption as a raw value and as a percentage of the total
available. Upon clicking the tab, a time series chart of the ingress and egress consumed bandwidth
is displayed in reference to the total configured bandwidth at the site.
The Circuit Connectivity and Health widget displays the name of the circuit, its physical
connectivity, its tunnel connectivity, tunnel health, a time-series graph indicating the best-
performing tunnel's health score over a period of time, and current consumed bandwidth both in
egress/ingress direction.
Upon clicking a circuit there are several widgets displayed including Circuit Metrics, Insights, and
Secure Fabric Connectivity and Health.
The Circuit Metrics widget displays the time-series graphs for the health score of the best
performing tunnel and the circuit bandwidth utilization between the configured ingress/egress
and the actual ingress/egress over time.
Insights are determined by the system using a suite of machine learning algorithms. These insights
identify conditions such as:
• Excessive Packet Loss Detected
• Excessive Latency Detected
• Bandwidth Upgrade Recommended
• Configured vs Consumed Bandwidth Mismatch Detected
• Low Circuit Throughput Detected

Insights are available to customers with an active WAN Clarity or AIOps license.

Secure Fabric Connectivity And Health

The Secure Fabric Connectivity And Health widget displays each of the branch-to-DC Secure Fabric links along with its connectivity status, health chart, and current link metrics: packet loss, jitter, latency, and link MOS.
Clicking a Secure Fabric link displays a comprehensive time-series view of the link metrics. Along with the time range, you can change the selected Secure Fabric link and the direction.

Circuit Health
The Circuit Health widget displays the list of tunnels with their name, connectivity details, and health score. It also displays the packet loss, jitter, latency, and MOS in the ingress and egress directions, and the capacity prediction details at the circuit level.
The circuit's health score is calculated per path from elements such as ingress packet loss, egress packet loss, and round-trip time (RTT). The scoring takes into account both the circuit's load and its baseline, giving a more precise assessment of its health. For example, a 100 Mbps circuit that carries no load but experiences 1% packet loss scores noticeably differently from the same circuit running at 100% load with 2% packet loss; the difference reflects the expectation that performance changes as capacity utilization increases.

Consumed Bandwidth
The Consumed Bandwidth widget displays the circuit bandwidth utilization and the anomaly
between the configured ingress/egress and the actual ingress/egress over time.

Devices
The Devices widget displays the device's name, status, installed software version, whether the Admin interface is up, its routing peers, HA status, CPU consumption, and memory consumption.

Additional controller connectivity status for Config and Events, Analytics, and Flows is available when you hover over or click the status icon.
Possible device connection states are:
• Online: all three connections (Config and Events, Analytics, and Flows) are online.
• Partially online: Config and Events is online, and Analytics and/or Flows are offline.
• Offline: all three connections (Config and Events, Analytics, and Flows) are offline.

Top Events by Priority

The Top Events by Priority widget displays the list of the top events by priority. All events in the selected time range are displayed regardless of status, so Resolved and Acknowledged events also appear in the list. To view all current standing alarms, select View All Site Alarms and Alerts; this displays the standing alarms regardless of time range.

Application Utilization
The Application Utilization widget displays information about application utilization at the site during the selected time range. The total application ingress and egress traffic for the time range is displayed, along with the top 10 applications by traffic volume and the remaining (other) traffic. For each application, the total bandwidth utilization, ingress, egress, and percentage of total traffic (by bandwidth utilization) are displayed. Click the ellipsis to view flow information or the time-series utilization data.

Recent Site Audit Logs
The Recent Site Audit Logs widget displays the recent configuration changes made to the site within the selected time range. To see the full list of changes, select View All Site Audit Logs.

TCP Connection Stats

The TCP Connection Stats widget displays the TCP connection metrics for the selected time range and includes four metrics:
• Init Success: a TCP connection was established successfully.
• Transaction Success: after a successful TCP connection, a successful data transaction was observed.
• Init Failure: an attempt to establish a TCP connection failed.
• Transaction Failure: after a successful TCP connection, a failed data transaction was observed.
The metrics for all TCP applications are displayed initially, but you can select any one of the top 10 TCP applications to focus on that application.

Top Media Audio Performance

The Top Media Audio Performance widget displays statistics on the observed Mean Opinion Score (MOS) for audio traffic at the site. The top audio application by traffic volume is selected automatically, but you can select any of the other top 10 media audio applications as needed. The MOS is measured in both the ingress and egress directions. The median value for the selected time range is displayed along with a trend indicator showing any change in performance from the previous time period. The box plot displays the low, 25th percentile, median, 75th percentile, and high observed MOS values; hover over the bar chart to see the numeric values. Recent flows for the media traffic can be viewed by selecting View Flows. To see detailed time-series media performance metrics, select View Media Activity.

App Health
App Health tracks each instance or service associated with a given application on all allowed paths. Statistics are sent for an app/path pair as long as there is active traffic for that pair. After 10 minutes of inactivity, records for the app/path pair are no longer sent. A refresh record sent every 50 minutes shows the last known state of the app/path pair based on the previously known application health; no metrics are reported in these refresh records because there are no new flows.
The App Health chart reports on a per-app basis. Select a site and an app to display data on your charts. Select at least one app to view the App Health by Path table. The health of the selected paths is indicated by color. The Health Events by Prefix table, associated with each application instance or service, displays all the transaction or init failures. Refer to the following table for descriptions of the different health states.

Legend: Description

Good: Application is reachable on all paths. Indicates all prefixes on all paths are reachable.

Partially Good: One or more instances or services associated with an application instance are not reachable on one or more paths. Indicates either some paths or some prefixes on a path are unreachable. A partially good path is not a cause for concern; multi-origin applications such as Office 365 may display as partially good but still be functioning well.

Unreachable: All instances or services associated with an application are unreachable. Indicates all used paths and prefixes on all paths are unreachable.

No Data: No application data is available because the application does not use this path or is not allowed to use this path by its policy. Indicates that the application is not in use.

App Response Time

Prisma SD-WAN uses application response time to determine the path a flow may take and to confirm that the path adheres to the application SLA. Application response time combines the Network Transfer Time (NTT), Round Trip Time (RTT), and Server Response Time (SRT) metrics and is calculated for a flow on each path before a decision is taken to send the flow on that path. These metrics are reflected in the App Response Time chart.
The chart displays detailed information on the application transaction time for each prefix within an application. It shows network and server performance for a specific application, from the moment the client generates a request to the time the response from the server in the cloud or the data center is received. It takes into account the L1 – L3 and L4 – L7 characteristics of an application, that is, end-to-end performance rather than just latency, jitter, and packet drops.
App Response Time chart reports on a per-app basis. Select at least one app to view the App
Response Time by Path table. The health of the selected paths are indicated by color. You can
view specific Health Events table associated with each application instance or service with
transaction or init failures. Refer to the above App Health to understand descriptions on the
different health states.
Using the NTTn, RTT, SRT, and UDP-TRT metrics, this chart helps locate the source of an under-performing application.
• Network Transfer Time (NTTn): the measure of network congestion; the amount of time it takes to transfer incoming data from an external server to a local client.
• Round Trip Time (RTT): the measure of network latency. RTT is measured only for TCP flows and is defined as the time between a forward and a related return protocol exchange: TCP SYN to SYN-ACK for outbound flows, TCP SYN-ACK to ACK for inbound flows, and the time between a data sequence and the ACK of that data sequence. RTT is therefore measured throughout the life of a flow, not just at TCP establishment. Measuring RTT throughout the flow's life allows the system to account for TCP proxy devices such as WAN optimizers in the path, giving a more accurate measurement of RTT.
• Server Response Time (SRT): the amount of time it takes for the server to start transmitting data after it has acknowledged the client's request. SRT is measured for TCP flows only, from the time the request is received to the time the server sends the first response packet.
• UDP Response Time (UDP-TRT): the amount of time it takes for the server to respond to a UDP transaction request, from the time the request is received. Currently, UDP-TRT is provided for UDP DNS traffic only.
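The following Python is an added example, not ION device code and not part of this guide, that derives the three TCP metrics described above (RTT during the handshake and for every acknowledged data segment, SRT, and NTTn) from the packets of a single flow as an edge device would observe them. The Pkt record, the two constructed captures, and the rules for where the client's request ends and the server's response ends are assumptions made for the illustration.

```python
"""Per-flow RTT, SRT and NTT as described on this page, derived from the packets
of one TCP flow as seen at the WAN edge. Illustrative code, not ION device
code; the packet model and the constructed captures are assumptions."""
from dataclasses import dataclass


@dataclass
class Pkt:
    t: float          # seconds, timestamp when the edge device sees the packet
    src: str          # "client" or "server"
    flags: str        # "S", "SA", "A" or "PA" (ACK carrying payload)
    seq: int = 0
    ack: int = 0
    payload: int = 0  # bytes of TCP payload


def rtt_samples(pkts, outbound=True):
    """RTT samples in seconds for the life of the flow.
    Handshake: SYN -> SYN-ACK for an outbound flow (local client), SYN-ACK -> ACK
    for an inbound flow (local server). Then every payload segment sent by the
    local side is matched to the first remote segment whose ACK covers it."""
    local, remote = ("client", "server") if outbound else ("server", "client")
    if outbound:
        first = next(p for p in pkts if p.flags == "S")
        reply = next(p for p in pkts if p.flags == "SA")
    else:
        first = next(p for p in pkts if p.flags == "SA")
        reply = next(p for p in pkts
                     if p.src == remote and p.flags == "A" and p.t > first.t)
    samples = [round(reply.t - first.t, 4)]
    pending = []                                   # (end_seq, send_time)
    for p in pkts:
        if p.src == local and p.payload:
            pending.append((p.seq + p.payload, p.t))
        elif p.src == remote and pending:
            acked = [(e, t0) for e, t0 in pending if p.ack >= e]
            pending = [(e, t0) for e, t0 in pending if p.ack < e]
            samples.extend(round(p.t - t0, 4) for _, t0 in acked)
    return samples


def server_response_time(pkts):
    """SRT: from the server's acknowledgement of the client's request to the
    first server payload segment. Assumption: the request is all client
    payload seen before the first server payload."""
    first_resp = next(p for p in pkts if p.src == "server" and p.payload)
    req_end = max(p.seq + p.payload for p in pkts
                  if p.src == "client" and p.payload and p.t < first_resp.t)
    ack = next(p for p in pkts if p.src == "server" and p.ack >= req_end)
    return round(first_resp.t - ack.t, 4)


def network_transfer_time(pkts):
    """NTTn: first to last payload segment of the server's response."""
    times = [p.t for p in pkts if p.src == "server" and p.payload]
    return round(times[-1] - times[0], 4)


def example_outbound_flow():
    """Constructed capture: local client, remote server, times in seconds."""
    return [
        Pkt(0.000, "client", "S", seq=1000),
        Pkt(0.040, "server", "SA", seq=5000, ack=1001),                # SYN->SYN-ACK: 40 ms
        Pkt(0.041, "client", "A", seq=1001, ack=5001),
        Pkt(0.050, "client", "PA", seq=1001, ack=5001, payload=200),   # request
        Pkt(0.092, "server", "A", seq=5001, ack=1201),                 # ACK of request: 42 ms
        Pkt(0.150, "server", "PA", seq=5001, ack=1201, payload=1400),  # first response: SRT 58 ms
        Pkt(0.160, "server", "PA", seq=6401, ack=1201, payload=1400),
        Pkt(0.175, "server", "PA", seq=7801, ack=1201, payload=600),   # last response: NTT 25 ms
        Pkt(0.176, "client", "A", seq=1201, ack=8401),
    ]


def example_inbound_flow():
    """Constructed capture: local server, remote client."""
    return [
        Pkt(0.000, "client", "S", seq=1000),
        Pkt(0.001, "server", "SA", seq=5000, ack=1001),
        Pkt(0.061, "client", "A", seq=1001, ack=5001),                 # SYN-ACK->ACK: 60 ms
        Pkt(0.062, "client", "PA", seq=1001, ack=5001, payload=100),
        Pkt(0.063, "server", "PA", seq=5001, ack=1101, payload=500),
        Pkt(0.124, "client", "A", seq=1101, ack=5501),                 # data->ACK: 61 ms
    ]


if __name__ == "__main__":
    out = example_outbound_flow()
    print("outbound RTT samples:", rtt_samples(out))
    print("SRT:", server_response_time(out), "NTT:", network_transfer_time(out))
    print("inbound RTT samples:", rtt_samples(example_inbound_flow(), outbound=False))
```

Note that SRT is taken from the server's acknowledgement rather than from the client's request packet, which is what keeps it a measure of server behaviour rather than of the WAN leg; the data-segment RTT samples are what continue to arrive after the handshake, so a WAN optimizer that terminates the handshake locally does not leave the flow with a single misleadingly small RTT.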


Prisma SD-WAN Predictive Analytics Dashboard


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license; Active WAN Clarity license

Prisma SD-WAN Predictive Analytics provides deep observability into the health of sites and applications, and proactive monitoring to identify critical issues and troubleshoot them faster, thus enhancing service levels.
• Select Monitor > Predictive Analytics to view the Predictive Analytics dashboard.
Observability identifies critical Sites, Links, and Applications and categorizes them as Good, Fair, or Poor at the tenant level, based on AI/ML health scores.
• Prediction includes predicting capacity utilization at the site level based on the previous three to six months of data.
• The default time range for viewing the metrics is three hours; you can adjust it to shorter or longer periods depending on the desired scope of information.
• Gain insights into the top 10 sites whose bandwidth utilization increased in the previous 28 days, and predict future branch capacity utilization; a seven-day prediction is shown whenever the 28-day prediction is unavailable.
• For time ranges longer than seven days, a Network DVR license is required. For more information, contact your Palo Alto Networks Account Team.

Observability and Prediction are available with an active WAN Clarity license. Predictive Analytics in preview mode is available only to select customers (those migrated to the new data lake infrastructure) and will be made available to other customers in the future. For more information, contact the Palo Alto Networks Account Team.

Sites
Active branch sites are categorized as Good, Fair, or Poor; inactive sites are classified as N/A.
The Sites widget displays the sites that are doing poorly across the tenant. A site is considered poor when 10% or more of its site health score samples are poor. For example, a three-hour duration contains 36 samples of the site health score (samples are taken at 5-minute intervals, so 12 per hour and 36 in three hours). If at least 10% of those samples (four of 36) score below 30, the site is counted as poor. The poor site count is the number of unique sites that are poor for any interval within the selected duration.

Rating | Score Range | Comments
Good | >=70 | 90% or more of the samples have a health score of 70 or higher for the selected duration.
Fair | 30-69 | Samples with a score between 30 and 69.
Poor | <30 | 10% or more of the samples have a health score below 30 for the selected duration.

Click Monitor Sites to view Sites.

Alternatively, select Monitor > Sites > List View to view Sites. This widget shows how many sites were active during the selected Time Range. A poor site's average score is the average of all the poor samples of the sites identified as poor.
• Site Health Distribution: the distribution of Good, Fair, and Poor sites for a given tenant.
• Site Health Distribution Over Time: the time-series graph of Site Health Distribution Over Time for a given tenant.
The time-series graph is computed and refreshed based on the selected duration. The supported durations are one hour, three hours, 24 hours, seven days, 30 days, and 90 days, and the sample interval (one minute, five minutes, one hour, or one day) grows with the duration.
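As an added example that is not part of this guide and not Prisma SD-WAN's own implementation, the following Python applies the site rating rules above to health-score samples: one sample every 5 minutes, Poor when 10% or more of the samples score below 30, Good when 90% or more score 70 or above, Fair otherwise, N/A for an inactive site with no samples, and the poor-site average taken over the poor samples of the sites rated Poor. The sample series are constructed, and the choice to evaluate the Poor rule before the Good rule is an assumption (the page does not say which wins when a site meets both).

```python
"""Site health rating rules as described on this page, applied to constructed
5-minute health-score samples. Illustrative code, not Prisma SD-WAN's own."""
from statistics import mean

SAMPLE_INTERVAL_MIN = 5
POOR_SCORE = 30          # a sample below this is a poor sample
GOOD_SCORE = 70          # a sample at or above this is a good sample
POOR_SHARE = 0.10        # Poor site: at least 10% of samples are poor
GOOD_SHARE = 0.90        # Good site: at least 90% of samples are good


def samples_for_duration(hours):
    """Number of 5-minute samples in a window: 3 hours -> 36."""
    return hours * 60 // SAMPLE_INTERVAL_MIN


def rate_site(scores):
    """Return "Good", "Fair", "Poor" or "N/A" for one site's sample series."""
    if not scores:                      # inactive site: no samples at all
        return "N/A"
    n = len(scores)
    poor = sum(1 for s in scores if s < POOR_SCORE)
    good = sum(1 for s in scores if s >= GOOD_SCORE)
    # Assumption: the Poor rule is evaluated first, so a site that meets
    # both thresholds (exactly 90% good and 10% poor) is reported as Poor.
    if poor / n >= POOR_SHARE:
        return "Poor"
    if good / n >= GOOD_SHARE:
        return "Good"
    return "Fair"


def summarize_tenant(sites):
    """sites: {site_name: [scores]}.
    Returns (rating per site, count of unique poor sites, poor-site average
    score). The average is taken over the poor samples of the sites rated
    Poor only, as the page describes."""
    ratings = {name: rate_site(scores) for name, scores in sites.items()}
    poor_sites = [name for name, r in ratings.items() if r == "Poor"]
    poor_samples = [s for name in poor_sites for s in sites[name] if s < POOR_SCORE]
    average = round(mean(poor_samples), 1) if poor_samples else None
    return ratings, len(poor_sites), average


def example_tenant():
    """Constructed three-hour sample series (36 samples each, one per 5 min)."""
    n = samples_for_duration(3)
    return {
        "branch-a": [85] * n,                           # every sample good
        "branch-b": [20, 25, 10, 15] + [80] * (n - 4),  # 4/36 = 11% poor -> Poor
        "branch-c": [20, 20, 20] + [80] * (n - 3),      # 3/36 = 8% poor, 92% good -> Good
        "branch-d": [50] * n,                           # nothing good or poor -> Fair
        "branch-e": [],                                 # inactive -> N/A
    }


if __name__ == "__main__":
    ratings, poor_count, poor_avg = summarize_tenant(example_tenant())
    for site, rating in ratings.items():
        print(f"{site}: {rating}")
    print(f"poor sites: {poor_count}, poor site average score: {poor_avg}")
```

The branch-c series is the instructive one: three poor samples out of 36 is 8.3%, below the 10% threshold, so the site is not counted as poor even though it had poor intervals, while four poor samples (branch-b) cross the threshold.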

Applications
The Applications widget displays the health score of all poor applications, lists the poor applications for a tenant based on the health score, and plots the average health score of poor applications for the last three hours at five-minute intervals.

Click Monitor Applications to view the Applications detail widget. This widget shows the list of
Applications, Health Score numbers, and other details related to that particular application.

Links
The Links widget displays the identified count of poor links for a tenant based on the health score
for the given period.

Click Monitor Links to view the Link Quality screen. The links list view captures:
• Link Performance: the distribution of Good, Fair, and Poor links for a given tenant.
• Link Performance Distribution Over Time: the time-series graph of Link Performance Distribution Over Time for a given tenant.
The time-series graph is computed and refreshed based on the selected duration. The supported durations are one hour, three hours, 24 hours, seven days, 30 days, and 90 days, and the sample interval (one minute, five minutes, one hour, or one day) grows with the duration.

Network Insights
Insights are determined by the system using a suite of machine learning algorithms.
These insights identify conditions such as:
• Excessive Packet Loss Detected
• Excessive Latency Detected
• Bandwidth Upgrade Recommended
• Configured vs Consumed Bandwidth Mismatch Detected
• Low Circuit Throughput Detected

Top Sites with BW Utilization Growth in Past 30 days

The Top Sites with BW Utilization Growth in Past 30 days widget displays the top 10 sites whose utilization has increased over the last 30 days. The Ingress and Egress Trend depicts information for the previous 30 days.

Site Capacity Prediction and Anomaly

The Site Capacity Prediction and Anomaly widget displays the number of sites that will reach the high capacity utilization threshold within the next 28 days. If the 28-day prediction is unavailable, it shows the seven-day prediction for branch site capacity utilization, the bandwidth anomaly for the selected time range filter, and the bandwidth forecast for the next seven days.
Click the branch to view the sites that are approaching high capacity bandwidth utilization.

Click the number under the Branch column to view the Site List View screen, which lists the sites that are approaching capacity. For the anomalous-occurrence branch, you can drill further into the site list section to see the bandwidth anomaly occurrences for each site. Alternatively, select Approaching Capacity, Anomaly, or All to filter the site results.

Prisma SD-WAN Link Quality Dashboard


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Prisma SD-WAN allows network administrators to meet their application Service Level
Agreements (SLAs) with its Path, QoS, and Security policies. Through the Prisma SD-WAN path
policy, you can define rules to express business intent for which paths are allowed per application.
The ION devices evaluate each application session against the defined path policy and select
the WAN path that meets the application-specific SLA. One of the many mechanisms used to
determine if a path will meet an application’s SLA is monitoring the Link Quality.
The Dashboard > Overall Link Quality page on the Prisma SD-WAN web interface provides the aggregate link quality metrics of all branch and data center sites at a glance. It includes information on the MOS, packet loss, jitter, and latency of the links. You can view data for the last available 5-minute interval or the last available hour of any metric.
Prisma SD-WAN determines link quality by actively probing the Secure Fabric VPN paths over
public and private transports and the private WAN underlay paths. The probes provide a constant
measurement of network performance metrics, such as jitter, latency, and packet loss. These
metrics, along with application-specific performance metrics and Layer 1 – Layer 7 reachability
inform traffic forwarding decisions for new and existing application flows.
By default, Link Quality metrics influence path selection for all real-time voice and video
applications. If a link is considered acceptable, the real-time application will stay on the initially
selected path. Still, when the link is degraded or considered inadequate, the ION device will
seamlessly move all existing and subsequent real-time application flows to a suitable alternate
path as allowed by policy, if available.
For the chosen link quality metric, you can filter the information by Interval, Start Time, and Direction. Using the interactive dashboard, you can switch to any other link quality metric to view the corresponding graphs. The last distribution range of the bar graph extends up to the 90th percentile of the available data.
The Link Quality Metrics provides a snapshot of the current state of the links you are monitoring.
You gain insight into the dashboard's Link Performance, Link Packet Loss, Link Jitter, and Link
Latency. Links are displayed by default for all your sites and for the most recent time period (last
available 5 minutes or last available hour). The interactive dashboard provides filters to change the
scope of information displayed; it allows you to analyze information you want to view in greater
detail in the Link Quality Details tab.
Click View Details to see the detailed view of the links table. The table enables you to view all
secure fabric links between two sites along with Circuit and WAN information. You can also view
the link quality metrics and link type for each link. You can sort the table information based on
a particular link quality metric displaying the corresponding worst value on top. Expand the site
detail to view the link quality metrics for ingress and egress flows. It enables you to view the link
quality chart per site and path. The chosen site and active path are the pre-selected filter criteria
for the Activity chart that displays the corresponding information.


Prisma SD-WAN Subscription Usage


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

The Prisma SD-WAN License Usage feature gives you access to comprehensive reports on both site and tenant bandwidth consumption. It lets you monitor bandwidth usage and track and trend monthly bandwidth utilization across all branch sites to ensure compliance with licensing agreements.
Go to Strata Cloud Manager > Monitor > License Usage to view a graphical representation of the rolling yearly bandwidth utilization, measured as the maximum bandwidth (Mbps) consumed per month across All Branch Sites. You can view the bandwidth consumption from the current month back through the previous months of the rolling year.

View the license usage of the Top 5 Branch Sites for each month. Select a site name or hover over the chart to view the consolidated license usage of the sites for any month. Download .CSV files for detailed license usage of all branch sites for a tenant and for the summary yearly license usage.


Prisma SD-WAN Sites and Devices
Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Prisma SD-WAN sites are the branch offices and data centers that you want in your wide area network. Users and services are set up in a branch; enterprise applications and services are hosted in a data center.
The Prisma SD-WAN branch ION device is typically the branch's gateway. You can connect it to a Layer 2 or Layer 3 switch for LAN connectivity.
The Prisma SD-WAN solution provides complete separation of the control and data planes. If a branch device loses connectivity with the controller, the ION device continues to function independently: it maintains the Prisma SD-WAN secure VPNs and keeps rotating the unique session keys for each VPN every hour for up to 72 hours.
ION devices are available in both hardware and software form factors to suit any location and deployment scenario. You can deploy Prisma SD-WAN ION devices in Analytics Mode or Control Mode.
To deploy Prisma SD-WAN, set up your branch and data center sites, then claim, assign, and configure the ION devices for those sites.
The following topics describe how to set up your branch and data center sites, configure ports and interfaces, use external services for monitoring, return a faulty ION device through the Returned Merchandise Authorization (RMA) wizard, and upgrade the ION device software:
• Set Up Sites
• Set Up Devices
• Switch a Site to Control Mode
• Prisma SD-WAN Ports and Interfaces
• Use External Services for Monitoring
• Returned Merchandise Authorization (RMA)
• Upgrade ION Device Software


Set Up Sites
Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Within your wide area network, your sites can comprise branch offices and data centers. You can create sites either before or after the ION devices arrive at a given site. Once you create a site, its icon is displayed on the map, but the site is turned off by default. An enterprise can have one or more branches or data centers within its network.

Before you assign ION devices to your site, configure the circuit with the required circuit categories; these let you assign circuit labels to the ports on the ION devices.

Once you have assigned ION devices to a branch or a data center, you can set up the branch to monitor your network and application traffic. Alternatively, you can activate a branch and a data center to route and forward the traffic.
To begin, add sites and designate each as either a branch or a data center. You can create just a branch, just a data center, or both; however, you need at least one branch site and one ION device to start.
During the initial site setup, you must define circuits and circuit categories; you can edit or change them at any time. You can configure one or more clusters to determine which data center communicates with which branch sites; this creates a secure connection (VPN) between the data center and branch devices.
• Add a Branch
• Add a Data Center

Add a Branch
An enterprise can have one or more branches within a network. When you create a branch, you can select a default domain and set of policy rules and configure WAN networks, circuit categories, circuit labels, and circuit specifications.
STEP 1 | Select Workflows > Sites > Add Site.
1. Enter basic information for the site and click Next.

STEP 2 | Configure the Type of site.

1. Select Branch to configure a branch site and click Next.
2. Select a Domain from the drop-down.
By default, a preset domain is displayed for a branch site.
3. Associate Branch With Default Data Center Cluster associates the newly created branch with the default cluster. It is selected by default; clear it to choose a different cluster from the list.

STEP 3 | Click Next.

STEP 4 | Configure Policies.


Ensure that the default Path Policy Set Stack, QoS Policy Set Stack, and NAT Policy Set Stack
are selected.

STEP 5 | Configure circuits for the site and click Next.


Circuit categories are used in policy rules to identify paths allowed for an application. By
default, there are a few pre-defined circuit categories in the system that you may use when
you configure the site. You can edit these labels or rename any of the remaining categories
through Circuit Categories under Stacked Policies or Network Policies (Original).

STEP 6 | Click Save & Exit.

The Summary of the newly added branch will display for your review.

Add a Data Center

An enterprise may have one or more data centers within a network. As part of creating a data center, you can select a default domain and policy set and set up WAN networks, circuit categories, circuit labels, and circuit specifications.
STEP 1 | Select Workflows > Data Centers > Add Site.
1. Enter basic information for the site and click Next.

STEP 2 | Configure the Type of site.

1. Select Data Center to configure a data center site and click Next.
2. Select Configure Data Center Groups After Creation.

STEP 3 | Click Next.

STEP 4 | Click Next to proceed to configure circuits for the site.


Policies apply to branch site only. Circuit categories are used in policy rules to identify paths
allowed for an application. By default, there are a few pre-defined circuit categories in the
system that you may use when you configure the site. You can edit these labels or rename
any of the remaining categories through Circuit Categories under Stacked Policies or Network
Policies (Original).

STEP 5 | Click Next, verify the details of the newly added data center, and then Save & Exit.
You can view the summary of the newly added data center.
You do not need to activate your data center at this time. Activate your data center only when you deploy Prisma SD-WAN in Control mode. When both the branch and the data center are activated, VPN tunnels are created automatically between the branch and the data center.

You can use an ION 3000 or ION 9000 device at the data center.

Add a Branch Gateway


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license; physical and virtual ION devices running software version 6.4.1 or higher

Geographically distributed organizations often have smaller regional data centers colocated with users, manufacturing, and other business operations, which presents both configuration and operations challenges. The single-click capability to create Regional Branch Gateways simplifies adoption of this use case by automatically creating VPN topologies and instantiating Hub (policy transit, LQM server, and so on) and Branch (app visibility, path selection, and so on) services, simplifying Day 1 and Day 2 operations for all traffic types and vectors.
You enable the branch gateway functionality with a single click of the site-level configuration setting. Upon enabling branch gateway mode, VPN tunnels automatically form between the branch gateway site and the corresponding branch sites in the domain.

Prisma SD-WAN supports branch gateway sites on the following platforms:

• ION 3200
• ION 5200
• ION 9200
• ION 3000
• ION 7000
• ION 9000
All virtual ION models also support a branch gateway site.
The ION device assigned to a branch gateway site supports the following interfaces:
• Port
• Bypass Pair
• Subinterfaces
• Virtual Interfaces
• Standard VPN
Interfaces in the branch gateway site support IPv4 & IPv6 static and DHCP addresses as well as
secondary addresses.
You can create a new site as a branch gateway site or can convert an existing branch site to a
branch gateway site after completing the site configuration.
You can:
• Create a new branch gateway site.
• Convert an existing branch site to a branch gateway site.
• Edit branch gateway site settings.
• Create VPNs between branch gateways or to a branch site.

Create a new branch gateway site.


1. Select Workflows > Branch Sites > Add Site.
2. Add a Site Name and optionally enter description and tags.
3. Enable Configure as a Branch Gateway Site.

4. Add the other details to set up a site and click Save & Exit.

Assign a device to the created branch gateway site, enable L3 Direct Private WAN
Forwarding and L3 LAN Forwarding for the device and then configure the interfaces.

Prisma SD-WAN Administrator’s Guide 49 ©2024 Palo Alto Networks, Inc.


Prisma SD-WAN Sites and Devices

Convert an existing branch site to a branch gateway site.

You can convert an existing branch site to a branch gateway site.
Ensure that:
• The site is in Control mode.
• You have enabled L3 Direct Private WAN Forwarding.
• You have enabled L3 LAN Forwarding.
• There are no existing branch-to-branch VPN tunnels. If any tunnels exist, Prisma SD-WAN deletes them during the conversion.
1. Select Workflows > Branch Sites and click the ellipsis menu for the site.
2. Select Switch to Branch Gateway Site.

Switching a branch site to a branch gateway site causes the ION device to reboot.

Alternatively, select Branch Sites, select a site, and then enable Branch Gateway.

Edit branch gateway site settings.

(Optional) After you create a branch gateway site, you can edit the branch gateway site settings.

Select Prefer LAN Default over WAN if your topology needs to use the LAN interface (with a default gateway) as the default route. This mimics the path selection behavior of a data center site, where the device forwards all incoming WAN traffic to the LAN peer.

For example, consider the traffic flow Branch ↔ Branch Gateway ↔ LAN (Firewall → Internet). Typically, the ION device has a default route (0.0.0.0/0) on its internet (WAN) interfaces, with the next hop set to the default gateway configured on the WAN interface or learned from DHCP, so that packets with no more specific route are steered to the internet (for DIA or otherwise). In this scenario, the branch gateway site instead needs to use the LAN interface, whose default gateway is configured statically or via DHCP, as its default route in preference to the internet interface. Selecting Prefer LAN Default over WAN achieves this by adding a default route on the LAN interface with a lower administrative cost than the default route on the WAN interface.
Maximum Branch Site Count Info indicates the maximum number of branch sites that you can associate with a branch gateway site. If you exceed this number, Prisma SD-WAN generates an incident; however, it is still possible to associate branches with the branch gateway by joining the domain or by establishing manual tunnels.


Create VPNs between branch gateway sites or branch sites.

Prisma SD-WAN establishes VPN tunnels as follows:


• Branch -> Branch Gateway (Same Domain) — Prisma SD-WAN automatically builds Fabric
VPN tunnels.
• Branch -> Branch Gateway (Different Domain) — You need to manually configure Fabric
VPN tunnels.
• Branch Gateway -> DC — Prisma SD-WAN automatically builds VPN tunnels.
• Branch Gateway -> Branch Gateway — You need to manually configure Fabric VPN
tunnels.
1. (Optional) Change the domain of a branch gateway site.
   1. Select a branch gateway site.
   2. Click the ellipsis menu and select Change Site Domain.
   3. Choose the required domain and click Submit.
   To establish an automatic VPN tunnel between a branch site and a branch gateway site,
   ensure that both are in the same domain.
2. (Optional) Create a manual VPN tunnel between two branch gateway sites.
   1. Select Workflows > Sites and select a branch gateway site.
   2. Select Overlay Connections > Branch Gateway — Branch Gateway > Add Link.
   3. Select a circuit and select the site for VPN establishment on the Add Secure Fabric
   Link pop-up.

Prefix Advertisement
The branch gateway site performs prefix advertisement and distribution in a variety of
topologies.

Table 2: Prefix Advertisement

Learned Via                     Advertised To
Fabric Tunnel                   LAN BGP Peer; Standard VPN BGP Peer
Standard VPN Tunnel BGP Peer    Fabric (to branch); LAN BGP Peer
LAN BGP Peer                    Fabric; LAN BGP Peer; Private WAN BGP Peer
Private WAN BGP Peer            LAN BGP Peer
LAN Static Route                Fabric; LAN BGP Peer; Private WAN BGP Peer

Default Route in WAN BGP Peer


Prisma SD-WAN has enhanced the existing BGP Global configuration to allow an option to
choose the default route as part of the prefix advertisement to WAN.
For a BGP peer, select Advertise Default Route to Peer to distribute the default route to the
peer, instead of explicitly configuring a prefix via route-maps.

Configure Circuits
Where Can I Use This? Prisma SD-WAN
What Do I Need? Prisma SD-WAN license

Each circuit is assigned a circuit category, and circuit categories are used in policy rules to identify
the paths allowed for an application. By default, there are a few pre-defined circuit categories in
the system that you can use when configuring circuits.
When configuring circuits, use the optimum parameters for the circuit based on the circuit
category. For example, when using metered circuit categories in circuits, ensure that you minimize
metered LTE usage.
To add or edit internet or Private WAN circuits, perform the following steps:
STEP 1 | Select Workflows > Sites/Data Centers > Configuration > Internet Circuits/Private WAN
Circuits > Add Circuits/Change Circuits.

STEP 2 | Select a circuit and the internet service provider from the drop-down to Edit.

STEP 3 | Add a name and (optional) description for the circuit.

STEP 4 | Enter the LINK DOWN and LINK UP speed.

STEP 5 | For Bandwidth (BW) Configuration, leave the default as manual.


STEP 6 | (Optional) Enable BW Monitoring if you would like ongoing measurement of link capacity.
BW Monitoring is enabled by default.

STEP 7 | (Optional) Select Yes for QoS to enable shaping and queuing of traffic as defined in your
application policy rules.

STEP 8 | (Optional) Select the setting for Use for Application Reachability Probes.

STEP 9 | (Optional) Enable LQ Monitoring if you would like ongoing measurement of link quality, such
as latency, loss, and jitter.
LQM is enabled by default on branch to data center paths.

STEP 10 | For Bidirectional Forwarding Detection (BFD) Mode, select Aggressive or Non-aggressive
and for devices on version 5.4.1 and later set the VPN Keep Alive Failure Count and VPN
Keep Alive timeout Interval.
• Aggressive—Choose aggressive for fast failure detection of links. This mode is the default
mode and is recommended by Prisma SD-WAN.
• Non-aggressive—Choose non-aggressive when you want to reduce the amount of probe
traffic, or for links that are subjected to high loss or poor quality.

STEP 11 | (Optional) Configure L3 reachability probes under Probe Configuration.


You can select previously created profiles, probe configurations, and endpoints for Profile
Name, Probe Configs and Select Probe Endpoints. Select Use Element Default to use the
default system probe configuration.

STEP 12 | Retain the default cost and click Done.


By default, the Cost for a circuit is 128; a value lower than 128 indicates a lower circuit cost,
making the circuit a preferred choice.

STEP 13 | Add and edit any new circuits and Save.

Configure Internet Circuit Underlay Link Aggregation


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license


Starting with ION device release 5.6.1, Prisma SD-WAN supports Link Quality Monitoring (LQM)
based path selection for all path types, including underlay, VPN, and Standard VPN. The ION device
aggregates the overlay LQM values measured between the branch and one or more data centers to
compute the final LQM value for the internet underlay circuit or other required paths. By default,
Use LQM for Non Hub Paths is disabled but can be enabled at the circuit or circuit category level. To
enable it at the circuit level:
STEP 1 | On the Prisma SD-WAN web interface, go to Manage > Sites, and select a site from the list
of sites.

STEP 2 | For a site, click Configurations > Internet Circuits > Change Circuits.

STEP 3 | Click Edit to view circuit information.

STEP 4 | In the LQM Configurations:


• To enable LQ Monitoring for ongoing link quality measurements, such as latency, loss, and
jitter, select Yes. LQM is enabled by default on branch to data center paths.
• Select one or more Data Centers to be the basis for Link Quality metrics for the internet
underlay.

If nothing is selected, by default, all data centers are chosen.

• Select Yes from the Use LQM for Non Hub Paths for Link Quality metrics for the internet
underlay.
• From the Aggregation list, choose Minimum (lowest value of selected data centers), or
Maximum (highest value of selected data centers), or Average (average value of selected
data centers). By default, minimum will be selected.
The Summary in the Link Quality charts displays minimum, maximum, or average link-level metrics
based on the selected data centers and the aggregation method. The details are also displayed on
the main Dashboard tab.

The Aggregation list does not display if you select a single data center.

STEP 5 | Optionally, the setting is also controlled at the Circuit Category level (recommended). Please
see for instructions on editing a circuit category.

Configure Private WAN Underlay Link Quality Aggregation


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Configure private WAN underlay Link Quality aggregation for multiple data centers.
STEP 1 | Select Workflows > Sites or Data Centers, and select a site from the list of sites.

STEP 2 | For a site, click Configurations > Private WAN Circuits > Change Circuits.


STEP 3 | Click Edit to view circuit information.

STEP 4 | From the Data Center drop-down:


• Ensure LQ Monitoring is enabled.
• Select one or more data centers to be the basis for Link Quality metrics for the private
WAN underlay.
• From the Aggregation drop-down, choose Minimum (lowest value of selected data centers),
Maximum (highest value of selected data centers), or Average (average value of selected
data centers).
The Summary in Link Quality charts will display minimum, maximum, or average link-level
metrics based on selecting data centers and the aggregation method. In addition, use the
aggregate metric to determine the link quality of the private WAN underlay path used in the
dynamic path selection algorithm.

The Aggregation drop-down won’t display if you select a single data center.

Configure Circuit Categories


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Circuit categories are a logical grouping of various kinds of circuits and connectivity that may be
present in the network. This grouping allows for simplified and reusable network policy rules for
the entire network. For example, internet cable broadband, metered internet LTE links, satellite
internet links, internet DSL, or private MPLS.
In an effort to reduce data usage on a metered LTE link, you can choose to exclude a circuit
category from connecting to the controller for device related services.
Circuit categories are defined during initial site setup, but may be edited or changed at any time
from the Policies tab. To edit circuit categories, select Policies and then select Circuit Categories.
Working with circuit categories include defining circuit categories, defining circuit categories in
application policies, assigning a circuit category to a site WAN network and site WAN interface,
and assigning a circuit category to the ION interfaces.
STEP 1 | Select Manage > Resources > Circuit Categories.

STEP 2 | Edit a public or private circuit category.


A total of 64 circuit categories are available: a maximum of 32 public circuit categories and 32
private circuit categories.

STEP 3 | You can choose to enter a name for the circuit category instead of the default public or
private category name.
Pre-defined categories are pre-loaded in the system for you to edit and use as needed.

STEP 4 | (Optional) Enter Description and Tags if needed.


STEP 5 | Select the Use For Controller Connections check box to connect this circuit category to the
controller for device related services.
Deselect this check box to exclude this circuit category from connecting to the controller for
device related services. For example, deselect for metered LTE circuits.

Settings configured at the Circuits level take higher precedence over the settings
configured at the Circuit Category level.

STEP 6 | Select the Use for Application Reachability Probes check box to connect this circuit category
to check the reachability of an application on a given path.
Deselect this check box to exclude this circuit category from checking for reachability of an
application on a given path. For example, deselect for metered LTE circuits.

Settings configured at the Circuits level take higher precedence over the settings
configured at the Circuit Category level.

STEP 7 | Select the QoS if you would like to enable shaping and queuing of traffic as defined in your
application policy rules.

STEP 8 | In the LQM Configurations:


• To enable LQ Monitoring for ongoing link quality measurements, such as latency, loss, and
jitter, select Yes. LQM is enabled by default on branch to data center paths.
• Select Yes from the Use LQM for Non Hub Paths for Link Quality metrics for the internet
underlay.

STEP 9 | (Optional) Configure L3 reachability probes under Probe Config ID.


You can select previously created probe configurations for Probe Config ID. Select Use
Element Default to use the default system probe configuration.

STEP 10 | In VPN Configurations, for Keep-Alive Failure Count, enter a value between 3 and 30 and
for Keep-Alive Interval, enter a value between 100 ms and 600000 ms.

• The Keep-Alive Failure Count indicates the number of consecutive missed keep-alive
packets before a link is declared as down. The default value is 3.
• The Keep-Alive Interval indicates the time interval in milliseconds between two VPN Keep-
alive packets. The default value is 1000 ms.


Configure Device Initiated Connections for Circuits


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Prisma SD-WAN ION devices initiate multiple connections to the controller for various services
such as Message Routing Layer (MRL) service, statistics, flows, logs, and remote access of device
toolkit. For services connecting to the controller using random paths or interfaces, you can
exclude certain interfaces or paths from being used for these services. For example, an expensive
metered LTE circuit is used as a last resort interface to maintain connectivity to the controller.
In addition, ION devices generate application reachability probes when an application or prefix
is unreachable for a particular path. However, if a particular circuit is to be used as a path of last
resort only, then the amount of non end-user traffic going over that specific circuit should be
minimized. You can exclude certain circuits and circuit categories from being used for device
initiated connections by using the Use for controller connections and Use for application probes
options.
ION device interfaces are preferred for device initiated connections in this order: the controller
port interface first, then the LAN port, then any interface that has an IP address but no label
attached, and finally interfaces with circuit labels attached. Among labeled circuits, the order of
preference is based on circuit cost: a circuit with a higher cost has a lower preference for device
to controller connections.
STEP 1 | Select Workflows > Sites/Data Centers > Configuration.

STEP 2 | Click Change Circuits for either Internet Circuits or Private WAN Circuits.

STEP 3 | Click Edit below the circuit name.

STEP 4 | On the Circuit Information screen, select Yes for Controller Connections, only if using the
circuit for connecting to the controller for device related services.
Select No, if this circuit is to be excluded from connecting to the controller for device related
services such as metered LTE circuits.
Select Use Circuit Category Setting for selecting the configuration from the Circuit Category.

STEP 5 | Select Yes for App Reachability Probes, only if using the circuit for checking the reachability
of an application for a given path.
Select No, if this circuit is to be excluded from checking the reachability of an application for a
given path such as metered LTE circuits. Select Use Circuit Category Setting for selecting the
configuration from the Circuit Category.


STEP 6 | Click Done.

A DEVICESW_INITIATED_CONNECTION_ON_EXCLUDED_PATH alarm is generated when
a device initiated controller connection is established using an excluded interface or path.
The lack of an available interface or path has forced the connection on an excluded path or
interface as a last resort.
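As an added example (not Prisma SD-WAN or Palo Alto Networks code), the following Python models the interface preference described in this section: controller port, then LAN port, then unlabeled interfaces with an IP address, then labeled circuits ordered by cost, with the circuit-level Controller Connections setting overriding the circuit category setting, and an excluded circuit used only as a last resort, which is when the DEVICESW_INITIATED_CONNECTION_ON_EXCLUDED_PATH alarm is raised. The interface roles, the sample inventory and the tie-breaking rules are assumptions for illustration, not the ION device's actual algorithm.

```python
from dataclasses import dataclass
from typing import Optional

# Preference buckets in the order the guide describes (lower is preferred).
CONTROLLER_PORT, LAN_PORT, UNLABELLED_WITH_IP, CIRCUIT = 0, 1, 2, 3
EXCLUDED_PATH_ALARM = "DEVICESW_INITIATED_CONNECTION_ON_EXCLUDED_PATH"


@dataclass(frozen=True)
class Interface:
    name: str
    role: str                        # "controller", "lan" or "wan" (assumed roles)
    has_ip: bool = True
    circuit_label: Optional[str] = None   # circuit attached to a WAN interface
    circuit_cost: int = 128               # default circuit cost in the guide
    use_for_controller: Optional[bool] = None   # None = Use Circuit Category Setting
    category_use_for_controller: bool = True    # the circuit category's own setting


def effective_use_for_controller(iface):
    """The circuit-level setting takes precedence over the circuit category setting."""
    if iface.use_for_controller is None:
        return iface.category_use_for_controller
    return iface.use_for_controller


def bucket(iface):
    """Map an interface to its preference bucket."""
    if iface.role == "controller":
        return CONTROLLER_PORT
    if iface.role == "lan":
        return LAN_PORT
    if iface.circuit_label is None:
        return UNLABELLED_WITH_IP
    return CIRCUIT


def rank_interfaces(interfaces):
    """Order interfaces by bucket, then by circuit cost (higher cost = lower preference)."""
    usable = [i for i in interfaces if i.has_ip]
    return sorted(usable, key=lambda i: (bucket(i), i.circuit_cost, i.name))


def choose_controller_path(interfaces, up):
    """Pick the interface for a device initiated controller connection.

    `up` is the set of interface names currently usable. Returns
    (interface_name, alarm): alarm is None unless the only usable path is a
    circuit excluded from controller connections, which is then used as a last
    resort and the excluded-path alarm is raised.
    """
    ranked = [i for i in rank_interfaces(interfaces) if i.name in up]
    allowed = [i for i in ranked
               if bucket(i) != CIRCUIT or effective_use_for_controller(i)]
    if allowed:
        return allowed[0].name, None
    if ranked:
        return ranked[0].name, EXCLUDED_PATH_ALARM
    return None, None


# Constructed sample inventory (not from the guide).
SAMPLE_INTERFACES = [
    Interface("ctrl0", "controller"),
    Interface("lan1", "lan"),
    Interface("wan_unlabelled", "wan"),
    Interface("broadband", "wan", circuit_label="Internet-Broadband", circuit_cost=100),
    Interface("mpls", "wan", circuit_label="Private-MPLS", circuit_cost=128),
    # Metered LTE: the category says No for controller connections; the circuit inherits it.
    Interface("lte", "wan", circuit_label="Metered-LTE", circuit_cost=200,
              category_use_for_controller=False),
]

if __name__ == "__main__":
    for up in ({"ctrl0", "lan1", "broadband", "lte"}, {"mpls", "lte"}, {"lte"}):
        print(sorted(up), "->", choose_controller_path(SAMPLE_INTERFACES, up))
```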

Add Public IP LAN Address to Enterprise Prefixes


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Add a new public Internet Protocol range of LAN addresses to the enterprise prefixes so that any
traffic from other sites can choose the enterprise default path policy.
STEP 1 | Navigate to Manage > System > Enterprise Prefixes.

STEP 2 | Add IP Prefix range, for example, 182.98.0.0/16.


IPv4 and IPv6 addresses are supported.
A red Internet Protocol prefix text box indicates an incorrect IP address and you won't be able
to save the prefix. A blue Internet Protocol Prefix text box indicates the correct IP address.


STEP 3 | Save the enterprise Internet Protocol prefixes.

Site Configuration Template


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Site configuration templates help you create tailored site templates that cater to your
deployment requirements, allowing you to deploy branches and data centers efficiently at
scale. This section guides you through the process of creating a site template and shows a
streamlined approach to deploying multiple sites consistently at scale.
A site configuration template is a predefined blueprint containing a list of variables that
encompass all the necessary configurations for creating fully operational sites and devices. Using
this template, you can deploy multiple sites. You can use an existing template, edit an existing one
or create a new template to deploy multiple sites.

The current release of site configuration templates provides day-one deployments
and does not encompass support for FIPS mode and CloudBlades. However, these
functionalities are planned to be included in an upcoming release.
This feature is compatible with ION device version 5.6.x and later.

The configuration components needed to deploy sites at scale are:


• Site Template: A site template is a predefined blueprint containing a comprehensive list of
variables covering all essential configurations required to establish fully operational sites and
devices.
• Site Variables: A CSV file containing variables generated from the template and their original
values.
• Site Data: A CSV template containing site configuration data linked to the respective variables
used in the deployment of each site.
The workflow to create a site template is as follows:
1. Create a Site Template
2. Edit Variables
3. Download the Site Variables
4. Upload CSV Data File
5. Deploy Sites

Create a Site Template

Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license


Create a site template using an existing site template.


STEP 1 | Navigate to Manage > Resources > Site Templates > Add Site template.

STEP 2 | You can use an existing site as a template (recommended) or Import a Site template.

The recommended best practice is to initially create a site with all essential
configurations and validate its functionality. After the site is operational, it
can serve as the foundation for a site template. Importing a site template involves
downloading previously used templates, adjusting them to your requirements,
and then re-importing the updated versions.

• To use an existing template, click Use an existing site as a template.

• Alternatively, Import a site template by uploading a Jinja template and the corresponding
csv file.

To import, select a Jinja template and the corresponding csv file from your local system
and then Save. Ensure your CSV file contains at least one row of data, as the system will
validate to ensure the output is correct.
After you import the template, you cannot edit the template. To modify the template,
download the template, edit and then re-upload the template.
When uploading a template, Jinja supports conditional statements to boost flexibility in
deployments. This includes IF statements, comparisons, and replacements. If you encounter
an error during upload, ensure your Jinja formatting is correct, as the system validates
the uploaded CSV content against a successful YAML file format. A few examples of
conditional statements are provided below:

{# Emit an IPv6 DHCP server block only when the site data sets dhcp2 to "DHCP" #}
{%- if dhcp2.upper() == "DHCP" %}
    - address_family: ipv6
      broadcast_address:
      custom_options:
      default_lease_time: 43200
      {# Use the site-specific description when one is supplied, else leave it empty #}
      {%- if dhcp2_description and dhcp2_description|length != 0 %}
      description: {{ dhcp2_description }}
      {%- else %}
      description:
      {%- endif %}
      disabled: false
      dns_servers:
        - 2001:db8:a0b:12f0::1
      domain_name:
      gateway:
      ip_ranges:
        - end_ip: 2001:db8:a0b:12f0::220
          start_ip: 2001:db8:a0b:12f0::3
      max_lease_time: 86400
      network_context_id:
      static_mappings:
      subnet: 2001:db8:a0b:12f0::/64
      tags:
      vrf_context_id: Global
{%- endif %}

STEP 3 | Enter a Site Template Name and Description.


The site template name must be unique; duplicate entries throw an error.

STEP 4 | Select Site Type, whether branch or DC.

STEP 5 | Select the Branch Site that you want to clone.

STEP 6 | Click Next.


The template includes a set of attribute keys and their associated values. It comprises a
predefined set of variables to facilitate deployment, encompassing essential information
like site name, address, serial numbers, software version, and SNMP authentication strings,
among others. The objective is to identify any additional variables necessary for unique site
configuration within your site deployment. Prisma SD-WAN greatly simplifies site templates
by utilizing integrated policy abstraction for items such as Path, QoS, NAT, and Security, along
with objects. This minimizes the requirement for creating variables, only necessitating them for
distinct items at a branch, such as LAN/WAN IP addresses or circuit settings.

For every site template, the following variables are mandatory:


• Site Name: site_name
• Software Version: ion_sw_version
• Serial Number: ion_serial_number_1 (for HA deployments, the template also includes the
variable ion_serial_number_2).
The controller will reject site data if these variables are missing from the file.

After the site template is created, you can add more variables for any elements that will be
unique within your site deployment.

STEP 7 | Editing variables allows you to create additional variables for values that should be
unique, update existing values to something new, and delete default variables if they are
unnecessary. The variables within the template are listed in the Variables section and are
highlighted in green text.
• Create variables: Variables serve as repositories for unique site-specific data. You can
customize these variables to align with your site configuration. The variables in the template
appear in the Variables list highlighted in green text.
1. Highlight the variable from the template.
2. Make Variable is highlighted. Click Make Variable.
3. In the Make Variable dialog, enter a Name for the variable.
4. Apply this change to all instances in the template and Update. The selected data appears
in the Variables list.
5. Save your changes.
6. If you want to remove a variable and make it a static value, delete the variable from the
variables list. On the confirmation dialog, click OK to delete. The variable becomes a
static value and the variable is removed from the variable list.
• Update Static Value:
1. Highlight the variable from the template.
2. Update Static Value is highlighted. Select Update Static Value.
3. In the Update Static Value dialog, enter a static Value for the variable.
4. Apply this change to all instances in the template and Update. The selected variable is
updated with static value.
• Delete Variables:
1. Enter a variable name to search in the search box.
2. Delete (X) the variable, which returns the original value to the template. For example,
you may prefer to hard code your SNMP authentication string directly into the
template rather than using a variable. Removing the variable and updating the value
directly is a way to provision the SNMP settings for sites.
• Search Variables: Enter a variable name in the Search box to search.
• Check Syntax: If you have edited the variable, check the syntax of the template file. Green
indicates the template has no errors.

Download the Site Variables


Downloading the site variables provides a reference to the necessary data required to deploy new
sites at scale using this template. You can also access the site template, and site data (for sites
already deployed) from the site templates page.
STEP 1 | Select the site template you want to download.


STEP 2 | On the top-right corner, click the Download icon.

STEP 3 | Select Sites Variables. A CSV file containing all the variables defined in the template and
their corresponding values is downloaded.

If you choose to download the Site Template, it is downloaded in Jinja format. Site
Data (for sites deployed using a template) and site variables can also be downloaded
and are available in CSV format. If there is no data, you get a notification that there
is no data to export.

Deploy Site with Template

Where Can I Use This? Prisma SD-WAN
What Do I Need? Prisma SD-WAN license

Edit the CSV containing the site variables to include the configuration information for the sites
you intend to deploy. This file serves as the CSV data source for the next step. Ensure the values
in the CSV match the variable values.
After creating a template, use it to deploy sites.
STEP 1 | Navigate to Manage > Resources > Site Templates.

STEP 2 | Select the site template you want to use to deploy sites.

STEP 3 | Click Deploy Site with Template.


STEP 4 | Upload the CSV site data file you want to import and click Import.

Optionally, you can manually enter the site data.

If the serial number of the device is added in the template, then it will always be
mapped to the device and you cannot assign the serial number to any other device. If
the serial number is not entered in the template, then you can assign it to any device
of the same model before deploying the site. After deployment, you cannot make any
changes to the serial number.

STEP 5 | Select the sites to deploy using the template. You can add or delete a particular site from the
list.
When importing sites, the color codes indicate the type of site data:
• Alert: If a site is missing mandatory variable data, an alert icon is shown.
• Existing site: If a site already exists and you are using the same name, an existing icon is
shown.
• New site: For all new site names, a new icon is shown.
• Duplicate site: If any of the rows has a site name that already exists, a duplicate alert is
shown.
You can export site variables and site data for reuse, making it easier to populate them for
future branch deployments. Click Export to export the selected rows or all the rows. Select if
you want to export site data or site variables. Site variables and site data are downloaded in
CSV format.
The template is downloaded, by default, in a Jinja format.
The device serial numbers in the site templates are optional. If you do not have a device serial
number, the system will create a device shell, a virtual configuration file that can be assigned to
a device when the device is available.
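As an added example (not Prisma SD-WAN or Palo Alto Networks code), the following Python performs a pre-upload check of a site data CSV using the rules in this section: the mandatory variables site_name, ion_sw_version and ion_serial_number_1 must be present as columns, a blank serial number is allowed because a device shell is created instead, and each row is classified as new, existing, duplicate or alert. The sample CSV, the lan_prefix variable, the serial-number placeholders and the list of existing sites are constructed, and treating a site name repeated within the file as a duplicate is an assumption.

```python
import csv
import io

# Mandatory template variables named in the guide.
MANDATORY = ("site_name", "ion_sw_version", "ion_serial_number_1")

# Constructed sample site data (not from the guide): the header row carries the
# variable names and each following row carries one site's values.
SAMPLE_SITE_DATA = """site_name,ion_sw_version,ion_serial_number_1,lan_prefix
Branch-Austin,6.1.5,SERIAL-PLACEHOLDER-1,10.10.1.0/24
Branch-Denver,6.1.5,,10.10.2.0/24
Branch-Austin,6.1.5,SERIAL-PLACEHOLDER-2,10.10.3.0/24
Branch-Boston,,SERIAL-PLACEHOLDER-3,10.10.4.0/24
"""


def missing_mandatory_columns(fieldnames):
    """Return the mandatory variables that are absent from the CSV header."""
    present = set(fieldnames or [])
    return [v for v in MANDATORY if v not in present]


def validate_site_data(csv_text, existing_sites):
    """Classify each row of a site data CSV before it is uploaded.

    Returns a list of (site_name, status, detail) tuples, where status is one
    of "new", "existing", "duplicate" or "alert", mirroring the icons the
    deployment page shows. Raises ValueError when the controller would reject
    the whole file (a mandatory variable column is missing, or there are no rows).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing_columns = missing_mandatory_columns(reader.fieldnames)
    if missing_columns:
        raise ValueError(f"site data lacks mandatory variables: {missing_columns}")
    rows = list(reader)
    if not rows:
        raise ValueError("site data must contain at least one row")

    seen_in_file = set()
    results = []
    for row in rows:
        name = (row.get("site_name") or "").strip()
        serial = (row.get("ion_serial_number_1") or "").strip()
        # A blank serial number is allowed: the site is deployed with a device
        # shell that can be assigned to hardware of the same model later.
        missing = [v for v in MANDATORY
                   if v != "ion_serial_number_1" and not (row.get(v) or "").strip()]
        if missing:
            status, detail = "alert", "missing " + ", ".join(missing)
        elif name in seen_in_file:
            # Assumption: a site name repeated within the file is a duplicate.
            status, detail = "duplicate", "site name repeated in this file"
        elif name in existing_sites:
            status, detail = "existing", "a site with this name already exists"
        else:
            status = "new"
            detail = "device " + serial if serial else "device shell"
        seen_in_file.add(name)
        results.append((name, status, detail))
    return results


if __name__ == "__main__":
    for name, status, detail in validate_site_data(SAMPLE_SITE_DATA, {"Branch-Boston"}):
        print(f"{name:<14} {status:<10} {detail}")
```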


STEP 6 | Click Deploy Sites.

It takes a few minutes to deploy the sites; you can view the status of the deployment on the
Job History page. A separate job is created for each site deployed.

Sites deployed using the template are listed on the Site Template page, and the original
configuration values can be downloaded using the download Site Data option. You can Unbind

After deploying the site, you can't edit the template. However, if you want to reuse the
template, download the template, edit it as per your need, and import the edited template to
reuse it.
You can download a copy of the current site configuration (yaml) from the site view by clicking
the Download icon. Downloading the site configuration helps to keep template backups to
re-provision or make a site modification. The template is downloaded in a Jinja format. If there is
no data, you get a notification that there is no data to export.

Device Pre-Staging

Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

The ION device shell allows you to create elements, visualize the network, and do simple
configurations. You can now pre-stage device configurations before the hardware becomes
available to accelerate deployment. This new approach is referred to as the ‘Device Shell’. If there
are device-related attributes in the template, then when deploying using the site template, enter
the serial number of the device that should be attached to the site. If you don't have a physical
device serial number, or if the device isn’t available at the time of deployment, a virtual
configuration (an element shell) is created that associates a device with the site.
A device shell icon represents a virtual configuration. The shell acts as a placeholder device; when
the physical device is ready, you assign it to the shell. After the device is associated with the shell,
all the configurations are transferred to the device and the shell ceases to exist.
Associate a Device with the Shell

Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Site templates offer the capability to pre-stage site and device configurations if the hardware is
inaccessible or offline during deployment. This feature, known as the Device Shell, allows the
creation of elements, network visualization, and basic configurations.
When deploying a site using a site template, if you input the device serial number, and if the
device is available, unclaimed, and online during the site deployment, it will be provisioned as
part of the deployment process. However, if the physical device's serial number is unavailable or
the device is inaccessible during deployment, a virtual configuration, termed as Device Shell, is
generated to preconfigure the device within the site. When the device is available, you can attach
the physical device to this device shell to finalize the deployment of the site.
A device shell icon represents an ION device that has not been assigned to that element yet.
When a device is allocated to the tenant and is online, it can be assigned to the device shell at the
site from the Unclaimed state. At this point, the configuration from the device shell is transferred
to the actual device, and the device shell is deleted.
There are two ways of assigning a device to a shell:


• Device shell is deployed and listed under Claimed Devices


1. Navigate to Workflows > Prisma SD-WAN Setup > Devices.
2. Select the device from the Claimed Devices, if the device shell is already deployed and listed
under Claimed Devices.
3. From the ellipsis menu, select Assign the Device to shell.

Only an unclaimed device can be assigned to a device shell.


4. From the Assign Device dialog, select an unclaimed device to assign to the device shell, and
select Assign.
After assigning, the shell icon is removed from the web interface and the device changes to
the Assigned state. If a device has already been claimed, unclaim it before making any new
assignments.
If you know the serial number of the device, you can directly update it in the table when
deploying a site. Internally, the serial number is associated with the device when the device
is available in the controller.


• The device is listed under Unclaimed Devices


1. If the device is listed under Unclaimed Devices, select a device from Unclaimed Devices.
2. From the ellipsis menu, select Assign to Device shell to select the device shell for the
selected device.

3. If there are multiple device shells, select and Assign a device shell for the device.

Manage Data Center Clusters


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

You can have visibility and control over the horizontal scaling of data center clusters.
In your Prisma SD-WAN configuration, you can configure one or more clusters to determine
which data center communicates with which branch sites and to create a secure connection (VPN)
between the data center and branch devices. For example, you can have the following clusters:
• First Cluster—The first cluster is created automatically when the Data Center site is created.
• Default Cluster—The default cluster is the one you designate. Once you mark one of the
existing clusters as the default cluster, all branch sites created subsequently will map to this
particular cluster. The first cluster is the default cluster automatically until you mark another
cluster you create as the default.
• Peer sites—The sites associated with the data center cluster. For a Data Center site cluster, the
peer sites are its branch sites.
STEP 1 | Select Workflows > Data Centers, and select a site from the list of Data Center sites.


STEP 2 | Click Configurations > Advanced > Show DC Clusters to view the clusters for a data center if
you don't see the clusters on the Configuration page and Configurations > Advanced > Hide
DC Clusters to hide them.

STEP 3 | On the screen, you can see the following details about the current clusters for the data
center:

Fields Description

Cluster Displays the details about all clusters, such as their name and
which cluster is designated as the default cluster.

Tags Displays the details about the tags or labels applied to the
clusters.

Device Displays details about the devices added/assigned to clusters.

Device Serial Displays device serial numbers for any devices assigned to
clusters.

Software Displays the software versions of devices assigned to clusters

Branches/Limit Displays the number of branches currently mapped and the soft
limit set for that cluster.

STEP 4 | Click Add new cluster to add a new cluster for a data center. You can also search for existing
clusters by name, description, or tags on the filter tabs.

1. On the New DC Clusters tab, fill in the NAME, (optional) DESCRIPTION, (optional)
TAGS, (optional) MAXIMUM BRANCH SITE COUNT (SOFT LIMIT) and also check
the box if you want the cluster to SET AS DEFAULT CLUSTER. By checking SET AS


DEFAULT CLUSTER, you will change the current default cluster to the one you are now
creating. Click Create.

If the MAXIMUM BRANCH SITE COUNT (SOFT LIMIT) value is not set, there
will be no limit on the number of branch sites you can add to the cluster (the
practical maximum may differ from user to user). If you provide a value for the MAXIMUM
BRANCH SITE COUNT (SOFT LIMIT), the Hub Cluster Branch Count Limit Exceeded
alarm is raised once the limit is crossed. Although an alarm is generated
when you exceed the soft limit, you are not prevented from adding more branches to
the cluster.
2. Once the cluster is created, you can see the new and existing clusters (if any) on the
Configuration screen to perform other functions listed in Step 5.

STEP 5 | From the ellipsis, you can:


1. Click Assign device to add the devices for the data center clusters. You can select any
available device to assign to the cluster.

You can add only two devices to a cluster by default. However, in cases when
one of the devices is locked for any maintenance, you can add one more device
to that cluster.
2. Click Edit cluster to edit or update an existing cluster. The Edit DC Cluster screen offers the
same fields and operations as the New DC Cluster screen.
3. Click View branch sites to view all the branch sites allocated on the Overlay
Connections screen. On the Overlay tab from the View branch sites option for a cluster,
branch sites are filtered to list only ones that belong to that specific cluster. You can also
see the number of VPNs up versus the total VPNs configured for the cluster.
4. If you want to unset or change the current default cluster, click Unset as default cluster
from the context menu for the current default cluster. Then, you are given the option to
choose a new cluster as the default cluster.
5. If the device is down for some reason, you can click Lock device to lock that device so
the data center cluster associated with the branch sites will not establish the connection
(VPNs) with the locked device after this operation.
6. Click Manage branches on cluster to move or remove branch sites from the current data
center cluster to a target cluster. Add branch sites to the existing data center cluster
from a source cluster by selecting the Add option.

When you choose the cluster, the branch site will only be mapped to a given
cluster and cannot be mapped to more than one cluster. You can also select
no cluster as an option to move the site, which means the branch site will not
establish a VPN with the data center. There will be an outage of VPNs when you
move the branch site from one cluster to another.
7. Click Move branches between devices if you want to move the branch site from one
device to another device within the cluster. You can also see other options on the Move


branches between devices screen. Next, you can choose the device you want to replace
and select the branch site to move.
1. Lock the device that is under maintenance or down.
2. Assign a third device (the replacement).
3. Attach the site WAN interfaces to the third device if you want to bring up the VPNs.
4. Move peer sites from the locked device to the new device (recommended: move them
one by one).
5. Unassign the locked device once all the sites are transferred to the new device.

There will be an outage of VPNs when you move the branch site from one device
to another device within the cluster.
8. Once you click View cluster status, you can view the status of that cluster with the
information on the number of VPN connections added, VPN connections removed, and
the number of VPN connections up for that selected cluster.
9. Click Replace device if you want to replace a device. Replace device serves the same purpose
as Move branches between devices. For example, if one of
the devices is under maintenance or down, you can replace that device with an active
device. Once you choose the device you want to replace, the Device Replacement Wizard
is displayed. Next, select a device to replace the current device.
10. When you want to unassign a device from the cluster, click Unassign device and see all
the devices you can unassign from that cluster.
11. Click Delete cluster to delete any existing clusters you no longer need. If you delete a
default cluster, you select a cluster to be the new default cluster from currently available
clusters.
12. Click Audit Log to view all the data center cluster details, such as URL, API HTTP
method, and other information related to the clusters.

Configure a Site Prefix


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Prisma SD-WAN uses site prefixes to advertise reachability from sites into the SD-WAN fabric.
Site prefixes allow Prisma SD-WAN data center sites to easily advertise routes and reachability to
branch sites. This can also be accomplished using globally scoped static routes in the data center
ION devices, but for simplicity, configuring at the site level may be preferred.

You can configure site prefixes for branch sites, but the preferred method for advertising
branch reachability is through the use of global scope interfaces and static routes.

Configure site prefixes to route traffic for a data center site.


STEP 1 | Select Workflows > Data Centers > <Name of the site>.


STEP 2 | Under IP Prefixes, click Change IP Prefixes.

STEP 3 | On the IP Prefixes screen, click Edit > Edit IP Prefixes > Add IP Prefix. You can add IPv4 and
IPv6 addresses for prefixes and click Save.

STEP 4 | Enter an IP Prefix and click Save.

STEP 5 | (Optional) Click View to view the list of Global IP prefixes and VRF Prefixes attached to the
site.

Configure a DHCP Server


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

The ION device at a branch site can act as a DHCP server to support full router-replacement
deployments. The DHCP server will respond to both DHCP broadcast requests and DHCP unicast
requests in case of DHCP relay downstream. The DHCP server will listen for requests on all
interfaces and serve up IPs, if available in the pool. Leases granted will persist over reboots.
The DHCP server on Prisma SD-WAN supports responding to remote unicast DHCP relay agents.
These agents will send unicast DHCP packets to the interface IP addresses for clients in the
remote network (L3 hop away). One of the routers or switches in the LAN network will act as the
DHCP relay agent. There can be multiple such remote networks.


• For IPv4, only one DHCP server configuration will be allowed for any given subnet.
• DHCP server configuration can include up to 256 different subnets.
• DHCP leases granted before disabling a configuration shall be persistent when the
service is eventually enabled. DHCP leases that are persistent will expire as per the
granted lease expiry time.
• Starting from release 6.2.1, DHCPv6 server support is added. Currently, only LAN-connected
DHCPv6 clients are supported.
• DHCP server is not supported for secondary IP addresses on interfaces.

STEP 1 | Select Workflows > Sites. Select a site for which you want to configure a DHCP server.

STEP 2 | On the site Configuration tab, select Configure DHCP Scopes.

STEP 3 | Click Add DHCP Server to add server details.


STEP 4 | On the Create DHCP Server screen, configure the DHCP Server and its attributes. You can
either choose IPv4 or IPv6 for the IP Protocol.
IPv4
1. Select IPv4.
2. For Subnet, enter the subnet for which the DHCP server is being configured.
3. For Broadcast Address, the address is auto-populated based on the prefix provided in
the Subnet field.
4. For Gateway, enter the default gateway for clients.
5. For Domain Name, enter the domain name for clients.
6. For DNS Servers, enter the domain name servers for clients to resolve DNS requests.
7. For Default Lease Time, enter a lease time each client will get if a user does not request
a particular lease time.
A user sets the default lease time to the lease time they would like all clients to use.
8. For Max lease time, enter a value.
Max lease time is the maximum lease time each client can request. The default lease time
can be the same as max lease time.
9. For Description, enter a description for each instance of the DHCP server, per subnet.
10. Check the Disabled box to disable and uncheck it to enable the configuration.
Disabled provides the ability to temporarily disable the DHCP server instead of deleting
it.
11. For IP Ranges, define multiple start/stop ranges from which allocation will be done when
a broadcast DHCP request from clients or a unicast DHCP relay request from a Layer 3
switch is received.
12. For Static Mappings, Add Static Mapping details.
IP addresses can be assigned to clients by statically mapping IPs to MAC addresses of
the clients.
13. For Custom Options, Add Custom Options like Vendor Class ID, Definition, and Value.
The following data types are supported:

Data Type        Data Sub Type                  Example
------------------------------------------------------------------------------------------------

Boolean                                         option use-zephyr code 180 = boolean
                                                option use-zephyr on
                                                option use code 18 = boolean
                                                option use TRUE
                                                option use code 18 = boolean
                                                option use false

IP Addresses                                    option sql-server-address code 193 = ip-address
                                                option sql-server-address sql.example.com
                                                option sql-server-address code 193 = ip-address
                                                option sql-server-address 10.10.10.2
                                                option sql-server-address code 193 = ip-address
                                                option sql-server-address purpleflombles
                                                option sql-server-address code 193 = ip-address
                                                option sql-server-address 10.10.10.0

IP6 Addresses                                   option sql-server-address code 193 = ip6-address
                                                option sql-server-address 1200:0000:AB00:1234:0000:2552:7777:1313
                                                option sql-server-address code 193 = ip6-address
                                                option sql-server-address 21DA:D3:0:2F3B:2AA:FF:FE28:9C5A
                                                option sql-server-address code 193 = ip6-address
                                                option sql-server-address 3ffe:bbbb:aaaa:aaaa::1

Integer          Unsigned Integer 8             option sql-connection-max code 12 = unsigned integer 8
                                                option sql-connection-max 0
                                                option sql-connection-max code 12 = unsigned integer 8
                                                option sql-connection-max 256

                 Signed Integer 8/Integer 8     option sql-connection-max code 12 = signed integer 8
                                                option sql-connection-max -128
                                                option sql-connection-max code 12 = integer 8
                                                option sql-connection-max 127

                 Unsigned Integer 16            option sql-connection-max code 12 = unsigned integer 16
                                                option sql-connection-max 0
                                                option sql-connection-max code 12 = unsigned integer 16
                                                option sql-connection-max 65535

                 Signed Integer 16/Integer 16   option sql-connection-max code 12 = signed integer 16
                                                option sql-connection-max -32768
                                                option sql-connection-max code 12 = integer 16
                                                option sql-connection-max 32767

                 Unsigned Integer 32            option sql-connection-max code 12 = unsigned integer 32
                                                option sql-connection-max 0
                                                option sql-connection-max code 12 = unsigned integer 32
                                                option sql-connection-max 4294967295

                 Signed Integer 32/Integer 32   option sql-connection-max code 12 = signed integer 32
                                                option sql-connection-max -2147483648
                                                option sql-connection-max code 12 = integer 32
                                                option sql-connection-max 2147483647

Text                                            option sql-server-address code 193 = text
                                                option sql-server-address "!"
                                                option sql-server-address code 193 = text
                                                option sql-server-address cloud
                                                option sql-server-address code 193 = text
                                                option sql-server-address "cloud product"
                                                option sql-server-address code 193 = text
                                                option sql-server-address "\""

String                                          option sql-server-address code 193 = string
                                                option sql-server-address "\\\""
                                                option sql-server-address code 193 = string
                                                option sql-server-address "cloud"
                                                option sql-server-address code 193 = string
                                                option sql-server-address 17:23:19:a6:42:ea:99:7c:2c

Domain-list                                     option sql-connection-max code 12 = domain-list
                                                option sql-connection-max "example.com", "foo.example.com",
                                                "google.com", "h1.gslab.com"

Array of                                        option kerberos-servers code 200 = array of boolean
                                                option kerberos-servers true, false, on, off

Record of                                       option kerberos-servers code 200 = { boolean, integer 32, string }
                                                option kerberos-servers on 23 a
                                                option kerberos-servers code 200 = { signed integer 8, boolean,
                                                ip-address, text }
                                                option kerberos-servers -128 on 10.10.10.1 "cloud service"

Array of Record                                 option new-static-routes code 201 = array of { ip-address,
                                                ip-address, ip-address, integer 8 }
                                                option new-static-routes 10.0.0.0 255.255.255.0
                                                net-0-rtr.example.com 2, 10.0.1.0 255.255.255.0
                                                net-1-rtr.example.com 1

Custom Options can be defined in each configuration instance. These options are for
client consumption.
The ION devices on version 5.2.1 and later support Vendor Class Identifier (VCI) or
option 60 for a DHCP Server. A DHCP client sends an option code 60 (VCI) in its
communication with the DHCP server. On receiving option 60 or VCI, the DHCP


server matches the received VCI with a VCI from its own table. It then returns a value
corresponding to the VCI to the DHCP client.
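A mistyped custom option is handed to every client that asks for it, so it is worth checking definition and value lines before they are saved. The following added example (not Prisma SD-WAN or ION device code) parses the ISC-style definition and value lines from the table above and checks each value against the declared data type, rejecting values an integer width cannot hold, malformed addresses, and records with the wrong number of fields; the hostname rule and the sample lines are constructed assumptions.

```python
"""Check DHCP custom option definition/value pairs in the ISC-style syntax of
the table above (added example; not Prisma SD-WAN or ION device code).
Definition line:  option <name> code <n> = <type>    Value line:  option <name> <value>
Covered: the scalar types in the table, "array of <type>", and records
"{ t1, t2, ... }". The hostname rule and the sample lines are assumptions."""
import ipaddress
import re
import shlex

# Integer widths from the Data Sub Type column and the range each admits.
_INT_RANGES = {}
for _bits in (8, 16, 32):
    _INT_RANGES[f"unsigned integer {_bits}"] = (0, 2 ** _bits - 1)
    _INT_RANGES[f"signed integer {_bits}"] = (-(2 ** (_bits - 1)), 2 ** (_bits - 1) - 1)
    _INT_RANGES[f"integer {_bits}"] = _INT_RANGES[f"signed integer {_bits}"]
# Assumed hostname rule: dhcpd resolves names such as sql.example.com itself.
_HOSTNAME = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")
_DEF_LINE = re.compile(r"^option\s+([\w-]+)\s+code\s+(\d+)\s*=\s*(.+?)\s*$")
_VAL_LINE = re.compile(r"^option\s+([\w-]+)\s+(.+?)\s*$")
_INTEGER = re.compile(r"-?\d+")

def _parse_type(spec):
    """('scalar', name), ('array', inner) or ('record', [scalar names])."""
    spec = spec.strip()
    if spec.startswith("array of"):
        return ("array", _parse_type(spec[len("array of"):]))
    if spec.startswith("{") and spec.endswith("}"):
        return ("record", [f.strip() for f in spec[1:-1].split(",")])
    return ("scalar", spec)

def parse_definition(line):
    """Return (name, code, type_spec) for an 'option NAME code N = TYPE' line."""
    m = _DEF_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an option definition: {line!r}")
    name, code = m.group(1), int(m.group(2))
    if not 1 <= code <= 254:           # 0 (pad) and 255 (end) are reserved
        raise ValueError(f"option code {code} out of range")
    return name, code, _parse_type(m.group(3))

def _tokens(text):
    """Split on whitespace, keeping quoted strings whole; [] on bad quoting."""
    try:
        return shlex.split(text)
    except ValueError:
        return []

def _is_addr(token, cls):
    try:
        cls(token)
        return True
    except ValueError:
        return False

def _scalar_ok(dtype, token):
    """True when one token is a valid value of one scalar data type."""
    if dtype in _INT_RANGES:
        lo, hi = _INT_RANGES[dtype]
        return bool(_INTEGER.fullmatch(token)) and lo <= int(token) <= hi
    if dtype == "boolean":
        return token.lower() in {"true", "false", "on", "off"}
    if dtype == "ip-address":           # a literal IPv4 address or a hostname
        return _is_addr(token, ipaddress.IPv4Address) or bool(_HOSTNAME.match(token))
    if dtype == "ip6-address":
        return _is_addr(token, ipaddress.IPv6Address)
    return dtype in {"text", "string"}  # any single token; quoting checked by shlex

def validate_value(type_spec, value_text):
    """True when value_text is a valid value for the parsed type_spec."""
    kind, inner = type_spec
    if kind == "scalar" and inner == "domain-list":
        items = [i.strip() for i in value_text.split(",")]
        return all(len(i) > 2 and i[0] == i[-1] == '"' and _HOSTNAME.match(i[1:-1])
                   for i in items)
    if kind == "scalar":
        toks = _tokens(value_text)
        return len(toks) == 1 and _scalar_ok(inner, toks[0])
    if kind == "array":                 # elements are comma separated
        return all(validate_value(inner, part) for part in value_text.split(","))
    toks = _tokens(value_text)          # record: one token per declared field
    return len(toks) == len(inner) and all(_scalar_ok(t, v) for t, v in zip(inner, toks))

def check_option(definition_line, value_line):
    """Validate a value line against its definition; return (ok, message)."""
    name, code, type_spec = parse_definition(definition_line)
    m = _VAL_LINE.match(value_line.strip())
    if not m or m.group(1) != name:
        return False, f"value line does not set option {name}"
    if validate_value(type_spec, m.group(2)):
        return True, f"{name} (code {code}) ok"
    return False, f"{name} (code {code}): {m.group(2)!r} does not fit {type_spec}"

if __name__ == "__main__":
    # Constructed sample pairs modelled on the table; the second is out of range.
    for d, v in [
        ("option sql-connection-max code 12 = unsigned integer 8", "option sql-connection-max 200"),
        ("option sql-connection-max code 12 = unsigned integer 8", "option sql-connection-max 256"),
        ("option kerberos-servers code 200 = { signed integer 8, boolean, ip-address, text }",
         'option kerberos-servers -128 on 10.10.10.1 "cloud service"'),
    ]:
        print(check_option(d, v))
```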
IPv6
1. Select IPv6. The ION devices on version 6.2.1 and later support DHCPv6 servers.
2. For Domain Name, enter the domain name for clients.
3. For DNS Servers, enter the domain name servers for clients to resolve DNS requests.
4. For Default Lease Time, enter a lease time each client will get if a user does not request
a particular lease time.
A user sets the default lease time to the lease time they would like all clients to use.
5. For Max lease time, enter a value.
Max lease time is the maximum lease time each client can request. The default lease time
can be the same as max lease time.
6. For Description, enter a description for each instance of the DHCP server, per subnet.
7. Check the Disabled box to disable and uncheck it to enable the configuration.
Disabled provides the ability to temporarily disable the DHCP server instead of deleting
it.
8. For IP ranges, define multiple start/stop ranges from which allocation will be done when
a broadcast DHCP request from clients is received.
9. For Static mappings, Add Static Mapping details.
IP addresses can be assigned to clients by statically mapping IPs to DUID of the clients.

For release 6.2.1, custom options are not supported.

Click Create & Exit to complete the DHCP Server configuration.


STEP 5 | Click Restart DHCP Servers to restart the DHCP service whenever required.

Configure NTP for Prisma SD-WAN


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Network Time Protocol (NTP) is used to synchronize time between distributed time servers and
clients.
NTP Client has the capability to receive time from one or more time sources (NTP servers) using
Network Time Protocol (NTP). An NTP Client can synchronize time by polling an NTP server. The
ION device acts as an NTP Client and synchronizes its time with the configured NTP Servers.
Synchronizing a client with an NTP server involves several packet exchanges, wherein each
exchange consists of a request and a reply. NTP uses UDP/IP packets for data transfer due to
faster connection and response times.
In addition to NTP configuration, the Prisma SD-WAN web interface provides NTP configuration
templates at the tenant level. When you claim a device, it creates an NTP configuration by default.
The NTP configuration will have the following pre-configured set of time sources. The maximum
number of time sources or NTP servers supported per ION device is 10.

Host Version Minpoll Maxpoll

0.cloudgenix.pool.ntp.org 4 9 10

1.cloudgenix.pool.ntp.org 4 9 10

2.cloudgenix.pool.ntp.org 4 9 10

3.cloudgenix.pool.ntp.org 4 9 10

time.nist.gov 4 13 15

Prisma SD-WAN also provides an implicit Controller Time Source (CTS), which is available for use
as a system fail-safe when no other time source is reachable. It is intended only as a fail-safe
because the accuracy of time from the Controller is very low compared to typical Stratum 1 or
Stratum 2 clocks that can supply time using NTP.
• Create NTP Configuration Templates
• Add or Edit NTP Server Configuration
• Configure NTP Servers
• Load NTP Configuration from a Template

Create NTP Configuration Templates


STEP 1 | Select Manage > Resources > Configuration Profiles > NTP Templates.


STEP 2 | Click Create NTP Template.

STEP 3 | On the Create New NTP Template screen, enter a Name, (Optional) Description, and
(Optional) add a Tag.
You may add new NTP servers or edit information for existing NTP servers.

STEP 4 | Click Save.

Add or Edit NTP Server Configuration


STEP 1 | Select Workflows > Devices > Claimed, select a device and select the option Configure the
device from the ellipsis menu.

STEP 2 | Select Manage > Resources > Configuration Profiles > NTP Client tab.

STEP 3 | Click Add NTP Server to add a new NTP server, or click Edit for an NTP server record to
change information for an existing NTP server.
You can remove a time source by clicking Remove at the time source record.

STEP 4 | On the Edit NTP Server screen, you can add or change the host IP address or domain name
in the Host field.

STEP 5 | Change the NTP versions if needed in the Version field.


NTP versions 2, 3 and 4 are supported.

STEP 6 | Enter values for minimum polling interval in the Min Poll field and maximum polling interval
in the Max Poll field.
The Min Poll and Max poll values specify the minimum and maximum polling intervals for NTP
messages in seconds as a power of two.
For example, a Min Poll value of 4 indicates a polling interval of 16 seconds. The values of Min
Poll and Max Poll can be set between 4 and 17.
You can force an NTP client to poll an NTP server instantly by clicking the refresh button on
the NTP Client screen. This is an on-demand synchronization, after which polling will continue
as per the values set in the Min Poll and Max Poll fields.

STEP 7 | Click Save.


Configure NTP Servers


STEP 1 | Select Workflows > Devices > Claimed, select a device and select the option Configure the
device from the ellipsis menu.

STEP 2 | Select the NTP Client tab.

STEP 3 | Enter a name for the NTP configuration in the Name field.
You can create NTP configuration from an existing template by clicking Load from Template.

STEP 4 | (Optional) Select one or more source interfaces from the Source Interfaces drop-down. You
can now select the associated VRF interfaces (global or custom).
A source interface is the interface used for sending a request to an NTP server. A source
interface can include PPPoE or sub-interfaces with IP addresses. This does not include VPN
interfaces. Up to 10 source interfaces are supported.
You cannot delete a sub-interface or PPPoE that is configured as a source interface. If a port is
configured as a member of a bypass pair, it cannot be used as a source interface for NTP.

STEP 5 | Add a (Optional) Description and enter a (Optional) Tag in the respective fields.

STEP 6 | Add additional NTP sources by clicking Add NTP Server.


To Edit information for an NTP Server, select NTP Server Record from the ellipsis menu. You
may also view the status of the configured NTP servers.

STEP 7 | Click Save.


You may save the created NTP client configuration as a template by clicking Save As
Template. This template can be used to create an NTP configuration by using the Load from
Template option.

Load NTP Configuration from a Template


STEP 1 | Select Workflows > Devices > Claimed, select a device and select the option Configure the
device from the ellipsis menu.

STEP 2 | Select the NTP Client tab.

STEP 3 | Click Load from Template.


STEP 4 | Select the required template from the drop-down.


Information from the selected NTP template is displayed in the NTP configuration.

STEP 5 | Click Save.

Enable IoT Device Visibility in Prisma SD-WAN


Where Can I Use This?          What Do I Need?

• Prisma SD-WAN                Prisma SD-WAN license
                               IoT Security license
                               Prisma Access Remote Networks license

Prisma SD-WAN with Strata Cloud Manager supports IoT device visibility to identify devices in
your network. Prisma SD-WAN branch ION devices inspect packets, extract information, and
generate messages to send to Strata Logging Service in a specific format.
IoT Security obtains this information from Strata Logging Service and lists all the devices
discovered in its portal. It also lists details such as IP address, MAC address, vendor details, and so
on, for greater visibility. IoT Security must have visibility into network traffic to discover, identify,
and monitor the network behaviors of devices.

When integrating IoT Security with Prisma Access, IoT Security relies on the Traffic logs that
Prisma Access provides to analyze traffic at the branch sites that Prisma Access serves. Although
Prisma Access can log outbound and inbound traffic from the sites it protects, it can't log traffic
that never reaches it; that is, the traffic between devices at the same branch site.
Of particular importance to IoT Security is network traffic with services such as DHCP and ARP
that link an IP address assigned to a device with its MAC address. In an environment where
devices are assigned IP addresses dynamically through DHCP, it's difficult to use IP addresses
alone to track the network activity of devices because they can each have multiple IP addresses
over a period of time. By having visibility into DHCP traffic, IoT Security can update the IP
address of a device when it changes. Similarly, by having visibility into ARP traffic (gratuitous ARP


announcements, for example), IoT Security can track how IP addresses correspond to device MAC
addresses.
Once IoT Security has an IP address-to-device mapping, it can use its AI and machine learning
engines to monitor and analyze the network activities of the device over time. It can form a
baseline of the normal device network behaviors, determine its identity, inform you of any known
vulnerabilities, and detect anomalous network behaviors indicating risk.
When a DHCP server is at a branch site, DHCP traffic will never reach Prisma Access. Neither
will ARP traffic, which only occurs within a Layer 2 broadcast domain. But, it's possible for ION
devices at branch sites to see DHCP traffic. If they’re in the same Layer 2 broadcast domain, then
the branch ION devices can also see the ARP traffic that devices generate. When integrated with
IoT Security, Prisma SD-WAN ION devices log this traffic and forward their logs to Strata Logging
Service where IoT Security accesses them for analysis.
To support IoT device visibility in Prisma SD-WAN, you need the following licenses and
subscriptions in the same tenant service group (TSG) that Prisma SD-WAN belongs to:
• Prisma Access for Remote Networks with Strata Logging Service
• IoT Security
IoT Security depends on the information extracted from the IoT device traffic, such as DHCP
& ARP, for device classification and risk assessment. Prior to Release 6.3.1, users adopting IoT
Security lacked visibility into the traffic generated by IoT devices that was local to the branch, or
traveled via WAN links outside of Prisma Access. This limited the scope of visibility to directly
connected devices or to packets that traversed the Prisma SD-WAN branch ION device.
Starting with Release 6.3.1, Prisma SD-WAN supports the discovery of devices not directly
connected to the Prisma SD-WAN branch ION devices. The system uses SNMP (Simple Network
Management Protocol) with LLDP (Link Layer Discovery Protocol) to discover IoT devices within a
branch network.

Prisma SD-WAN does not support Cisco Discovery Protocol (CDP) to discover devices.

With LLDP, each IoT device transmits its device information to its neighboring networking devices
(such as switches and routers). This information is available in the Management Information
databases (MIBs). The ION device launches an SNMP MIB (management information base) query
to retrieve the IP address and MAC address entries of the IoT devices.
The ION device then retrieves the LLDP neighbors of the neighboring devices, one at a time, to get
their IP or MAC address bindings. This process of recursively discovering devices, known as
“crawling”, continues until the ION device discovers all its neighbors.
The ION device sends the discovered IP or MAC address bindings (along with information such
as VLAN, subnets, and so on) as part of the Enhanced Application logs (EAL) to Strata Logging
Service. IoT Security consumes these logs and provides visibility in the IoT Security portal.
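As an added illustration of the crawl just described (not the ION device's implementation, whose internals this guide does not show), the following Python simulates SNMP answers from a few switches and walks the LLDP neighbor graph breadth first from a seed address; the device table, the field names and the hop limit are constructed assumptions. It shows why a visited set and a hop cap matter when the neighbor graph contains loops, how a device that does not answer SNMP is reported rather than aborting the crawl, and how an IP reported with two different MACs is flagged for review.

```python
"""Simulation of the LLDP/SNMP "crawl" described above (added example; not the
ION device's implementation). Each networking device answers an SNMP query with
its LLDP neighbor list and the IP-to-MAC bindings it knows. The crawler starts
at a seed address, walks the neighbor graph breadth first, and reports what it
learned. The device table, field names and hop limit are constructed assumptions."""
from collections import deque

# Constructed SNMP answers keyed by management IP. In a real crawl these would
# come from the LLDP-MIB remote table and the ARP/IP tables of each device.
FAKE_SNMP = {
    "10.1.0.1": {  # core switch next to the ION device (seed)
        "lldp_neighbors": ["10.1.0.2", "10.1.0.3"],
        "bindings": [("10.1.10.20", "00:11:22:33:44:01", 10)],
    },
    "10.1.0.2": {  # access switch; lists the core as a neighbor too (loop)
        "lldp_neighbors": ["10.1.0.1", "10.1.0.4"],
        "bindings": [("10.1.10.21", "00:11:22:33:44:02", 10),
                     ("10.1.20.7", "00:11:22:33:44:03", 20)],
    },
    # "10.1.0.3" is deliberately absent: its SNMP access list does not yet
    # allow the ION device as a source, so the query gets no answer.
    "10.1.0.4": {  # far-end access switch, two hops from the seed
        "lldp_neighbors": ["10.1.0.2"],
        "bindings": [("10.1.20.8", "00:11:22:33:44:04", 20),
                     ("10.1.10.21", "00:11:22:33:44:ff", 10)],  # same IP, other MAC
    },
}


def snmp_query(address):
    """Stand-in for an SNMP walk of one device; None means no answer."""
    return FAKE_SNMP.get(address)


def crawl(seed, query=snmp_query, max_hops=8):
    """Breadth-first crawl of the LLDP neighbor graph from `seed`.

    Returns a dict with:
      bindings     ip -> (mac, vlan); the first device to report an IP wins
      visited      management IPs that answered SNMP
      unreachable  management IPs that did not answer
      conflicts    (ip, mac_kept, mac_seen_later) for IPs reported with two MACs
    """
    visited, unreachable, conflicts = set(), set(), []
    bindings = {}
    queue = deque([(seed, 0)])
    while queue:
        addr, hops = queue.popleft()
        if addr in visited or addr in unreachable:
            continue                       # loop in the LLDP graph, skip it
        reply = query(addr)
        if reply is None:
            unreachable.add(addr)          # report it, do not abort the crawl
            continue
        visited.add(addr)
        for ip, mac, vlan in reply["bindings"]:
            known = bindings.setdefault(ip, (mac, vlan))
            if known[0] != mac:            # stale ARP entry or an address conflict
                conflicts.append((ip, known[0], mac))
        if hops < max_hops:                # bound the walk even on a large LAN
            queue.extend((nb, hops + 1) for nb in reply["lldp_neighbors"]
                         if nb not in visited)
    return {"bindings": bindings, "visited": visited,
            "unreachable": unreachable, "conflicts": conflicts}


if __name__ == "__main__":
    result = crawl("10.1.0.1")
    print("visited:   ", sorted(result["visited"]))
    print("no SNMP:   ", sorted(result["unreachable"]))
    print("conflicts: ", result["conflicts"])
    for ip, (mac, vlan) in sorted(result["bindings"].items()):
        print(f"  {ip:<12} {mac}  vlan {vlan}")
```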

You might need to modify security in the IoT devices to allow SNMP from a new source.

The following steps explain how to onboard IoT Security and Prisma SD-WAN to Prisma Access
as add-ons and how Prisma SD-WAN ION devices extend IoT Security visibility into their branch
sites.


STEP 1 | Add IoT Security and Prisma SD-WAN as Prisma Access add-ons.
Follow the steps in Activate a License for Panorama-Managed Prisma Access through Common
Services, and ensure to include IoT Security and Prisma SD-WAN as add-ons. You can onboard
them together or at different times.
When you onboard and enable both IoT Security and Prisma SD-WAN to a Prisma Access
(Managed by Panorama) account, the Prisma SD-WAN Controller automatically enables IoT
device visibility on ION devices at all branch sites that belong to the corresponding tenant
service group (TSG). The Prisma SD-WAN Controller learns the ID and FQDN of the Strata
Logging Service instance in its TSG and automatically gets the device certificate and distributes
it to ION devices to use when authenticating themselves to Strata Logging Service. The
controller then instructs the ION devices to log the DHCP and ARP traffic they detect on their
networks and forward their logs to Strata Logging Service.

ION devices send ARP Traffic logs by default but you must configure them as either
a DHCP relay agent or DHCP server to send DHCP Traffic logs to Strata Logging
Service.

IoT Security accesses the log data in Strata Logging Service and uses machine learning
algorithms to analyze it. Through its analysis, IoT Security discovers and identifies devices on
the network and deduces their usual network behaviors. IoT Security generates alerts when
there is anomalous network activity and detects device vulnerabilities and potential threats.
You can view the results of its analysis in the IoT Security portal.

STEP 2 | (Optional) Control the sites that can forward logs to the Strata Logging Service from the
Prisma SD-WAN web interface.
When a TSG for Prisma Access includes both the IoT Security and Prisma SD-WAN add-ons,
Prisma SD-WAN enables IoT Security visibility by default on the ION devices at all the branch
sites.
However, if you want to disable it on a particular site, log in to Prisma SD-WAN, select
Workflows > Sites, select the site, and toggle IoT Device Visibility off. This disables IoT Device
Visibility on all ION devices at that site.


STEP 3 | View device information learned from Prisma SD-WAN sites in the IoT Security portal.
1. Navigate to the IoT Security portal and select the Devices tab to view device details.

After IoT Security receives data in Traffic logs from Prisma SD-WAN ION devices and
starts discovering and identifying network-connected devices at branch sites, it displays
its findings in the Inventory table on the Devices page in the IoT Security portal. For
each device that IoT Security learned from Prisma SD-WAN, it displays various device
attributes such as its IP and MAC address, device category, vendor, model, and OS, as
well as several identifying attributes of the ION devices that provided the logs, such as:
• Prisma SD-WAN site name
• Prisma SD-WAN device name
• Prisma SD-WAN interface name

2. (Optional) Click a device to view details such as Prisma SD-WAN site, device, and
interface names.


Create an IoT Discovery Profile in Prisma SD-WAN

Where Can I Use This? What Do I Need?

• Prisma SD-WAN Prisma SD-WAN license, IoT Security license, and Prisma Access Remote Networks license

Create an IoT discovery profile that will have global configurations and can be associated with
sites. Since most of the configuration would be common across sites, the IoT discovery profile can
be used for multiple sites.
STEP 1 | Select Manage > Resources > Configuration Profiles > IoT Discovery.

STEP 2 | Click Add Profile.

STEP 3 | Add configuration details for the profile.


1. Add a Profile Name.
2. (Optional) Enter a Description.
3. Enable Automated SNMP Discovery to enable SNMP discovery for all sites having this
profile.

Automated SNMP Discovery is enabled by default. You can turn this off to
disable SNMP discovery for this profile.
4. (Optional) Enable Use local neighbors to enable local SNMP discovery.

This option is available only for branch ION devices.

5. Choose an interval for Network Discovery Schedule for Every 6, 12, or 24 hours.

This site-level configuration specifies how often a branch ION device determines the
list of networking devices (either from a starting/seed address or from the LLDP/CDP
neighbors), that is, how often the ION device can run the SNMP MIB query to discover
the LLDP neighbors in the network. The default value is 24 hours.
6. Enter a time interval for the Device Discovery Schedule.
The time entered for the Device Discovery Schedule should be less than or equal to the
time entered for the Network Discovery Schedule.
7. Set discovery credentials for an SNMP Version.
Prisma SD-WAN supports SNMP versions v2 and v3.
• For SNMPv2, enter an SNMP Community String.
The default value is public.
• For SNMPv3, select a Security Level.
• Noauth—Enter a Username.
• Auth—Enter a Username, Authentication Protocol (None, MD5, or SHA128
(default)), and an Authentication Password.
• Private—Enter a Username, Authentication Protocol (None, MD5, or SHA),
Privacy Protocol (None, AES, DES), and an Authentication Password.
8. Click Submit.
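The constraints in the steps above (the schedule choices, the bound on the Device Discovery Schedule, and the credential fields each SNMPv3 Security Level requires) can be checked before a profile is pushed to sites. The following Python script is an added example, not Prisma SD-WAN code or an API it exposes: it models a profile as a dict whose key names are an assumed mirror of the web-interface fields, enforces the rules stated above, and additionally flags the unchanged default community string and weak SNMPv3 protocol choices as warnings (an added check, not a rule from the guide). The two sample profiles are constructed.

```python
"""Added example (not Prisma SD-WAN code): validate an IoT discovery profile
against the constraints described in the steps above.

The profile is a plain dict whose keys are an assumed representation of the
web-interface fields (name, network_discovery_hours, device_discovery_hours,
snmp_version, community, security_level, username, auth_protocol,
auth_password, privacy_protocol).
"""
from __future__ import annotations

NETWORK_SCHEDULE_HOURS = (6, 12, 24)       # Network Discovery Schedule choices; default 24
SECURITY_LEVELS = ("Noauth", "Auth", "Private")
# Authentication protocols the guide lists for each SNMPv3 security level.
AUTH_PROTOCOLS = {"Auth": ("None", "MD5", "SHA128"), "Private": ("None", "MD5", "SHA")}
PRIVACY_PROTOCOLS = ("None", "AES", "DES")


def validate_profile(profile: dict) -> dict:
    """Return {"errors": [...], "warnings": [...]}.

    Errors are violations of rules stated in this section; warnings flag
    credential choices the guide allows but that give weak protection
    (an added check, not a rule from the guide).
    """
    errors: list[str] = []
    warnings: list[str] = []

    if not profile.get("name"):
        errors.append("Profile Name is required")

    # Network Discovery Schedule: every 6, 12, or 24 hours (default 24).
    network_hours = profile.get("network_discovery_hours", 24)
    if network_hours not in NETWORK_SCHEDULE_HOURS:
        errors.append(f"Network Discovery Schedule must be 6, 12, or 24 hours (got {network_hours})")

    # Device Discovery Schedule must not exceed the Network Discovery Schedule.
    device_hours = profile.get("device_discovery_hours")
    if device_hours is None:
        errors.append("Device Discovery Schedule is required")
    elif network_hours in NETWORK_SCHEDULE_HOURS and device_hours > network_hours:
        errors.append(
            f"Device Discovery Schedule ({device_hours}h) must be less than or equal to "
            f"the Network Discovery Schedule ({network_hours}h)"
        )

    version = profile.get("snmp_version")
    if version == "v2":
        # The guide's default community string is "public"; flag it when unchanged.
        if profile.get("community", "public") == "public":
            warnings.append("SNMPv2 community string is still the default 'public'")
    elif version == "v3":
        level = profile.get("security_level")
        if level not in SECURITY_LEVELS:
            errors.append(f"SNMPv3 Security Level must be one of {SECURITY_LEVELS} (got {level})")
            return {"errors": errors, "warnings": warnings}
        if not profile.get("username"):
            errors.append("SNMPv3 Username is required")
        if level in ("Auth", "Private"):
            auth = profile.get("auth_protocol")
            if auth not in AUTH_PROTOCOLS[level]:
                errors.append(f"Authentication Protocol for {level} must be one of "
                              f"{AUTH_PROTOCOLS[level]} (got {auth})")
            elif auth == "None":
                warnings.append(f"Security Level {level} with Authentication Protocol None "
                                "does not authenticate SNMP responses")
            elif auth == "MD5":
                warnings.append("MD5 authentication is weak; prefer SHA")
            if not profile.get("auth_password"):
                errors.append("Authentication Password is required for Auth and Private")
        if level == "Private":
            priv = profile.get("privacy_protocol")
            if priv not in PRIVACY_PROTOCOLS:
                errors.append(f"Privacy Protocol must be one of {PRIVACY_PROTOCOLS} (got {priv})")
            elif priv != "AES":
                warnings.append(f"Privacy Protocol {priv} gives no or weak confidentiality; prefer AES")
    else:
        errors.append(f"SNMP Version must be v2 or v3 (got {version})")

    return {"errors": errors, "warnings": warnings}


# Constructed sample profiles (not from the guide).
GOOD_PROFILE = {
    "name": "branch-iot", "network_discovery_hours": 24, "device_discovery_hours": 12,
    "snmp_version": "v3", "security_level": "Private", "username": "iot-discovery",
    "auth_protocol": "SHA", "auth_password": "example-auth-secret", "privacy_protocol": "AES",
}
WEAK_PROFILE = {
    "name": "lab", "network_discovery_hours": 12, "device_discovery_hours": 24,
    "snmp_version": "v2",
}

if __name__ == "__main__":
    for label, prof in (("good", GOOD_PROFILE), ("weak", WEAK_PROFILE)):
        print(label, validate_profile(prof))
```

Running the script prints the result for both constructed profiles; the weak profile fails because its Device Discovery Schedule (24 hours) exceeds its Network Discovery Schedule (12 hours), and it is warned about the default community string.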

Attach an IoT Discovery Profile to a Site

Where Can I Use This? What Do I Need?

• Prisma SD-WAN Prisma SD-WAN license, IoT Security license, and Prisma Access Remote Networks license

Attach an IoT discovery profile to a site to enable SNMP discovery for the site. When you attach
an IoT discovery profile to a site, and the profile has Automated SNMP Discovery enabled, the
SNMP discovery process begins for the site. Removing the profile from the site will stop the
SNMP discovery process.
STEP 1 | Select Manage > Resources > Configuration Profiles > IoT Discovery.
You can view the profiles attached to all the sites for a tenant.

STEP 2 | Click Manage Site to Profile bindings.

STEP 3 | Select an IoT Discovery Profile for a site.

STEP 4 | Click Save.

You can assign a profile to multiple sites by selecting Change Profile (Bulk).

Alternatively, to assign a profile to a site, select a site, click Site Configuration and select an
IoT Discovery Profile.


Configure a Security Policy Rule for SNMP


Configure a security policy rule that allows SNMP from all sources. Create a new security policy
rule, add it to a security policy stack, and bind the stack to a site.
STEP 1 | Configure Services for the security policy rule.
1. Select Custom for Protocol and enter a value of 161.

STEP 2 | On the Apps screen, select snmp-base and snmp-trap.

STEP 3 | Save the rule.

Configure IoT SNMP Start Nodes

Where Can I Use This? What Do I Need?

• Prisma SD-WAN Prisma SD-WAN license, IoT Security license, and Prisma Access Remote Networks license

You can configure a branch site ION device or a DC ION device as a start node for the discovery
process. In this configuration you can specify a list of IP addresses (IPv4) that can be used as the
start address for network discovery and subsequent device discovery.


Each site supports a maximum of 128 such starting endpoints. It also supports a scope (per
starting address) that limits the discovery to a set of devices within the specified scope. The IP
addresses configured in the list should be reachable from the ION devices that are associated with
the site.
STEP 1 | Select Sites, select a site and click Configure IoT SNMP Start Nodes.

STEP 2 | Add a Name.

STEP 3 | Enter a Start Node.


This is the IP address that the ION device uses as a starting point for network and device
discovery.

STEP 4 | (Optional) Enter a Description and Tags.

STEP 5 | (Optional) Enter separate subnets for Subnets Scope.


A maximum of eight subnets can be entered per start node. This limits the discovery to a set of
devices within the specified scope.

STEP 6 | Click Save.

Set a Source Interface for IoT SNMP Discovery

Where Can I Use This? What Do I Need?

• Prisma SD-WAN Prisma SD-WAN license, IoT Security license, and Prisma Access Remote Networks license

The ION device uses the controller port address or the management interface address as
the default source interface for discovery. For devices that do not have a controller port or
management interface, you can change the source interface.
STEP 1 | Select Device > Interfaces > IOT SNMP Discovery Source Interface.

STEP 2 | Select Yes for IOT SNMP Discovery Source Interface.


STEP 3 | Select a source interface and click Save.


You can select any virtual interface or sub-interface as the Source Interface.
The ION device uses the interface configured as the source interface for discovery. If you
have not configured an interface, the system uses the following sequence for all active/VPN
interfaces to decide the source interface:
• Controller port
• Controller interface
• WAN interfaces
• LAN interfaces
• VPN links

The ION device does not support multiple source interfaces.

View Flows Tab


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

STEP 1 | Select Monitor > Activity > Flows.


The Flows chart displays the last 1000 flows for the selected time range, which can be up to
one hour. You can filter flows for individual applications, devices, paths, and WANs. Sort the
data by any of the columns displayed in the flow browser table.

STEP 2 | Click any flow to view detailed information on the attributes of the flow.
• Flow decision bitmap.
• Source and Destination IP and Port.
• Application Name, category, information on the parent application and the transaction type.
• Path and Priority policy set-specific information, such as policy set, policy rule, source,
destination prefix, network context, and the priority class. The Path and QoS policy rule
name lets you navigate to the edit screen of that rule where you can view and edit the rule.
• Security information like the Security Policy rule applied, zone the flow originated and
terminated in, and the action applied.
• Flow characteristics such as direction, start time, last activity time, and information on a
new flow.
• TCP session metrics like SYN, RST, FIN, transaction-related metrics like SACK, OOO
packets, and retransmit bytes and packets.
• Application Performance metrics like SRT and RTT.

STEP 3 | Hover over the Flow Decision Bitmap to see the detailed decisions taken for a flow as it was
processed.


STEP 4 | Click Advanced Info under a flow record to see the Flow Decision Data.
The Flow Decision Data, in addition to Flow Decision Bitmap, provides detailed information
on path evaluations made as the flow was processed.

Flow Detail

Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

The Flow Detail provides information on the following attributes of the flow:

Field Description

Flow Decision Bitmap Lists the decisions taken for the flow as it was processed.

Source IP (Port) Source IP and port of the flow origin (depending on the direction
of the flow).

Destination IP (Port) Destination IP and port of the destined address of the flow
(depending on the direction of the flow).

Application Name Name of the application for a particular flow or transaction.

Application Category Application category for the flow.

Alt Application Alternate application is usually the parent application.

Security Policy Rule Security policy rule(s) that are applied for the flow.

Source Zone Source zone (Zone Based Firewall) for the flow.

Destination Zone Destination zone for the flow.

Action Action (allow or deny) taken by the security policy rule applied to the flow.

Path Policy Set Path policy set used for the flow.

Path Policy Rule Path policy rule used for the flow.

Path Network Context Path policy context used for the flow.

Path Source Prefix Path source prefix used for the flow.

Path Destination Prefix Path destination prefix used for the flow.

QoS Policy Set QoS policy set used for the flow.

QoS Policy Rule QoS policy rule used for the flow.


QoS Network Context QoS network context used for the flow.

QoS Source Prefix QoS source prefix used for the flow.

QoS Destination Prefix QoS destination prefix used for the flow.

Protocol Protocol detected for that particular flow.

Chosen WAN Path WAN path chosen for that particular flow.

Endpoint Endpoint for the flow.

Traffic Type Traffic type such as transactional, bulk, rt-audio or rt-video.

Priority Class Priority Class as defined by the Priority Policy.

Flow Direction Flow direction at the start of transaction.

Start Time Time when the first packet in this flow was detected.

Last Activity Time of the flow when the last packet was detected.

New Flow First record for this flow that was detected in the current time
window.

Packets Number of packets exchanged between client and server.

Bytes Number of bytes exchanged between client and server.

DSCP Fields Seen (LAN > WAN) DSCP markings seen in the LAN-to-WAN direction, used to
change the priority of the packets as they traverse the network.

DSCP Fields Seen (WAN > LAN) DSCP markings seen in the WAN-to-LAN direction, used to
change the priority of the packets as they traverse the network.

OOO Packets Out of order packets from the client to a server and the server to
a client.

SACK Packets Selective acknowledgment of the packets.

Retransmit Packets Number of TCP retransmit packets.

Retransmit Bytes Number of TCP retransmit bytes.

RST Number of TCP reset packets sent.

SYN Number of TCP SYN packets sent.

FIN Number of TCP FIN packets sent.


VLAN Displays the VLAN used for the flow.

average_rtt Average round trip time calculated.

average_srt Average server response time.

average_pg Average inter-packet gap (a measure of network congestion and
packet loss) calculated.

init_success Indicates if the TCP session initiation was successful.

max_rtt Maximum round trip time detected.

max_srt Maximum server response time at the application level.

max_pg Maximum inter-packet gap (a measure of network congestion and
packet loss) detected.

min_rtt Minimum round trip time detected.

min_srt Minimum server response time at the application level.

min_pg Minimum inter-packet gap (a measure of network congestion and
packet loss) detected.

success_transactions Number of successful transactions.
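The Flow Detail fields separate three kinds of problem: a security policy deny (Action, Security Policy Rule), a bad path (Retransmit Packets, OOO Packets, Chosen WAN Path), and a slow server (max_srt while the RTT is normal). The Python script below is an added example, not Prisma SD-WAN code: it triages a list of flow records whose keys are the Flow Detail field names in snake_case (an assumed representation, since the guide defines no export format for the flow browser), on constructed sample records and with assumed thresholds.

```python
"""Added example (not Prisma SD-WAN code): triage flow records using the
Flow Detail fields listed above.

The records are constructed; their keys are the Flow Detail field names in
snake_case (an assumed representation). Thresholds are assumptions for this
example, not values from the guide.
"""
from __future__ import annotations

RETRANSMIT_RATIO_MAX = 0.10   # Retransmit Packets / Packets
OOO_RATIO_MAX = 0.10          # OOO Packets / Packets
MAX_SRT_MS = 1000             # max_srt (server response time), milliseconds assumed

# Constructed sample flow records (addresses are RFC 1918 / documentation ranges).
SAMPLE_FLOWS = [
    {   # healthy HTTPS flow
        "source_ip": "10.20.1.15", "destination_ip": "203.0.113.10", "protocol": "TCP",
        "application_name": "https", "security_policy_rule": "allow-web", "action": "allow",
        "chosen_wan_path": "Internet-1", "packets": 400, "retransmit_packets": 4,
        "ooo_packets": 2, "syn": 1, "rst": 0, "fin": 2, "init_success": True,
        "average_rtt": 35, "max_rtt": 80, "average_srt": 120, "max_srt": 300,
    },
    {   # blocked by the zone-based firewall: one SYN, no session
        "source_ip": "10.20.1.77", "destination_ip": "10.50.0.9", "protocol": "TCP",
        "application_name": "smb", "security_policy_rule": "deny-lan-to-dc-smb", "action": "deny",
        "chosen_wan_path": "-", "packets": 1, "retransmit_packets": 0,
        "ooo_packets": 0, "syn": 1, "rst": 0, "fin": 0, "init_success": False,
        "average_rtt": 0, "max_rtt": 0, "average_srt": 0, "max_srt": 0,
    },
    {   # allowed, but the chosen path is lossy and the server is slow
        "source_ip": "10.20.1.30", "destination_ip": "10.50.0.20", "protocol": "TCP",
        "application_name": "erp-app", "security_policy_rule": "allow-erp", "action": "allow",
        "chosen_wan_path": "MPLS-1", "packets": 200, "retransmit_packets": 40,
        "ooo_packets": 25, "syn": 1, "rst": 1, "fin": 0, "init_success": True,
        "average_rtt": 90, "max_rtt": 400, "average_srt": 800, "max_srt": 2500,
    },
]


def _ratio(part: int, whole: int) -> float:
    """Fraction of packets, tolerating an empty flow."""
    return part / whole if whole else 0.0


def triage_flow(flow: dict) -> list[str]:
    """Return the reasons a flow deserves a closer look (empty when healthy)."""
    reasons: list[str] = []
    # Security fields first: a deny explains everything else about the flow.
    if flow.get("action") == "deny":
        reasons.append(f"denied by security policy rule {flow.get('security_policy_rule')}")
        return reasons
    # TCP metrics: a failed handshake on an allowed flow points at the server or the path.
    if flow.get("protocol") == "TCP" and not flow.get("init_success", True):
        reasons.append("TCP session initiation failed")
    packets = flow.get("packets", 0)
    retx = _ratio(flow.get("retransmit_packets", 0), packets)
    if retx > RETRANSMIT_RATIO_MAX:
        reasons.append(f"retransmit ratio {retx:.0%} on path {flow.get('chosen_wan_path')}")
    ooo = _ratio(flow.get("ooo_packets", 0), packets)
    if ooo > OOO_RATIO_MAX:
        reasons.append(f"out-of-order ratio {ooo:.0%} on path {flow.get('chosen_wan_path')}")
    # Application metrics: a high SRT with a sane RTT is the server, not the network.
    if flow.get("max_srt", 0) > MAX_SRT_MS:
        reasons.append(f"max server response time {flow['max_srt']} ms")
    return reasons


def triage_flows(flows: list[dict]) -> list[tuple[int, list[str]]]:
    """Index and reasons for every flow that needs attention."""
    findings: list[tuple[int, list[str]]] = []
    for index, flow in enumerate(flows):
        reasons = triage_flow(flow)
        if reasons:
            findings.append((index, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in triage_flows(SAMPLE_FLOWS):
        flow = SAMPLE_FLOWS[index]
        print(f"{flow['source_ip']} -> {flow['destination_ip']} ({flow['application_name']}): "
              + "; ".join(reasons))
```

The first sample flow produces no finding, the second is reported only as a policy deny (its failed handshake is a consequence of the deny, so it is not reported twice), and the third is reported for retransmits, reordering, and server response time, which together point at the MPLS path and the server rather than at policy.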

Flow Decision Bitmap

Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

The Flow Decision Bitmap displays decisions taken for a flow as it was processed. You can view
this information by hovering over the flow decision bitmap value. The typical decision sequence
of the path selection engine is listed below and can be used for troubleshooting the flow.
• Select WAN path new flow
• App_id, dest IP and dest port
• Policy allowed public VPN
• Policy allowed private direct
• Allowed public WABN
• Allowed private direct
• Allowed public direct
• BW one WAN path
• Preferred path specified
• Public direct path
• Backup path in the network policy used
• Standard VPN allowed on public interface
• Standard VPN allowed on private interface
• Policy allowed standard VPN on public interface
• Policy allowed standard VPN on private interface

Flow Decision Data

Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

The Flow Decision Data provides detailed information on path evaluations made as the flow
is processed.

Field Description

Time Time of the flow

Flow Decision Bitmap Bitmap details for the flow.

Available WAN Network(s) Available WAN networks at the time of the flow.

Allowed WAN Paths Filtered By Policy Allowed WAN paths filtered by policy.

Allowed WAN Paths Filtered By Network Reachability Allowed WAN paths filtered by network reachability.

Preferred WAN Path Preferred WAN path for the flow.

Chosen WAN Path WAN path currently used by the flow.

Device Device information.


Set Up Devices
Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Devices include the ION 1000, ION 1200, ION 2000, ION 3000, ION 3200, ION 5200, ION 7000,
ION 9000, and ION 9200. ION 1000, ION 1200, ION 2000, ION 3000, and ION 3200 can be
inserted in a branch site only. ION 3000, ION 3200, ION 5200, ION 7000, ION 9000 and ION
9200 can be inserted in a branch or a data center to communicate with the controller. These
devices, as mentioned before, can be physical or virtual devices.
When physical ION devices are allocated to sites, they are displayed on the Prisma SD-WAN
web interface under Devices as Unclaimed and Offline. When virtual ION devices are added to the
system and licensed, they are displayed as Unclaimed and Online-Restricted.
Devices visible in the inventory are available to claim and then are assigned to sites. The claim
process authenticates and legitimizes the devices on each site. The devices come online with
enough knowledge to connect with the Prisma SD-WAN controller in the appropriate customer
context and start forwarding flows.

Connect the ION Device


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

When physical ION devices are allocated, they are displayed on the Prisma SD-WAN web
interface under Devices as Unclaimed and Offline. When virtual ION devices are added to
the system and licensed, they are displayed on the web interface as Unclaimed and Online-
Restricted.
• Unclaimed indicates that the device is available in the inventory, but has not been claimed.
• Offline indicates that the device is not yet communicating with the Prisma SD-WAN controller.
• Online-Restricted means that the device is communicating with the Prisma SD-WAN
controller, but has not yet been claimed.
STEP 1 | Connect the controller port of the ION device to a LAN switch in a subnet that has access to
the internet.
By default, this port is DHCP-enabled. However, if a static IP address is required, you can
configure it by connecting to the AUX port on the ION device.

The ION 1000 and ION 1200 do not have a dedicated controller port; use any port on
the device to connect to the controller.


STEP 2 | Allocate the ION device to a site.


As soon as an ION device is allocated to a site, it is displayed automatically on the web
interface under Devices as Unclaimed and Offline. The first step is to enable communication
between the ION device and the SD-WAN controller: connect the controller port of the ION
device to a network that has access to the internet.

STEP 3 | Power on the ION device.


The device automatically connects and registers with the SD-WAN controller. When a secure
connection with the controller is established, the controller authenticates the device, and the
device state changes from Offline to Online.

If the ION device does not power on, follow the sub-steps. Otherwise, continue with Step 4.

1. Check the Power Supply (PS) or Power Adapter (PWR) LED and the device Power LED
status. If the PS/PWR LED is not green, proceed to the next steps. If the PS/PWR LED
glows green after completing one of the steps below, there is no need to move to the
following step; consider the problem solved and continue monitoring your device.
2. Check that the power cable is connected.
3. Check that the power cable is secured.
4. Plug into a different power source.
5. Replace the power cord.
6. Reseat the power supply.
7. If you have ruled out the power source and a loose or unplugged power cable as the
problem, proceed to Submit an RMA Request.

STEP 4 | Proceed to claim the ION device, assign the ION device, and configure the ION device at
your branch site or data center site and then configure the ports on the ION device.

Claim the ION Device


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Devices visible in your inventory are available for you to claim and then assign to sites. The claim
process authenticates and legitimizes the devices on each site. The devices come online with
enough knowledge to connect with the Prisma SD-WAN controller in the appropriate customer
context and start forwarding flows.
A data center and the ION 3000, ION 7000, or ION 9000 are not required for a simple deployment
where you intend only to monitor the network and capture analytics in a branch, or to actively
control traffic between the private WAN and direct internet without VPNs. However, if you do
have a data center, claim the ION device at your data center as follows:


STEP 1 | From the Prisma SD-WAN web interface, select Workflows > Devices > Unclaimed.
A list of unclaimed devices in your inventory is displayed.

STEP 2 | Add Filters to find the serial number of an unclaimed device in the Prisma SD-WAN web
interface.

STEP 3 | Select the filter options. Search by Connected, Models, or serial number of the device in the
Search box.

The device matching your search criteria is displayed under Device Info.

STEP 4 | Hover to the right of the device and under State, select the icon.

STEP 5 | Choose Claim the device and click OK.

STEP 6 | Repeat the above claim process for all additional devices on your site.
Upon completion of the claim process, all customer-specific certificates are downloaded to
the device. Briefly, during this period, the device goes offline. When it comes back online, the
State of the device changes to Claimed and Online.

Assign the ION Device


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

You may begin to assign devices to the branch or data center site. Assigning a device simply
means that you are associating it with a specific branch or data center site. With the exception
of ports on the physical and virtual devices, the steps to assign and configure the devices are
identical.
STEP 1 | Select Workflows > Devices > Claimed.

STEP 2 | Under State, select the icon.


A drop-down displays.

STEP 3 | Select Assign to a site to assign the device to a site.

STEP 4 | Enter the name of the branch site, or select the branch site from the list of sites, to
associate the device with the site.

STEP 5 | Select Done.


The device assignment occurs in the background; a green indicator means the device is up and a red indicator means it is down.


Configure Device Access One-Time Password


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Device Access One-Time Password provides the ability to regain access to the device toolkit
in the event that all toolkit passwords are forgotten and the device has lost connection to the
controller.
In order to access an offline device, the device must be:
• In a claimed or assigned state.
• Offline and unable to talk to the controller.
To access the offline device:
STEP 1 | At the console of the remote, offline device, log in with menu as the username and
digital>morgueS! as the password.
Once logged in, the console menu will present command options.

STEP 2 | Select the Status option.


This verifies that the device is offline.

STEP 3 | Once the device is offline and has a Claim certificate installed, select Device offline Access.
This generates the Challenge phrase.

STEP 4 | Note down the Challenge phrase.

STEP 5 | Log in to the Prisma SD-WAN web interface as a Super user and select Workflows >
Devices.


STEP 6 | Select a device, click the ellipsis menu, and select Generate one-time password.

STEP 7 | Enter the Challenge Phrase provided earlier by the device console, and click Submit.

If successful, a one-time password response will be generated.


STEP 8 | Enter this one-time password on the device console for access to the Device Toolkit.

Note the following:


• Challenge requests and incorrect entries in both forms will be logged.
• The Challenge Phrase and the subsequent response are only valid for the configured number of
attempts.
• Exiting from the Challenge prompt or logging out will automatically invalidate the Challenge
string.
• You can modify the maximum number of one-time password attempts and expiration
timeframes from Manage > System > Access Management > Device Access > Device
Offline Access Policy on the Prisma SD-WAN web interface.


Configure the ION Device at a Branch Site


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Configure the branch ION device to connect to the internet and a private network.
By default, the following ports have hardware bypass capability and are set to fail open or closed:
• Ports 4/5 on the ION 2000.
• All LAN/WAN ports on the ION 3000.
• Ports 5/6 and 7/8 on the ION 7000.
• Ports 1/2, 3/4, 5/6, 7/8 on the ION 9000.
Before you configure the device, gather the following information:
• Internet port IP address, subnet mask, and default gateway address.
• (Optional) If the device is behind a firewall, NAT IP details are required.
• LAN subnets and their VLAN IDs (if applicable) that you would like the SD-WAN system to
control.
STEP 1 | Select Workflows > Devices > Claimed and select the device you wish to configure.

STEP 2 | From the ellipsis menu, select Configure the device.


The device configuration screen displays.

STEP 3 | On the Basic Info screen, enter a name and an (optional) description for the device.
The ION device model, redundancy mode, serial number, and software version display
automatically.
• To Enable L3 Direct Private WAN Forwarding, toggle Yes or No. By default, the BGP
configuration uses a bypass pair for private WAN underlay traffic; a Layer 3 interface
explicitly enables Layer 3 Direct Private WAN Forwarding for the private WAN underlay.
• To Enable L3 LAN Forwarding, toggle Yes or No. Yes enables traffic forwarding to and
from the LAN interface when Enable L3 Direct Private WAN Forwarding is enabled.
• Enable or disable the Application Reachability Probe, which probes for application
reachability, that is, checks whether an application is reachable on a given path. Devices
use the controller port as the source probe interface by default. On devices running
version 5.4.1 and later, you can configure a LAN port as the source probe interface.
• Click Create an HA group, to create an ION device cluster.


STEP 4 | Navigate to Device Toolkit to enable device session access.


• For Enable Device Session Access, toggle Yes.
• For Enable Outbound SSH, toggle Yes if you want to use the device CLI commands to SSH
from an ION device to another device within your enterprise network. The default value is
No.
• Change values for Inactive Interval, Retry Login Count, and Account Disabled Interval, if
needed.
• You can access the device CLI from the web interface.

STEP 5 | Navigate to Interfaces to configure the controller ports, internet ports, and the WAN/LAN
ports.


Configure the ION Device at a Data Center


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Prisma SD-WAN license

Before you configure the ION device at the data center, note that the ION 5200, ION 7000,
ION 9000, and ION 9200 provide eight 1GE ports and six 10GE SFP+ ports for flexible
configuration. Connect at least one port to the internet and one port to peer with a
network.
STEP 1 | Select Workflows > Devices > Claimed and select the device you wish to configure.

STEP 2 | On the Basic Info tab:


1. Enter a Device Name.
2. (Optional) Enter a Description and Tags.
3. Set Force VPN to VPN Traffic to Local Next Hop to Yes to force traffic from one
branch site to another via a local next hop within a data center site.
By default, the option Force VPN to VPN Traffic to Local Next Hop is toggled to No.

If you have configured a Private WAN circuit on the DC ION device and the
DC ION device is peering with a WAN edge router, the DC ION device will
have learned the route to the destination from the WAN edge router. In this
case, the traffic is routed to the WAN edge router and subsequently to the
destination.


STEP 3 | Configure the first port from the Interfaces tab.


1. From 1GE ports, select Port 1.
2. Leave Admin Up as the default Yes.
3. (Optional) Enter a name, description, and tags for this port.
The Interface Type displays as Port.
4. For Use This Port For, select Connect to Internet to enable public VPNs for a branch
site.
5. For Circuit Label, select the circuit that connects to the internet.
A circuit label is mandatory.
6. For IPv4 Configuration, select DHCP or Static.
• Choose DHCP and enter NAT Address and Port if the IP address is dynamically
assigned and if the internet port IP address is a private IP address behind a NAT
firewall.
• The External NAT address should be the public IP address NAT-translated to the
ION device’s IP address on this physical port.
• The External NAT port should be the External NAT IP address UDP port forwarded
to UDP 4500 on the ION device’s IP address on this physical port.
• Outside of this device configuration, if you have a firewall, you must allow protocol
TCP 443 and UDP 4500 in your firewall configuration.
• If the IP address is fixed and specified manually, choose Static and specify the IP
Address/Mask, Default Gateway, DNS Servers, and Secondary IPs.
7. Select Enable IPv6 On This Interface to configure IPv6.
8. For IPv6 Configuration, select AutoConf or Static.
Autoconf indicates the Global IP address is derived using stateless address
autoconfiguration (SLAAC).
Choose Static if the IP address is fixed and is manually assigned. Additionally specify the
IPv6 Address/Mask, Default Gateway (IPv6), and DNS server(s)(IPv6).
9. In Advanced Options, (optional) specify MAC, IP MTU, and Physical from the available
range.
10. Click Save Port.


STEP 4 | Proceed to configure the second port.


1. Leave Admin Up as the default Yes.
2. (Optional) Enter a name, description, and tags for this port.
The Interface Type displays as Port.
3. For Use This Port For, select Peer with a Network to inject routes towards the core
router.
You may pair any non-hardware ports on the physical and virtual ION 7000 or ION
9000. However, ports 5/6 and ports 7/8 are hardware bypass port pairs and therefore
must be configured as port pairs. These port pairs can be set to fail open or fail closed.
4. For Circuit Label, select the circuit to peer with the network.
5. For IPv4 Configuration, select DHCP or Static.
6. In Advanced Options, (optional) specify MAC, IP MTU, and Physical from the available
range.
7. Click Save Port.
Similar to configuring ports on a physical ION 7000, configure the ports on the virtual
ION device. The virtual device has one controller port and nine configurable ports to
connect to the internet or peer with a network.

STEP 5 | Proceed to configure Routing, SNMP, Syslog Export, and NTP Client for the ION device.


Switch a Site to Control Mode


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Switch sites to the Control mode to push network and security policies, prioritize applications,
control application paths, enable active-active WANs, and facilitate automatic zero-touch VPNs
that connect all SD-WAN branches. Activate the data center after the branch is activated so that
the VPNs are enabled between a branch and a data center, and can provide secure paths to reach
applications hosted in the data center.
STEP 1 | Switch the Branch to Control Mode.
1. Select Workflows > Sites
2. Select a site and from the ellipsis menu, select Switch to Control Mode.
3. Select OK to confirm switching to the Control mode.
Wait 3-5 minutes to view network and application analytics. The system uses all paths
and populates all application charts.

STEP 2 | Switch the Data Center to Control Mode.


1. Select Workflows > Data Centers.
2. Select a site and from the ellipsis menu, select Switch to Control Mode.
As soon as the branch and the data center are activated, an automatic VPN is
established through zero-touch configuration between the branch site and the data
center over any configured internet paths and over any private WAN paths, provided
that both the branch and data center sites connect to the same WAN network.
No administrator action is required. The VPN path is visible on the map view of your
sites.
Configure a Secure Fabric Link Overlay between two branch sites to enable or disable it as
needed.


Allow IP Addresses in Firewall Configuration


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

This section lists all services running on the ION device that require you to open ports on
external firewalls.

The public IP addresses for customer firewall configurations use a domain-based ACL /
firewall rule. These public IPs are subject to change.

To ensure smooth functioning of the Prisma SD-WAN services, allow the following URLs and/or
IP addresses.

Although a static IP address is provided for each URL, we recommend that you use DNS for
resolution.

The table columns are Service, Protocol, Port, Direction, Source Interface and IP, and
Destination Name and IP Addresses. Each entry below is one row of that table.

Service: IPSec for Prisma SD-WAN and Standard VPNs
Protocol: UDP
Port: 4500
Direction: Outbound at both Data Center and Branch. Inbound at least at one side of the connection.
Source Interface and IP: Internet Port IP on both ION devices. Private WAN port IP on Branch for VPNoMPLS. Peering Port on the Data Center side for VPNoMPLS.
Destination Name and IP Addresses: Internet Port IP on both ION devices. Private WAN port IP on Branch for VPNoMPLS. Peering Port on the Data Center side for VPNoMPLS.

Service: ESP for Prisma SD-WAN and Standard VPNs
Protocol: IP proto 50
Port: NA
Direction: Outbound and Inbound
Source Interface and IP: Internet Port IP on both ION devices. Private WAN port IP on Branch for VPNoMPLS. Peering Port on the Data Center side for VPNoMPLS.
Destination Name and IP Addresses: Internet Port IP on both ION devices. Private WAN port IP on Branch for VPNoMPLS. Peering Port on the Data Center side for VPNoMPLS.

Service: Prisma SD-WAN access to web interface
Protocol: TCP
Port: 443
Direction: Outbound
Source Interface and IP: Client PC
Destination Name and IP Addresses:
  https://login.cloudgenix.com
  https://portal.cloudgenix.com
  https://api.cloudgenix.com
  https://login.elcapitan.cloudgenix.com
  https://portal.elcapitan.cloudgenix.com
  https://portal.hood.cloudgenix.com/
  https://login.hood.cloudgenix.com/
  https://sase.paloaltonetworks.com/

Service: Prisma SD-WAN access to API Endpoints
Protocol: TCP
Port: 443
Direction: Outbound
Source Interface and IP: Client PC
Destination Name and IP Addresses:
  https://api.sase.paloaltonetworks.com
  https://api.elcapitan.cloudgenix.com
  https://api.sugarloaf.cloudgenix.com
  https://api.hood.cloudgenix.com
  https://api.us.hood.cloudgenix.com
  https://api.us.elcapitan.cloudgenix.com
  https://api.jp.hood.cloudgenix.com
  https://api.jp.elcapitan.cloudgenix.com
  https://api.sg.hood.cloudgenix.com
  https://api.sg.elcapitan.cloudgenix.com
  https://api.ca.hood.cloudgenix.com
  https://api.ca.elcapitan.cloudgenix.com
  https://api.in.hood.cloudgenix.com
  https://api.in.elcapitan.cloudgenix.com
  https://api.au.hood.cloudgenix.com
  https://api.au.elcapitan.cloudgenix.com
  https://api.eu.sugarloaf.cloudgenix.com
  https://api.de.sugarloaf.cloudgenix.com
  https://api.uk.sugarloaf.cloudgenix.com
  https://api.uk.bowfell.cloudgenix.com
  https://api.sg.faber.cloudgenix.com
  https://api.au.townsend.cloudgenix.com

Service: ION Device to Prisma SD-WAN Cloud Controller
Protocol: TCP
Port: 443
Direction: Outbound
Source Interface and IP: ION Controller Port IP Address; ION Internet Port IP Address
Destination Name and IP Addresses:
  https://controller.cgnx.net (primary): 52.8.93.87, 52.8.25.40
  https://locator.cgnx.net (backup): 18.223.78.55, 52.15.45.235
  hood: 52.40.98.31, 34.218.98.185
  sugarloaf: 18.200.102.82, 18.200.135.33
  faber: 18.139.242.53, 54.255.61.109
  https://vmfg.cgnx.net: 52.53.122.104, 52.53.102.7
  https://controller.elcapitan.cgnx.net: 3.23.240.174, 3.136.181.240
  https://vmfg.elcapitan.cgnx.net: 52.53.122.104, 52.53.102.7
  https://controller.hood.cgnx.net: 52.32.167.5, 54.70.168.33
  https://vmfg.hood.cgnx.net: 50.112.136.184, 34.210.34.87
  https://controller.sugarloaf.cgnx.net: 108.128.176.192, 18.200.144.58
  https://vmfg.sugarloaf.cgnx.net: 99.81.179.99, 99.80.52.255
  https://sdwan-stats-hood-us.cgnx.net
  https://sdwan-stats-elcapitan-us.cgnx.net
  https://sdwan-stats-hood-jp.cgnx.net
  https://sdwan-stats-elcapitan-jp.cgnx.net
  https://sdwan-stats-hood-sg.cgnx.net
  https://sdwan-stats-elcapitan-sg.cgnx.net
  https://sdwan-stats-hood-au.cgnx.net
  https://sdwan-stats-elcapitan-au.cgnx.net
  https://sdwan-stats-hood-in.cgnx.net
  https://sdwan-stats-elcapitan-in.cgnx.net
  https://sdwan-stats-hood-ca.cgnx.net
  https://sdwan-stats-elcapitan-ca.cgnx.net
  https://sdwan-stats-sugarloaf-eu.cgnx.net
  https://sdwan-stats-sugarloaf-de.cgnx.net
  https://sdwan-stats-sugarloaf-uk.cgnx.net
  https://controller.bowfell.cgnx.net: 13.41.243.90, 18.171.17.23
  https://vmfg.bowfell.cgnx.net: 52.56.35.36, 52.56.224.242
  https://controller.faber.cgnx.net: 52.74.47.220, 13.251.109.27
  https://vmfg.faber.cgnx.net: 18.142.153.59, 52.74.58.219
  https://controller.townsend.cgnx.net: 13.55.31.41, 3.106.168.215
  https://vmfg.townsend.cgnx.net: 52.64.177.240, 13.55.164.51
  https://sdwan-stats-faber-sg.cgnx.net
  https://sdwan-stats-bowfell-uk.cgnx.net
  https://sdwan-stats-townsend-au.cgnx.net

Service: Bandwidth Monitoring
Protocol: TCP and UDP
Port: 443
Direction: Outbound
Source Interface and IP: ION Controller Port IP Address; ION Internet Port IP Address
Destination Name and IP Addresses: Peer DC ION 7K Peering Interface IP Addresses; Cloud service at pcm.cgnx.net: 52.25.78.62, 34.212.76.47, 54.172.15.178, 52.207.248.9

Service: Link Quality
Protocol: TCP and UDP
Port: 443
Direction: Outbound
Source Interface and IP: ION Controller Port IP Address; VPN Tunnel Internal IP Address
Destination Name and IP Addresses: Peer DC ION Peering Interface IP Addresses

Service: Prisma SD-WAN Web Interface
Protocol: TCP
Port: 443
Direction: Outbound
Source Interface and IP: Client PC (or NAT IP on ION)
Destination Name and IP Addresses:
  portal.cloudgenix.com
  login.cloudgenx.com
  api.cloudgenix.com
  portal.elcapitan.cloudgenix.com
  login.elcapitan.cloudgenx.com
  api.elcapitan.cloudgenix.com
  52.8.33.74
  52.8.122.116

Service: NTP
Protocol: UDP
Port: 123
Direction: Outbound
Source Interface and IP: ION Controller Port IP Address; ION Internet Port IP Address
Destination Name and IP Addresses: time.nist.gov

Service: DNS
Protocol: UDP and TCP
Port: 53
Direction: Outbound
Source Interface and IP: ION Controller Port IP Address; ION Internet Port IP Address
Destination Name and IP Addresses: Customer or Provider DNS servers

Service: WAN Layer 3 Reachability
Protocol: ICMP
Port: NA
Direction: Outbound
Source Interface and IP: ION Internet Port IP Address
Destination Name and IP Addresses: 8.8.8.8, 8.8.4.4, 208.67.222.222, 208.67.220.220

Service: WAN Layer 3 Reachability
Protocol: TCP
Port: 80
Direction: Outbound
Source Interface and IP: ION Internet Port IP Address
Destination Name and IP Addresses: captive.apple.com, clients3.google.com

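The table gives a static IP address for each controller URL but recommends DNS-based rules because those addresses can change. The following added example (not part of this guide or of any Palo Alto Networks tool) compares the published static addresses from the controller row with what DNS currently returns and reports the drift a static firewall rule would suffer; the hostnames and addresses are copied from the table, the live lookup uses the system resolver, and SAMPLE_ANSWERS is constructed data for an offline run.

```python
"""Drift check between published static controller IPs and live DNS answers.

Added example, not from the Prisma SD-WAN guide. PUBLISHED is copied from the
allow-list table; SAMPLE_ANSWERS is constructed (not real DNS data) so the
functions can be exercised without network access.
"""
import socket
from typing import Dict, List, Set

# Hostname -> static addresses as published in the Cloud Controller row.
PUBLISHED: Dict[str, Set[str]] = {
    "controller.cgnx.net": {"52.8.93.87", "52.8.25.40"},
    "locator.cgnx.net": {"18.223.78.55", "52.15.45.235"},
    "vmfg.cgnx.net": {"52.53.122.104", "52.53.102.7"},
    "controller.elcapitan.cgnx.net": {"3.23.240.174", "3.136.181.240"},
    "vmfg.elcapitan.cgnx.net": {"52.53.122.104", "52.53.102.7"},
    "controller.hood.cgnx.net": {"52.32.167.5", "54.70.168.33"},
    "vmfg.hood.cgnx.net": {"50.112.136.184", "34.210.34.87"},
    "controller.sugarloaf.cgnx.net": {"108.128.176.192", "18.200.144.58"},
    "vmfg.sugarloaf.cgnx.net": {"99.81.179.99", "99.80.52.255"},
    "controller.bowfell.cgnx.net": {"13.41.243.90", "18.171.17.23"},
    "vmfg.bowfell.cgnx.net": {"52.56.35.36", "52.56.224.242"},
    "controller.faber.cgnx.net": {"52.74.47.220", "13.251.109.27"},
    "vmfg.faber.cgnx.net": {"18.142.153.59", "52.74.58.219"},
    "controller.townsend.cgnx.net": {"13.55.31.41", "3.106.168.215"},
    "vmfg.townsend.cgnx.net": {"52.64.177.240", "13.55.164.51"},
}


def resolve_a(hostname: str) -> Set[str]:
    """IPv4 addresses for hostname via the system resolver; empty set on failure."""
    try:
        infos = socket.getaddrinfo(hostname, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def drift_report(published: Dict[str, Set[str]],
                 resolved: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Per host: addresses DNS returns that the static rule lacks (the ION device
    would be blocked once the service moves to them), published addresses DNS no
    longer returns (stale rule entries to review), and whether lookup failed."""
    report = {}
    for host, expected in published.items():
        got = resolved.get(host, set())
        report[host] = {
            "missing_from_rule": sorted(got - expected),
            "stale_in_rule": sorted(expected - got),
            "unresolved": not got,
        }
    return report


def hosts_needing_action(report: Dict[str, dict]) -> List[str]:
    """Hostnames whose static rule disagrees with DNS or that did not resolve."""
    return sorted(h for h, r in report.items()
                  if r["missing_from_rule"] or r["stale_in_rule"] or r["unresolved"])


def effective_allow_list(published: Dict[str, Set[str]],
                         resolved: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Union of published and currently resolved addresses per host: what a static
    rule must contain to stay aligned with the domain-based rule the guide recommends."""
    return {h: sorted(published[h] | resolved.get(h, set())) for h in published}


# Constructed answers for the offline demo: one host unchanged, one that gained an
# address (192.0.2.10 is a TEST-NET-1 placeholder), one that dropped an address, and
# every other host left unresolved.
SAMPLE_ANSWERS: Dict[str, Set[str]] = {
    "controller.cgnx.net": {"52.8.93.87", "52.8.25.40"},
    "locator.cgnx.net": {"18.223.78.55", "52.15.45.235", "192.0.2.10"},
    "vmfg.cgnx.net": {"52.53.122.104"},
}


if __name__ == "__main__":
    # Live run: requires DNS reachability from the host running the script.
    live = {h: resolve_a(h) for h in PUBLISHED}
    report = drift_report(PUBLISHED, live)
    for host in hosts_needing_action(report):
        print(host, report[host])
```

Run it on a schedule from a host that uses the same resolvers as the firewall and treat any non-empty `missing_from_rule` as a ticket to update the static rule before the controller connection breaks.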

Configure Layer 2 Switch Ports


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

The integrated Layer 2 switch ports enable you to connect multiple devices directly on the L2
LAN or add downstream switches or Wireless Access Points (WAP). L2 LAN switch ports are
supported only on ION 3200, ION 1200-S, ION 1200-S-C-NA/ROW, and ION 1200-S-C5G-WW
on ports 5-10. These platforms have six 1Gbps RJ-45 L2 switch ports, two 1Gbps RJ-45 WAN
ports, and two 2.5Gbps switch-to-host uplink ports.

When the ION 3200 device is running in L2 mode, it functions as an ION 1200-S, and
when the ION 3200 is running in L3 mode, it serves as the current ION 3200 device.

Layer 2 LAN Switch supports:

• Per port configuration of access or trunk ports.
• VLAN definition with attributes such as numerical ID value, name, and tags. The VLAN ID range
is 1-4000.
• A maximum of 32 active VLANs.
• Native VLAN on a trunk port can be any VLAN ID in the supported range.
• Storm Control thresholds configurable for Unknown Unicast, Multicast, and Broadcast per
port. By default, Broadcast Storm Control is enabled with a threshold of 1000 Kbps.
• Spanning Tree modes IEEE 802.1d, IEEE 802.1s, and IEEE 802.1w (default). The mode is
detected and switched automatically on receiving a BPDU.
• Configurable Hello Timer, Forward Delay, Max Age, and Aging Timer.
• Configurable Spanning Tree Priority at the system level.
• Configurable per port Cost and Priority.
• Configurable BPDU Guard and Root Guard per port.
• Portfast enabled by default.
• QoS is maintained.

L2 Switch ports are supported on a minimum ION device version of 6.0.2 for ION 1200-S and
6.3.1 for ION 3200. You cannot downgrade to a lower version.

• Add a VLAN or Switch Virtual Interface (SVI)
• Configure VLAN on Switch Ports
• Edit Switch Configurations
• Monitor Switch Activity and Statistics
• Switch Layer 2/Layer 3 Change Mode

Add a VLAN or Switch Virtual Interface (SVI)


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

To add a VLAN or Switch Virtual Interface (SVI):


STEP 1 | Navigate to Manage > Setup > Devices > Configure the Device.

STEP 2 | On the Interface tab, select the Add (plus) icon and select VLAN/Switch Virtual Interface.


STEP 3 | Enter the following VLAN information:


1. Enter a valid VLAN ID in the range 1-4000. The ID must be unique; otherwise you get an
error message that the ID is a duplicate.
2. (Optional) Enter a Name, Tags, and Description for the VLAN.
3. Select Admin Up to use the switch virtual interface.
Select Admin Up if you need the SVI (L3 routing). If you only need L2 switching among the
switch ports, Admin Down can be used.
4. Enable or disable Auto Operational State.
Starting with release 6.4.1, Prisma SD-WAN introduces an SVI state setting, Auto
Operational State, which controls whether the SVI remains up when all VLAN member ports
are down or is brought down when all member ports are down.
By default, Auto Operational State is enabled and the SVI is up only when:
• The SVI is configured Admin Up.
• At least one L2 switch port (access or trunk) is a member of the SVI and has its link
up.
When Auto Operational State is disabled and the SVI is configured Admin Up, it remains
up.

5. Select the VLAN Type as Data or Voice LAN.


6. Select Used for as LAN.

Choose HA (referred to as Used for Control prior to release 6.3.1) if you want to
configure the SVI for HA setup.
7. Select IP Configuration for the interface–None, Static, or DHCP.
If you select static, provide the IP address, Default Gateway, and DNS Server.


Default gateway and DNS server are optional.


8. Enter the Scope of the interface.
9. (Optional) Add DHCP Relay.
10.(Optional) Add NAT Configuration.

STEP 4 | Enter Static ARP Config information.


You can add a maximum of 16 addresses.
1. Enter a valid IPv4 address.
2. Enter a valid MAC Address.

STEP 5 | Save your changes.


The VLAN is created with a system-generated name vlan-<id>. If you have specified a
VLAN name in step 3, the given name is used.

Configure VLAN on Switch Ports


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

After adding the VLAN, configure the VLAN on the switch ports.
STEP 1 | Select a port from the LAN ports.

STEP 2 | Enter a Name and, optionally, Tags and a Description for the selected interface.
The default VLAN ID is 1. It can be configured to any VLAN ID in the supported range.

STEP 3 | Select Admin Up.

STEP 4 | Interface type and Use Interface for are system-populated.


If the port is a switch port, Interface Type and Use Interface for are autopopulated.


STEP 5 | Select the Interface Mode.


• Access is used for endpoint access. Select the Access VLAN and Voice VLAN. If you need
a Voice VLAN, you must first create the Voice VLAN when creating the Switch Virtual
Interface.
• Use Trunk to carry multiple VLANs. Select all VLANs or select specific VLAN IDs.
Trunk ports carry only VLAN-tagged packets. If a Native VLAN is configured, select the
Native VLAN for untagged packets.

STEP 6 | Control access to your network by selecting an Authentication mode. Authentication is
Disabled by default:
• 802.1X only - Select Reauthentication Timeout and enter a value between 30-86400 seconds;
the default is 1800 seconds.

802.1X authentication is a client-server model facilitating network access only to
authorized clients. It defines authentication controls for any user or device trying to
access a LAN or WLAN. The user's identity is determined based on their credentials
or certificate, which is confirmed by the RADIUS server. Before services can be
provided to a client by the ION device, the client connected to the switch port has
to be authenticated by the RADIUS authentication server.

802.1X is supported only on switch ports.

Prisma SD-WAN supports the following IEEE 8021X-PAE-MIB values. It supports
SNMP get and walk requests.
• ieee8021XEapolStatsTable
• ieee8021XAuthenticatorTable
• ieee8021XPaePortSessionTable
• ieee8021XPaePortLogonTable
• ieee8021XPaePortTable
• MAC Auth Only - Select Reauthentication Timeout and enter a value between 30-86400
seconds; the default is 1800 seconds.

Media Access Control (MAC) authentication is used to authenticate devices based
on their physical MAC addresses. You can authorize an endpoint using MAC
Authentication. The authenticator uses the MAC address of the connecting device
to determine what kind of network access to provide.

MAC Auth is supported only on switch ports.

• 802.1X to MAC Auth Fallback - Select the fallback option to fall back to MAC Auth if the
client isn't using 802.1X authentication.

STEP 7 | Enable PoE for the port.


By default, PoE is disabled.


STEP 8 | Enter the Port Power Usage Alarm Threshold value for the selected port between 50-100%.
If the port power usage exceeds the alarm threshold, an alarm is generated.

STEP 9 | Select the option for LLDP/LLDP-MED.


Receive Only option is the default option. Select Receive and Transmit, only if you want the
ION device to respond to the powered device (PD) when it receives LLDP-MED packets.

Starting with release 6.4.1, voice VLANs will be advertised as part of LLDP-MED to
support dynamic detection for VoIP phones on ION 1200-S device.

STEP 10 | Advanced settings


1. Physical indicates the speed of the interface; it is disabled by default. Select from the
available options.
Interface speed, displayed in Mbps, is the speed of each interface. Interfaces can have
Ethernet speed rates of 10 Mbps, 100 Mbps, and 1000 Mbps.
2. Spanning Tree Protocol (STP) is enabled by default. By default, the STP type is RSTP.
The Multiple Spanning Tree Protocol (MSTP), used in the case of multiple switches, provides
connectivity to a VLAN throughout a bridged local area network. These LANs are connected
into a single Common Spanning Tree (CST).
3. Root/BPDU Guard is used to protect the Layer 2 STP topology from BPDU-related attacks.
Root Guard is enabled on a port-by-port basis; it prevents a configured port from becoming
a root port. Root Guard prevents a downstream switch (often misconfigured or rogue) from
becoming the root bridge in a topology.
BPDU Guard must be enabled on ports that should never receive a BPDU from their
connected devices. When a BPDU Guard enabled port receives a BPDU from a connected
device, BPDU Guard disables the port.
4. Spanning tree Portfast is enabled by default.
5. Enter the STP Port priority between 0-240. The default value is 128; STP port priority is
set in multiples of 16.
6. Enter the STP port cost between 1-65535. The STP port cost depends on the speed of the
port.

STEP 11 | Select Storm Control and set a threshold for the traffic rate limit; traffic is rate
limited to the set threshold value.
By default, the broadcast threshold is set to 1000 Kbps. Enter a value between 64-1000000
Kbps.
• Unknown Unicast threshold (Optional) - enter a value between 64-1000000 Kbps.
• Broadcast threshold (Optional) - enter a value between 64-1000000 Kbps.
• Multicast threshold (Optional) - enter a value between 64-1000000 Kbps.


STEP 12 | Save to update the changes.


To edit an existing VLAN, select Edit from its ellipsis menu.

You can delete an existing VLAN only after deleting the VLAN from all the associated access
or trunk ports. To delete an existing VLAN, delete the VLAN by selecting it from the ellipsis
menu.

Edit Switch Configurations


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Edit the Switch configurations on the Switch tab.


STEP 1 | Select Workflows > Devices > Claimed Devices > Switch.


STEP 2 | On the Switch tab, Edit the configurations.

STEP 3 | Update the following Switch information:


• Default VLAN ID is 1.
• Enable Spanning Tree is checked by default.
• Select the STP Mode as RSTP; the default STP mode is RSTP.
• Enter a Priority value between 0 - 61440, in multiples of 4096.
• Hello Time is the interval between BPDU transmissions; set the value between 1-10
seconds.
• Forward Delay is the length of time spent in the listening state; set the value between
4 - 30 seconds.
• Max Age is the length of time that the switch retains information learned from BPDUs; set
the value between 6 - 40 seconds.
• Enter the STP Aging Timer between 10 - 1000000 seconds.

STEP 4 | Save your changes.

Monitor Switch Activity and Statistics


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license


Monitor the L2 Switch activity and statistics from the Prisma SD-WAN user interface.
STEP 1 | Select Workflows > Devices > Claimed Devices > Switch.

STEP 2 | Click the Stats icon to view the Switch statistics.


STEP 3 | Select MAC to view the MAC address table.

Select Update MAC table to update the table.


STEP 4 | View the Switch Activity by clicking the View Activity icon.
The following activity reports are available on the Activity dashboard.
• CPU Utilization
• Free Memory
• Free Disk
• PoE Power Consumption
• PSE Operating Temperature
• STP Topology Stats
• Interface Bandwidth Utilization
• Interface Dropped Packets
• Interface Errors
• Interface Power Consumption
• Interface PoE stats
• Interface LLDP Stats
• Interface STP Stats


Switch Layer 2/Layer 3 Change Mode


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

The integrated Layer 2 switch ports enable you to connect multiple devices directly on the L2
LAN or add downstream switches or Wireless Access Points (WAP). L2 LAN switch ports are
supported on ION 3200 on ports 5-10. When the ION 3200 device is running in L2 mode, it
functions as an ION 1200-S, and when the ION 3200 is running in L3 mode, it serves as the
current ION 3200 device.


STEP 1 | Select Workflows > Devices > Claimed Devices and select the ION 3200 device you wish to
configure.

STEP 2 | On the Basic Info, click the ellipsis menu and select L2 to L3 to switch the Device Mode
from L2 to L3 or vice versa.


STEP 3 | A pop-up asks you to confirm the change; click Proceed to continue.

Verify that the Device Mode changed as intended (L2 to L3 or L3 to L2).

The mode change operation is allowed when the device is in a claimed state; it is
not allowed in unclaimed or assigned or any other states. Also, when the device
is declaimed or unclaimed, it returns to L3 mode. Only two retries will be allowed
per device, each spaced out by 15 minutes from the start time of the change mode
process.


Prisma SD-WAN Ports and Interfaces


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

After you have completed the sites and devices setup, configure the ports and interfaces. Ports
are the physical interfaces on the ION device and interfaces are the logical interfaces on the
ION device. Every port or interface has specific configuration steps that must be followed. Read
on to understand how to configure ports and interfaces on an ION device.
The various physical ports are:
• Controller Ports
• Internet Ports
• WAN/LAN Ports
The various logical interfaces are:
• Loopback Interface
• Virtual Interface
• Bypass Pair
• Sub-Interface
• PPPoE Interface
• Prisma SD-WAN Standard VPN
• L3 LAN Interface

Configure a Controller Port


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

An ION device has one or two controller ports. From Release 5.2.1 you can configure two
controller ports. In a virtual interface, you can use both controller ports to establish
redundancy in controller connectivity; the controller ports can thus be in the same subnet.
The controller port is used by default as the source interface for controller connections; in the
absence of a controller port, the device automatically picks any L3 port as the source interface
for controller connections. If you plan to use the controller port, connect it to an existing LAN
segment with Internet reachability.
STEP 1 | Select the controller port.

STEP 2 | To enable the interface, for Admin Up, select Yes.

STEP 3 | (Optional) Enter a description.


STEP 4 | For IPv4 Configuration, select DHCP or Static.


Choose DHCP if the IP address is dynamically assigned.
Choose Static if the IP address is fixed and is manually assigned. Additionally specify the IP
Address/Mask, Default Gateway, and DNS server(s).

STEP 5 | Click Save Port.


Similar to configuring the first controller port, configure the second controller port.

Add a Used-for-Controller Interface


Gen-1 ION devices, including the ION 2000, 3000, 7000, and 9000, have a dedicated controller
port that provides MRL connectivity, HA heartbeat exchange, and other management
functions. With Gen-2 ION devices, beginning with version 6.3.1, any Layer 3 interface can be
configured as a controller port through the Used-for-Controller setting, which gives the
interface the same functionality.
Prisma SD-WAN supports Used-for-controller on:
• Main Interfaces
• Virtual Interfaces
STEP 1 | Select Workflows > Devices > Claimed Devices, select the device you want to configure.

STEP 2 | Select the Interfaces tab.

STEP 3 | Select a port.

STEP 4 | For Admin Up, select Yes.

STEP 5 | (Optional) Enter a Description.

STEP 6 | For Interface Type, select Port.


STEP 7 | For Use this Port for, select Controller.

STEP 8 | Click Save Port.

Configure Internet Ports


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

STEP 1 | From internet ports, select a port pair.

STEP 2 | To enable the interface, for Admin Up, select Yes.

STEP 3 | (Optional) Enter a description.

STEP 4 | For Interface Type, select Port.

STEP 5 | For Use these Ports For, select Internet.


Alternatively, you can select Private WAN for Use these Ports For to configure a WAN port
for a Private WAN circuit.

STEP 6 | For Scope, toggle Local or Global.


The default is Local.
If the scope is local, the route is not advertised to the data center.
If the scope is global, the route is advertised to the data center.

• This setting is applicable only to branch sites. It is not applicable to data center
sites.
• Configuring a global static route will advertise the destination IP/prefix to other
sites automatically.

STEP 7 | For Circuit Label, select the circuit label that corresponds to your internet connection for this
site.

STEP 8 | Select Enable IPv6 On This Interface to configure IPv6.


STEP 9 | For IPv6 Configuration, select AutoConf or Static.


Autoconf indicates the Global IP address is derived using stateless address autoconfiguration
(SLAAC).
Choose Static if the IP address is fixed and is manually assigned. Additionally specify the IPv6
Address/Mask, Default Gateway (IPv6), and DNS server(s)(IPv6).

STEP 10 | For IPv4 Configuration, select DHCP or Static.


Choose DHCP if the IP address is dynamically assigned.
Choose Static if the IP address is fixed and is manually assigned. Additionally specify the IP
Address/Mask, Default Gateway, and DNS server(s).

STEP 11 | In Advanced Options, (optional) specify MAC, IP MTU, External NAT Address and Port
(IPv4), External NAT Address and Port (IPv6), and Physical from the available range.

IP MTU value should be at least 1280 for IPv6. If it is less than 1280, IPv6 cannot be
enabled.

STEP 12 | Click Save Port.

The ION device inherently hardens all ports designated as Internet. Only UDP 4500, UDP
500 (ISAKMP), and ESP are reachable on these ports, and UDP port 500 (ISAKMP) is
reserved exclusively for standard VPNs. Configure the ports accordingly to avoid automatic
rejection of requests. The ION device blocks any unsolicited incoming internet traffic.

Configure WAN/LAN Ports


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

STEP 1 | Select WAN/LAN as a port pair.

STEP 2 | To enable the interface, for Admin Up, select Yes.

STEP 3 | (Optional) Enter a description.


STEP 4 | Interface Type displays the selected WAN/LAN bypass pair.

STEP 5 | For Hardware Relay – Fail to Wire, select Yes to get fail-to-wire functionality.

STEP 6 | For Use These Ports For, select Private WAN.

STEP 7 | For Circuit Label, select the circuit label that corresponds to your private WAN connection
for this site.

STEP 8 | Select Enable IPv6 On This Interface to configure IPv6.

STEP 9 | For IPv6 Configuration, select DHCP or Static.


Choose DHCP if the IP address is dynamically assigned.
Choose Static if the IP address is fixed and is manually assigned. Additionally specify the IPv6
Address/Mask, Default Gateway(IPv6), and DNS server(s)(IPv6).

STEP 10 | For Attached Networks, enter the router’s VLAN ID and IP address.
You may enter multiple VLAN IDs and IP addresses.
1. Select Network Context if this is a subnet and you would like to segment one subnet for
which you would like to define a separate policy. For example, guest Wi-Fi.
2. Select Local or Global.
Select Local when defining an IP subnet that is not advertised to any other site.
Select Global when defining an IP subnet that is advertised to every Prisma SD-WAN
site.

Prisma SD-WAN does not control traffic if a prefix/subnet is not defined on the
ION device.

STEP 11 | Save Bypass Pair.

STEP 12 | Optionally configure Routing, SNMP Config, Syslog Export, and NTP Client.

STEP 13 | Click Save.

Configure Cellular Interfaces


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

The cellular ION devices have an integrated 4G or 5G cellular modem for primary or backup WAN
connectivity. If there is no 4G or 5G coverage, these modems can fall back to a 3G network. In a
typical deployment, the cellular WAN is configured as a backup to the wired WAN interface. It
can also be configured in an active/active model with the wired WAN interface, or as the only
WAN link.


These cellular ION devices are optionally installed with dual SIMs to provide backup connectivity
when the primary SIM carrier connection is down. These devices detect SIMs from carriers such
as AT&T, T-Mobile, Verizon, and auto configure the required modem profile and firmware and
bring up cellular WAN connectivity.
Configure the cellular feature on the ION device by setting SIM specific configuration like primary
SIM slot, SIM PIN configuration and cellular IP interface specific configuration. Separate primary
and backup interface configurations are supported to allow configuring different APNs and circuit
labels for different SIMs.
Configure the cellular interfaces to use the required WAN path and circuit labels.
Manually configure the cellular interface on the cellular ION device. You can create a new APN
profile, set Use for Internet or Private WAN and the Circuit Label, modify Cellular SIM Settings,
manage SIM Operations, and customize Cellular Firmware.
STEP 1 | Select Workflows > Devices > Claimed Devices, select the device you want to configure.

STEP 2 | Configure the Device and select Interfaces, and then select Cellular Interfaces.


STEP 3 | Select the interface from the Cellular Interfaces list.

The Interface Name, Interface Type and Interface Status are already populated.
You can view the interface status and statistics by clicking the Status icon.
The SIM card status shows the status of the SIM, whether it is in use, present in the device, or
whether the SIM pin is configured.

STEP 4 | (Optional) Add the Description and Tags.

STEP 5 | For Use This For, select Internet or Private WAN as applicable.

STEP 6 | Select the Circuit Label.


Select the circuit label that corresponds to your private WAN connection for this site. For
more information on how to reduce non-user traffic on cellular links, refer to Minimize
Metered LTE Usage.


STEP 7 | Select the APN Configuration.


Based on the SIM, you may need to configure a specific APN to get the cellular connection up.
Contact your carrier to get this information.
• Auto APN—By default, Auto APN is selected.

If you are using a regular (dynamic IP) SIM from AT&T, T-Mobile or Verizon, use the
default Auto APN option.
• Use APN Profile—You can either select from the available list of APN profiles or create a
new customized APN profile.
• Enter APN Configuration—You can manually enter the APN:
1. Enter APN.
2. (Optional) Enter Authentication Type, select from PAP, CHAP or PAP/CHAP.
3. (Optional) Configure the User name and Password given by the cellular carrier.

STEP 8 | Select IPv4 or IPv4v6 for IP Address Type in the configuration. By default, IPv4 is selected.
Starting with release 6.1.1, Prisma SD-WAN supports IPv4v6 dual stack for some use cases.
For LAN interfaces, IPv4 is supported. For WAN or Uplink interfaces, dual-stacked IPv4v6 is
supported. For the VPN underlay, IPv4 or IPv6 is supported. For LAN to WAN Direct internet
traffic and device-to-controller connectivity on a cellular interface, IPv4 is supported.

STEP 9 | Configure the NAT Zone in NAT Configuration as internet.

STEP 10 | Save Cellular Interface to save the configuration.

View Cellular Statistics

Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

Prisma SD-WAN allows you to view the statistics for cellular devices on the Cellular Module
and Packet Statistics screen. You can view the IPv4 and IPv6 packet statistics (Received (Rx) and
Transmitted (Tx)) such as Total Bytes, Drops, Packet Successes, Packet Errors, and Packet Overflows.
STEP 1 | Select Workflows > Devices > Claimed Devices, select the device you want to configure.

STEP 2 | From the ellipsis menu, select Configure the Device and select Interfaces, and then select
the Cellular module to edit.


STEP 3 | Select Main Configuration and click the Status icon on the Cellular Module Status tab to
view the Cellular Module and Packet Statistics.

STEP 4 | On the Cellular Module and Packet Statistics window, view the IPv4 and IPv6 Packet
Statistics (Received (Rx) and Transmitted (Tx)) such as Total Bytes, Drops, Packet Successes,
Packet Errors, and Packet Overflows.

Create a Customized APN Profile

Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

An Access Point Name (APN) defines the network path for cellular data connectivity. APN
information is required to connect to a cellular network. An APN could be generic or customized.
Generic or default APN configuration is automatically detected when the device connects to a
carrier network. The device connects to a carrier network using the Auto APN profile option.
Auto APN supports all major carriers in the following countries:
• USA
• Canada
• Japan
• Australia
• Taiwan
• Philippines
• Thailand
• Cambodia
• Vietnam
• Hong Kong
• Korea
• Qatar
For more information, contact Palo Alto Networks Customer Support.
If you need a customized APN, create a new APN on the Prisma SD-WAN web interface. Contact
your network carrier and configure the correct APN to enable connectivity.
STEP 1 | Select Manage > Resources > Configuration Profiles > APN from the home page.

STEP 2 | Create APN Profile.

STEP 3 | Enter a Name for the profile.

STEP 4 | (Optional) Add a Description and Tags for the profile.

STEP 5 | Enter the APN details.


Depending on the SIM, you may need to configure a specific APN to bring the cellular connection
up, and you may need to maintain different APNs for different SIMs. Contact your cellular carrier
for support.

STEP 6 | Select the Authentication Type.


Select from the available options PAP, CHAP, or PAP/CHAP.

STEP 7 | (Optional) Configure the User name and Password given by the cellular carrier.

STEP 8 | Save the changes.


Modify Cellular SIM Settings

Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

Automatic SIM switchover occurs when the primary or the active SIM fails. The switchover occurs
only if there are two SIMs in the ION device and the data session cannot be established for more
than five minutes. SIM switchover is limited to only two times when both the SIMs are unable to
establish a valid data session—SIM 1 to SIM 2 to SIM 1.
When the switchover is initiated, if a different carrier SIM is present in the secondary slot, the
modem is reset and loads a new firmware. If the secondary SIM is from the same carrier, the
modem is not reset.
STEP 1 | Select Workflows > Devices > Claimed Devices, select the device you want to configure.

STEP 2 | From the ellipsis menu, select Configure the Device and select Interfaces, and then select
the Cellular module to edit.


STEP 3 | Select Main Configuration and enter the following information:

The Cellular Module Status and the Name of the module are displayed.


The Radio and GPS are enabled by default.

STEP 4 | (Optional) Add the Description and the Tags.


STEP 5 | Configure the SIMs:


The SIM table displays the SIM slot 1 and SIM slot 2 configuration:
SIM Slot
• Primary—If there is only one SIM, slot 1 is generally the Primary SIM.
If there are two SIMs, you can manually configure slot 2 as the primary SIM by selecting the
radio button.
• Carrier—Displays the Carrier name and whether the SIM PIN is enabled. Lock symbol
indicates the SIM PIN protection is enabled. Unlock symbol indicates that the SIM PIN
protection is not enabled. It is optional to secure the SIM.
SIM protection configuration is done in two steps:
1. Configure the SIM PIN number. Refer to Enter the SIM PIN to Unlock the SIM for more
information.
2. Enable or disable SIM protection.
You can Enable or Disable the SIM PIN and Change PIN. Refer to Manage SIM Operations for
more information.
• SIM Status—Displays if the SIM is in use or is present in the device.

STEP 6 | Save Cellular to update the changes.

Enter the SIM PIN to Unlock the SIM


The SIM PIN prevents unauthorized use of SIM cards. With SIM PIN enabled, a SIM is locked to
a modem. A PIN code is required to unlock the SIM for the modem to access the cellular network
and start data sessions.
The entered PIN is saved in the ION device and this PIN is used for PIN verification when the ION
device is reset. PIN verification is not required for an unlocked SIM.
STEP 1 | Select the ellipsis icon against the SIM and select Enter PIN.


STEP 2 | Enter the PIN Number for the SIM.

The check box Remove PIN from Configuration is deselected by default. When deselected, the
PIN is used to secure the SIM. You cannot use the SIM until the SIM PIN is configured.

STEP 3 | Enable PIN for SIM#1 to enable the PIN for the selected slot.

STEP 4 | Save to save the configuration.

Manage SIM Operations

Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

Secure your SIM cards by using PINs to prevent unauthorized use of the SIM cards. You can
manage the cellular SIM by enabling, disabling or unblocking the SIM PIN.

On an inactive SIM, only PIN configuration can be saved. All other SIM operations such as
enable, disable, unblock or change PIN, are not available.

Set the SIM PIN using the CLI toolkit commands before a device is claimed. The ION device
sends the configured PIN to the controller.

Even before an ION device is claimed, a superuser can configure the APN, SIM security,
and upgrade the firmware using CLI toolkit commands to configure a specific APN to
gain WAN connectivity or to unlock a locked SIM from the provider to establish WAN
connectivity.


Enable the SIM PIN


Enable the SIM PIN to lock the SIM card to a modem so it can't be used until the correct code is
entered to access the cellular network. PIN verification is triggered after every modem reset. You
get three attempts to enable the SIM PIN.

A yellow triangle adjacent to the lock icon indicates failed PIN verification. A red lock
indicates PIN validation failure after the third failed attempt, after which the SIM is
blocked. A PUK (Personal Unblocking Key) from the provider is required to Unblock
SIM PIN. A Device_Cellular_SIM_PUK_Needed alarm is raised when the SIM is
blocked after three failed attempts.

When the active SIM is blocked, an automatic switchover to the secondary SIM, if present, occurs.
STEP 1 | Select the ellipsis icon against the SIM and select Enable PIN.

STEP 2 | Enter a PIN Number.

STEP 3 | (Optional) Save PIN for SIM Slot 2 configuration to enable the SIM PIN in slot 2.
Save the PIN configuration in the ION device for subsequent PIN verifications.
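As an added illustration (not code from the guide or from Prisma SD-WAN), the following Python model encodes the SIM PIN lock rules in this section together with the automatic switchover rules from Modify Cellular SIM Settings; the class and method names, the alarm tuple format and the sample scenario are constructed here, and refusing to fail over to a SIM that is itself blocked is an assumption of the model.

```python
"""Model of the SIM PIN lock and automatic switchover rules from this section.
Added illustration, not Prisma SD-WAN code: names, the alarm tuple and the
sample scenario are constructed; the rules themselves come from the guide.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PIN_ATTEMPTS = 3         # failed attempts before the SIM is blocked (red lock)
SESSION_TIMEOUT_MIN = 5  # data session must fail for more than five minutes
MAX_SWITCHOVERS = 2      # SIM 1 -> SIM 2 -> SIM 1, then no further switchover


@dataclass
class Sim:
    slot: int
    carrier: str
    pin: Optional[str] = None   # PIN saved on the ION device for re-verification
    pin_enabled: bool = False
    failed_attempts: int = 0
    blocked: bool = False       # red lock: PUK needed

    @property
    def status(self) -> str:
        if self.blocked:
            return "blocked_puk_needed"
        if self.failed_attempts:
            return "pin_verification_failed"   # yellow triangle
        return "ok"


@dataclass
class CellularModule:
    sims: List[Sim]             # one or two SIMs, slot 1 listed first
    active_slot: int = 1
    switchovers: int = 0
    modem_resets: int = 0
    alarms: List[Tuple[str, int]] = field(default_factory=list)

    def sim(self, slot: int) -> Sim:
        return next(s for s in self.sims if s.slot == slot)

    @property
    def active(self) -> Sim:
        return self.sim(self.active_slot)

    def verify_pin(self, entered: str) -> bool:
        """PIN verification run on the active SIM after a modem reset."""
        sim = self.active
        if sim.blocked:
            return False
        if not sim.pin_enabled:
            return True                      # unlocked SIM: no verification needed
        if entered == sim.pin:
            sim.failed_attempts = 0
            return True
        sim.failed_attempts += 1
        if sim.failed_attempts >= PIN_ATTEMPTS:
            sim.blocked = True
            self.alarms.append(("Device_Cellular_SIM_PUK_Needed", sim.slot))
            self.switch_sim()                # blocked active SIM: switch if possible
        return False

    def unblock(self, slot: int, puk_valid: bool, new_pin: str) -> bool:
        """Unblock SIM with the provider's PUK and set a new PIN."""
        sim = self.sim(slot)
        if not sim.blocked or not puk_valid:
            return False
        sim.blocked, sim.failed_attempts = False, 0
        sim.pin, sim.pin_enabled = new_pin, True
        return True

    def session_failure(self, minutes_down: int) -> bool:
        """Active SIM cannot establish a data session; switch after >5 minutes."""
        if minutes_down <= SESSION_TIMEOUT_MIN:
            return False
        return self.switch_sim()

    def switch_sim(self) -> bool:
        """Switch to the other slot; True when a switchover happened."""
        if len(self.sims) != 2 or self.switchovers >= MAX_SWITCHOVERS:
            return False
        other = self.sim(2 if self.active_slot == 1 else 1)
        if other.blocked:
            return False                     # assumption: no failover to a blocked SIM
        if other.carrier != self.active.carrier:
            self.modem_resets += 1           # different carrier: reset, load new firmware
        self.active_slot = other.slot
        self.switchovers += 1
        return True


def demo() -> dict:
    """Constructed scenario: wrong PIN entered three times on active SIM 1."""
    mod = CellularModule(sims=[Sim(1, "AT&T", pin="1234", pin_enabled=True),
                               Sim(2, "Verizon")])
    attempts = [mod.verify_pin(p) for p in ("0000", "1111", "2222")]
    return {"attempts": attempts, "active_slot": mod.active_slot,
            "sim1_status": mod.sim(1).status, "alarms": mod.alarms,
            "modem_resets": mod.modem_resets, "switchovers": mod.switchovers}
```

In the scenario, the third wrong PIN blocks SIM 1, raises the Device_Cellular_SIM_PUK_Needed alarm and fails over to the Verizon SIM in slot 2, which, being a different carrier, also counts a modem reset.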

Disable SIM PIN


When the SIM PIN is disabled, PIN verification is not required for the SIM.


STEP 1 | Select the ellipsis icon next to the active SIM and select Disable SIM PIN.

STEP 2 | Enter the PIN number to disable the PIN.

STEP 3 | (Optional) Select the check box to remove SIM PIN configuration.


Unblock SIM PIN


STEP 1 | Select the ellipsis icon next to the active SIM and select Unblock SIM.

STEP 2 | Enter PUK (Personal Unblock Key) code and the new PIN code.

STEP 3 | (Optional) Save the PIN for SIM configuration.


Save the PIN configuration in the ION device for subsequent PIN verifications.

STEP 4 | Select Unblock to save your changes.


Similarly, change the SIM PIN of an active SIM card.

Customize Cellular Firmware

Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

The ION device and the modem store multiple carrier-specific firmware files. The firmware
specific to AT&T, T-Mobile, and Verizon along with Generic (PTCRB and/or GCF certified) are
pre-loaded on the modem and the ION device storage. The appropriate firmware is loaded on the
modem based on the inserted SIM.
The Firmware page displays the current firmwares available on the modem and the current
recommended firmware and version. Upgrade the firmware when the recommended version is
different from the current version for your specific carrier. The ION device downloads the new
firmware from controller inventory and then upgrades the carrier firmware on the modem.


After you customize the firmware, the pre-loaded carrier firmwares on the modem and the
ION device are removed or updated based on the customization.

STEP 1 | Select Workflows > Devices > Claimed Devices, select the device you want to configure.

STEP 2 | From the ellipsis menu, select Configure the Device and select Interfaces > Firmware to
customize.
Firmware Configuration shows the running firmware and version, carriers, current and
recommended versions, and the Update Status. The Update Status recommends if you need to
customize or update the firmware.

STEP 3 | Click Customize Firmware to update the firmware.

STEP 4 | Select Carrier Firmware and the corresponding version and click Next.
You can select a maximum of two firmware files, which are loaded on to the modem. Inactive
firmware is stored on the ION device.
To delete an existing firmware, click the delete icon next to the firmware file.


STEP 5 | For Download and Update Time select whether you want to update the selected firmware
Now or Later.
If you selected Later, select the Download Time and Update Time.
You can choose the Custom time option to update the firmware.

STEP 6 | (Optional) Configure the Advanced settings.


• Leave the Interfaces blank to use the default setting.
• Leave Max Download Time blank for the default setting, or enter a value from 5 to 59 minutes.
• Leave Max Upgrade Time blank for the default setting, or enter a value from 5 to 59 minutes.

STEP 7 | Save the changes.

Cellular Tab

Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

The Cellular tab provides telemetry data for the cellular modules. The charts show the time series
data indicating the quality of the cellular network.
Use the filters to view the data for cellular modules.
• View Cellular Tab
• Cellular Charts
View Cellular Tab
STEP 1 | Select Monitor > Activity > Cellular.

STEP 2 | Use the following filter criteria to refine your data search:
• Select Sites to narrow down analytics per site.
• Select Devices to narrow down analytics per device.
• Select Cellular Modules.
• (Optional) Select Carriers and APNs.
• (Optional) Select Circuits to view traffic by a circuit.

STEP 3 | Click Update charts to show data from the selected filters.
The dashboard displays data for the selected filters for a specific time period.

Cellular Charts
The cellular activity charts present cellular module telemetry data such as the bandwidth
utilization of cellular modules on a site and a device. Select a site, one or more devices, and one or
more cellular modules to view the cellular charts.
You can also filter by Carriers, APN profiles and Circuits. WAN and Paths are not applicable to the
Cellular charts. You can view the data by the available time frame options—1H, 1D, 1W, 1M, and
3M. The data refreshes every 5 minutes; click the Refresh icon to view the latest data at any given
time. Export the data by clicking the Export icon.
• Signal Strength Quality
• Signal Stats
• Traffic Volume
• Technologies
• Bandwidth Usage
• Packet Drops
• Packet Errors
• Packet Overflows
• GPS Locations
• Cellular Tower Switches

Signal Strength Quality


The Signal Strength Quality presents time series data for the quality of the signal strength in terms
of Excellent, Good, Fair, Poor, and Dead Zone. Sort the data by Average, Best (max), or Worst
(min).

Signal Stats
The Signal Stats chart displays various signal-related statistics; use the drop-down to choose which
statistic to display. Sort the data by Average, Best (max), or Worst (min).


• Signal-to-Noise Ratio (SNR)—Signal-to-Noise Ratio levels reported by the module (units: dB)
• Radio Signal Strength Indicator (RSSI)—Radio Signal Strength Indicator levels reported by the
module (units: dBm)
• Reference Signals Received Power (RSRP)—Reference Signals Received Power levels reported
by the module (units: dBm)
• Reference Signals Received Quality (RSRQ)—Reference Signals Received Quality levels
reported by the module (units: dB)
• Reference Signals Code Power (RSCP)—Reference Signals Code Power levels reported by the
module (units: dBm)
The RSCP values show the 3G signal data.

Traffic Volume
The Traffic Volume chart presents the traffic volume in KB on the selected cellular module. The
volume of downloaded and uploaded data is exported to the controller every minute. View the
data by Ingress, Egress, Ingress and Egress, or Summary.

Technologies
The Technologies chart presents the time series data for the cellular technology (3G/LTE/5G)
used at any given time and correlates with signal strength time series data. View the data by
Worst or Best.


Bandwidth Usage
The Bandwidth Usage chart presents the time series data on bandwidth utilized in Kbps on a
Cellular module. The cellular interface throughput is exported to the controller every minute.
Use this chart to identify congestion in a network. View the data by Ingress, Egress, Ingress and
Egress, or Summary.

Packet Drops
The Packet Drops chart shows the number of packets dropped on the cellular module. Correlate
packet drops with bandwidth usage to understand the issue. View the data by Ingress, Egress,
Ingress and Egress, or Summary.


Packet Errors
The Packet Errors chart shows the packet-related errors on the cellular module. Correlate packet
errors with traffic volume and bandwidth usage. View the data by Ingress, Egress, Ingress and
Egress, or Summary.


Packet Overflows
The Packet Overflows chart shows the packet overflows on the cellular module. The chart helps
to analyze bandwidth issues. View the data by Ingress, Egress, Ingress and Egress, or Summary.


GPS Location(s)
The GPS location chart shows the GPS location history of the selected cellular module. If there is
only one GPS location, indicating that the device is static, the chart displays the map of that location.
If there are multiple GPS locations indicating the device is moving, the chart shows the time and
GPS location history with an option to view the location on the map.


Cellular Tower Switches


The Cellular Tower Switches chart presents the time series data for the number of cellular tower
switches by the selected cellular module. If the ION device is mobile or if the device is close to more
than one cellular tower, tower switches are likely to happen and are indicated in the chart. Use this
chart to correlate with the signal strength time series data.

Configure a Sub-Interface

Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

You can create sub-interfaces on physical or virtual interfaces and use bypass pairs for Local Area
Networks (LANs) and private and public Wide Area Networks (WANs). A sub-interface is created
by dividing one physical interface into multiple virtual interfaces.
The parent interface can be an Ethernet port, a virtual port, or a bypass pair that does not contain
any configuration. You cannot configure a sub-interface on the controller port or any interfaces or
bypass pairs already configured with loopback as a member with PPPoE or standard VPNs.
• If the sub-interface is on a bypass pair and the sub-interface is used for internet or private
WAN, then the sub-interface is created on the bypass pair's WAN port.
• If the sub-interface is on a bypass pair and the sub-interface is used for LAN, then the sub-
interface is created on the LAN port of the bypass pair.
Multiple sub-interfaces may be configured on a physical or virtual interface or bypass pairs. If
multiple interfaces are configured, a VLAN ID is required to create and uniquely identify each sub-
interface.
On device releases before 5.1.x, LAN sub-interfaces may only be used for the following branch
services. Release 5.1.1 and later device releases enable LAN sub-interfaces to forward user and
application traffic in addition to the following branch services.
• DHCP Server
• DHCP Relay
• DHCP Relay source interface
• SNMP Agent
• SNMP Trap source interface
• Ping to and from the interface IP
• Secure Socket Shell (SSH) access to the ION device CLI commands
You cannot configure a Virtual Interface (VI) on a sub-interface. DHCP Relay and DHCP server
cannot be configured on the same sub-interface. DHCP Relay when configured on a sub-
interface:
• Can listen to broadcast and unicast DHCP requests.
• Can use the sub-interface as the source interface to reach DHCP servers.
When SNMP is configured on a sub-interface:
• An SNMP Agent can listen to unicast requests.
• An SNMP Trap can use the sub-interface as the source interface to reach SNMP servers.
When a Virtual Routing and Forwarding (VRF) table is configured on a sub-interface:
• Select LAN type interface for branch sites.
• Select Peer with the Network for data center sites.
STEP 1 | Select Workflows > Devices > Claimed Devices, select the device you want to configure.

STEP 2 | Select the Interfaces tab.

STEP 3 | Select a port.

STEP 4 | For Admin Up, select Yes.

STEP 5 | (Optional) Enter a Description.

STEP 6 | Leave Use This Port To and IPv4 Configuration blank.

STEP 7 | For VRF, select Global or any other custom VRF listed. VRF Global is enabled only when the
associated device supports VRF.

Currently, VRF supports LAN. Configure the sub-interface individually, as the sub-
interface configurations don’t inherit from the parent interface.

STEP 8 | Save Port.

STEP 9 | Click the Sub-Interfaces tab.

STEP 10 | Select + Add Sub-Interface to create a new sub-interface.

STEP 11 | For Admin Up, select Yes.

STEP 12 | (Optional) Enter a Description.

STEP 13 | From the Use This Sub-Interface To drop-down, select the option applicable to the interface
you are configuring: Connect to Internet or Peer with a Network.


STEP 14 | For Circuit Label, select circuits and click Done.

STEP 15 | Enter a VLAN ID.


The VLAN ID can be updated or changed.

STEP 16 | Mark the Native VLAN box if the identified sub-interface is used for native VLAN.
Only one sub-interface of a parent interface can be configured for native VLAN. By default,
the native VLAN box is unchecked.

DNS Servers need to be entered for Internet and Private WAN but not for LAN.

STEP 17 | (Optional) If DHCP Relay functions are required, choose DHCP for the Configuration field.
Change Add DHCP Relay from No to Yes.


STEP 18 | Select Create Sub-Interface.

The following use case shows a topology in which a sub-interface is used for the MPLS
connection to the provider router on the WAN side. On the LAN side, there is a trunk interface
with 2 VLANs (user and server) connected to a LAN switch.

The interface configuration summary for the above topology is as follows:

[Figure: Interface configuration summary for the above topology]

[Figure: Detailed configuration for LAN sub-interface 3.100]

[Figure: Detailed configuration for LAN sub-interface 3.101]

[Figure: Detailed configuration for WAN sub-interface 2.200]
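As an added example that is not part of the guide or of Prisma SD-WAN's own tooling, the following Python checker applies the sub-interface rules from this section (no sub-interfaces on the controller port, an unconfigured parent, VLAN ID required and unique once a parent carries several sub-interfaces, a single native VLAN per parent, DNS servers and a circuit label for Internet and Private WAN only, no DHCP Relay and DHCP Server on the same sub-interface) to the MPLS/trunk use case above; the dictionary layout, the field names, the VLAN IDs read off the interface names, the circuit label and the addresses are constructed assumptions.

```python
"""Validator for the sub-interface rules stated in this section, run against the
MPLS/trunk use case (LAN sub-interfaces 3.100 and 3.101, WAN sub-interface 2.200).

Added example, not Prisma SD-WAN code. The dictionary layout, the field names,
the VLAN IDs 100/101/200 taken from the interface names, the circuit label and
the IP/DNS addresses are all constructed here.
"""
from collections import Counter
from typing import Dict, List

WAN_ROLES = {"internet", "private_wan"}   # Connect to Internet / Peer with a Network


def bypass_member_port(pair: Dict[str, str], used_for: str) -> str:
    """A sub-interface on a bypass pair lands on the WAN or the LAN member port."""
    return pair["wan_port"] if used_for in WAN_ROLES else pair["lan_port"]


def validate_subinterfaces(parents: Dict[str, dict], subifs: List[dict]) -> List[str]:
    """Return the rule violations found (an empty list means the config passes).

    parents maps a parent name to {"type": "controller"|"ethernet"|"virtual"|
    "bypass_pair", "configured": bool}; subifs is the list of sub-interface dicts.
    """
    errors: List[str] = []
    per_parent = Counter(s["parent"] for s in subifs)
    native_per_parent = Counter(s["parent"] for s in subifs if s.get("native_vlan"))
    seen_vlans = set()

    for s in subifs:
        name, parent = s["name"], parents.get(s["parent"])
        if parent is None:
            errors.append(f"{name}: parent {s['parent']} does not exist")
            continue
        if parent["type"] == "controller":
            errors.append(f"{name}: no sub-interfaces on the controller port")
        if parent.get("configured"):
            errors.append(f"{name}: parent {s['parent']} must carry no configuration")
        # A VLAN ID is required once the parent carries more than one sub-interface,
        # and it must be unique on that parent.
        vlan = s.get("vlan_id")
        if per_parent[s["parent"]] > 1 and vlan is None:
            errors.append(f"{name}: VLAN ID required (parent has several sub-interfaces)")
        if vlan is not None:
            if (s["parent"], vlan) in seen_vlans:
                errors.append(f"{name}: VLAN {vlan} already used on parent {s['parent']}")
            seen_vlans.add((s["parent"], vlan))
        # DNS servers and a circuit label are needed for Internet and Private WAN, not LAN.
        if s["used_for"] in WAN_ROLES:
            if not s.get("dns_servers"):
                errors.append(f"{name}: DNS servers required for {s['used_for']}")
            if not s.get("circuit_label"):
                errors.append(f"{name}: circuit label required for {s['used_for']}")
        if s.get("dhcp_relay") and s.get("dhcp_server"):
            errors.append(f"{name}: DHCP Relay and DHCP Server cannot share a sub-interface")

    for parent_name, count in native_per_parent.items():
        if count > 1:
            errors.append(f"{parent_name}: only one sub-interface may be the native VLAN")
    return errors


# Constructed representation of the use-case topology: port 1 is the controller
# port, port 2 faces the MPLS provider router, port 3 is the trunk to the LAN switch.
TOPOLOGY_PARENTS = {
    "1": {"type": "controller", "configured": False},
    "2": {"type": "ethernet", "configured": False},
    "3": {"type": "ethernet", "configured": False},
}
TOPOLOGY_SUBIFS = [
    {"name": "3.100", "parent": "3", "vlan_id": 100, "used_for": "lan",
     "ip": "10.100.0.1/24", "dhcp_server": True},            # user VLAN
    {"name": "3.101", "parent": "3", "vlan_id": 101, "used_for": "lan",
     "ip": "10.101.0.1/24", "dhcp_relay": True},             # server VLAN
    {"name": "2.200", "parent": "2", "vlan_id": 200, "used_for": "private_wan",
     "ip": "192.0.2.2/30", "circuit_label": "MPLS",
     "dns_servers": ["192.0.2.53"]},                         # MPLS to provider router
]


if __name__ == "__main__":
    problems = validate_subinterfaces(TOPOLOGY_PARENTS, TOPOLOGY_SUBIFS)
    print("OK" if not problems else "\n".join(problems))
```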

Configure a Loopback Interface


Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

Loopback is a logical, virtual interface used to emulate a WAN port to provide LAN functionality.
You can free up a physical port previously used for LAN/WAN configuration by designating a
loopback interface. You can configure a maximum of four loopback interfaces per device.
ION devices at a site running version 4.5.3 or later support loopback interfaces. A loopback interface
can only be used as a WAN port on interfaces with no hardware bypass circuitry. Interfaces with
no hardware bypass circuitry per device are as follows:
• ION 1000—All ports.
• ION 1200—All ports.
• ION 2000—Ports 1–3.
• ION 7000—Ports 1–4, 9–14.
• Virtual IONs—All non-controller ports.


A loopback interface may be brought up or down administratively and may not contain any sub-
interfaces or IP configurations.
• You can update or delete a loopback interface. However, you cannot delete if it is part of a
bypass pair.
• Decouple a port coupled with another port before a loopback interface can be coupled to
create a bypass pair.
• The only valid option in the Use These Ports For drop-down is Private Layer 2 for a bypass pair
that is made up of a physical LAN port and a loopback interface as the WAN port.
• The network policy rules assigned to such a site must not have any rules using the Direct on
private WAN path. Valid paths are Direct on public or VPN on public. Traffic is dropped if a
direct on private path is used.
STEP 1 | Select Workflows > Devices > Claimed Devices, select the device you want to configure.

STEP 2 | Select the Interfaces tab.

STEP 3 | On the interface configuration page for a device, click the + add icon to add a loopback
interface and select Add.

STEP 4 | For Admin Up, select No or Yes to administratively bring the interface up or down.

STEP 5 | Enter a Description and select Create Loopback.


The system assigns a default loopback ID to the interface. A confirmation message displays
that the loopback interface is successfully created.

STEP 6 | Next, select a port to be configured with a loopback interface.

STEP 7 | For Admin Up, select No or Yes to administratively bring the interface up or down. The
default is Yes.

STEP 8 | (Optional) Enter a Description.

STEP 9 | From the Interface Type drop-down, select Bypass Pair.

STEP 10 | From the Pair With drop-down, select the Loopback Interface.
A confirmation message displays.

STEP 11 | Select Done to create the bypass pair with the loopback interface.
A confirmation message displays that the port and the loopback interface were created successfully.


STEP 12 | For Use These Ports For, select Private L2 from the drop-down.
This is the only valid option for a bypass pair that is made of a physical LAN port and a
loopback interface for the WAN port.

STEP 13 | Select the Circuit Label from the drop-down.

STEP 14 | (Optional) If you choose Copy Settings from Another Port, select the bypass pair to copy the
settings. If not, you may leave it blank.

STEP 15 | Similar to configuring bypass pairs, for Attached Networks, enter a VLAN ID, IP Address at
Router, an optional Network Context, and toggle the scope to Local or Global.

STEP 16 | Save Bypass Pair.


The port and the loopback interface are displayed under Interfaces.

Virtual Interface
Where Can I Use This?
• Prisma SD-WAN
What Do I Need?
• Active Prisma SD-WAN license

A Virtual Interface enables the combination of two physical ports into one logical interface. Virtual
Interfaces provide increased redundancy in areas of the network where uptime is critical and
additional design flexibility is needed.
A Virtual Interface can contain a maximum of two member interfaces and is used to ensure
redundant physical connectivity from a device to one or more switches, routers, or firewalls. For
example, two controller ports may be connected to two Layer 2 switches for physical redundancy
of controller port connectivity.
In order for a port to be an eligible Virtual Interface member it must be a:
• Physical port—Cannot be a bypass pair nor a logical interface.
• Similar port type—For example, a controller port can only be added to a virtual interface with
another controller port.
• Default configuration—The interface cannot have any type of IP, sub-interface, used-for, circuit
label, nor PPPoE configuration.


A virtual interface can be created, updated, or deleted. It displays as Down if both the member
interfaces are operationally down, and Up if at least one of the member interfaces is operationally
up.

Deployment Topologies of Virtual Interface


Virtual Interfaces can be configured on both branch and data center ION devices. A few sample
deployment topologies are discussed below.

Controller Port Redundancy


Controller port redundancy is enabled for both branch and data center ION devices where
applicable.
In this scenario, the virtual interface is used to provide physical redundancy from a single Prisma
SD-WAN ION device with dual controller ports to two Layer 2 switches in the event of a port
failure between the ION devices and one of the switches.
The ION device has each controller port physically connected to two different switches. A new
virtual interface is configured with the two member interfaces, controller ports 1 and 2. IP address
information is configured on the virtual interface controller port. In the event of a loss of a switch
or controller port, controller connectivity remains uninterrupted.

Branch Deployments
Branch site deployments shown below include scenarios where a virtual interface is configured
for port redundancy when an ION device is connected to a LAN switch or when a firewall is
present.
Branch ION Device LAN Port Redundancy
In this scenario, the virtual interface is used to provide physical redundancy from a single ION
device to two Layer 2 switches in the event of an uplink failure between the ION device and one
of the switches.
The ION device is physically connected to two Layer 2 switches with VLAN 100 defined on each
switch. A new virtual interface is configured with two member interfaces, ports 1 and 2. A sub-
interface for VLAN 100 is created on the new virtual interface and the appropriate IP information
is configured.
Once configured, the application traffic from clients connected to VLAN 100 is sent to the IP
address (and corresponding MAC address) bound to the VLAN 100 sub-interface of the virtual
interface. In the event of a physical interface failure, the other interface assumes the forwarding
role for the failed interface.


Branch ION Device Internet Port Redundancy


In this scenario, a virtual interface is used to provide internet uplink port redundancy between a
single branch ION device and an active / backup firewall pair. The firewall pair is responsible for
inspecting untrusted internet traffic that is sent direct on the internet by the ION device.
The ION device is physically connected directly to each firewall. A new virtual interface is
configured with two member interfaces, ports 1 and 2. Since a VLAN tag is not required for this
configuration, the IP address information is configured directly on the virtual interface along
with 'Used For Internet.' Corresponding port tracking should be configured on the firewall pair to
ensure that a unit goes inactive or standby in the event of a failure of the port connected to the
ION device.

For purposes of load-balancing or redundancy, these firewalls can be configured in an
active-active or active-standby mode.

Data Center Deployments


Data Center deployments include scenarios where an ION device is deployed with two core peers
in the same subnet with a firewall for internet circuits.
Redundancy in Data Center ION Device Deployment with 2 Core Peers in the Same Subnet
In this scenario, a virtual interface is used to provide redundant physical connections to a pair
of Layer 3 core switches. The ION device is peering via BGP with both switches in the same IP
network.
The Data Center ION device is physically connected to each of the Layer 3 Core switches
with VLAN 10 defined on each switch. A new virtual interface is configured with two member
interfaces, ports 1 and 2. A sub-interface for VLAN 10 is created on the new virtual interface and
the appropriate IP information is configured. Corresponding BGP Peers are configured on both
the ION device and the core switches.
Traffic is forwarded in an active-active fashion based on the route tables of the devices. In the
event of an interface or core switch failure, data center connectivity is maintained.

This scenario is applicable both to dual-core control plane designs, as depicted, and to
single-core control plane designs such as a switch stack.

Redundancy in Data Center ION Device Deployment with Internet Circuits and Firewall
In this scenario, a virtual interface is used to provide redundant physical connections to a pair of
Layer 2 switches that are connected to an internet-facing firewall pair. The ION device uses the
firewall as the default gateway for the redundant internet-facing ports.
The Data Center ION device is physically connected to each of the Layer 2 switches through an
untagged switch interface. A new virtual interface is configured with two member interfaces,
ports 1 and 2. Since a VLAN tag is not required for this configuration, the IP address information
is configured directly on the virtual interface along with 'Connect to Internet' configuration.
Configure the corresponding port tracking on the firewall pair to ensure that a unit goes inactive
or standby in the event of a failure of the port connected to the ION device.

Add and Configure a Virtual Interface

Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

STEP 1 | Select Workflows > Devices > Claimed Devices, and select the device you want to configure.


STEP 2 | Click the add icon to add a virtual interface and select Add.

STEP 3 | For Admin Up, select Yes to administratively bring the interface up, or No to bring it
down.
• An interface is not operational if Admin Up is No.
• Admin Up must be Yes for a virtual interface with controller ports.
• Admin Up can be Yes or No for a virtual interface with non-controller ports.

STEP 4 | Enter a Name and Description for the virtual interface.

STEP 5 | (Optional) Add Tags.

STEP 6 | For Virtual Interface Members, select a maximum of two interfaces from the drop-down.
The interfaces can be either controller ports or non-controller ports. A combination of
controller and non-controller ports is not allowed. Configuring the second controller port
provides port-level and cable-level redundancy.

STEP 7 | For Use These Ports For, select an appropriate option from the drop-down.
• For controller ports, the option can be None.
• For non-controller ports, the available options are: LAN, Internet, and Private WAN.

STEP 8 | For Scope, select Global or Local.
• When Global is selected, the IP addresses are advertised into the Prisma SD-WAN Fabric.
• When Local is selected, the IP addresses are not advertised into the Prisma SD-WAN Fabric.

STEP 9 | For Circuit Label, select the circuit label that corresponds to the connection for this site.
A circuit label cannot be attached to a virtual interface composed of two controller ports.

STEP 10 | For IPv4 Configuration, select DHCP or Static.
• If the IP address is dynamically assigned, select DHCP.
• If the IP address is fixed and specified manually, select Static. If you select Static, specify
the IP Address/Mask, Default Gateway, and DNS server(s).

STEP 11 | Select Enable IPv6 On This Interface to configure IPv6.


STEP 12 | For IPv6 Configuration, select AutoConf or Static.


Autoconf (automatic interface configuration) indicates the Global IP address is derived using
stateless address autoconfiguration (SLAAC).
Choose Static if the IP address is fixed and is manually assigned. Additionally specify the IPv6
Address/Mask, Default Gateway (IPv6), and DNS server(s)(IPv6).

IPv6 configuration is available for Private WAN and Internet ports.

STEP 13 | If DHCP Relay functions are required, select DHCP. Change Add DHCP Relay from No to
Yes.

STEP 14 | Click Create Virtual Interface to complete the configuration.

Prisma SD-WAN Standard VPN


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

Prisma SD-WAN ION devices can communicate with other Prisma SD-WAN devices through
Prisma SD-WAN Secure Fabric Links or communicate with standard VPN endpoints through
traditional IPsec or GRE tunnels. Similar to all other paths, a standard VPN will be monitored
for application reachability and best path selection. Traffic on a standard VPN is subject to QoS
policies.
A Standard VPN can be of type:
• IPsec
• GRE
A standard VPN has two endpoints—one endpoint is on the Prisma SD-WAN ION device and the
other endpoint is on the remote peer. You can configure a combination of IPsec and GRE tunnels
from an interface on the ION device to a standard VPN endpoint. However, there cannot be two
tunnels of the same type to the same endpoint from the same interface.
When you connect a Prisma SD-WAN branch with a non-Prisma SD-WAN branch through
a private WAN and you select direct private WAN as a viable route, traffic flows seamlessly
between these sites without any additional configuration. When using an internet WAN, you
can manually configure an IPsec or GRE tunnel to enable direct traffic flow between Prisma SD-WAN
branch sites and non-Prisma SD-WAN sites. For a streamlined autoconfiguration of IPsec
or GRE tunnels, explore the available options provided by CloudBlade. For more details, refer to
CloudBlade Integrations.

Create an IPsec Profile


To create and configure an IPsec VPN connection between a branch device and a cloud security
service endpoint, you must configure both endpoints with the same crypto settings. Since crypto
settings required to connect to the cloud security service are likely to be the same across all ION
devices, an IPsec profile can be configured once and reused across all ION devices.
Before you configure the IPsec profile on Prisma SD-WAN, make sure you have the IPsec
protocols and authentication details required to connect to the cloud security service endpoint or
consult your cloud security service provider’s documentation for relevant details.
STEP 1 | Select Manage > Resources > Configuration Profiles and then select IPsec.

STEP 2 | To add a new IPsec Profile, click Add IPsec Profile.


Any previously created IPsec profiles are listed here.

STEP 3 | On the Info screen, enter a name for the IPsec Profile and (optional) enter a description and
tags.


STEP 4 | Click Next and proceed to define the IKE Group.


1. For the Key Exchange field, select IKEv1 or IKEv2.
2. If required, select a lifetime for the IKE Group from the Lifetime drop-down.
The default lifetime of an IKE Group is 24 hours. The tunnel has to be re-established
after the lifetime expires.
3. Enter the port number of the communication port in the Port field.
The default port is 500. The port number configured in the IKE group has to be the same as
the port number configured in the standard VPN endpoint IKE group.
4. Select the mode of operation from the Mode drop-down.
The mode for IKEv1 can be Main or Aggressive. Choose Aggressive mode if the source
interface or endpoint is behind NAT or there are multiple tunnels to the same remote
endpoint.
The mode for IKEv2 is ReAuth. If selected, a new tunnel has to be re-negotiated when
the lifetime is reached.
5. On the Proposals screen, select a DH Group, Encryption and Hash.
Proposals is a list of crypto parameters to be used to secure the IKE and ESP sessions
between the ION device and the endpoint.

The set of parameters selected in the Proposals screen have to be identical to the
set of parameters selected for the standard VPN endpoint. You can add a proposal
by clicking Add Proposal. Up to 8 proposals can be added. While establishing
the IPsec tunnel, the system checks for a proposal match with the standard VPN
endpoint.
6. On the DPD tab, select whether Dead Peer Detection (DPD) is enabled.
If enabled, enter the DPD delay and DPD timeout in seconds for IKEv1. If DPD fails within
the configured timeout period, a new tunnel is attempted. For IKEv2, there is no DPD
timeout; instead, a series of 5 retransmissions is used.

STEP 5 | Click Next and proceed to define the ESP Group.


1. If required, select a lifetime for the ESP Group from the Lifetime drop-down.
The default lifetime of an ESP Group is 24 hours.
2. Choose the type of encapsulation from the Encapsulation drop-down.
You can choose Auto or Force UDP. The type of encapsulation selected has to match the
encapsulation configured at the standard VPN endpoint.
3. Configure parameters in the Proposal tab, and then click Next.


STEP 6 | On the Authentication screen, select the authentication type as either PSK or Certificates
from the Type drop-down.
• For PSK authentication:
1. Enter a secret in the Secret field.

This field is mandatory.

2. For the Local ID Type, choose between Interface IP Address, Hostname or Custom.
3. Enter an optional ID for the standard VPN endpoint in the Remote ID field.
• For Certificate authentication:
1. For the Certificate field, upload the certificate by clicking Import File.
2. Similarly upload a CA certificate in the Local CA Certificate field and a private key file in
the Private Key field.
3. (Optional) You can choose to upload the standard VPN endpoint CA certificate in the
Remote CA Certificate field.

STEP 7 | Click Next to proceed to the Summary screen.

STEP 8 | Review the parameters selected and click Save and Exit.

All new customer tenants should have the default IPsec profiles allocated which match
the best practices of some of our cloud partners. These default profiles can be copied and
manipulated to meet the needs specific to standard VPN services. If these default profiles are
not present on your tenant, open a support case to have them allocated.

Configure Generic Routing Encapsulation (GRE) Tunnels


Prisma SD-WAN supports Generic Routing Encapsulation (GRE) tunnels from branch or data
center sites to standard VPN endpoints to integrate with cloud security services. Because GRE
provides no encryption or authentication, as a best practice we strongly recommend applying a
Zone Based Firewall Policy to any traffic that uses GRE over an insecure transport, such as the
Internet. Additionally, consider implementing Source Network Address Translation (NAT) for any
traffic going through a GRE tunnel to obscure the internal IP addressing scheme. Exposure of the
internal addressing scheme along with unencrypted data over GRE can significantly increase the
attack surface at a site.
STEP 1 | Select Workflows > Devices > Claimed Devices.


STEP 2 | From the ellipsis menu, select Configure the device.

STEP 3 | Select Interfaces and click the + add icon to create a new interface as Standard VPN.


STEP 4 | On the Configure Interface: New Standard VPN screen, set up the Main Configuration for
the new interface.
1. For Admin Up, select Yes.

GRE tunnels are stateless by design: the GRE tunnel is considered established when the
standard VPN interface is created and the parent interface is up.
When Keep-Alive is disabled, the standard VPN interface immediately enters the
Up state when:
• The standard VPN interface is created.
• The parent interface is up.
• Admin Up is set to Yes.
The standard VPN interface may later be moved to the Down state by the failure of a
liveliness probe, if one or more were configured on the standard VPN endpoint associated
with this interface. We strongly recommend enabling GRE keep-alive or configuring a
liveliness probe on the standard VPN endpoint so that a failure is detected and traffic is
not black-holed.
2. (Optional) Enter a Name, Description, and Tags.
3. Select GRE as the Standard VPN Type.
The Interface Type must display as Standard VPN.
4. Select a Parent Interface to establish the GRE tunnel.
For a branch ION device, any of the following ports can be used as a parent interface:
• Internet L3 Port
• Private WAN L3 Port
• Virtual Interface (private and public)
• PPPoE interface
• Bypass Pair - Internet and Private WAN ports
• Sub-Interfaces - Internet and Private WAN ports
For a data center ION device, any of the following ports can be used as a parent interface:
• Any Connect to Internet port
• Any Connect to Peer Network port
The following interfaces, which don’t have an IP address, can’t be used as a parent interface:
• A Private Layer 2 port of a bypass pair
• A Loopback interface
5. Toggle Scope to Local or Global.
6. For VRF, select Global or any other custom VRF listed. VRF Global is enabled only when the
associated device supports VRF.

Currently, VRF supports LAN. Two standard VPNs in two different VRFs cannot
have the same overlay endpoint IP Address. Example of a disallowed configuration:
SL1 (VRF: RED)  sl1_ip: 1.1.1.1
SL2 (VRF: Blue) sl2_ip: 1.1.1.1

7. Enter an Inner Tunnel IP Address or Mask.


The address is the address of the innermost envelope's payload. When the standard VPN
peer receives the IP packet from the tunnel interface, the outer IP header and GRE header
are removed. The packet is then routed based on the Inner Tunnel IP Address.
8. (Optional) Enter values for Checksum and Keep Alive.
The default value for Keep-Alive Interval is 10 seconds, which implies that a Keep-Alive is
sent every 10 seconds. The default value for Keep-Alive Retry Count is 3, which means that
the device tries sending a keep alive three times before declaring the interface to be down.

• If you configure Keep-Alive on the ION device, the standard VPN peer device
must be capable of replying to the Keep-Alive. If the ION device does not
receive a response from the peer device within the configured Keep-Alive Retry
Count, the interface is marked as down.
• Devices acting as remote service endpoints don't support Prisma SD-WAN
GRE Keep-Alives. In such cases, you may need to use service endpoint liveliness
probes instead.
• If the Prisma SD-WAN Data Center devices do not support service endpoint
configuration, liveliness probes cannot be configured, and multiple remotes
and remote selection cannot be used.
• If NAT is performed between the local and remote endpoints of the GRE tunnel, it
may disrupt the use of GRE Keep-Alives.
• If Checksum is configured on the ION device, the standard VPN peer device
must also respond with a checksum in its GRE header. If the standard VPN
peer device doesn’t support Checksum, the packet is dropped as a Frame Error.
9. Select a Standard VPN Endpoint from the Endpoint field.
The GRE tunnel can only be created if the standard VPN interface has an endpoint or Peer
IP configured. The Peer IP must be available either through the endpoint or the Peer IP
field.
An endpoint must be configured when the ION device is being used at a branch site. This
enables the endpoint to be used in path policies to direct traffic. Endpoints can, but aren’t
required to, specify IP addresses or host names of the possible peer device(s).
The Peer IP overrides any IP addresses provided by the endpoint. If the ION device is being
used at a Data Center site, the Peer IP has to be provided.


10. Click Create Standard VPN.
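The Admin Up note in step 1 and the Keep-Alive settings in step 8 together define when a GRE standard VPN interface is Up and how long a dead peer can go unnoticed. The following is an added example, not Prisma SD-WAN code: it models those rules with a small simulation. The class and method names are assumptions made for illustration, and the recovery of the interface on the next answered keep-alive is also an assumption; the guide only states when the interface is marked down.

```python
"""Simulate a GRE standard VPN interface under the guide's keep-alive rules.

Added example, not Prisma SD-WAN code. Names are assumptions; the default
interval (10 s) and retry count (3) are the defaults stated in the guide.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass
class GreInterface:
    admin_up: bool = True
    parent_up: bool = True
    keepalive_enabled: bool = True
    keepalive_interval: int = 10     # seconds between keep-alives (default 10)
    keepalive_retry_count: int = 3   # misses before the interface is marked down (default 3)

    def initial_state(self) -> str:
        """GRE is stateless: the interface is Up as soon as it exists, its
        parent is up, and Admin Up is Yes. Nothing else is checked."""
        return "Up" if (self.admin_up and self.parent_up) else "Down"

    def detection_time(self) -> Optional[int]:
        """Worst-case seconds before a dead peer is noticed by keep-alives,
        or None when nothing on this interface would ever notice."""
        if not self.keepalive_enabled:
            return None
        return self.keepalive_interval * self.keepalive_retry_count

    def simulate(self, replies: Iterable[bool]) -> List[Tuple[int, str]]:
        """Walk through keep-alive rounds. replies[i] says whether the peer
        answered the keep-alive sent at time (i + 1) * interval. Returns the
        (time, state) timeline starting at t = 0."""
        state = self.initial_state()
        timeline = [(0, state)]
        if not self.keepalive_enabled:
            # No keep-alive and no liveliness probe: the interface stays Up even
            # if the far end is dead, so traffic is black-holed (the guide's warning).
            return timeline
        misses = 0
        for i, answered in enumerate(replies):
            t = (i + 1) * self.keepalive_interval
            if answered:
                misses = 0
                # Assumption: an answered keep-alive brings the interface back Up.
                state = self.initial_state()
            else:
                misses += 1
                if misses >= self.keepalive_retry_count:
                    state = "Down"   # retry count exhausted: interface marked down
            timeline.append((t, state))
        return timeline


def first_down_time(timeline: List[Tuple[int, str]]) -> Optional[int]:
    """Time of the first Down entry in a timeline, or None if never down."""
    for t, state in timeline:
        if state == "Down":
            return t
    return None


if __name__ == "__main__":
    gi = GreInterface()
    # Constructed reply pattern: one answer, then the peer goes silent.
    tl = gi.simulate([True, False, False, False, True])
    print("detection time:", gi.detection_time(), "s")
    print("timeline:", tl, "first down at", first_down_time(tl))
    print("no keep-alive:", GreInterface(keepalive_enabled=False).simulate([False] * 3))
```

With the defaults, a silent peer is noticed after 30 seconds (three missed keep-alives, ten seconds apart); with keep-alive disabled the timeline never leaves Up, which is exactly the black-hole case the note above warns about.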

Configure Data Center (DC-DC) Interconnectivity

Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

Prisma SD-WAN supports standard VPN for connection between two Data Center ION devices.
If both DC ION devices try to initiate the tunnel, the tunnel will not be established. To
overcome this issue, Prisma SD-WAN supports a responder-only mode for DC ION devices, so
that the ION device only responds to the IKE connection and does not initiate it.

Prisma SD-WAN currently supports this feature only for IPsec VPNs and not for GRE
VPNs. Prisma SD-WAN supports both IKEv1 and IKEv2.

STEP 1 | Select Manage > Workflows > Devices > Claimed Devices.

STEP 2 | From the ellipsis menu, select Configure the device.


STEP 3 | On the Configure Interface: New Standard VPN screen, set up the Main Configuration for
the new interface.
1. For Admin Up, select Yes.
2. (Optional) Enter a Name, Description, and Tags.
3. Select IPsec as the Standard VPN Type.
The Interface Type must display as Standard VPN.
4. Select a Parent Interface to establish the tunnel.
For a data center ION device, any of the following ports can be used as a parent
interface:
• Any Connect to Internet port
• Any Connect to Peer Network port
5. Toggle Scope to Local or Global.
6. Enter an Inner Tunnel IP Address or Mask.
7. For the Endpoint name, add the name of the connected Data Center site.
Note that although configured, the Endpoint will not be pushed to the DC ION device,
since the Endpoint applies only for a branch ION device. Hence, you have to enter a
Peer IP for the tunnel to be established.
8. Enter a Peer IP of the connected DC site.

The Peer IP is mandatory for a DC-DC tunnel.

9. Select an IPsec Profile.


Select a created IPsec profile.
10. Under Advanced Options, navigate to Passive Mode.
By default, Passive Mode is No, which means that the device can act as both a responder
and an initiator.
(Optional) Select Yes for Passive Mode to put the ION device in responder-only
mode. Set one end of the tunnel to Yes and the other end to No.

STEP 4 | Click Create Standard VPN.


You can view the DC-DC tunnels on the Overlays Connection page for a DC site.
Port Translation between Data Centers
If one of the ION devices is behind a NAT device, you need to configure an inbound DNAT
rule for port translation for the receiving ION device, so that port 4500 is translated to port
4501 for a given IP address.
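Both the IPsec profile procedure (Create an IPsec Profile) and the DC-DC procedure above come down to a set of settings that must agree on the two sides: IKE version and port, at least one common IKE and ESP proposal, encapsulation, authentication type, a mandatory Peer IP on a DC ION device, and exactly one DC end in Passive Mode. The following is an added example, not Prisma SD-WAN code or its API: a pre-flight check that models both sides as plain Python objects whose field names mirror the UI labels (they are assumptions, not controller identifiers) and lists every mismatch before anything is pushed to a device.

```python
"""Pre-flight compatibility check for a standard VPN (IPsec) pair.

Added example, not Prisma SD-WAN code. Field names are assumptions chosen to
mirror the UI labels in the guide; they are not API identifiers.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_PROPOSALS = 8   # the guide allows up to 8 proposals


@dataclass(frozen=True)
class Proposal:
    dh_group: str
    encryption: str
    hash: str


@dataclass
class IpsecSide:
    name: str
    key_exchange: str               # "IKEv1" or "IKEv2"
    ike_port: int = 500             # default IKE port from the guide
    ike_proposals: List[Proposal] = field(default_factory=list)
    esp_proposals: List[Proposal] = field(default_factory=list)
    encapsulation: str = "Auto"     # "Auto" or "Force UDP"
    auth_type: str = "PSK"          # "PSK" or "Certificates"
    passive_mode: bool = False      # DC-DC responder-only mode
    peer_ip: Optional[str] = None   # mandatory for a DC-DC tunnel
    is_data_center: bool = False


def matching_proposals(local: List[Proposal], remote: List[Proposal]) -> List[Proposal]:
    """Proposals present on both sides, in local preference order."""
    remote_set = set(remote)
    return [p for p in local if p in remote_set]


def check_pair(a: IpsecSide, b: IpsecSide) -> List[str]:
    """Return human-readable problems; an empty list means the pair is compatible."""
    problems: List[str] = []
    for side in (a, b):
        if len(side.ike_proposals) > MAX_PROPOSALS:
            problems.append(f"{side.name}: more than {MAX_PROPOSALS} IKE proposals")
        if side.is_data_center and not side.peer_ip:
            problems.append(f"{side.name}: Peer IP is mandatory on a DC ION device")
    if a.key_exchange != b.key_exchange:
        problems.append(f"IKE version mismatch: {a.key_exchange} vs {b.key_exchange}")
    if a.ike_port != b.ike_port:
        problems.append(f"IKE port mismatch: {a.ike_port} vs {b.ike_port}")
    if not matching_proposals(a.ike_proposals, b.ike_proposals):
        problems.append("no common IKE proposal (DH group / encryption / hash)")
    if not matching_proposals(a.esp_proposals, b.esp_proposals):
        problems.append("no common ESP proposal")
    if a.encapsulation != b.encapsulation:
        problems.append(f"encapsulation mismatch: {a.encapsulation} vs {b.encapsulation}")
    if a.auth_type != b.auth_type:
        problems.append(f"authentication type mismatch: {a.auth_type} vs {b.auth_type}")
    # DC-DC: if both ends may initiate, the tunnel does not come up; if both are
    # responder-only, nobody initiates. Exactly one end must be passive.
    if a.is_data_center and b.is_data_center and a.passive_mode == b.passive_mode:
        problems.append("DC-DC tunnel: exactly one end must have Passive Mode = Yes")
    return problems


# Constructed sample settings (documentation addresses, not a real deployment).
P_STRONG = Proposal("group14", "aes256", "sha256")
P_LEGACY = Proposal("group2", "aes128", "sha1")

DC_EAST = IpsecSide("dc-east", "IKEv2", ike_proposals=[P_STRONG], esp_proposals=[P_STRONG],
                    peer_ip="198.51.100.20", is_data_center=True, passive_mode=True)
DC_WEST = IpsecSide("dc-west", "IKEv2", ike_proposals=[P_STRONG, P_LEGACY],
                    esp_proposals=[P_STRONG], peer_ip="198.51.100.10",
                    is_data_center=True, passive_mode=False)

if __name__ == "__main__":
    print("dc-east <-> dc-west:", check_pair(DC_EAST, DC_WEST) or "compatible")
```

The check is deliberately one-directional in spirit: it does not negotiate, it only tells you which of the guide's "has to be the same" statements would fail, so the mismatch is fixed in the profile rather than discovered as a tunnel that never comes up.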


Bypass Pair
Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

A Bypass Pair is a pair of ports where one port is connected to a LAN network while the second
port is connected to a WAN network. Bypass pairs can be configured only for branch ION
devices.
Bypass pairs can be of the following types:
• Hardware Bypass Pair—A pair of ports or ethernet interfaces that can be associated with each
other with underlying support for a hardware bypass relay. Hardware Bypass Pairs have strict
pairing rules where only certain ports can be paired together.
• Virtual Bypass Pair—A pair of ports or ethernet interfaces that can be associated with each
other without any hardware capabilities. A Virtual Interface (VI) cannot be created on a virtual
bypass pair.
Neither type of bypass pair is allowed on controller interfaces or on interfaces that are part
of another logical interface. You can break a bypass pair into two individual ports and use the
individual ports for configuring sub-interfaces.
Bypass pairs can be configured as follows:
• Used for - Internet, Private WAN—One interface of the bypass pair is private WAN facing
and can be assigned either a static or dynamic IP address. The other interface of the pair is
connected to a LAN network.
• Used for - Private L2—One interface of the bypass pair is private WAN facing and connects to
one or more routers (Core Edge or Peer Edge), and is capable of acting as a Layer 2 interface
only. The other interface of the pair is connected to a LAN network. Static or dynamic IP
addresses cannot be assigned to this bypass pair.
• Used for - LAN—The interface is LAN facing and can be connected only to a LAN network. A
static or dynamic IP address can be assigned to this interface. The WAN part of the bypass pair
is not used. This topology is used for configuring the branch ION device in a cluster for high
availability.

Configure a Bypass Pair

Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

STEP 1 | Select Workflows > Devices > Claimed Devices, and select the device you want to configure.

STEP 2 | Select Interfaces.

STEP 3 | Select each port of the interfaces chosen for the bypass pair.


STEP 4 | Make them Admin Up by selecting Yes individually before creating a bypass pair.

When you create a bypass pair, both ports need to be admin up. When you bring
down the bypass pair, both ports will not be set to down; you must bring down the
ports individually. After that, you have to bring up the ports individually too. For
security reasons, bringing up the individual ports of the bypass pair is necessary. If you
do not, the respective ports of the bypass pair will remain down and may impact the
software upgrade process.

STEP 5 | (Optional) Enter a Description.

STEP 6 | Select Bypass Pair as the Interface Type.

STEP 7 | For Pair With, choose a pairing port to create a bypass pair and then click Done.
Set one port as WAN and the second as LAN on the Couple Ports to create a Bypass Pair pop-up.

STEP 8 | For Propagate LAN State?, leave the default as No or select Yes to propagate the link state
of a LAN port to its corresponding WAN port.

STEP 9 | For Use These Ports For, select Internet, Private WAN, LAN, or Private L2.

The LAN option is used for configuring the branch ION device in a cluster for high
availability.

STEP 10 | Toggle Scope as Global or Local for Internet and Private WAN.

STEP 11 | (Optional) Choose a Circuit Label.

STEP 12 | For IPv4 Configuration, choose DHCP or Static.
If DHCP Relay functions are required, change Add DHCP Relay from No to Yes.
If the configuration selected is Static, enter an IP address and mask for the interface. Enter a
Default Gateway for the interface. Wherever applicable, enter DNS servers. Up to three DNS
servers may be configured.

IPv4 configuration is not applicable for Private L2.

STEP 13 | Select Enable IPv6 On This Interface to configure IPv6.

STEP 14 | For IPv6 Configuration, select AutoConf or Static.


Autoconf indicates the Global IP address is derived using stateless address autoconfiguration
(SLAAC).
Choose Static if the IP address is fixed and is manually assigned. Additionally specify the IPv6
Address/Mask, Default Gateway (IPv6), and DNS server(s)(IPv6).


STEP 15 | For Attached Networks, (optional) add the VLAN Network details.
1. Click Add VLAN.
2. On the New VLAN Entry pop-up, enter a VLAN, Tags, LAN Network IP Address At
Router, IPv6 Address At Router Scope, and Network Context.
3. Click Create.

STEP 16 | Save Bypass Pair.


You can also create a sub-interface on a bypass pair. If the bypass pair is used for Internet or
Private WAN, then the parent interface will be the WAN port. If the bypass pair is used for
LAN, then the parent interface will be the LAN port. Each sub-interface should be configured
with its own VLAN, IP and subnet.

Configure a Cellular Software Bypass Pair

Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

Software cellular bypass creates a software bridge between the ethernet and cellular interfaces of
an ION device. To support cellular WAN links in a high availability (HA) configuration, configure
a software cellular bypass pair with a cellular link as one interface and an ethernet link as the
other interface. When both links are active, the active ION device employs a path selection
algorithm to select the best path.
In an HA topology, when the WAN link attached to the active device fails, the active device can
continue to route traffic over the WAN link attached to the backup device. If one of the ION
devices fails, the other device can take over routing of the traffic between LANs and to/from the
WANs.
STEP 1 | Select Workflows > Devices > Claimed Devices, and select the device you want to configure.

STEP 2 | Select Interfaces.

STEP 3 | Select a port.

STEP 4 | For Admin Up, select Yes.

When you create a bypass pair, both ports are up. When you bring down the
bypass pair, both ports will be set to down. After that, you have to bring up the ports
individually. For security reasons, bringing up the individual ports of the bypass pair is
necessary. If you fail to do so, the individual ports of the bypass pair will remain down and
may impact the software upgrade process.

STEP 5 | (Optional) Enter a Description.

STEP 6 | Select Bypass Pair as the Interface Type.


STEP 7 | For Pair With, choose a pairing port to create a bypass pair and then click Done.
Set one port as WAN and the second as LAN on the Couple Ports to create a Bypass Pair pop-up.
For cellular bypass pairs, the cellular interface is always WAN and the peer is always LAN.

STEP 8 | For Use These Ports For, select either Internet or Private WAN.

STEP 9 | Choose a Circuit Label.

The circuit label for the cellular interface should match the circuit label for the peer
device’s directly attached cellular interface.

STEP 10 | The IPv4 Configuration is auto-negotiated for the Cellular bypass.

STEP 11 | Configure the Cellular WAN interface as an internet transit zone in the NAT Zone
configuration.

STEP 12 | Save the bypass pair.

Configure WAN (Peer) Interfaces


In an HA configuration, the initial step is to configure a cellular bypass pair and configure a WAN
port on each ION device. The next step is to mirror the WAN configuration on the connected
WAN port of the other ION device.
The ION devices operate in an active/backup configuration, and through fail-to-wire functionality,
the active ION device constantly maintains complete control and utilizes the full capacity of all the
WAN circuits. As a result, you need to configure WAN circuits on both the ION devices.
STEP 1 | Select Workflows > Devices > Claimed Devices, and select the device you want to configure.

STEP 2 | Select Interfaces.

STEP 3 | Select a port.

STEP 4 | For Admin Up, select Yes.

STEP 5 | For Use These Ports For, select Internet or WAN.

STEP 6 | Select Cellular in Peer Bypass Pair Wan Port Type to use the cellular bypass pair in an HA
topology.
This field is used in an HA environment to inherit the cellular configuration on an Ethernet port
that uses the peer's bypass pair for the cellular traffic.

When creating a Cellular 5G/LTE + Ethernet software bypass, the LAN interface in a
bypass pair should be directly connected to the Ethernet port on the other ION device,
which will terminate the VPNs built over the cellular circuit.


STEP 7 | Specify the APN profile for the Cellular interface.

STEP 8 | The IPv4 Configuration is auto-negotiated for the Cellular bypass.

STEP 9 | Choose a Circuit Label.


Use the same circuit on the bypass pair. The circuit label for the cellular interface should match
the circuit label for the peer spoke’s directly attached cellular interface.

STEP 10 | Save the configuration.

Configure LAN State Propagation

Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

LAN state propagation propagates a LAN port's link state to its corresponding WAN port
in a bypass pair. When LAN connectivity to a downstream switch is lost, the LAN port state is
communicated to the upstream WAN device, thereby allowing traffic to take alternate paths
through other Prisma SD-WAN LAN ports. LAN State Propagation is applicable only in the
LAN-to-WAN direction. In effect, when a LAN port in a bypass pair goes down, it also brings down
the corresponding WAN port of the bypass pair. However, when a WAN port fails, the LAN port
remains up.
STEP 1 | Select Workflows > Devices > Claimed Devices, and select the device you want to configure.

STEP 2 | Select the Interfaces tab.

STEP 3 | Select a port that is configured as a Bypass Pair.


STEP 4 | For Propagate LAN State, select Yes.

STEP 5 | Save Bypass Pair.


Thus, when a LAN port in a bypass pair goes down, it also brings down the corresponding
WAN port of the bypass pair.

Configure a PoE Port


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

Power-over-Ethernet (PoE) is a technology that sends electrical power over twisted-pair ethernet
cable to powered devices (PD), such as wireless access points, IP phones, or cameras, along with
the data traffic on the same cable.
PoE ports support a maximum system PoE power of 90W that is dynamically distributed across the
four PoE ports—ports 7, 8, 9, and 10—on a first-come-first-serve basis. Each PoE port supports up
to 60W of 802.3bt PoE power (4-pair or 2-channel PoE).
The following new platforms support 4x1Gbps RJ45 PoE-capable ports, with a maximum power
per port of 60W, a maximum power per system of 90W, and supported classes 0-6:
• ION 1200-S
• ION 1200-S-C-NA
• ION 1200-S-C-ROW
• ION 1200-S-C5G-WW
• ION 3200
You can configure PoE at:
• Configure Interface level PoE Ports
• Configure System Level PoE Ports
You can Monitor PoE Activity and Stats.

Configure Interface level PoE Ports


Enable or disable PoE and the usage threshold on a port at the interface level. PoE is disabled by
default.
STEP 1 | Select Workflows > Devices > Claimed Devices, and select the device you want to configure.

STEP 2 | Select the Interfaces tab of the device you want to configure.

STEP 3 | Select Configure the device.

STEP 4 | Select the port to enable PoE.


Only ports 7, 8, 9, 10 are PoE capable and can be enabled.


STEP 5 | Enable PoE.

STEP 6 | Set the Port Power Usage Alarm Threshold to a value between 50 and 100%.
The default threshold is 100% (60W). If the port's power usage exceeds the configured
threshold, an alarm is generated.

Configure System Level PoE Ports


Set the system-level power usage threshold for the PoE ports.
STEP 1 | Select Workflows > Devices > Claimed Devices.

STEP 2 | Select the device to configure and then select System tab to set the power usage threshold
for the PoE ports.

STEP 3 | On the PoE table, edit the Main Power Usage Threshold to a value between 50 and 100%.
The default value is 100%. If the power usage of the entire system exceeds the configured
threshold, an alarm is generated.

STEP 4 | Save your changes.
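The PoE section above describes a power budget with three rules: 90W shared by ports 7 to 10 on a first-come-first-serve basis, at most 60W per port, and per-port and system-wide usage thresholds (50 to 100%) that raise an alarm when exceeded. The following is an added example, not Prisma SD-WAN code: a small model of that budget that an administrator can use to reason about which powered devices will actually receive power and which thresholds will alarm. The class-to-power table is the IEEE 802.3bt PSE output power per class; the class names and method names are assumptions.

```python
"""Model of the PoE power budget described in the guide.

Added example, not Prisma SD-WAN code. Limits (90 W system, 60 W per port,
ports 7-10, classes 0-6, thresholds 50-100 %) come from the guide's text; the
class-to-watts table is IEEE 802.3bt PSE output power per class.
"""
from typing import Dict, List, Tuple

POE_PORTS = (7, 8, 9, 10)
MAX_PORT_W = 60.0
MAX_SYSTEM_W = 90.0

# IEEE 802.3bt PSE output power per requested class, in watts.
CLASS_POWER_W: Dict[int, float] = {
    0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4, 4: 30.0, 5: 45.0, 6: 60.0,
}
SUPPORTED_CLASSES = set(CLASS_POWER_W)   # guide: classes 0-6 are supported


class PoeBudget:
    def __init__(self, port_threshold_pct: int = 100, system_threshold_pct: int = 100):
        for pct in (port_threshold_pct, system_threshold_pct):
            if not 50 <= pct <= 100:
                raise ValueError("thresholds must be between 50 and 100 percent")
        self.port_threshold_pct = port_threshold_pct
        self.system_threshold_pct = system_threshold_pct
        self.allocated: Dict[int, float] = {}   # port -> watts granted
        self.alarms: List[str] = []

    def used(self) -> float:
        return sum(self.allocated.values())

    def connect(self, port: int, pd_class: int) -> Tuple[bool, str]:
        """A powered device of pd_class appears on port. Returns (granted, reason).
        Requests are served in arrival order; a later request that does not fit
        in the remaining system budget is denied rather than pre-empting others."""
        if port not in POE_PORTS:
            return False, f"port {port} is not PoE capable"
        if pd_class not in SUPPORTED_CLASSES:
            return False, f"class {pd_class} not supported"
        if port in self.allocated:
            return False, f"port {port} is already powering a device"
        need = CLASS_POWER_W[pd_class]
        if need > MAX_PORT_W:   # cannot happen with classes 0-6; kept as a guard
            return False, "exceeds per-port maximum"
        if self.used() + need > MAX_SYSTEM_W:
            return False, f"system budget exhausted ({self.used():.1f} W in use)"
        self.allocated[port] = need
        self._check_alarms(port)
        return True, f"{need:.1f} W granted"

    def disconnect(self, port: int) -> None:
        """Powered device removed: its share returns to the pool."""
        self.allocated.pop(port, None)

    def _check_alarms(self, port: int) -> None:
        # Alarm when usage exceeds the configured threshold (port and system).
        port_pct = 100.0 * self.allocated[port] / MAX_PORT_W
        if port_pct > self.port_threshold_pct:
            self.alarms.append(f"port {port} usage {port_pct:.0f}% exceeds {self.port_threshold_pct}%")
        sys_pct = 100.0 * self.used() / MAX_SYSTEM_W
        if sys_pct > self.system_threshold_pct:
            self.alarms.append(f"system usage {sys_pct:.0f}% exceeds {self.system_threshold_pct}%")


if __name__ == "__main__":
    # Constructed scenario: a class 6 access point, then a class 4 camera, then a class 1 phone.
    budget = PoeBudget(port_threshold_pct=80, system_threshold_pct=90)
    for port, cls in ((7, 6), (8, 4), (9, 1)):
        print(port, cls, budget.connect(port, cls))
    print("alarms:", budget.alarms)
```

Two points the model makes visible: a full-power class 6 device plus a class 4 device already consume the whole 90W system budget, so a third device is denied even though its port is free, and the default 100% thresholds never alarm, since usage can only equal, never exceed, 100%.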

Monitor PoE Activity and Stats


Monitor the activity and statistics of the PoE ports by selecting the Activity icon and the Stats
icon on the System Tab.
STEP 1 | Select Workflows > Devices > Claimed Devices > Configure the Device > System > PoE to
view the PoE ports statistics and status.


STEP 2 | Select View Activity to view the PoE ports activity.


The dashboard displays reports on PoE Power Consumption and Interface PoE Stats.

Configure and Monitor LLDP Activity and Status


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

LLDP-MED (Media Endpoint Discovery) is an extension to LLDP that operates between endpoint
devices to support voice-over-IP (VoIP) applications. LLDP-MED allows a device to determine the
capabilities of connected neighbor devices and whether those capabilities are enabled.
The device can operate in receive-only mode or transmit-and-receive mode for LLDP.
By default, all non-PoE ports are set to receive-only mode and PoE ports are set to
transmit-and-receive mode. All ports send the default LLDP TLVs until the port receives LLDP-MED
TLVs. Change the LLDP configuration at the interface level on the Prisma SD-WAN user interface.
The following LLDP and LLDP-MED TLVs are currently supported:
• LLDP TLVs
  • Chassis ID
  • Port ID
  • TTL
  • System Name
  • System Description
  • System Capabilities
• LLDP-MED TLVs
  • LLDP-MED Capabilities
  • Extended Power-via-MDI
  • Inventory Management
    • Hardware Revision
    • Software Revision
    • Firmware Revision
    • Serial Number
    • Manufacturer Name
    • Model Name
Monitor the LLDP activity on a per-port basis. Each interface displays details of up to 10 LLDP
neighbors at any given time. When an additional neighbor is learned, the oldest neighbor (by
association time) ages out. The LLDP neighbor entries are cleared when the interface
operational state is Down or when a powered device (PD) is disconnected from a PoE port.
STEP 1 | Select Workflows > Devices > Claimed Devices, select the device you want to configure, and
select the System tab.

STEP 2 | Select the Stats icon on the LLDP table.


Select All Interfaces or select any particular port or switch port to view the LLDP status.

You can also view the interfaces of the LLDP Neighbors.

STEP 3 | View the LLDP activity by selecting the View Activity option.
The Activity page displays a report on the total LLDP frames received, transmitted, and failed
transmissions.
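The neighbor-table behaviour described above (10 entries per interface, oldest association aged out on overflow, table flushed on link Down or PD disconnect) is what a monitoring script should expect when it reads LLDP neighbors. The following is an added example, not ION device code, that models that table so the aging and flush rules can be checked against what the UI shows; the neighbor records are constructed.

```python
"""LLDP neighbor table for one interface, following the limits described above.

Added example, not ION device code. From the guide: at most 10 neighbors per
interface, the oldest association ages out when an additional neighbor arrives,
and the table is flushed when the interface goes Down or a powered device is
disconnected from a PoE port. Neighbor records below are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

MAX_NEIGHBORS = 10


@dataclass(frozen=True)
class Neighbor:
    chassis_id: str        # Chassis ID TLV
    port_id: str           # Port ID TLV
    system_name: str       # System Name TLV
    associated_at: float   # seconds; when this neighbor was first learned


class LldpNeighborTable:
    """Neighbors are keyed by (chassis_id, port_id); a re-advertisement refreshes
    the entry without changing its association time."""

    def __init__(self, interface: str) -> None:
        self.interface = interface
        self._entries: Dict[Tuple[str, str], Neighbor] = {}

    def learn(self, n: Neighbor) -> Optional[Neighbor]:
        """Insert or refresh a neighbor; return the neighbor aged out, if any."""
        key = (n.chassis_id, n.port_id)
        if key in self._entries:
            # Same chassis/port seen again: refresh attributes, keep the original association time.
            self._entries[key] = replace(n, associated_at=self._entries[key].associated_at)
            return None
        evicted = None
        if len(self._entries) >= MAX_NEIGHBORS:
            oldest = min(self._entries, key=lambda k: self._entries[k].associated_at)
            evicted = self._entries.pop(oldest)
        self._entries[key] = n
        return evicted

    def clear(self) -> int:
        """Interface operational state Down, or PD unplugged from a PoE port: flush all."""
        count = len(self._entries)
        self._entries.clear()
        return count

    def neighbors(self) -> List[Neighbor]:
        """Current entries, oldest association first."""
        return sorted(self._entries.values(), key=lambda e: e.associated_at)


if __name__ == "__main__":
    table = LldpNeighborTable("port 7")
    for i in range(11):   # the 11th neighbor ages out the first one
        aged = table.learn(Neighbor(f"00:11:22:33:44:{i:02x}", "1", f"phone-{i}", float(i)))
        if aged:
            print("aged out:", aged.system_name)
    print([n.system_name for n in table.neighbors()])
```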

Configure a PPPoE Interface


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Point-to-Point Protocol over Ethernet (PPPoE) is a configuration option for Digital Subscriber Line
(DSL) circuits. You can configure PPPoE only on WAN ports and physical interfaces. You cannot
configure it on sub-interfaces or logical interfaces such as bypass pairs or an interface with Layer
3 configuration, such as DHCP or static IP addresses.
Upon completing PPPoE authentication, the system establishes a connection with the DSL
provider. In the event of PPPoE connection failures or termination, this PPPoE logical interface
displays as down.
A logical PPPoE interface acts as the underlay interface for all Prisma SD-WAN-related features,
statistics, counters, and configuration.
STEP 1 | Select Workflows > Devices > Claimed Devices, and select the device you want to configure.

STEP 2 | Select the Interfaces tab.

STEP 3 | Select a port.

STEP 4 | For Admin Up, select Yes.

STEP 5 | (Optional) Enter a Description.

STEP 6 | For Interface Type, select Port.

STEP 7 | For PPPOE Attached?, select Yes and then Save Port.
PPPoE is now attached to an interface. Proceed to configure PPPoE attributes.

STEP 8 | For Use This Port For, select Internet or Private WAN from the given list.

STEP 9 | Select a Circuit Label.


• To enable this port to forward direct traffic and establish secure fabric links as per the site
network policy, select a Circuit Label from the provided list.
• If no label is selected, the port continues to be active and available for communication with
the Prisma SD-WAN controller and for reporting statistics, but all network policy traffic
ignores this interface.

STEP 10 | For IPv4 Configuration, choose Negotiated or Static.


• Negotiated indicates that the IP address is negotiated with the PPPoE server.
• Static indicates that the IP address is statically configured. If the IP address is static, the
system ignores any PPPoE server-provided IP address and uses the static IP address instead.

STEP 11 | Select Enable IPv6 On This Interface to configure IPv6.

STEP 12 | For IPv6 Configuration, select AutoConf or Static.

In both cases, the PPPoE server provides the link-local address.

Autoconf indicates the Global IP address is derived using stateless address autoconfiguration
(SLAAC).
Static indicates the IP address is statically configured. Additionally, specify the IPv6 Address/
Mask, Default Gateway (IPv6), and DNS server(s) (IPv6).

STEP 13 | (Optional) Enter Username and Password.

STEP 14 | Proceed to Advanced Options.

Configure a Layer 3 LAN Interface


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Prisma SD-WAN extends the capabilities of the Layer 3 LAN interface to include traffic
forwarding. Release 5.1.1 and later enables you to use Layer 3 LAN interfaces for services such
as DHCP Relay, DHCP Server, SNMP source interface, and so on. The LAN interface's enhanced
Layer 3 capabilities allow for simplified topologies and help facilitate an improved branch HA
model. A Layer 3 LAN interface can be configured with a static or dynamic IP address and is used
to forward traffic to and from the LAN. Layer 3 LAN interfaces now support static routing.
When Virtual Routing and Forwarding (VRF) is configured on a sub-interface:
• Select LAN type interface for branch sites.
• Select Peer with the Network for data center sites.
STEP 1 | Select Workflows > Devices > Claimed Devices, and select the device you want to configure.

STEP 2 | On the Basic Info screen, toggle Yes for Enable L3 Direct Private WAN Forwarding.

STEP 3 | Click Save.

STEP 4 | Select the Interfaces tab.

STEP 5 | Select a port that connects to the LAN.

STEP 6 | For Admin Up, select Yes.

STEP 7 | (Optional) Enter a Description and add Tags.

STEP 8 | Select Port as the Interface type.

STEP 9 | For Use This Port For, select LAN.

STEP 10 | Toggle Scope as Global or Local.

STEP 11 | For VRF, select Global or any other custom VRF that is available and associated in the VRF
profile. VRF Global is enabled only when the associated device supports VRF.

STEP 12 | Select Enable IPv6 On This Interface to configure IPv6.

STEP 13 | For IPv6 Configuration, select AutoConf or Static.


Autoconf indicates the Global IP address is derived using stateless address autoconfiguration
(SLAAC).
Choose Static if the IP address is fixed and is manually assigned. Additionally, specify the IPv6
Address/Mask, Default Gateway (IPv6), and DNS server(s) (IPv6).

In Advanced Options, you can specify IPv6 Prefix Distribution for address distribution.
IPv6 is supported only for Global VRF.

STEP 14 | Select IPv4 Configuration as either DHCP or Static.


1. If Static is selected, enter an IP address and mask for the interface.

Default Gateway and DNS server configurations are not required for LAN
interfaces. This is indicated by using LAN in the Use This Port For field.
2. Select DHCP for dynamic allocation of IP address.
3. If DHCP Relay functions are required, then click the DHCP Relay drop-down and select
Yes for Enabled.
4. For Server IPs, add server IP addresses as required.

STEP 15 | Save Port.

Configure Application Reachability Probes


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Configure application probes to check an application's reachability for a given path for an ION
device. Application probes are initiated on detection of an unreachable prefix for an application.
You may configure application reachability probes on any valid Layer 3 LAN interface.
Prisma SD-WAN supports dynamic probing for TCP applications when 3-way handshake failures
are detected. The ION device generates these dynamic probes to verify that a destination service
is actually up or down on that path. If verified as down, the ION device avoids sending additional
user requests for the service down the specific path while continuing to generate synthetic probes
to detect any change in service reachability.
Starting with Release 6.3.2, Prisma SD-WAN supports probing for UDP DNS traffic. The
application probes handle DNS probe requests and start a DNS probe on the destination on
receiving a DNS probe request. If the DNS server responds to the request, irrespective of whether
it responds with the requested domain name, the ION device treats the probe as successful. If
the DNS server does not respond, the application probe notifies the flow controller to change the
path.
When the probe detects that the DNS server is unreachable, the ION device continues probing
once every minute for the first three probes and then once every 5 minutes. If the probe is
successful again, the probe notifies the flow controller to use the path again.
You can view the health of the DNS traffic under Monitor > Activity > App Health.
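The DNS probe behaviour above is a small state machine: a missed response marks the path unreachable and tells the flow controller to avoid it, probes then run once a minute three times and every 5 minutes after that, and any answer from the server (even for a different name) puts the path back in use. The following is an added example, not ION device code, that implements that schedule so the expected probe timing and controller notifications can be reasoned about; the path and server names are constructed.

```python
"""Probe scheduling for an unreachable DNS server on one path.

Added example, not ION device code. Timing follows the guide: once detected
unreachable, the path is probed once a minute for the first three probes and
then once every 5 minutes, any DNS response (even for another name) counts as
success, and the flow controller is told to avoid or resume the path. The path
and server names are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

FAST_INTERVAL_S = 60    # first three probes after detection
SLOW_INTERVAL_S = 300   # every probe after that


def next_probe_delay(failed_probes: int) -> int:
    """Seconds to wait before the next probe, given how many probes have failed
    since the server was marked unreachable (0 right after detection)."""
    return FAST_INTERVAL_S if failed_probes < 3 else SLOW_INTERVAL_S


@dataclass
class DnsPathProbe:
    path: str
    server: str
    unreachable: bool = False
    failed_probes: int = 0
    notifications: List[str] = field(default_factory=list)  # messages to the flow controller

    def mark_unreachable(self) -> int:
        """A DNS probe request got no response: avoid the path and start probing."""
        self.unreachable = True
        self.failed_probes = 0
        self.notifications.append(f"avoid {self.path} for {self.server}")
        return next_probe_delay(self.failed_probes)

    def on_probe_result(self, responded: bool) -> Optional[int]:
        """Feed one probe outcome; return the delay to the next probe, or None
        once the server answered and the path is back in use."""
        if responded:                      # NXDOMAIN or any other reply still proves reachability
            if self.unreachable:
                self.notifications.append(f"use {self.path} for {self.server}")
            self.unreachable = False
            self.failed_probes = 0
            return None
        self.failed_probes += 1
        return next_probe_delay(self.failed_probes)


def run_probes(outcomes: List[bool]) -> Tuple[List[Optional[int]], List[str]]:
    """Constructed scenario: detection followed by the given probe outcomes.
    Returns the delays produced and the notifications sent to the flow controller."""
    probe = DnsPathProbe("internet-1", "192.0.2.53")
    delays = [probe.mark_unreachable()]
    delays.extend(probe.on_probe_result(ok) for ok in outcomes)
    return delays, probe.notifications


if __name__ == "__main__":
    # Four missed probes, then a reply: probes at 60, 120, 180 s, then 480 and 780 s.
    print(run_probes([False, False, False, False, True]))
```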

Application probe is enabled by default for all ION devices, except for ION 1000. The controller
port generates the application probes if you do not configure any LAN ports for generating
application probes.
For the ION 1000 device, you must configure a LAN port for the application probe. If not, the
controller generates an alarm.
You can choose to exclude specific circuits and circuit categories from being used for checking the
reachability of an application on a given path. Refer to Configure Device Initiated Connections.
STEP 1 | Select Workflows > Devices > Claimed Devices, and select the device you want to configure.

STEP 2 | Select Interfaces and a port for configuring application reachability probes.

STEP 3 | For Use This Port For, select LAN.


Once an interface is designated as the application probe interface, Use This Port For cannot be
changed from LAN and Admin Up for the interface has to be Yes.

STEP 4 | Toggle Yes for Application Reachability Probe Source Interface.

STEP 5 | Select Static or DHCP for Configuration.

STEP 6 | Retain the default values for the other fields, and Save Port.

STEP 7 | View and update the application reachability probe configuration from the Basic Info tab.
1. Toggle Yes for Application Reachability Probe Source Interface.
2. Select a port from the Source Interface drop-down.
The ports which have Use This Port For set to LAN appear in the drop-down.
3. Select None for Source Interface to use the controller port as the source interface for
generating application probes.

        Ensure that you configure a source interface for ION device series 1200, 1200-S, 3200,
        5200, and 9200, since these platforms do not have a dedicated controller port.

Configure a Secondary IP Address


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Prisma SD-WAN extends the Layer 3 LAN interface capabilities to include secondary IP
addresses, which provide multiple logical subnets on an interface. Configure a secondary IP address
on branch site devices running 5.5.1 and later. If a secondary IP address is configured on any LAN
interface, downgrading to a lower version is not allowed.

DHCP server is not supported for secondary IP addresses on interfaces.

STEP 1 | Select Workflows > Devices > Claimed Devices, and select the device you want to configure.

STEP 2 | On the Basic Info screen, toggle Yes for Enable L3 Direct Private WAN Forwarding and
Enable L3 LAN Forwarding, then Save.

STEP 3 | Select the Interface tab.

STEP 4 | Select a port that connects to the LAN.

STEP 5 | Select Yes for Admin Up.

STEP 6 | (Optional) Enter a Description and add Tags.

STEP 7 | Select Port or BypassPair as the Interface type.

Interface type must be physical or sub-interface or bypass pair for configuring


secondary IP addresses.

STEP 8 | For Use This Port For, select LAN.

STEP 9 | Toggle Scope as either Local or Global.

STEP 10 | Select IPv4 Configuration as Static.

Primary IP address must be static.

STEP 11 | (Optional) Specify Secondary IPs.


You can manually add a maximum of 8 secondary IP addresses per Layer 3 LAN interface.

The network context is common to all secondary IP addresses and is the same as that of the
primary IP address.
Each secondary IP can have its own scope configured.
When a secondary IP is configured on the LAN interface, you cannot disable LAN
forwarding.

STEP 12 | Save Port.

Configure a Static ARP


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Prisma SD-WAN extends the capabilities of the Layer 3 LAN interface to include static Address
Resolution Protocol (ARP) entries. Configure static ARP on branch site devices running 5.5.1 and
later. If static ARP is configured on any LAN interface, downgrading to a lower version is not
allowed.
STEP 1 | Select Workflows > Devices > Claimed Devices, and select the device you want to configure.

STEP 2 | On the Basic Info screen, toggle Yes for Enable L3 Direct Private WAN Forwarding and
Enable L3 LAN Forwarding then Save.

STEP 3 | Select the Interfaces tab.

STEP 4 | Select a port that connects to the LAN.

STEP 5 | Select Yes for Admin Up.

STEP 6 | (Optional) Enter a Description and add Tags.

STEP 7 | Select Port or BypassPair as the Interface type.

STEP 8 | For Use This Port For, select LAN.

STEP 9 | Toggle Scope as either Global or Local.

STEP 10 | Select IPv4 Configuration as either DHCP or Static.

STEP 11 | (Optional) In Advanced Options, specify MAC, IP MTU, Physical from the available range or
the drop-down, and Static ARP Config.

        The IP address to MAC address mapping for static ARP can have a maximum of
        16 entries per Layer 3 LAN interface.

        MAC addresses must be provided in the xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx format.
        Interface type must be physical, sub-interface, or bypass pair for configuring static ARP.
        When static ARP is configured on the LAN interface, you cannot disable LAN forwarding.

STEP 12 | Save Port.
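Static ARP entries pin an IP-to-MAC binding, so a malformed or mistyped entry silently black-holes a host. The following is an added example, not Prisma SD-WAN code, that validates a Static ARP Config before it is pushed: it enforces the 16-entry limit and the two MAC formats from the guide, and adds checks that are assumptions for the example rather than documented behaviour (each IP must be a host address in the interface's subnet, IPs must be unique, and the MAC must be unicast). The interface address and entries are constructed.

```python
"""Validation of a Layer 3 LAN interface's Static ARP Config before it is saved.

Added example, not Prisma SD-WAN code. From the guide: at most 16 entries per
interface and MAC addresses in xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx form.
Added checks, assumed rather than taken from the guide: each IP must be a host
address inside the interface's subnet (and not the interface's own address),
IPs must be unique, and the MAC must be a unicast address (a multicast or
broadcast MAC in an ARP entry is a misconfiguration). Sample entries are
constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

MAX_STATIC_ARP = 16
_MAC_COLON = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)
_MAC_DASH = re.compile(r"^[0-9a-f]{2}(?:-[0-9a-f]{2}){5}$", re.IGNORECASE)


def normalize_mac(mac: str) -> str:
    """Accept either separator style (not mixed); return the lowercase colon form."""
    s = mac.strip()
    if not (_MAC_COLON.match(s) or _MAC_DASH.match(s)):
        raise ValueError(f"bad MAC format: {mac!r}")
    norm = s.replace("-", ":").lower()
    if int(norm[:2], 16) & 0x01:          # I/G bit set: multicast/broadcast, not a host
        raise ValueError(f"not a unicast MAC: {mac!r}")
    return norm


def validate_static_arp(interface_cidr: str, entries: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return a normalized {ip: mac} table or raise ValueError on the first problem."""
    if len(entries) > MAX_STATIC_ARP:
        raise ValueError(f"{len(entries)} entries exceeds the {MAX_STATIC_ARP}-entry limit")
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    table: Dict[str, str] = {}
    for ip_str, mac in entries:
        ip = ipaddress.ip_address(ip_str)
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            raise ValueError(f"{ip} is not a host address in {net}")
        if ip == iface.ip:
            raise ValueError(f"{ip} is the interface's own address")
        if str(ip) in table:
            raise ValueError(f"duplicate entry for {ip}")
        table[str(ip)] = normalize_mac(mac)
    return table


if __name__ == "__main__":
    # Constructed: a /24 LAN with two pinned hosts, one entered with dashes.
    print(validate_static_arp("10.10.20.1/24", [
        ("10.10.20.50", "00:1A:2B:3C:4D:5E"),
        ("10.10.20.51", "00-1a-2b-3c-4d-5f"),
    ]))
```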

Configure a DHCP Relay


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

DHCP Relay is a branch-site feature that is configured at the interface level on a device. Typically,
a DHCP Relay agent is used to forward DHCP requests between clients and servers that are not
on the same physical subnet. DHCP Relay can be configured on a controller port, a LAN port, or
on a sub-interface that has a defined, static IP address. DHCP Relay is enabled for VRF.
When an ION device receives a DHCP request from a client on the interface configured with
DHCP Relay, it forwards those requests to the configured DHCP servers. It also listens for DHCP
responses from all DHCP servers and relays them to the client. DHCP Relay requests are
forwarded only when the ION device is assigned to a site and the site is in active mode.
An ION device with DHCP Relay:
• Forwards DHCP client broadcast requests to the configured DHCP server.
• Forwards DHCP unicast request from another DHCP Relay agent downstream on the LAN-side
to the configured DHCP server.
• Forwards DHCP client/DHCP Relay agent broadcast/unicast requests to another DHCP Relay
agent.

In the event of a DHCP server error, the ION device forwards all rejections back to the
client. In the event of a client rejection, the ION device forwards all rejections from the
client back to the DHCP server.

STEP 1 | Select Workflows > Devices > Claimed Devices, and select the device you want to configure.

STEP 2 | Select the Interfaces tab.

STEP 3 | Select a port.

STEP 4 | For Admin Up, select No or Yes.

STEP 5 | (Optional) Enter a Description.

STEP 6 | For Interface Type, select Port.

STEP 7 | For Use This Port For select LAN.

STEP 8 | For IPv4 Configuration select Static or DHCP.


For Static, enter the IP Address/Mask and Default Gateway information.

STEP 9 | For DHCP Relay, select Yes to enable it.


1. Define DHCP server IP addresses.
Up to 16 DHCP server IP addresses may be added.
2. (Optional) Define the source interface used to send DHCP requests to the servers.
By default, the controller port is used. Make sure that the defined source interface can
reach the DHCP server IP addresses and vice versa. If the DHCP server is local to the branch,
the source interface must be the interface from which the DHCP server is reachable.
3. (Optional) Enable Option 82 and configure the Circuit ID, Remote ID, and Reforwarding
policy.
The ION device DHCP Relay agent can include additional information by using DHCP
Option 82, Circuit ID, and Remote ID, which the DHCP server uses to allocate the
appropriate IP address.

STEP 10 | Save Port.
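The Circuit ID and Remote ID in step 9 travel as sub-options of the DHCP Relay Agent Information option (Option 82, RFC 3046), and the reforwarding policy decides what a relay does when a request already carries one (from a downstream relay, or inserted by something that should not be trusted). The following is an added example, not ION device code, that encodes and strictly decodes Option 82 and applies a reforwarding policy; the policy names "drop", "keep" and "replace" are an assumption for the example and not the Prisma SD-WAN UI's values, and the sample IDs are constructed.

```python
"""DHCP Relay Agent Information option (Option 82, RFC 3046) handling on a relay.

Added example, not ION device code. The TLV layout and the sub-option codes
(1 = Agent Circuit ID, 2 = Agent Remote ID) are from RFC 3046. The
reforwarding policy names used here ("drop", "keep", "replace") are an
assumption for the example, not the Prisma SD-WAN UI's values; the sample IDs
are constructed.
"""
import struct
from typing import Dict, Optional

OPTION_RELAY_AGENT_INFO = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def encode_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    """Build the Option 82 TLV the relay inserts before forwarding a client request."""
    body = b""
    for code, value in ((SUBOPT_CIRCUIT_ID, circuit_id), (SUBOPT_REMOTE_ID, remote_id)):
        if not value:
            continue
        if len(value) > 255:
            raise ValueError(f"sub-option {code} longer than 255 bytes")
        body += struct.pack("!BB", code, len(value)) + value
    if not body or len(body) > 255:
        raise ValueError("option 82 body must be 1-255 bytes")
    return struct.pack("!BB", OPTION_RELAY_AGENT_INFO, len(body)) + body


def decode_option82(tlv: bytes) -> Dict[int, bytes]:
    """Parse one Option 82 TLV into {sub-option code: value}, rejecting truncated
    or duplicated sub-options rather than guessing."""
    if len(tlv) < 2 or tlv[0] != OPTION_RELAY_AGENT_INFO:
        raise ValueError("not an Option 82 TLV")
    body = tlv[2:2 + tlv[1]]
    if len(body) != tlv[1]:
        raise ValueError("truncated Option 82")
    subs: Dict[int, bytes] = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated sub-option {code}")
        if code in subs:
            raise ValueError(f"duplicate sub-option {code}")
        subs[code] = value
        pos += 2 + length
    return subs


def apply_reforward_policy(existing: Optional[bytes], own: bytes, policy: str) -> Optional[bytes]:
    """Decide which Option 82 goes upstream when the request already carries one.
    Returns the TLV to send, or None when the request should be dropped.
    A malformed existing option is always dropped rather than forwarded."""
    if existing is None:
        return own
    try:
        decode_option82(existing)
    except ValueError:
        return None
    if policy == "drop":
        return None
    if policy == "keep":
        return existing
    if policy == "replace":
        return own
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    tlv = encode_option82(b"site42/port7", b"ion-branch-42")   # constructed IDs
    print(tlv.hex(), decode_option82(tlv))
```

On the server side, an allocation policy keyed on Circuit ID is only as trustworthy as the relay that inserted it, which is why the "drop" behaviour for requests arriving with a pre-existing option is the conservative default on an access-facing interface.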

Configure IP Directed Broadcast


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Traffic from remote networks can be broadcast over LAN networks through Layer 3 LAN
interfaces. Traffic can be broadcast to a subnet connected to an interface through the broadcast
address of that subnet.

IP directed broadcast is supported on an ION device as follows:


• Incoming interface—Prisma SD-WAN VPN (Private or Public from a branch site or a
data center site)
• Outgoing interface—Layer 3 LAN interface
IP Directed Broadcast is not supported if:
• A Zone-Based Policy Firewall (ZBFW) is in use for non-UDP traffic.
• NAT is applied on the Layer 3 LAN interface.

STEP 1 | Select Workflows > Devices > Claimed Devices, and select the device you want to configure.

STEP 2 | Navigate to Interfaces, and select a port for configuring IP directed broadcast.

STEP 3 | For Use This Port For, select LAN.

STEP 4 | For IPv4 Configuration, select Static.

STEP 5 | For the IP Address Mask field, enter a subnet address.

STEP 6 | For Directed Broadcast, select Yes to enable.


Directed Broadcast is disabled by default.

STEP 7 | Select Enable IPv6 On This Interface to configure IPv6.

STEP 8 | For IPv6 Configuration, select AutoConf or Static.


Autoconf indicates the Global IP address is derived using stateless address autoconfiguration
(SLAAC).
Choose Static if the IP address is fixed and is manually assigned. Additionally, specify the IPv6
Address/Mask, Default Gateway (IPv6), and DNS server(s) (IPv6).

STEP 9 | Save Port.

STEP 10 | Navigate to Activity > Flows to check responses to an IP directed broadcast.

VPN Keep-Alives
Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

VPN keep-alive packets determine whether a given path is reachable for an ION device. VPN
keep-alive packets are sent at a fixed interval on a VPN link. The VPN link is declared down if the
peer is unreachable after a certain number of attempts within a certain period of time.
The location of the ION device in a network topology plays an important role in configuring VPN
keep-alives. For example, you need to configure a higher value of the keep-alive Interval between
two ION devices behind routers as compared to the keep-alive Interval between two ION devices
not behind routers.
VPN keep-alives are configured at the following levels:
• Configure VPN Keep-Alives for Circuit Categories
• Configure VPN Keep-Alives for Circuits
• Configure VPN Keep-Alives for Secure Fabric Links
The order of precedence for VPN keep-alives is as follows:
• VPN keep-alives configured at the secure fabric link level have the highest priority.
• If VPN keep-alives are not configured at the secure fabric link level, then VPN keep-alives
configured at the circuits level take effect.
• If VPN keep-alives are not configured at either the secure fabric link level or the circuit level,
then VPN keep-alives configured at the circuit category level take effect.
If there is a mismatch in configuration between two VPN endpoints, then:
• The keep-alive configuration with the larger keep-alive interval takes effect.
• If keep-alive intervals are the same, then the configuration with the higher keep-alive failure
count takes effect.
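The precedence and mismatch rules above decide what actually runs on a link, and the product of interval and failure count is the time a dead peer goes undetected. The following is an added example, not Prisma SD-WAN code, that resolves the effective keep-alive from the three levels and reconciles two endpoints; the circuit-level value is passed in only when Override VPN Keep-Alive is selected on the circuit, and the sample values are constructed.

```python
"""Resolving the effective VPN keep-alive on a link and reconciling a mismatch.

Added example, not Prisma SD-WAN code. The precedence (secure fabric link, then
circuit, then circuit category), the value ranges, the defaults, and the
mismatch rules come from the guide. The circuit-level value is only passed in
when Override VPN Keep-Alive is selected on the circuit; the sample values are
constructed.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class KeepAlive:
    interval_ms: int     # 100-600000 ms between keep-alive packets
    fail_count: int      # 3-30 consecutive misses before the link is declared down

    def __post_init__(self) -> None:
        if not 100 <= self.interval_ms <= 600000:
            raise ValueError(f"interval {self.interval_ms} ms outside 100-600000")
        if not 3 <= self.fail_count <= 30:
            raise ValueError(f"failure count {self.fail_count} outside 3-30")

    @property
    def detection_time_ms(self) -> int:
        """Time from the last received keep-alive until the link is declared down."""
        return self.interval_ms * self.fail_count


DEFAULT_KEEPALIVE = KeepAlive(interval_ms=1000, fail_count=3)

# (circuit category, circuit [only if override selected], secure fabric link)
Levels = Tuple[Optional[KeepAlive], Optional[KeepAlive], Optional[KeepAlive]]


def effective_keepalive(category: Optional[KeepAlive],
                        circuit: Optional[KeepAlive],
                        fabric_link: Optional[KeepAlive]) -> KeepAlive:
    """Highest configured level wins: fabric link > circuit > circuit category > default."""
    for level in (fabric_link, circuit, category):
        if level is not None:
            return level
    return DEFAULT_KEEPALIVE


def reconcile(local: KeepAlive, peer: KeepAlive) -> KeepAlive:
    """Mismatched endpoints: the larger interval takes effect; on equal intervals,
    the higher failure count does."""
    if local.interval_ms != peer.interval_ms:
        return local if local.interval_ms > peer.interval_ms else peer
    return local if local.fail_count >= peer.fail_count else peer


def link_keepalive(local_levels: Levels, peer_levels: Levels) -> KeepAlive:
    """Resolve each endpoint's configuration, then reconcile the two."""
    return reconcile(effective_keepalive(*local_levels), effective_keepalive(*peer_levels))


if __name__ == "__main__":
    # Constructed: an LTE circuit category with slow keep-alives on one side, defaults on the other.
    lte = KeepAlive(interval_ms=5000, fail_count=5)
    ka = link_keepalive((lte, None, None), (None, None, None))
    print(ka, "detection after", ka.detection_time_ms, "ms")
```

The reconciliation always favours the slower configuration, so tightening keep-alives on one side of a link has no effect until the peer is changed too.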

Configure VPN Keep-Alives for Circuit Categories


For metered links, where there is a cost for usage (such as LTE interfaces), VPN keep-alives can
be adjusted to minimize the usage of the link and any associated costs. VPN keep-alives can also
be modified for unreliable circuits that experience high latency and loss, such as satellite links.
STEP 1 | Select Manage > Resources > Circuit Categories.

STEP 2 | Edit a circuit category and enter values for Keep-Alive Failure Count and Keep-Alive
Interval.
• For Keep-Alive Failure Count, enter a value between 3 and 30.
The Keep-Alive Failure Count indicates the number of consecutive missed keep-alive
packets before a link is declared as down. The default value is 3.
• For Keep-Alive Interval, enter a value between 100 ms and 600000 ms.
The Keep-Alive Interval indicates the time interval in milliseconds between two VPN keep-
alive packets. The default value is 1000 ms.

STEP 3 | Select Use for Controller Connections and Use for Application Reachability Probes, as
required for this selected circuit category.

STEP 4 | Click Update.

Configure VPN Keep-Alives for Circuits


STEP 1 | Select Workflows > Sites/Data Centers > Select a Site > Configuration.

STEP 2 | Click Change Circuits for either Internet Circuits or Private WAN Circuits.

STEP 3 | Click Edit below the circuit.

STEP 4 | In VPN Configs, for Keep-Alive Fail Count, enter a value between 3 and 30.
The Keep-Alive Fail Count indicates the number of consecutive missed keep-alive packets
before a link is declared as down. The default value is 3.
1. For Keep-Alive Interval, enter a value between 100 ms and 600000 ms.
The Keep-Alive Interval indicates the time interval in milliseconds between two VPN
keep-alive packets. The default value is 1000 ms.
2. Select the Override VPN Keep-Alive check box to use the VPN keep-alive values
configured on the Circuit Information screen.

When you select the Override VPN Keep-Alive check box, it implies that VPN
keep-alive values configured for circuits are considered, and values configured
for circuit categories are ignored.

STEP 5 | For Controller Connections and Application Reachability Probes, select Yes, No, or Use
Circuit Category Setting from the drop-down.

STEP 6 | Click Done.

Configure VPN Keep-Alives for Secure Fabric Links


STEP 1 | From Map, select a branch site and click Overlay Connections.

STEP 2 | Select an overlay from either Branch-DC, or Branch-Branch.

STEP 3 | On Secure Fabric Link screen, click the edit icon and select the Enable VPN Configs check
box.

STEP 4 | For Keep-Alive Failure Count, enter a value between 3 and 30.
The keep-alive failure count indicates the number of consecutive missed keep-alive packets
before a link is declared as down. The default value is 3.

STEP 5 | For Keep-Alive Interval, enter a value between 100 ms and 600000 ms.
The keep-alive interval indicates the time interval in milliseconds between two VPN keep-alive
packets. The default value is 1000 ms.

STEP 6 | Click Save.

Use External Services for Monitoring


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Prisma SD-WAN enables the use of external services that can be configured for monitoring
purposes. These services are:
• Configure Prisma SD-WAN IPFIX
• Configure the DNS Service on the Prisma SD-WAN Interface
• Syslog Server Support in Prisma SD-WAN
• Configure SNMP

Configure Prisma SD-WAN IPFIX


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Prisma SD-WAN IPFIX provides network and application visibility by transmitting flow
information to an external collector. This increased awareness allows for more efficient network
operations, decreased operation costs, and better utilization of the network infrastructure.
IPFIX monitors traffic across the network by collecting traffic records at different points in the
network. The ION device exports these flow records to third-party collector applications. The
IPFIX implementation and the terms used are based on the guidelines outlined in RFC 7011
(https://tools.ietf.org/html/rfc7011). You can use the exported IPFIX records for various purposes
such as network management and planning, optimized troubleshooting, enterprise accounting,
studying trends in performance metrics, data mining, understanding network anomalies, and
protecting the network from security vulnerabilities.
Configure IPFIX to apply to all sites and devices globally or configure IPFIX for an ION device to
override the global IPFIX configuration.
• Configure IPFIX globally.
• (Optional) Configure IPFIX on a device to override the global configuration.
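What the collector receives is an RFC 7011 message: a 16-byte header, a Template Set that declares which information elements follow and how long each is, and Data Sets whose records are decoded using that template. The following is an added example, not Prisma SD-WAN code, that builds such a message for a handful of flow records and parses it back the way a collector does, refusing length fields that disagree with the bytes actually received. The element numbers are the IANA-registered ones; the template, records and observation domain are constructed. Enterprise-specific elements are not handled.

```python
"""Building and parsing an IPFIX message (RFC 7011) of the kind an ION device
exports to a collector.

Added example, not Prisma SD-WAN code. The message, set and template layout is
RFC 7011's; the information element numbers are the IANA-registered ones. The
template, flow records and observation domain below are constructed.
"""
import socket
import struct
from typing import Dict, List, Tuple

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2
TEMPLATE_ID = 256                      # data set IDs (template IDs) start at 256
# name -> (IANA element id, fixed length in bytes)
IE: Dict[str, Tuple[int, int]] = {
    "sourceIPv4Address": (8, 4),
    "destinationIPv4Address": (12, 4),
    "sourceTransportPort": (7, 2),
    "destinationTransportPort": (11, 2),
    "protocolIdentifier": (4, 1),
    "octetDeltaCount": (1, 8),
}
IE_NAME = {ie_id: name for name, (ie_id, _) in IE.items()}
FIELDS = list(IE)


def _encode(name: str, value) -> bytes:
    _ie_id, length = IE[name]
    if name.endswith("Address"):
        return socket.inet_aton(value)
    return int(value).to_bytes(length, "big")


def _decode(ie_id: int, raw: bytes):
    name = IE_NAME.get(ie_id)
    if name and name.endswith("Address"):
        return socket.inet_ntoa(raw)
    return int.from_bytes(raw, "big")


def build_message(records: List[Dict], export_time: int, sequence: int, domain_id: int = 1) -> bytes:
    """One message carrying a Template Set followed by a Data Set using that template."""
    template = struct.pack("!HH", TEMPLATE_ID, len(FIELDS))
    template += b"".join(struct.pack("!HH", *IE[f]) for f in FIELDS)
    template_set = struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(template)) + template
    data = b"".join(b"".join(_encode(f, r[f]) for f in FIELDS) for r in records)
    data_set = struct.pack("!HH", TEMPLATE_ID, 4 + len(data)) + data
    body = template_set + data_set
    # Message header: version, total length, export time, sequence number, observation domain
    header = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(body), export_time, sequence, domain_id)
    return header + body


def parse_message(msg: bytes) -> List[Dict]:
    """Collector side: learn templates from the message, decode data records, and
    reject length fields that do not match the bytes actually received."""
    if len(msg) < 16:
        raise ValueError("short message")
    version, length, _export_time, _seq, _domain = struct.unpack("!HHIII", msg[:16])
    if version != IPFIX_VERSION or length != len(msg):
        raise ValueError("bad version or length")
    templates: Dict[int, List[Tuple[int, int]]] = {}
    records: List[Dict] = []
    off = 16
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated set header")
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == TEMPLATE_SET_ID:
            pos = 0
            while pos + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if pos + 4 * count > len(body):
                    raise ValueError("truncated template record")
                templates[tid] = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4])
                                  for i in range(count)]
                pos += 4 * count
        elif set_id >= 256:
            fields = templates.get(set_id)
            if fields is None:
                raise ValueError(f"data set {set_id} without a template")
            rec_len = sum(l for _, l in fields)
            if rec_len == 0:
                raise ValueError("empty template")
            pos = 0
            while pos + rec_len <= len(body):     # leftover bytes are padding
                rec = {}
                for ie_id, l in fields:
                    rec[IE_NAME.get(ie_id, f"ie{ie_id}")] = _decode(ie_id, body[pos:pos + l])
                    pos += l
                records.append(rec)
        off += set_len
    return records
```

Because a collector can only decode a Data Set whose template it has already seen, a template withdrawn or changed on the exporter without being re-announced leaves the collector silently dropping records; after an HA switchover (described below) the new exporter starts a fresh session, so its templates are resent.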

Configure IPFIX globally for multiple ION devices.


Configure IPFIX globally by creating an IPFIX profile and attaching it to multiple ION devices.
1. Configure an IPFIX profile.
2. Bind IPFIX profiles to ION devices.
To verify that you have pushed the IPFIX profile to a device, select Profiles > Edit a
profile > View Device Bindings. The IPFIX configuration bound to the device displays in
the Device Binding column.

Configure IPFIX on a device to override the global IPFIX profile settings.


You can optionally configure device specific IPFIX parameters to override parameters such as
collectors, filters, and sampling configured in an IPFIX profile.
1. Select Manage > Devices > Claimed > Select a device > Configure the device > IPFIX.

2. Enter a name and select a profile from the IPFIX Profile drop-down and Save.
3. (Optional) Click the + icon next to IPFIX Profile to create an IPFIX profile.
• When you create a new profile at the device level, it becomes a part of the global
profiles and you can use it for multiple devices.
• You can optionally configure an IPFIX template, collectors, filters, and sampling on the
ION device to override the parameters configured in the IPFIX profile.

The ION device uses the collectors, filters, and sampling configured in the IPFIX
profile, unless you provide optional overriding configuration.

Configure High Availability (HA) for IPFIX


Prisma SD-WAN supports High Availability (HA) between ION devices by ensuring automatic
switchover between active and backup devices, maintaining all services and forwarding paths
when an ION device experiences a software, hardware, or network related failure.
To ensure uninterrupted IPFIX exports, replicate the IPFIX configuration on both devices.
STEP 1 | Configure interfaces.
Configure interfaces as per the network topology.

STEP 2 | Configure and attach the same IPFIX profile to both the ION devices.

STEP 3 | Attach the collector context to both the ION devices.

STEP 4 | (Optional) If using filters, attach the filter context to both the ION devices.

        After a device switchover, the collector application receives IPFIX records from the
        new source interface, so the collector treats this as a new IPFIX session.

Configure IPFIX Profiles and Templates


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

An IPFIX profile is a global IPFIX configuration object which identifies collector configuration,
filter configuration, the template for exporting flow information elements, and flow sampler
configuration.
Create or edit an IPFIX profile to apply globally to all sites and devices using the following
workflow.
• Select or create an IPFIX template.
• Configure collectors.
• (Optional) Configure filters.
• (Optional) Configure sampling.

STEP 1 | Select an IPFIX template.


An IPFIX template specifies the information elements to export as part of the flow records.
1. Select Manage > Resources > Configuration Profiles > IPFIX > Profiles and click Create
Profile.

2. Enter a name for the IPFIX Profile and (optional) description and tags.
3. Select a template from the IPFIX Template drop-down, and click Next.
(Optional) Click the + icon next to IPFIX Template to create a new template.
You can configure a maximum of 4 collectors per IPFIX profile.

STEP 2 | Configure collectors.


Collectors define the third-party applications which consume the exported flow records.
1. On the Collector tab, click Add to configure a new collector.

2. Protocol—Select the protocol.


3. IPv4 Address/FQDN Schema—Select IPv4 Address to enter an IPv4 address of the
collector in the Host field or select FQDN Schema to enter the domain name of the
IPFIX collector in the Host field.

You can enter either an IPv4 address or an FQDN. Entering one of them is
mandatory.
4. (Optional) IPFIX Collector Context—Select a collector context from the drop-down.
The device uses the IP address of the interface to which the collector context is bound
as the source interface to export IPFIX flow records.
If you do not bind a collector context to an interface, the device uses the controller port
by default to establish the connection with the third-party collector. For platforms that
do not have a controller port, it is mandatory to specify a collector context and bind it to
an interface.
5. Host Port—Enter a port number to match the port on which the collector is configured
to receive IPFIX records.
6. Click Done.

STEP 3 | (Optional) Configure filters.


Configure filters to select a subset of flows from all the observed flows to export to a collector.
The criteria for filtering can be protocols, applications, source interface filter contexts, and
source and destination port ranges. You can configure a maximum of 8 filters per IPFIX profile.
1. On the Filters tab, click Add to create a new filter.

2. (Optional) Select a protocol from the Protocols drop-down.


If you select TCP or UDP as the protocol, you can associate Source Port Ranges and
Destination Port Ranges with the protocols. If you do not select any protocol, the device
allows all protocols.
3. (Optional) Select an application from the Applications drop-down to filter flow records
for the selected applications.
If you do not select any application, the device allows flow records from all applications.
4. (Optional) Select a Filter Context to map to an interface on the ION device.

If you configure a filter context and use it in a profile, you must attach the IPFIX
filter context to an interface on the ION device for proper IPFIX export of the
flow records.
5. (Optional) Select a Source Prefix and Destination Prefix filter to match.
The prefixes can be local or global. If nothing is selected, the device allows flow records
from all prefixes.
6. (Optional) Select Source Port Ranges and Destination Port Ranges if applicable for TCP
and UDP protocols.
The device evaluates the values in these fields only if the flows are TCP or UDP. The
device ignores the values for all other protocols.
7. Click Done.
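As an added illustration of how the filter fields above combine, the following Python evaluates constructed flow records against filter definitions. This is example code written for this page, not the ION device's implementation. It assumes that an empty filter field matches everything, that port ranges apply only to TCP and UDP flows (as the steps state), and that a flow is exported when it matches any one of the profile's filters, which the page does not spell out; the field names mirror the UI labels and the flows are constructed sample input.

```python
"""Evaluate IPFIX profile filters against flow records (added example, not ION code).

Assumptions made here: empty filter fields match everything, port ranges apply only
to TCP/UDP flows, and a flow is exported if it matches ANY filter in the profile.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Sequence, Tuple

TCP, UDP, ICMP = 6, 17, 1
MAX_FILTERS_PER_PROFILE = 8  # limit stated in the profile configuration steps


@dataclass
class Flow:
    protocol: int
    app: str
    src_ip: str
    dst_ip: str
    src_port: int = 0
    dst_port: int = 0


@dataclass
class IpfixFilter:
    """One filter; a field left empty places no constraint (matches all)."""
    protocols: Sequence[int] = ()
    applications: Sequence[str] = ()
    src_prefixes: Sequence[str] = ()  # global or local prefixes, as CIDR strings
    dst_prefixes: Sequence[str] = ()
    src_port_ranges: Sequence[Tuple[int, int]] = ()
    dst_port_ranges: Sequence[Tuple[int, int]] = ()


def _in_prefixes(ip: str, prefixes: Sequence[str]) -> bool:
    if not prefixes:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _in_ranges(port: int, ranges: Sequence[Tuple[int, int]]) -> bool:
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def flow_matches(flow: Flow, flt: IpfixFilter) -> bool:
    if flt.protocols and flow.protocol not in flt.protocols:
        return False
    if flt.applications and flow.app not in flt.applications:
        return False
    if not _in_prefixes(flow.src_ip, flt.src_prefixes):
        return False
    if not _in_prefixes(flow.dst_ip, flt.dst_prefixes):
        return False
    # Port ranges are evaluated only for TCP and UDP; for any other protocol
    # the device ignores them, so an ICMP flow passes a port-only filter.
    if flow.protocol in (TCP, UDP):
        if not _in_ranges(flow.src_port, flt.src_port_ranges):
            return False
        if not _in_ranges(flow.dst_port, flt.dst_port_ranges):
            return False
    return True


def select_for_export(flows: List[Flow], filters: List[IpfixFilter]) -> List[Flow]:
    """Return the flows the profile would export. With no filters, every flow
    is exported; with filters, a flow is exported if it matches any of them."""
    if len(filters) > MAX_FILTERS_PER_PROFILE:
        raise ValueError(f"an IPFIX profile allows at most {MAX_FILTERS_PER_PROFILE} filters")
    if not filters:
        return list(flows)
    return [f for f in flows if any(flow_matches(f, x) for x in filters)]


# Constructed sample flows (not captured from a device).
SAMPLE_FLOWS = [
    Flow(TCP, "ssl", "10.20.1.15", "203.0.113.5", 51000, 443),
    Flow(TCP, "web-browsing", "10.20.1.15", "203.0.113.7", 51001, 80),
    Flow(UDP, "dns", "10.20.1.15", "10.20.0.53", 40000, 53),
    Flow(ICMP, "ping", "192.168.7.9", "203.0.113.5"),
]


def demo() -> List[str]:
    """Export only TLS to the Internet from the 10.20.0.0/16 site prefix, plus
    anything at all from 192.168.7.0/24 (two filters, OR-combined)."""
    filters = [
        IpfixFilter(protocols=(TCP,), src_prefixes=("10.20.0.0/16",), dst_port_ranges=((443, 443),)),
        IpfixFilter(src_prefixes=("192.168.7.0/24",)),
    ]
    return [f.app for f in select_for_export(SAMPLE_FLOWS, filters)]


if __name__ == "__main__":
    print(demo())
```

The ICMP flow in the sample passes the second filter even though a destination port range is configured elsewhere, which is exactly the behaviour the steps describe: the device evaluates port ranges only for TCP and UDP and ignores them for every other protocol.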


STEP 4 | (Optional) Enable sampling.


Enable sampling to select a subset of flows to export from all the observed flows. If filters are
configured, the device forwards this sampled subset to the filtering process for further
selection.

1. Enter a value for Export Cache Timeout between 10 and 600 seconds.
Export Cache Timeout specifies how long the ION device caches a new flow record before
exporting it. The default value is 30 seconds.
2. (Optional) Select the Enable Sampling check box to choose a sampling algorithm.
If sampling is disabled, the device exports IPFIX information for all flows.
Select a time-based algorithm to configure the duration for sampling. If you select a
time-based Algorithm, enter values in milliseconds for Time Interval and Time Spacing.
Time Interval is the length of the sampling interval during which flows are selected. The
default value is 5 ms.
Time Spacing is the gap between the end of one sampling interval and the start of the next.
The default value is 5 ms.

The sampling rate is Time Interval / (Time Interval + Time Spacing).
The default values give a 50% sampling rate.
3. Submit the configured IPFIX profile.

Configure IPFIX Templates


An IPFIX template specifies the information elements to export as part of the flow data records
and options data records.


STEP 1 | Select Manage > Resources > Configuration Profiles > IPFIX > Templates > Create
Template.

STEP 2 | On the Add New IPFIX Template tab, enter a name for the IPFIX Template.

STEP 3 | (Optional) Enter a description and tags.

STEP 4 | (Optional) Click Default Flow Fields to view the information elements exported by default in
the flow record.
The default flow fields are as follows:
• TIME_STAMPS—Identifies when a flow started and ended. It includes the absolute time
stamps of the first packet and the last packet of the flow in milliseconds. For long-lived flows,
where delta information is sent, the flow end time stamp indicates when the last packet was
seen.
• DST_IPV4_ADDRESS—Identifies the destination address for the flow.
• DST_PORT—Identifies the destination port for the flow.
• SRC_IPV4_ADDRESS—Identifies the source address for the flow.
• SRC_PORT—Identifies the source port for the flow.
• PROTOCOL—Identifies the protocol used by the flow.
Only IPv4 is currently supported.

STEP 5 | (Optional) If you want to export additional flow fields in the flow records, select the fields
from the Flow Fields drop-down.
Use the Prefill from a preset configuration option to select a preset template to export specific
flow fields.

STEP 6 | (Optional) Select fields from the Options drop-down to export additional information.
Selecting Options allows export of additional information to the collector that would not be
possible with Flow Fields alone.

STEP 7 | (Optional) Enter a value in seconds for Template Export Timeout.


The Template Export Timeout controls how often the device sends flow templates to a
collector. This is only applicable when the connection to a collector uses the UDP protocol.
The default value is 600 seconds.


STEP 8 | (Optional) Enter a value in seconds for Option Export Timeout.


The Option Export Timeout indicates how often the device sends the option record
information to a collector. With this information, the collector can supplement its
interpretation of the flow record information. This is only applicable when the connection to a
collector uses the UDP protocol. The default value is 600 seconds.

STEP 9 | Click Save.

Attach an IPFIX Profile to an ION Device


Attach an IPFIX profile to an ION device or multiple ION devices to push the IPFIX configuration
to the device. You can attach IPFIX profiles only to branch ION devices.
Multiple ION devices across different sites can use a single IPFIX profile.
STEP 1 | Select Manage > Resources > Configuration Profiles > IPFIX > Profiles.

STEP 2 | Click the ellipsis icon for a profile, select View Device Bindings, and then click Bind Devices.

STEP 3 | Select one or more ION devices from the list to associate with the selected IPFIX profile and
Submit.

The name of the IPFIX configuration displays in the form <Profile Name> on <Device Name>.

Configure and Attach a Collector Context to a Device Interface in IPFIX

Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license


A collector context is an optional ID to associate with an interface of the ION device. The
interface acts as the source interface for the IPFIX packets exported from the ION device to the
collector.
STEP 1 | Select Manage > Resources > Configuration Profiles > IPFIX > Contexts > Create Collector
Context.

STEP 2 | Enter a name and an optional description and Save the collector context.
(Optional) Use the IPFIX collector context when configuring a collector as part of an
IPFIX profile or when configuring IPFIX profile overrides on the device.
You need to attach the collector context to an interface on the ION device to designate the
interface as the source interface for exporting IPFIX packets.

You can define multiple collectors that use the same collector context, but you can
assign an IPFIX collector context to only one interface of an ION device.

Attach a Collector Context to a Device Interface


Attach a collector context to an ION device interface to configure the device interface as a source
interface for exporting flow records. You cannot attach a collector context to more than one
interface on the same device, however you can reuse the collector context for different devices.

If you do not bind a collector context to an interface, the device uses the controller
port by default to establish the connection with the third-party collector. For
platforms that do not have a controller port, it is mandatory to specify a collector
context and bind it to an interface. Otherwise, the device raises the major alarm
DEVICE_SW_IPFIX_COLLECTORS_DOWN.

The device raises the DEVICE_SW_IPFIX_COLLECTORS_DOWN major alarm only when it
is not able to connect to any of the configured collectors. A device may have several
collector configurations that use different collector contexts; if the device can connect to
any one of the configured collectors, it does not raise the alarm.
There are two ways of attaching a collector context to a device.

Select a collector context and assign it to a device interface.

1. Select Manage > Resources > Configuration Profiles > IPFIX > Contexts > Collector.
2. Click the ellipsis icon for an IPFIX Collector Context, select View Interface Bindings, and
then click Bind Interfaces.
3. Select a device and an interface to bind the collector context and Save.
You can assign a collector context to any of the following interface types:

Interface Type | Supports Collector Context
Controller | Yes
Virtual Ports | Yes
Loopback | No
Standard VPN | No
Virtual Interfaces | Yes
Port Channel | No
Sub-interfaces | Yes
PPPoE | Yes
Bypass Pair | Yes

(Optional) Repeat the procedure to bind the collector context to an interface on another
device.

Select a device interface and then assign the collector context.


1. Select Manage > Setup > Devices > Claimed > Select a device > Configure the device >
Interfaces.
2. Select an interface to assign as a source interface for exporting flow records.

3. Select a previously configured IPFIX Collector Context and Save.

You can assign a collector context to only one interface of an ION device.


Configure and Attach a Filter Context to a Device Interface in IPFIX

Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

A filter context is a criterion used to filter the flow records that are exported to the collector.
STEP 1 | Select Manage > Resources > Configuration Profiles > IPFIX > Contexts > Create Filter
Context.

STEP 2 | Enter a name and an optional description.

STEP 3 | Save the filter context.


Use the IPFIX filter context when configuring a filter as part of either an IPFIX profile or an
IPFIX device override.
If you have configured a filter context and used it in a profile, you must Attach a Filter Context
to a Device Interface in IPFIX for filtering the flow records.

You can assign an IPFIX filter context to multiple interfaces of a single ION device or
multiple ION devices. You cannot assign an IPFIX filter context to a controller interface
because the controller interface does not forward application traffic.

Attach a Filter Context to a Device Interface in IPFIX


Attach a filter context to an ION device interface to filter flow records for export. You can assign
an IPFIX filter context to multiple interfaces of a single ION device or to multiple ION devices.


Select a filter context and assign to a device interface.


1. Select Manage > Resources > Configuration Profiles > IPFIX > Contexts > Filter.
2. Click the ellipsis icon for an IPFIX Filter Context, select View Interface Bindings, and
then click Bind Interfaces.

3. Select a device and an interface to bind the filter context.


You can assign a filter context to any of the following interface types:

Interface Type | Supports Filter Context
Controller | No
Virtual Ports | Yes
Loopback | No
Standard VPN | No
Virtual Interfaces | Yes
Port Channel | No
Sub-interfaces | Yes
PPPoE | Yes
Bypass Pair | Yes

Select an ION device interface and bind the filter context.


1. Select Manage > Setup > Devices > Claimed > Select a device > Configure the device >
Interfaces.
2. Select an interface to assign a filter context for filtering flow records.

You cannot assign an IPFIX filter context to a controller interface, because the
controller interface does not forward application traffic.
3. Select a previously configured IPFIX Filter Context and Save.


Configure Global and Local IPFIX Prefixes


Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

Use prefixes in IPFIX filter configuration to export flow records for matching IP prefix ranges. You
can use global IPFIX prefixes across all sites in your network.
STEP 1 | Select Manage > Resources > Configuration Profiles > IPFIX > Prefixes > Global > Create
Global Prefix.

STEP 2 | Enter a name, and optionally description and tags.

STEP 3 | For IP Prefixes, enter an individual IP address or IP address subnets.


(Optional) Click Add IP prefix to include additional IP Prefixes.

STEP 4 | Click Save.

Configure Local IPFIX Prefixes


Configure local IPFIX prefixes to denote subnets or specific IP addresses within a subnet which
are locally significant for a site.
STEP 1 | Select Manage > Resources > Configuration Profiles > IPFIX > Prefixes > Local and click
Create Local Prefix.

STEP 2 | Enter a name, description (optional), and tags (optional). Click Save.

You have to bind the IPFIX local prefix to a site for the local prefix to take effect. If
a local IPFIX prefix is used in a filter configuration in a profile and the local prefix is
not bound to a site, the configured filter does not match that prefix for the flow
records of the devices in the site.

Flow Information Elements


Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

The table below describes the flow information elements, which are based on the IANA IP Flow
Information Export (IPFIX) entity definitions included at https://www.iana.org/assignments/ipfix/
ipfix.xhtml#ipfix-information-elements.

Flow Field | Information Element | ElementId | Description | Data Type | Data Type Semantics
APPLICATION_HOST | httpRequestHost | IANA 460 | Identifies the domain name of the application's request host. Encoded in UTF-8. | string |
APP_DEF_ID | applicationId | IANA 95 | Identifies the flow application ID. | octetArray | default
CONNECTION_BIFLOW_BYTES | cgnxBidirectionalOctetDeltaCount | CGNX 1006 | Specifies the number of octets since the previous report (if any) in both directions for this flow at the observation point. | unsigned64 | deltaCounter
CONNECTION_BIFLOW_PACKETS | cgnxBidirectionalPacketDeltaCount | CGNX 1007 | Specifies the number of packets since the previous report (if any) in both directions for this flow at the observation point. | unsigned64 | deltaCounter
CONNECTION_INIT | cgnxTcpConnInit | CGNX 1021 | Boolean flag that indicates whether a SYN-ACK packet was seen in response to a SYN packet. | unsigned8 | flags
CONNECTION_NTT | NTT subTemplate | | Exported as part of the flow when you configure the CONNECTION_NTT flow field. Contains the four cgnxNtt elements below. | |
 | cgnxNttMinMilliseconds | CGNX 1012 | Specifies the minimum network transfer time for an application in milliseconds. | unsigned32 | default
 | cgnxNttMaxMilliseconds | CGNX 1013 | Specifies the maximum network transfer time for an application in milliseconds. | unsigned32 | default
 | cgnxNttObservedDeltaCount | CGNX 1014 | Specifies the total number of network transfer time observations for this flow at the observation point. | unsigned32 | deltaCounter
 | cgnxNttSumMilliseconds | CGNX 1015 | Specifies the sum of network transfer times for an application in milliseconds. | unsigned32 | default
CONNECTION_RTT | RTT subTemplate | | Exported as part of the flow when you configure the CONNECTION_RTT flow field. Contains the four cgnxRtt elements below. | |
 | cgnxRttMinMilliseconds | CGNX 1008 | Specifies the minimum round trip time for an application in milliseconds. | unsigned32 | default
 | cgnxRttMaxMilliseconds | CGNX 1009 | Specifies the maximum round trip time for an application in milliseconds. | unsigned32 | default
 | cgnxRttObservedDeltaCount | CGNX 1010 | Specifies the number of round trip time observations for this flow at the observation point. | unsigned32 | deltaCounter
 | cgnxRttSumMilliseconds | CGNX 1011 | Specifies the sum of round trip times for an application in milliseconds. | unsigned32 | default
CONNECTION_SRT | SRT subTemplate | | Exported as part of the flow when you include the CONNECTION_SRT flow field. Contains the four cgnxSrt elements below. | |
 | cgnxSrtMinMilliseconds | CGNX 1016 | Specifies the minimum server response time for an application in milliseconds. | unsigned32 | default
 | cgnxSrtMaxMilliseconds | CGNX 1017 | Specifies the maximum server response time for an application in milliseconds. | unsigned32 | default
 | cgnxSrtObservedDeltaCount | CGNX 1018 | Specifies the number of server response time observations for this flow at the observation point. | unsigned32 | deltaCounter
 | cgnxSrtSumMilliseconds | CGNX 1019 | Specifies the sum of server response times for an application in milliseconds. | unsigned32 | default
CONNECTION_UDPTRT | TRT subTemplate | | Exported as part of the flow when you configure the CONNECTION_UDPTRT flow field. Contains the four cgnxTrt elements below. | |
 | cgnxTrtMinMilliseconds | CGNX 1024 | Specifies the minimum transaction response time for an application in milliseconds. | unsigned32 | default
 | cgnxTrtMaxMilliseconds | CGNX 1025 | Specifies the maximum transaction response time for an application in milliseconds. | unsigned32 | default
 | cgnxTrtObservedDeltaCount | CGNX 1026 | Specifies the number of transaction response time observations for this flow at the observation point. | unsigned32 | deltaCounter
 | cgnxTrtSumMilliseconds | CGNX 1027 | Specifies the sum of transaction response times for an application in milliseconds. | unsigned32 | default
CONNECTION_UNIFLOW_BYTES | octetDeltaCount | IANA 1 | Identifies the number of octets since the previous report (if any) in incoming packets for this flow at the observation point. | unsigned64 | deltaCounter
CONNECTION_XACT | XACT subTemplate | | Exported as part of the flow when you configure the CONNECTION_XACT flow field. Contains the two elements below. | |
 | cgnxConnectionTransactionSuccessTotalCount | CGNX 1022 | Specifies the total number of connection transaction success observations for this flow at the observation point. | unsigned32 | totalCounter
 | cgnxConnectionTransactionFailureTotalCount | CGNX 1023 | Specifies the total number of connection transaction failure observations for this flow at the observation point. | unsigned32 | totalCounter
DSCP_MAP | cgnxDiffServCodePointMap | CGNX 1000 | Identifies the Prisma SD-WAN DSCP bitmap observation for the flow at the interface. | unsigned64 | flags
DSCP_LAST | ipDiffservCodePoint | IANA 195 | Identifies the last observed DSCP value for the flow. | unsigned8 | identifier
INTERFACES | ingressInterface | IANA 10 | Identifies the flow's ingress interface (where packets are received), physical or logical. The exported interface ID matches the SNMP interface ID. | unsigned32 | identifier
 | egressInterface | IANA 14 | Identifies the flow's egress interface (where packets are sent), physical or logical. The exported interface ID matches the SNMP interface ID. | unsigned32 | identifier
MEDIA_CODEC | cgnxMediaCodecList | CGNX 1034 | A list of codec identifiers as identified from the flow. Each codec is represented by a single octet in the list. | octetArray | identifier
MEDIA_JITTER | Media Jitter subTemplate | | Identifies the jitter of a media flow. Exported as part of the flow when you configure the MEDIA_JITTER flow field. Contains the three elements below. | |
 | cgnxMediaJitterMaxMilliseconds | CGNX 1036 | Specifies the maximum jitter time for an application in milliseconds. | unsigned32 | default
 | cgnxMediaJitterObservedDeltaCount | CGNX 1037 | Specifies the number of jitter time observations for this flow at the observation point. | unsigned64 | deltaCounter
 | cgnxMediaJitterSumMilliseconds | CGNX 1038 | Specifies the sum of jitter times for an application in milliseconds. | unsigned32 | default
MEDIA_LOSS | Media Loss subTemplate | | Identifies the packet loss percentage of a media flow. Exported as part of the flow when you configure the MEDIA_LOSS flow field. Contains the three elements below. | |
 | cgnxMediaLossMax | CGNX 1039 | Specifies the maximum packet loss percentage for an application. | float32 | quantity
 | cgnxMediaLossObservedDeltaCount | CGNX 1040 | Specifies the number of packet loss percentage observations for this flow at the observation point. | unsigned64 | deltaCounter
 | cgnxMediaLossSum | (not given on this page) | Specifies the sum of packet loss percentages for an application. | float32 | quantity
MEDIA_MOS | cgnxMediaMosMin | CGNX 1042 | Specifies the minimum MOS sample for an application. | float32 | quantity
 | cgnxMediaMosMax | CGNX 1043 | Specifies the maximum MOS sample for an application. | float32 | default
 | cgnxMediaMosObservedDeltaCount | CGNX 1044 | Specifies the number of MOS observations for this flow at the observation point. | unsigned32 | deltaCounter
 | cgnxMediaMosSum | CGNX 1045 | Specifies the sum of MOS observations for an application. | float32 | default
QOS_QUEUE | cgnxQosQueue | CGNX 1001 | Identifies the QoS queue to which the ION device assigns the flow. | unsigned8 | identifier
RTP_TRANSPORT_TYPE | cgnxRtpTransport | CGNX 1033 | RTP transport identifier. The value is Prisma SD-WAN specific and is identified from the flow. | unsigned8 | identifier
TRANSPORT_TCP_WINDOWSIZE | TcpWin subTemplate | | Identifies the minimum and maximum TCP window size for a flow. Exported as part of the flow when you configure the TRANSPORT_TCP_WINDOWSIZE flow field. Contains the two elements below. | |
 | cgnxMinTcpWindowSize | CGNX 1003 | The minimum value observed for the TCP window for the flow. | unsigned32 | quantity
 | cgnxMaxTcpWindowSize | CGNX 1004 | The maximum value observed for the TCP window for the flow. | unsigned32 | quantity
TROUBLESHOOT_DECISION_MAP | Decision Map subTemplate | | Specifies the Prisma SD-WAN decision bitmap observation for the flow at the interface. The information is encoded in a set of bit fields allocated in 4-octet word groups; the decision map flags are mapped to bits according to their flag numbers. The single decision map subTemplate contains cgnxDecisionMap and is exported as part of the flow when you configure the TROUBLESHOOT_DECISION_MAP flow field. The multiple decision map subTemplateList presents a list of single decision map subTemplate records, currently at most 4. | |
 | cgnxDecisionMap | CGNX 1048 | Specifies the CloudGenix decision bitmap observation for this flow at the observation point. | octetArray | flags
TROUBLESHOOT_TCP | TCP Troubleshoot subTemplate | | Exported as part of the flow when you configure the TROUBLESHOOT_TCP flow field. The TCP flag counters, the retransmission (rexmit) counter and the out-of-order packet (ooop) counter are combined into this single unified subTemplate, which contains the six elements below. | |
 | cgnxTcpSynDeltaCount | CGNX 1050 | The number of packets of this flow with the TCP "Synchronize sequence numbers" (SYN) flag set, observed since the last record for the flow was sent. | unsigned32 | deltaCounter
 | cgnxTcpFinDeltaCount | CGNX 1051 | The number of packets of this flow with the TCP "No more data from sender" (FIN) flag set, observed since the last record for the flow was sent. | unsigned32 (reduced to unsigned8) | deltaCounter
 | cgnxTcpRstDeltaCount | CGNX 1052 | The number of packets of this flow with the TCP "Reset the connection" (RST) flag set, observed since the last record for the flow was sent. | unsigned32 (reduced to unsigned8) | deltaCounter
 | cgnxTcpAckDeltaCount | CGNX 1053 | The number of packets of this flow with the TCP "Acknowledgement field significant" (ACK) flag set, observed since the last record for the flow was sent. | unsigned32 | deltaCounter
 | cgnxTcpRexmitDeltaCount | CGNX 1046 | (no description given) | unsigned32 | deltaCounter
 | cgnxTcpOoopDeltaCount | CGNX 1047 | Specifies the number of new TCP out-of-order packet observations for this TCP flow at the observation point since the last export record for the flow. | unsigned32 | deltaCounter
WAN-PATH | cgnxWanPath | CGNX 1002 | WAN path identifier. | unsigned64 | identifier


Options Information Elements


Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

The table below describes the options available for the IPFIX template flow record. The flow
information elements are based on the IANA IP Flow Information Export (IPFIX) entity definitions
included at https://www.iana.org/assignments/ipfix/ipfix.xhtml#ipfix-information-elements.

Options Information Element | Information Element | ElementId | Description | Data Type | Data Type Semantics
APP_DEF_ID_TABLE | Application Name Option Record | | This Options Template Record contains: Scope = applicationId (IANA 95); applicationName (IANA 96). A more detailed example can be found in RFC 6759, Section 6.8. | |
 | applicationId | IANA 95 | Scope element. From RFC 5101: the scope, which is only available in the Options Template Set, gives the context of the reported Information Elements in the Data Records. | octetArray | default
 | applicationName | IANA 96 | Name of the application identified by the applicationId in scope. | string |
WAN_PATH_ID_TABLE | WAN Path Name Option Template Record | | Contains: Scope = cgnxWanPath (the Prisma SD-WAN ID associated with the WAN path); cgnxWanPathName (a generated descriptive name to associate with the cgnxWanPath). | |
 | cgnxWanPathName | CGNX 1100 | Specifies the name of a WAN path. The name includes path type, circuit name, and possibly remote endpoint information. | string | default
LINK_QUALITY_METRICS | LQM Options Template Record | | Contains: Scope = 'Link' (cgnxLqmPathIdentifier) and 'Time Stamp' (observationTimeSeconds); Information Elements for the link quality metrics described below. | |
 | cgnxLqmPathIdentifier | CGNX 1060 | The value of the path identifier is Prisma SD-WAN specific and is generated during configuration of the WAN element. | unsigned64 | identifier
 | observationTimeSeconds | IANA 322 | Specifies the absolute time in seconds of an observation. | dateTimeSeconds | default
 | cgnxLqmRemoteSiteIdentifier | CGNX 1061 | The value of the remote site identifier generated during configuration of the WAN element. A value of 0 represents the aggregated LQM information for the associated path identifier; only private WAN paths have a non-zero remote site identifier. This is a scope element for the option template. | unsigned64 | identifier
 | cgnxRttSumMilliseconds | CGNX 1011 | Specifies the sum of round trip times for an application in milliseconds. | unsigned32 | default
 | cgnxLqmDownLinkJitterMilliseconds | CGNX 1062 | The downward jitter associated with the path, in milliseconds, for the observation period. | float32 | quantity
 | cgnxLqmDownLinkPacketLoss | CGNX 1063 | The downward packet loss associated with the path, as a percentage, for the observation period. | float32 | quantity
 | cgnxLqmDownLinkMos | CGNX 1064 | The downward MOS associated with the path for the observation period. | float32 | quantity
 | cgnxLqmUpLinkJitterMilliseconds | CGNX 1065 | The upward jitter associated with the path, in milliseconds, for the observation period. | float32 | quantity
 | cgnxLqmUpLinkPacketLoss | CGNX 1063 (as listed; this duplicates the ID of cgnxLqmDownLinkPacketLoss) | The upward packet loss associated with the path, as a percentage, for the observation period. | float32 | quantity
 | cgnxLqmUpLinkMos | CGNX 1067 | The upward MOS associated with the path for the observation period. Value 1 to 5. | float32 | quantity
 | cgnxLqmRttLatencyMilliseconds | CGNX 1068 | The RTT latency associated with the path, in milliseconds, for the observation period. | float32 | quantity
 | cgnxLqmLinkHealthy | CGNX 1069 | The overall health associated with the path for the observation period. | float32 | quantity
 | cgnxLqmBadLinkHealthReasonBitmap | (not given on this page) | Reason bitmap for the overall health associated with the path for the observation period. | |
DEVICE_IDENTIFICATION | Device Identification Information Option Record | | Contains: Scope = cgnxElementIdentifier (the Prisma SD-WAN ID that uniquely identifies the device); cgnxSiteIdentifier and cgnxTenantIdentifier (additional identification needed to use the REST API to gather detailed information from the controller); cgnxElementName (information that can be useful to present to the user). | |
 | cgnxElementIdentifier | CGNX 1101 | Specifies the Prisma SD-WAN ID that is uniquely associated with the device that is exporting the IPFIX records. | unsigned64 | identifier
 | cgnxSiteIdentifier | CGNX 1102 | Specifies the Prisma SD-WAN ID that is uniquely associated with the site in which the element resides. | unsigned64 | identifier
 | cgnxTenantIdentifier | CGNX 1103 | Specifies the Prisma SD-WAN ID that is uniquely associated with the tenant that owns the element. | unsigned64 | identifier
 | cgnxElementName | CGNX 1104 | Specifies the name that has been configured for the device that is exporting the IPFIX records. | string | default
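The flow and options tables above describe what an ION device puts on the wire; a collector has to decode both from IPFIX templates before it can use them. The following Python is an added example written for this page, not Prisma SD-WAN or collector code: a minimal RFC 7011 decoder that reads template sets, options template sets (with their scope field count) and data sets, resolves enterprise-specific elements from the tables above, handles variable-length strings such as httpRequestHost and cgnxWanPathName, and accepts reduced-size encoding (the unsigned32 counters the table marks as reduced to unsigned8). It assumes a placeholder private enterprise number (CGNX_PEN) because the real one is not given on this page, takes the five-tuple element IDs (4, 7, 8, 11, 12) from the IANA IPFIX registry rather than from the tables, and builds its two sample messages inline; nothing here is captured from a device. The first sample message carries a data set whose template has not yet been received, which is what a collector sees after a restart when a device exports over UDP and only re-sends templates every Template Export Timeout; the decoder reports that set as skipped rather than misparsing it.

```python
# Minimal IPFIX (RFC 7011) decoder for the flow and options records described above.
import ipaddress
import struct

CGNX_PEN = 0x7FFFFFFF  # ASSUMPTION: placeholder, not the real enterprise number
VARLEN = 0xFFFF        # template field length that means "variable-length field"
# ElementId -> (name, type). 1/95/96/460 are in the tables above; 4/7/8/11/12 come from the IANA registry.
IANA_IES = {1: ("octetDeltaCount", "unsigned64"), 4: ("protocolIdentifier", "unsigned8"),
            7: ("sourceTransportPort", "unsigned16"), 8: ("sourceIPv4Address", "ipv4Address"),
            11: ("destinationTransportPort", "unsigned16"), 12: ("destinationIPv4Address", "ipv4Address"),
            95: ("applicationId", "octetArray"), 96: ("applicationName", "string"), 460: ("httpRequestHost", "string")}
CGNX_IES = {1001: ("cgnxQosQueue", "unsigned8"), 1002: ("cgnxWanPath", "unsigned64"),
            1021: ("cgnxTcpConnInit", "unsigned8"), 1100: ("cgnxWanPathName", "string")}


def decode_value(dtype, raw):
    if dtype.startswith("unsigned"):  # any length: reduced-size encoding is allowed
        return int.from_bytes(raw, "big")
    if dtype == "ipv4Address":
        return str(ipaddress.IPv4Address(raw))
    return raw.decode("utf-8") if dtype == "string" else raw  # octetArray stays bytes


def _rd(fmt, data, pos):
    return struct.unpack_from(fmt, data, pos), pos + struct.calcsize(fmt)


def parse_message(data, templates):
    """Decode one message. `templates` is the collector's cache keyed by (observation domain,
    template ID); keep it across messages, since over UDP templates are only re-sent periodically."""
    (version, length, _ts, _seq, odid), off = _rd("!HHIII", data, 0)
    if version != 10 or length != len(data):
        raise ValueError("not a well-formed IPFIX message")
    out = {"flows": [], "options": [], "skipped": []}
    while off < length:
        (set_id, set_len), pos = _rd("!HH", data, off)
        end = off + set_len
        if set_id in (2, 3):  # template set (2) or options template set (3)
            while pos + 4 <= end:
                (tid, fcount), pos = _rd("!HH", data, pos)
                (scope,), pos = _rd("!H", data, pos) if set_id == 3 else ((0,), pos)
                fields = []
                for _ in range(fcount):
                    (ie, flen), pos = _rd("!HH", data, pos)
                    if ie & 0x8000:  # enterprise bit set: a 4-byte PEN follows
                        (pen,), pos = _rd("!I", data, pos)
                        ie, table = ie & 0x7FFF, (CGNX_IES if pen == CGNX_PEN else {})
                        name, dtype = table.get(ie, (f"pen{pen}.{ie}", "octetArray"))
                    else:
                        name, dtype = IANA_IES.get(ie, (f"iana{ie}", "octetArray"))
                    fields.append((name, dtype, flen))
                templates[(odid, tid)] = (scope, fields)
        elif set_id >= 256:  # data set, decoded with the template of the same ID
            tmpl = templates.get((odid, set_id))
            if tmpl is None:
                out["skipped"].append(set_id)  # template not received yet
            else:
                scope, fields = tmpl
                min_len = sum(1 if flen == VARLEN else flen for _, _, flen in fields)
                while pos + min_len <= end:  # a shorter tail is padding
                    rec = {}
                    for name, dtype, flen in fields:
                        if flen == VARLEN:  # 1-byte length, or 255 then a 2-byte length
                            flen, pos = data[pos], pos + 1
                            if flen == 255:
                                (flen,), pos = _rd("!H", data, pos)
                        rec[name] = decode_value(dtype, data[pos:pos + flen])
                        pos += flen
                    (out["options"] if scope else out["flows"]).append(rec)
        off = end
    return out


def attach_wan_path_names(flows, options):  # join on cgnxWanPath, as WAN_PATH_ID_TABLE intends
    names = {o["cgnxWanPath"]: o["cgnxWanPathName"] for o in options if "cgnxWanPathName" in o}
    return [dict(f, cgnxWanPathName=names.get(f.get("cgnxWanPath"))) for f in flows]


# Constructed sample messages (built here, not captured from a device).
def _spec(ie, length, pen=None):
    return struct.pack("!HH", ie, length) if pen is None else struct.pack("!HHI", ie | 0x8000, length, pen)


def _set(set_id, body):
    return struct.pack("!HH", set_id, 4 + len(body)) + body


def _message(sets, seq, odid=1):
    body = b"".join(sets)
    return struct.pack("!HHIII", 10, 16 + len(body), 1700000000, seq, odid) + body


def _varlen(text):
    return bytes([len(text)]) + text.encode()  # short form: 1-byte length (< 255)


def sample_messages():
    # Message 0: a data set before any template. Message 1: templates plus the same data.
    flow_tmpl = struct.pack("!HH", 256, 10) + b"".join([
        _spec(8, 4), _spec(12, 4), _spec(7, 2), _spec(11, 2), _spec(4, 1), _spec(1, 8),
        _spec(460, VARLEN), _spec(1002, 8, CGNX_PEN), _spec(1001, 1, CGNX_PEN), _spec(1021, 1, CGNX_PEN)])
    opt_tmpl = struct.pack("!HHH", 257, 2, 1) + _spec(1002, 8, CGNX_PEN) + _spec(1100, VARLEN, CGNX_PEN)
    flow_rec = (struct.pack("!4s4sHHBQ", bytes([10, 1, 1, 10]), bytes([203, 0, 113, 5]), 51000, 443, 6, 12345)
                + _varlen("example.com") + struct.pack("!QBB", 0x1234, 3, 1))
    opt_rec = struct.pack("!Q", 0x1234) + _varlen("Internet: ISP-A")
    return [_message([_set(256, flow_rec)], seq=0),
            _message([_set(2, flow_tmpl), _set(3, opt_tmpl), _set(256, flow_rec), _set(257, opt_rec)], seq=1)]
```

Feed the two messages in order through one `templates` dictionary: the first yields no flows and reports set 256 as skipped, the second installs both templates and decodes the flow and the WAN path option record, after which the first message decodes as well. The join in `attach_wan_path_names` is the practical reason the Option Export Timeout matters: a collector that has aged out the option records can still decode flows but can no longer turn cgnxWanPath into a readable path name.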

Configure the DNS Service on the Prisma SD-WAN Interface


Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

Domain Name System (DNS) is a protocol that translates (resolves) a user-friendly domain name
to an IP address so that users can access computers, websites, services, or other resources on the
internet or private networks.
Create and configure both DNS Service Roles and DNS Service Profiles from the Prisma SD-WAN
web interface. After the DNS roles and profiles are created, enable the DNS service on the branch
ION device.
Locally significant configuration and attributes are specified at the device-level DNS service
configuration, effectively augmenting or, in some cases overriding the configuration specified in
the DNS Service Profile.
DNS Service Roles are used to group interfaces that have common functions. Some interfaces
listen for DNS requests, others only forward DNS requests, and some both listen and forward.
After you assign a role to a specific DNS server's IP address in a global DNS service profile, the
role is applied at the device level.

DNS Service Profiles are used to specify configuration parameters for the DNS service. Commonly
configured parameters include DNS Servers, Domain to Address Mapping, Cache Configuration,
and DNSSEC Configuration. After a DNS Service Profile is created, it is bound to a device.
The following topics describe how to configure the DNS Service from the Prisma SD-WAN web
interface and on the ION device.
• Configure the DNS Service on the Prisma SD-WAN Interface
• Configure DNS Service on the ION Device

Configure DNS Roles


The Prisma SD-WAN DNS Service provides a rich suite of Domain Name System services directly
to branch users and devices. The DNS service answers DNS queries from a local cache or forwards
them to upstream DNS servers. It retains local host details so that local host names do not appear
in the global DNS. The Prisma SD-WAN DNS service acts as a caching or authoritative server on
devices that are in an assigned state at a branch site.
To access the DNS service, an administrator needs one of the following roles: support, super,
network admin, security admin, or view only. Navigate to the DNS service from the Prisma SD-WAN
web interface.
STEP 1 | Select Manage > Resources > Configuration Profiles > DNS > DNS Service Roles and click
Create DNS Role.

STEP 2 | Enter the Name, (Optional) Description, and (Optional) Tags for the DNS Service role.

STEP 3 | Click Save.


The DNS Roles screen lists each role's name and the number of DNS services and DNS profiles
that use the role.

Configure DNS Profiles


Create a DNS Profile from the Prisma SD-WAN web interface.

STEP 1 | Select Manage > Resources > Configuration Profiles > DNS > DNS Service Profiles and click
Create DNS Profile.

STEP 2 | Enter the Basic information for the profile, choose whether to enforce strict domain names
and DNS loop detection, and add a DNS server.
1. Enter the Name, (Optional) Description, and (Optional) Tags for the DNS service profile.
2. Select whether to Enable strict domain name and Enable DNS loop detection.
3. (Optional) Enter the Max EDNS Packet size.
The default size is 4096.
4. (Optional) Choose a Listen DNS Role from the drop-down and enter the Listen Port
number.
The default value is 53. If specified, the value must be between 1 and 65535.
Roles created as part of the DNS service are listed in the Listen DNS Role field.
5. (Optional) Select Send to all DNS Servers.
6. Add a DNS server by specifying the DNS Server IP and (Optional) DNS Server Port.
7. Select either IP Prefix or Domain and enter the required information.
Configuring an IP Prefix forwards PTR (reverse lookup) queries for the specified subnet to
this DNS server.
Configuring a Domain Name forwards name resolution requests for the specified domain(s)
to this DNS server.
8. (Optional) Choose a Forward DNS Role from the drop-down and enter the Source Port.
Roles created as part of the DNS service are listed in the Forward DNS Role field.

STEP 3 | Map Domain to Address to specify the DNS responses the service returns for the
configured names.
Each Domain to Address mapping and its IP address must be unique.
1. Click Add to add a domain-to-address mapping.
2. Specify the Domain Name and the IP Prefix.

STEP 4 | Specify the Queries and Responses parameters to append client metadata to DNS queries
as they are sent to the upstream DNS server.
You can also override DNS responses or block specific responses entirely.
1. Select Add a Client and specify the Mac Encoding Format.
2. Enter a Custom Text and an Identifier, or choose the Element ID/Element from the
drop-down.
3. Add a new Subnet by entering the (Optional) IP Address and the Prefix Length.
4. Select whether to Disable private IP lookups.
If required, enter Max TTL and Local TTL values in seconds.
5. (Optional) Enter the IP addresses to treat as Bogus NX Domains and the Ignore IP
Addresses.
6. Create new Aliases by replacing an IP address: either replace the Original IP Prefix, or
specify an Original IP Range by entering the original start IP and original end IP.

STEP 5 | Specify the Cache and DNSSEC proxy configurations.

1. Select whether to Disable Negative Caching.
If required, enter values for Min Cache TTL, Max Cache TTL, Cache Size, and Negative
Cache TTL (TTL values in seconds).
2. Select whether to Stop dns rebind for private ip and to Enable localhost rebind.
Rejecting upstream answers that map public names to private addresses is the defence
against DNS rebinding attacks, in which an attacker's domain is pointed at hosts inside the
branch network.
3. (Optional) Enter the names of the Rebind Domains.
4. Select whether to enable the DNSSEC Proxy and DNSSEC Config options.
5. Enter the Class, Domain, Key Tag, and Algorithm to Add a new Trust
Anchor.

STEP 6 | Add a record by entering basic information in Authoritative Config or enter secondary server
details.
1. (Optional) Enter Secondary Server details, Peers, and TTL value in seconds.
2. To Add a record, enter the Name (record names are listed in the drop-down), Flags, Tag,
and Value.

STEP 7 | Complete all configuration requirements and Submit.

Configure DNS Service on the ION Device


After you configure the DNS Service Roles and DNS Service Profiles, enable the DNS Service at
the device-level. Only a single instance is allowed per ION device. You can map a DNS Service
Profile to a DNS Service, assign interfaces to the DNS service role mappings, and specify device-
specific attributes. The DNS service can be enabled or disabled as required. To configure the DNS
service on the ION device:

STEP 1 | Select Workflows > Devices > Claimed Devices, select the device, and click Configure the
device > DNS Service. ION devices running version 6.2.1 and later support IPv6 DNS servers.

STEP 2 | Configure the Service Info tab.


1. Enable the DNS service. When the service is enabled, selecting a DNS profile is mandatory,
and the service is active for both IPv4 and IPv6 addresses.
2. Enter a Name, (Optional) Description, and (Optional) Tags for the DNS Service.
3. Select whether to Enable strict domain name and Enable DNS loop detection.
4. Select a DNS Profile from the drop-down.
The list contains the profiles created under Configuration Profiles in the web interface.
5. (Optional) Enter values for Max Concurrent DNS Queries and the Cache Size.
The default value is 150.
6. Click Add to bind a role to the DNS Service.
7. In the Add New Record dialog, choose the DNS Role and select the Interface or enter the
Interface IP. IPv6 addresses are accepted on ION devices running version 6.2.1 and later.

STEP 3 | Configure the Queries Metadata tab.


1. (Optional) Configure the metadata under Customer Premises Equipment.
If the values entered here differ from those in the DNS Service Profile, the device-level DNS
Service values take precedence.
2. In the Add New Record dialog, enter the (Optional) IP Address and the Prefix Length.
This option can be configured both in the profile and at the device level.

STEP 4 | Configure the Domain Mapping tab.


1. (Optional) Add the domain names that map to the configured IP address and the configured
interfaces.
If the values entered here differ from those in the DNS Service Profile, the device-level DNS
Service values take precedence.
2. In the Domain to Interface section, click Add to enter the Domain Names and choose an
Interface from the drop-down.

STEP 5 | Complete all configuration requirements and Submit.

Prisma SD-WAN DNS Use Cases


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

The following sections provide details and examples of some common Prisma SD-WAN DNS
Service use cases.
• DNS Caching
• Augmentation of Enterprise DNS System
• DNS System for Small Deployments
• Internet-Local Resolution
• Secure DNS (DNSSEC)
• IoT DNS
• DNS Accounting
• Configure System for DNS Survivability

DNS Caching
The DNS Service can provide almost instant DNS resolution to client machines, which increases
perceived application responsiveness and improves the overall user experience.
By default, the maximum number of cached domains is 150. You can raise this number by editing
the DNS profile, or with local DNS service overrides on the element, to a maximum of 10,000
cached DNS records. A cache size of 0 disables DNS caching. DNS caching has minimal memory
overhead, and you can safely configure the maximum cache size on all Prisma SD-WAN device
models.

Augmentation of Enterprise DNS System


The Prisma SD-WAN DNS Service does not replace an existing enterprise DNS system but can
work in conjunction to provide local control through centralized management. The Prisma SD-
WAN DNS service can easily augment the enterprise DNS system by providing site-specific (local)
DNS resolution. For example, the same domain used across the enterprise can be resolved to a
different IP address depending on the client's location performing the lookup. This allows for a
simple yet scalable way to provide granular control for local resolution.

DNS System for Small Deployments


You can configure the Prisma SD-WAN DNS Service to act as an authoritative DNS server that
meets a small network's needs. Acting as an authoritative server, it supports multiple zones and
all DNS record types.

Internet-Local Resolution
SaaS applications rely on local DNS resolution to connect an end user with the closest node for
a given application. In most cases, machines on the private network are configured to use private,
centralized DNS servers in a data center or another central location. These centralized DNS
servers rely on upstream DNS systems for authoritative information about zones outside their
responsibility.

When SaaS applications are resolved this way, the answer points to nodes that are local to the
central DNS servers rather than to the branch office users.

Because the Prisma SD-WAN DNS Service can be configured to send name resolution requests for
some domains to one set of servers and requests for other domains to a different set, it solves the
local DNS resolution problem. This is particularly useful for SaaS applications that rely on local
DNS resolution for optimal node selection.

Secure DNS (DNSSEC)


DNS-based attacks, such as spoofing and cache poisoning, are a standard method of redirecting
and intercepting traffic. You can deploy Secure DNS (DNSSEC) to mitigate the threat of such
attacks. DNSSEC adds a layer of trust to DNS by authenticating responses with digital signatures
that use public-key cryptography.
The Prisma SD-WAN DNS Service can act in one of two DNSSEC modes:
• DNSSEC Proxy—In this mode, the Prisma SD-WAN DNS Service proxies DNSSEC requests
received from a client to the DNS servers configured for lookup. When the upstream DNS
server responds, the AD (Authentic Data) flag in its response is relayed unchanged to the
client. The ION does not validate signatures itself in this mode, so the client is trusting the
upstream resolver's validation and the integrity of the path to it.
• DNSSEC Server—In this mode, the Prisma SD-WAN DNS Service validates DNS replies itself
and caches DNSSEC data. You must add the appropriate trust anchors to the configuration
to enable this mode, and any upstream DNS servers must be capable of handling DNSSEC
requests.

IoT DNS
In many cases, IoT (Internet of Things) devices are managed by outside vendors rather than by
the network or application owners. The Prisma SD-WAN DNS service can control domain name
resolution on a source-address basis. This can be further secured by combining the Prisma SD-WAN
DNS Service with the Prisma SD-WAN ZBFW.

DNS Accounting
In some environments, both enterprise and carrier, specific client metadata must be passed to the
DNS server for accounting purposes. You can configure the Prisma SD-WAN DNS Service to send
specific client attributes to the DNS server, including the client MAC address, element name,
element ID, and custom text.

Configure System for DNS Survivability

Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

In the modern branch, most systems rely heavily on SaaS solutions for day-to-day tasks. These
include productivity tools such as Office 365, credit card processing systems such as Square, and
POS (point-of-sale) systems such as Aloha, all delivered from the public internet. Apart from DNS
resolution, these systems have no dependency on private networks.
Using the Prisma SD-WAN DNS service, the system can be configured to use public internet DNS
servers by default while sending internal domain name resolution requests to private DNS servers
on the network. The majority of site services then remain active and functional if the branch
cannot reach the centralized, private DNS servers.
DNS and Trusted SaaS App Traffic Flow before Prisma SD-WAN
When the branch PC sends a DNS resolution request to the DNS server in the central data center,
the data center DNS server responds if the name is known or cached; otherwise, it forwards the
request to the upstream DNS server.
The branch PC receives the DNS response with the IP address information for the trusted SaaS
application. The connection request is sent to the destination server. The data center firewall
receives the inbound connection request from the WAN edge MPLS router and forwards it to the
internet.
The SaaS service receives the TCP connection request and sends an acknowledgment back to the
data center firewall. The branch PC receives the TCP connection acknowledgment.
DNS and Trusted SaaS App Traffic Flow After Prisma SD-WAN
When the branch PC sends the DNS resolution request to the local branch ION, configured as the
primary DNS server, the ION DNS service responds if the domain record is cached; otherwise, it
forwards the request to the upstream DNS server selected by the configuration. The internet DNS
server receives the request and responds to the branch ION, which forwards the response to the
branch PC.
The branch PC receives the DNS response with the IP address information for the trusted SaaS
application, and the connection request is sent to the destination server. The branch ION receives
a connection request for the trusted SaaS application and sends it directly onto the internet path
per policy.
The SaaS service receives the TCP connection request and sends an acknowledgment back to the
branch ION. The branch PC receives the TCP connection acknowledgment.
Configure the system to facilitate the DNS survivability use case.
STEP 1 | From the Prisma SD-WAN web interface, select Manage > Resources > Configuration
Profiles > DNS > DNS Service > DNS Service Roles and create a new service role called
Listen and Forward.

STEP 2 | Navigate to DNS Service > DNS Service Profiles and click to Create a new DNS service
profile.

STEP 3 | On the Basic screen, enter a name for the DNS profile and add a DNS Server.
1. Specify the internal DNS server IP address.
2. Select Domain Names and define all internal top-level domain names. For example,
internal.com.
3. Specify the Listen and Forward DNS Service Roles created in Step 1.
4. Click Save.
Repeat the procedure per internal DNS server system.

STEP 4 | Add a DNS Server from DNS Servers.


1. Specify the internet DNS Server IP address.
2. Specify the DNS Service Roles, Listen and Forward, created in Step 1.
Do not enter the Domain Name.
3. Click Save.
Repeat the procedure per internet DNS server system.
4. Click Save and Submit.

STEP 5 | Configure the ION device to use the DNS service.


1. Navigate to the ION configuration page and select DNS Service.
2. Enter a name for the DNS service and select the DNS Profile created in Step 2.
3. In DNS Service Role Bindings, click Add.
4. Select the DNS Role, Listen and Forward from the drop-down.
5. Select all relevant LAN interfaces that will receive and forward the requests and Enable
the service.
6. Click Save.
The DNS service is now enabled on the ION device and answers DNS queries on the selected
interfaces. After testing that the Prisma SD-WAN DNS service behaves as required, change the
DNS server addresses in the DHCP scopes for the branch subnets to the respective default
gateway (the ION LAN interfaces), or set them manually on systems with static IP
configuration.
With the Prisma SD-WAN system deployed and the DNS service enabled, branch systems that
use SaaS services no longer depend on centralized data center resources to function. In the
event of a data center failure, the SaaS applications are unaffected, because the ION device
delivers all necessary functions through the DNS service and a simple, scalable path policy
rule puts trusted SaaS application traffic directly onto the internet.
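The forwarding decision that the profile in Steps 3 and 4 expresses (Domain Names and IP Prefixes on a server entry select which upstream receives a query; servers with neither are the default) can be modelled in a few lines. The block below is an added example written for this guide, not Prisma SD-WAN code; the server addresses, domain names and the `DnsServer`/`select_upstreams`/`pick_reachable` names are constructed for illustration. It also shows the survivability behaviour described above: with the data center unreachable, internal names fail while SaaS names keep resolving through the internet servers.

```python
"""Added example, not Prisma SD-WAN code: models how a DNS Service Profile
chooses the upstream for a query. Addresses and domains are placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsServer:
    address: str
    port: int = 53
    domains: tuple = ()    # forward queries for names under these domains here
    prefixes: tuple = ()   # forward PTR (reverse) lookups for these subnets here


def reverse_name_to_ip(qname):
    """'100.13.2.10.in-addr.arpa' -> IPv4Address('10.2.13.100'); None if not a reverse name."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    try:
        return ipaddress.ip_address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def select_upstreams(qname, qtype, servers):
    """Return the addresses of the servers a query is forwarded to.

    Precedence mirrors the profile semantics described in the text:
    1. PTR queries for an address inside a server's IP Prefix go to that server.
    2. Names under a server's Domain Names go to that server (longest match wins,
       so a server for corp.internal.com beats one for internal.com).
    3. Everything else goes to the servers that have no Domain Name or IP Prefix.
    """
    name = qname.rstrip(".").lower()
    matched = []
    if qtype == "PTR":
        ip = reverse_name_to_ip(qname)
        if ip is not None:
            matched = [s for s in servers
                       if any(ip in ipaddress.ip_network(p) for p in s.prefixes)]
    if not matched:
        best = 0
        for s in servers:
            for d in s.domains:
                d = d.lower().strip(".")
                if name == d or name.endswith("." + d):
                    if len(d) > best:
                        best, matched = len(d), [s]
                    elif len(d) == best:
                        matched.append(s)
    if not matched:
        matched = [s for s in servers if not s.domains and not s.prefixes]
    return [s.address for s in matched]


def pick_reachable(qname, qtype, servers, reachable):
    """Survivability view: the first selected upstream that is currently
    reachable, or None when every candidate is down."""
    for address in select_upstreams(qname, qtype, servers):
        if address in reachable:
            return address
    return None


# Constructed profile matching the survivability procedure: the internal servers
# carry the internal domain and the reverse zones, the internet servers carry nothing.
PROFILE = (
    DnsServer("10.0.0.53", domains=("internal.com",)),   # data center DNS
    DnsServer("10.0.0.54", prefixes=("10.0.0.0/8",)),    # reverse lookups for private space
    DnsServer("192.0.2.53"),                             # placeholder internet DNS
    DnsServer("198.51.100.53"),                          # placeholder internet DNS
)

if __name__ == "__main__":
    for q, t in (("mail.internal.com", "A"), ("outlook.office.com", "A"),
                 ("100.13.2.10.in-addr.arpa", "PTR")):
        print(q, t, "->", select_upstreams(q, t, PROFILE))
    dc_down = {"192.0.2.53", "198.51.100.53"}  # only the internet servers answer
    print("DC down, SaaS name:", pick_reachable("outlook.office.com", "A", PROFILE, dc_down))
    print("DC down, internal name:", pick_reachable("mail.internal.com", "A", PROFILE, dc_down))
```

The longest-suffix rule is the detail to get right when several internal domains overlap: a profile entry for a more specific subdomain must win over the parent, otherwise queries leak to the wrong server.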

Syslog Server Support in Prisma SD-WAN


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Prisma SD-WAN ION devices provide Syslog support to log and export flow and event
information to Syslog servers.
Syslog is a protocol through which network devices send event messages over User Datagram
Protocol (UDP) /Transmission Control Protocol (TCP) to a Syslog server. As a wide range of
devices support the protocol, you may use it to log different events. For example, device user
session logins or access-denied events are some of the events you may send to a Syslog server.
A Syslog server can reside inside or outside of a branch or a data center or in the cloud. The
maximum number of Syslog servers supported per ION device is 16. The ION devices use the
Syslog protocol to:
• Forward device events such as alerts and alarms to a remote Syslog server(s).
• Forward device Authentication logs to a remote Syslog server(s).
• Forward flow logs to a remote Syslog server(s).

Event Logs
Event logs are generated in response to alerts and alarms in the device. Below is a sample event
log message sent to a Syslog server.

Feb 14 10:38:11 172.20.75.186 alert: CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:36:49.000" STATUS="Not cleared" CODE="DEVICESW_GENERAL_PROCESSRESTART"SEVERITY="minor" PROCESS_NAME="event_forward" ELEMENT_ID="15174644824510129"

Feb 14 10:38:11 172.20.75.186 alert: CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:37:22.000" STATUS="Not cleared" CODE="DEVICESW_GENERAL_PROCESSRESTART"SEVERITY="minor" PROCESS_NAME="scm" ELEMENT_ID="15174644824510129"

Authentication Logs
Authentication logs are generated when a user is authenticated to login to the device. Below is a
sample Auth log message sent to a Syslog server.

Feb 14 10:44:58 172.20.75.186 log: CLOUDGENIX_HOST="ion7k-Hub" DEVICE_TIME="2018-02-14T10:44:58.881Z" MSG="sshd-login keyboard-interactive/pam" SEVERITY="minor"PROCESS_NAME="sshd" FACILITY="auth" USER="elem-admin" ELEMENT_ID="15174644824510129"

While configuring Syslog export on the device, you can filter using severity levels for logs/events
to export to the Syslog server. You may configure severity levels as critical, major, or minor. The
default severity level is minor.
When you set a severity level for a device, logs and events for the selected severity level and
higher are exported to the Syslog server. For example, if the chosen severity level is major, then
all major and critical events and logs will be forwarded to the Syslog server.
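A collector that receives these event and authentication messages has to split the KEY="value" body (note that the samples above run some pairs together without a space) and apply the same severity threshold the exporter uses. The block below is an added example, not Prisma SD-WAN code; the sample lines are reconstructed from the two samples on this page, and the function names are the author's own.

```python
"""Added example, not Prisma SD-WAN code: parses the event/auth log format shown
above and applies the severity threshold described in the text."""
import re
from collections import Counter

SEVERITY_RANK = {"minor": 1, "major": 2, "critical": 3}

# "<Mon> <day> <hh:mm:ss> <source> <alert|log>: KEY="value" ..." (pairs may be unspaced)
HEADER_RE = re.compile(
    r"^(?P<syslog_time>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<source>\S+) (?P<kind>alert|log): (?P<body>.*)$")
KV_RE = re.compile(r'([A-Z_]+)="([^"]*)"')

# Constructed from the samples on this page (the two alert records were run
# together by extraction; here they are separate lines as a collector sees them).
SAMPLE_LINES = [
    'Feb 14 10:38:11 172.20.75.186 alert: CLOUDGENIX_HOST="ion7k-Hub" '
    'DEVICE_TIME="2018-02-14T10:36:49.000" STATUS="Not cleared" '
    'CODE="DEVICESW_GENERAL_PROCESSRESTART"SEVERITY="minor" '
    'PROCESS_NAME="event_forward" ELEMENT_ID="15174644824510129"',
    'Feb 14 10:38:11 172.20.75.186 alert: CLOUDGENIX_HOST="ion7k-Hub" '
    'DEVICE_TIME="2018-02-14T10:37:22.000" STATUS="Not cleared" '
    'CODE="DEVICESW_GENERAL_PROCESSRESTART"SEVERITY="minor" '
    'PROCESS_NAME="scm" ELEMENT_ID="15174644824510129"',
    'Feb 14 10:44:58 172.20.75.186 log: CLOUDGENIX_HOST="ion7k-Hub" '
    'DEVICE_TIME="2018-02-14T10:44:58.881Z" MSG="sshd-login keyboard-interactive/pam" '
    'SEVERITY="minor"PROCESS_NAME="sshd" FACILITY="auth" USER="elem-admin" '
    'ELEMENT_ID="15174644824510129"',
]


def parse_event(line):
    """Split one message into its header fields plus the KEY="value" pairs of the body."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a Prisma SD-WAN event/auth log line: {line[:40]!r}")
    fields = dict(KV_RE.findall(m.group("body")))
    fields.update(syslog_time=m.group("syslog_time"),
                  source=m.group("source"), kind=m.group("kind"))
    return fields


def passes_threshold(event, threshold):
    """Exporter rule: keep events at the configured severity or higher."""
    return SEVERITY_RANK.get(event.get("SEVERITY", "").lower(), 0) >= SEVERITY_RANK[threshold]


def filter_events(lines, threshold="minor"):
    return [e for e in map(parse_event, lines) if passes_threshold(e, threshold)]


def ssh_logins(events):
    """Auth-log records for interactive device logins, as (user, device time) pairs."""
    return [(e["USER"], e["DEVICE_TIME"]) for e in events
            if e.get("FACILITY") == "auth" and e.get("PROCESS_NAME") == "sshd"]


def restart_counts(events):
    """How often each process restarted, from DEVICESW_GENERAL_PROCESSRESTART alerts."""
    return Counter(e["PROCESS_NAME"] for e in events
                   if e.get("CODE") == "DEVICESW_GENERAL_PROCESSRESTART")


if __name__ == "__main__":
    events = filter_events(SAMPLE_LINES, "minor")
    print("restarts:", dict(restart_counts(events)))
    print("ssh logins:", ssh_logins(events))
    print("major+ only:", len(filter_events(SAMPLE_LINES, "major")))
```

Note that the device's own severity filter runs before export: if you set the threshold to major on the device, the minor auth record above never reaches the collector, so keep the export threshold at minor when you rely on syslog for login auditing.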

Syslog Flow Export

Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

ION devices generate Syslog messages on initial flow-rule classification and at end-of-flow for
all flows the device handles. These Syslog messages are in RFC 5424 format. You can configure an
ION device to export flow logs to one or more Syslog servers.

The minimum device software version required for flow logging is Release 5.1.17 or
Release 5.2.3.

The Format of the flow log and description of the different fields exported in the flow logs are
listed below:

Some of the fields are reserved for future use, and therefore, will not be populated in the
flow log.

Field Name | Description

event time | Time the event occurred on the ION device

src ip | Source IP address

src port | Source port

dst ip | Destination IP address

dst port | Destination port

protocol name | Protocol name

reserved for future use | Field is always blank in cgxFlowLogV1

reserved for future use | Field is always blank in cgxFlowLogV1

pkts sent | Number of packets sent from src ip to dst ip

pkts recvd | Number of packets received by src ip from dst ip

bytes sent | Total bytes sent from src ip to dst ip

bytes recvd | Total bytes received by src ip from dst ip

src interface | Interface on which the traffic originated

dst interface | Interface from which the traffic egressed

path id | Prisma SD-WAN Path ID of the WAN path

app name | Name of the Prisma SD-WAN-matched application

flow event | Event that triggered the flow export:
• New Flow
• Flow Update
• Delete Flow

zbfw classification rules | One or more ZBFW classification rules separated by a semicolon (;).
Each rule is written as Rule Name:Source Zone Name:Destination Zone Name:Action:Action Code.
Actions:
• ALLOW—Flow was allowed
• DENY—Flow was denied
• REJECT—Flow was rejected (deny + send TCP RST)
• UNK_SOURCE_ZONE_DENY—Flow was denied due to an unknown source zone
• UNK_DESTINATION_ZONE_DENY—Flow was denied due to an unknown destination zone
• UNK_SOURCE_DESTINATION_ZONE_DENY—Flow was denied due to unknown source and
destination zones
Possible Action Code values:
• 1 = ALLOW
• 2 = DENY
• 3 = REJECT
• 4 = UNK_SOURCE_ZONE_DENY
• 5 = UNK_DESTINATION_ZONE_DENY
• 6 = UNK_SOURCE_DESTINATION_ZONE_DENY

Sample flow log in RFC 5424 format:

<13>1 2020-01-28T23:46:17.000035+00:00 T1S3_SPOKE1 cgxFlowLogV1 13593 - - 2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,0,0,0,0,,LondonPriWI1,15796434157670062,enterprise-http,New Flow,Allow-All:self:unknown:allow:1

The above Syslog message has a header and a body. The Syslog message values populated for the
header and the body are:

Syslog Message Header Component | Sample Value

Priority | <13>

Version | 1

Syslog export time in UTC | 2020-01-28T23:46:17.000035+00:00

Element device name | T1S3_SPOKE1

App name that identifies flow event logs | cgxFlowLogV1

Process ID of the log generator | 13593

Message ID | - (not populated by the ION device at this time)

Structured data | - (not populated by the ION device at this time)

Syslog Message Body | Sample Value

Flow event log in CSV format | 2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,0,0,0,0,,LondonPriWI1,15796434157670062,enterprise-http,New Flow,Allow-All:self:unknown:allow:1

The CSV body shown above is interpreted as follows:

Field | Sample Value

event time | 2020-01-28T23:46:17

src ip | 10.2.53.102

src port | 52520

dst ip | 10.2.13.100

dst port | 80

protocol name | tcp

reserved for future use | (blank)

reserved for future use | (blank)

pkts sent | 0

pkts recvd | 0

bytes sent | 0

bytes recvd | 0

src interface | (blank)

dst interface | LondonPriWI1

path id | 15796434157670062

app name | enterprise-http

flow event | New Flow

zbfw classification rules | Allow-All:self:unknown:allow:1
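Because the message ID and structured-data fields are both "-", a collector can treat everything after the seventh space-separated header token as the CSV body. The block below is an added example for this guide, not Prisma SD-WAN code: it parses cgxFlowLogV1 messages in the layout documented above, types the numeric columns, decodes the ZBFW classification rules using the action-code table, and picks out non-allowed flows. The first sample is the one on this page; the second is a constructed denied flow with a hypothetical rule name, added to exercise the decoding.

```python
"""Added example, not Prisma SD-WAN code: parses cgxFlowLogV1 RFC 5424 messages
as documented above and decodes the ZBFW classification rules."""
import csv
import re
from io import StringIO

RFC5424_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*?\]) (?P<msg>.*)$", re.S)

# Column order of the CSV body, as documented above (two reserved columns are blank).
FLOW_FIELDS = ("event_time", "src_ip", "src_port", "dst_ip", "dst_port", "protocol",
               "reserved1", "reserved2", "pkts_sent", "pkts_recvd", "bytes_sent",
               "bytes_recvd", "src_interface", "dst_interface", "path_id", "app_name",
               "flow_event", "zbfw_rules")
INT_FIELDS = ("src_port", "dst_port", "pkts_sent", "pkts_recvd", "bytes_sent", "bytes_recvd")
ACTION_CODES = {1: "ALLOW", 2: "DENY", 3: "REJECT", 4: "UNK_SOURCE_ZONE_DENY",
                5: "UNK_DESTINATION_ZONE_DENY", 6: "UNK_SOURCE_DESTINATION_ZONE_DENY"}

SAMPLE_FLOW_LOGS = [
    # the sample from this page
    "<13>1 2020-01-28T23:46:17.000035+00:00 T1S3_SPOKE1 cgxFlowLogV1 13593 - - "
    "2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,0,0,0,0,,LondonPriWI1,"
    "15796434157670062,enterprise-http,New Flow,Allow-All:self:unknown:allow:1",
    # constructed: a telnet attempt denied by a hypothetical Block-Telnet rule
    "<13>1 2020-01-28T23:46:20.000035+00:00 T1S3_SPOKE1 cgxFlowLogV1 13593 - - "
    "2020-01-28T23:46:20,10.2.53.102,40001,10.2.13.100,23,tcp,,,1,0,60,0,,LondonPriWI1,"
    "15796434157670062,telnet,New Flow,Block-Telnet:self:unknown:deny:2",
]


def parse_zbfw_rules(field):
    """'Rule:SrcZone:DstZone:Action:Code[;...]' -> list of dicts with the code decoded."""
    rules = []
    for entry in filter(None, field.split(";")):
        parts = entry.split(":")
        if len(parts) != 5:
            raise ValueError(f"malformed ZBFW rule entry: {entry!r}")
        name, src_zone, dst_zone, action, code = parts
        rules.append({"rule": name, "src_zone": src_zone, "dst_zone": dst_zone,
                      "action": action, "code": int(code),
                      "code_name": ACTION_CODES.get(int(code), "UNKNOWN")})
    return rules


def parse_flow_log(line):
    """One RFC 5424 message -> dict of typed flow fields plus header metadata."""
    m = RFC5424_RE.match(line.strip())
    if not m or m.group("app") != "cgxFlowLogV1":
        raise ValueError("not a cgxFlowLogV1 syslog message")
    row = next(csv.reader(StringIO(m.group("msg"))))
    if len(row) != len(FLOW_FIELDS):
        raise ValueError(f"expected {len(FLOW_FIELDS)} CSV columns, got {len(row)}")
    rec = dict(zip(FLOW_FIELDS, row))
    for k in INT_FIELDS:
        rec[k] = int(rec[k]) if rec[k] else None
    rec["zbfw_rules"] = parse_zbfw_rules(rec["zbfw_rules"])
    pri = int(m.group("pri"))            # PRI = facility * 8 + severity
    rec.update(facility=pri // 8, severity=pri % 8, exporter=m.group("host"),
               export_time=m.group("timestamp"), procid=m.group("procid"))
    return rec


def denied_flows(lines):
    """Flows where any classification rule did something other than ALLOW."""
    return [r for r in map(parse_flow_log, lines)
            if any(rule["code"] != 1 for rule in r["zbfw_rules"])]


if __name__ == "__main__":
    for rec in map(parse_flow_log, SAMPLE_FLOW_LOGS):
        print(rec["flow_event"], rec["src_ip"], "->", rec["dst_ip"], rec["dst_port"],
              rec["app_name"], [r["code_name"] for r in rec["zbfw_rules"]])
    print("denied:", [r["dst_port"] for r in denied_flows(SAMPLE_FLOW_LOGS)])
```

Keying detections on the numeric action code rather than the action string avoids surprises if the string casing changes, and checking the column count catches a collector that was pointed at a different log version.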

Configure Syslog Server Support

Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Prisma SD-WAN lets you configure Syslog server support per device. From release 5.6.1, you can
create or attach a Syslog Profile from the Prisma SD-WAN web interface to forward the Log
Collector logs as syslog messages to a syslog server.
STEP 1 | Select Workflows > Devices > Claimed Devices.

STEP 2 | Select the ION device to export the logs to a Syslog server and click Configure the device.

STEP 3 | On the Device Configuration page, select the Syslog Export.

STEP 4 | Click Create Syslog Server to create a new Syslog Server.

STEP 5 | Create a Syslog Exporter from the Add Syslog Server screen.
1. Select Enable this Syslog Server field to enable the Syslog server.
2. Enter a Name for the Syslog server.
This is a mandatory field.
3. (Optional) Enter a Description for the Syslog server.
4. (Optional) Enter Tags to enhance the search mechanism while querying common
attributes.
Tags are used for reporting purposes and can help search for Syslog exporters with
certain common attributes. For example, you can use the UDP_EXPORTER tag to search
for Syslog exporters using UDP Protocol.
5. Select Use Syslog Profile to choose an existing syslog profile from the list.

6. (Optional) Enter a Source Interface for the Syslog server. You can now select the
associated VRF interface (global or custom).
If no value is entered for this field, then the controller port is considered as the default
source interface.

A bypass pair cannot be considered as a source interface.

7. Select a syslog profile from the Syslog Profile list.


8. Select Custom Configuration to configure the exporter manually instead of applying a
syslog profile.
You must choose either Use Syslog Profile or Custom Configuration; selecting one of
them is mandatory.

The Prefill values from a preset Syslog Profile? option lets you pick an existing syslog
profile whose values are copied into the custom configuration, where you can change
them as required.

9. Select Enable Flow Logging to export flow logs to the Syslog server.
10. Select the Severity Level from a severity level of critical, major, or minor.
When a severity level is set for a device, logs and events for the selected severity level
and a higher level are exported to the Syslog profile.
11. Select the protocol type as TCP, or UDP, or TLS for the Protocol field.
The default protocol is UDP.
If you select TLS as the protocol type, the Import Certificate option is enabled. Click
Import Certificate to upload the certificate.
Click View Certificate to view the selected certificate and Clear to remove the
certificate.
Beginning with Release 6.2.1, ION devices use OpenSSL 1.1.1g. As a result, certificates
generated with older OpenSSL versions (1.0.x) may not work because of deprecated or
unsupported algorithms. To ensure successful TLS connections with ION devices, use a newer
software stack, such as OpenSSL 1.1.1, Ubuntu 18.x, or certtool from the GnuTLS package, on
the Syslog collector machines.
ION devices no longer support OpenSSL 1.0.x as of Release 6.2.1.

• The Syslog connection fails if a self-signed certificate is uploaded.
• If you identify the server by FQDN, the FQDN must match a subject alternative name
(SAN) in the server's certificate.
• Prisma SD-WAN supports only TLS version 1.2.
Because UDP and TCP syslog travel in cleartext, and flow logs carry internal addresses and
policy decisions, prefer TLS wherever the collector supports it.
12. If you select Server IP, enter the Syslog Server IP address. Or, if you choose Server
FQDN (fully qualified domain name), enter the Syslog Server FQDN domain name.
This field is mandatory. You must provide either a Server IP address or an Server FQDN
address.
13. Enter the Syslog Server port number in the Server Port field.
The default port is 514 for TCP or UDP and 6514 for TLS.

STEP 6 | Click Save to save the Syslog export configuration.

Configure SNMP
Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

SNMP Agents and Traps are disabled by default. To enable and configure SNMP Agent and Traps:
STEP 1 | Select Workflows > Devices > Claimed Devices, select the device you want to configure.

STEP 2 | From the device configuration screen, select SNMP Config.


The Agents/Traps screen displays.

STEP 3 | Configure an SNMP Agent. An SNMP Agent has read-only access.


1. Click the Agent tab.
2. Enter a Description and add (Optional) Tags.
3. Select Enable V2 or Enable V3.
Both may be enabled, but at least one must be enabled.
4. Select Enable V2 to configure the Community.
If V2 is enabled, a community can be configured. If no community is configured, public is
set as the default community. Because public is universally known, set a non-default
community, and prefer V3 with authentication and encryption where the manager supports
it.
5. Select Enable V3 to configure the User. If V3 is enabled, use the Add User option to add
a user and define the user attributes.
Enter a Username and (Optional) Engine ID to identify the device, and select a Security Level
from the drop-down.
The security level is NOAUTH (no authentication and no encryption), AUTH (authentication
only), or Private (authentication and encryption).
Auth Type may be MD5, SHA, or None. If you select an authentication type, enter an
authentication phrase of 8 to 25 characters. Encryption Type may be AES, DES, or None.
If you select an encryption type, enter an encryption phrase of 8 to 25 characters. SHA
with AES is the stronger combination; MD5 and DES remain only for compatibility with older
managers.

6. Click Save.

STEP 4 | Configure SNMP Traps.


1. Click on the Traps tab and select Add Trap.
To enable SNMP Trap, make sure the Disabled option is unchecked.
2. Enter the SNMP server or manager’s IP address.
3. Select a Source Interface from the drop-down. You can now select associated VRF
(global or custom).
4. Enter a Description and add (Optional) Tags.
5. Toggle Version to enable V2 (community-based) or V3 (user-based).
One of the options must be enabled at all times; V2 is enabled by default. A maximum of
16 unique servers may be configured per version (V2 and V3).
If V2 is enabled, a Community may be configured; if none is configured, public is set as the
default community. If V3 is enabled, user attributes can be defined, including the Name,
Engine ID, and the Security Level.
6. Select Private (authentication and encryption) as the security level and enter the
authentication type and phrase. Traps sent with V2 and the default community, or with the
NOAUTH level, reach the manager without any authentication.

STEP 5 | Click Save.

Returned Merchandise Authorization (RMA)


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Returned Merchandise Authorization (RMA) process allows users to replace either failed
or malfunctioning ION devices with new or reused, functional ION devices at a branch or a
data center site. A device can fail or malfunction for a number of reasons, such as a device
chip failure, device misconfiguration, or from daily wear and tear. If the device is unusable
due to a malfunction or overall failure, the RMA process can be used to replace the failed or
malfunctioning device.
Before you begin the RMA process:
• Make sure that the replacement device is able to connect to the Prisma SD-WAN controller.
This may require access to the device through the web interface or an out-of-band
management network.
• If the device can obtain an IP address through DHCP on the Internet / Used for Public port
or on the Controller port, and that address lets it reach the Prisma SD-WAN controller, no
action is required and the device comes online automatically. If out-of-band access uses
DHCP, connect the circuit to the internet port and wait until the replacement device comes
online before replacing the failed device.
• If the device needs a static IP address on the Internet / Used for Public or Controller port,
console into the device and configure the IP address before proceeding.
• Ensure the following with the replacement device:
• It is in a claimed and online state, and visible under Manage > Setup > Devices > Claimed.
• It is the same device model and has matching bypass pairs as that of the failed device.
• It has the same software version as that of the failed device.
• The RMA wizard attempts to transfer all configurations from the failed device to the
replacement device. However, there are a few conditions that requires manual intervention.
The RMA wizard transfers all configurations with the exception of the particular configuration
items listed in the scenarios below.
• Public/Internet Interface—If the replacement device internet or used-for-public interface
is pre-configured with Static IP configuration, the RMA wizard will not overwrite this

Prisma SD-WAN Administrator’s Guide 250 ©2024 Palo Alto Networks, Inc.
Prisma SD-WAN Sites and Devices

configuration in the replacement device. In addition, if this interface is a potential member


of a bypass pair or a virtual interface, then the bypass pair or the virtual interface will not be
created in the replacement device.
• PPPoE—If the replacement device is pre-configured with PPPoE interfaces, the RMA wizard
will not update or remove any existing PPPoE interfaces from the replacement device.
• Bypass Pairs—If the WAN port of a decoupled hardware bypass pair and the controller
port on the failed device is DHCP-configured, then any matching bypass pairs on the
replacement device will not be decoupled and the configuration of its member ports will not
be transferred over to the replacement device. In such an event, the bypass pair will have to
be decoupled and its member ports configured manually after the RMA process.
• IPv6 Interface—If the existing device has IPv6 configured, then IPv6 interface address
configurations will not be active on the replacement device. To activate the IPv6 interface
address configurations on the replacement device, Admin Up/Down the interface for the
replacement device and a new alarm DEVICEIF_IPV6_ADDRESS_DUPLICATE triggers
as a reminder. In non-RMA scenarios DEVICEIF_IPV6_ADDRESS_DUPLICATE indicates
duplicate address.
• Advanced UI (Extension API)—If any of the Prisma SD-WAN Advanced UI features
reference a VPN ID, settings for the following features will not be transferred over
automatically. Contact Prisma SD-WAN Customer Support for assistance with properly
transferring over the settings to the replacement device.
• Bi-directional Forwarding Detection (BFD).
• Link Quality Monitoring (LQM)—Type (namespace) 'thresholds/lqm/media'.
• Application Performance Thresholds that reference an optional VPN path ID.
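The pre-RMA checks and the list of configuration items the wizard leaves for manual work, collected into one preflight function. This is an added example, not Prisma SD-WAN code: the device-record layout (`state`, `online`, `model`, `software`, `bypass_pairs`, `interfaces`, `decoupled_bypass_pairs`, `extension_settings`) and the `rma_preflight` function are assumptions built to mirror the conditions above, and the sample records are constructed.

```python
"""Pre-RMA checklist for an ION replacement. Added example, not Prisma SD-WAN
code; the device-record layout is an assumption chosen to mirror the conditions
listed above."""
from typing import Dict, List, Tuple


def rma_preflight(failed: Dict, replacement: Dict) -> Tuple[List[str], List[str]]:
    """Return (blocking, manual): conditions to fix before running the wizard, and
    items the wizard will not carry over that need manual work afterwards."""
    blocking: List[str] = []
    manual: List[str] = []

    # The replacement must be claimed, online, same model, same bypass pairs, same software.
    if replacement.get("state") != "claimed" or not replacement.get("online"):
        blocking.append("replacement device must be claimed and online")
    if failed["model"] != replacement["model"]:
        blocking.append(f"model mismatch: {failed['model']} vs {replacement['model']}")
    if set(failed.get("bypass_pairs", [])) != set(replacement.get("bypass_pairs", [])):
        blocking.append("bypass pairs on the replacement do not match the failed device")
    if failed["software"] != replacement["software"]:
        blocking.append(f"software mismatch: {failed['software']} vs {replacement['software']}")

    failed_ifs = failed.get("interfaces", {})
    rep_ifs = replacement.get("interfaces", {})

    # A pre-configured static public interface and PPPoE on the replacement are left untouched.
    for name, cfg in rep_ifs.items():
        if cfg.get("used_for") == "public" and cfg.get("ip_mode") == "static":
            manual.append(f"{name}: static IP on replacement is kept; a bypass pair or "
                          f"virtual interface that would include it is not created")
        if cfg.get("type") == "pppoe":
            manual.append(f"{name}: existing PPPoE interface on replacement is not updated or removed")

    # A decoupled bypass pair whose WAN port, like the controller port, is DHCP on the failed device.
    controller_dhcp = failed_ifs.get("controller", {}).get("ip_mode") == "dhcp"
    for pair in failed.get("decoupled_bypass_pairs", []):        # e.g. {"wan": "1", "lan": "2"}
        if controller_dhcp and failed_ifs.get(pair["wan"], {}).get("ip_mode") == "dhcp":
            manual.append(f"bypass pair {pair['wan']}/{pair['lan']}: decouple it and configure "
                          f"its member ports after the RMA")

    # IPv6 addresses arrive inactive; expect DEVICEIF_IPV6_ADDRESS_DUPLICATE after Admin Down/Up.
    for name, cfg in failed_ifs.items():
        if cfg.get("ipv6"):
            manual.append(f"{name}: IPv6 address inactive until the interface is Admin Down/Up")

    # Advanced UI settings that reference a VPN ID are not transferred automatically.
    for item in failed.get("extension_settings", []):           # e.g. {"feature": "BFD", "references_vpn_id": True}
        if item.get("references_vpn_id"):
            manual.append(f"{item['feature']}: references a VPN ID; contact Customer Support to transfer it")
    return blocking, manual


# Constructed sample records (not real inventory).
FAILED = {
    "model": "ION 3000", "software": "5.1.1", "state": "claimed", "online": False,
    "bypass_pairs": ["1-2"], "decoupled_bypass_pairs": [{"wan": "1", "lan": "2"}],
    "interfaces": {
        "controller": {"ip_mode": "dhcp"},
        "1": {"ip_mode": "dhcp", "used_for": "public"},
        "3": {"ip_mode": "static", "ipv6": "2001:db8::1/64"},
    },
    "extension_settings": [{"feature": "BFD", "references_vpn_id": True}],
}
REPLACEMENT = {
    "model": "ION 3000", "software": "5.1.1", "state": "claimed", "online": True,
    "bypass_pairs": ["1-2"],
    "interfaces": {"1": {"ip_mode": "static", "used_for": "public"}},
}

if __name__ == "__main__":
    blocking, manual = rma_preflight(FAILED, REPLACEMENT)
    print("blocking:", blocking or "none")
    print("manual after RMA:", *manual, sep="\n  ")
```

For the sample pair nothing blocks the wizard, but four items need attention after it runs: the static public interface kept on the replacement, the bypass pair to decouple by hand, the inactive IPv6 address, and the BFD setting that references a VPN ID.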

RMA Wizard
Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

The RMA Wizard is a tool on the web interface that simplifies and automates the process of
replacing unusable devices. To facilitate the device replacement, the RMA Wizard copies the
device configuration of the old device and applies it to the new replacement device, thereby
automatically configuring the new device.
When the RMA wizard is initiated, it guides you through the steps necessary to replace the
device. As part of the RMA process, when the device to be replaced is selected, the system
takes a snapshot of the current device configuration. The RMA Wizard then unassigns the
device from the site, adds a new device to the same site, and copies the configuration over to
the new device.


Replace a Prisma SD-WAN ION Device


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

STEP 1 | Select Workflows > Devices > Claimed Devices and select the device you want to configure.

STEP 2 | From the ellipsis menu, select Replace the device to begin the RMA process.

STEP 3 | Select a replacement device.


There may be multiple replacement devices, so make sure to select the correct device.
Confirm that the devices are of the same model. For example, an ION 3000 device can only
be replaced by another ION 3000 device, or a virtual device can only be replaced by another
virtual device that consists of the same bypass pairs.

STEP 4 | Click Next to choose a Snapshot for the new device.


The replacement device must be online and claimed for the Snapshot to be applied.

STEP 5 | After the snapshot is created, click Download Snapshot Before Continuing.
Select Download to File or Copy to Clipboard as required.

STEP 6 | Click Next to continue after you have downloaded the snapshot.

STEP 7 | Assign the replacement device to the site.

The RMA Wizard will take the site information from the failed device and transfer it to
the replacement device. When the replacement device is assigned to the site and the
faulty device is unassigned, the service may be affected temporarily.

STEP 8 | Click Next to proceed to configuring the device.

STEP 9 | Click Done when you have copied the manual configurations to complete the replacement
process.
The RMA Replacement Wizard automatically transfers the configuration from the old device
to the new device. There may be flags for the functions that need to be manually configured.
Configurations that are not copied will be listed in a text box.
A final screen displays when the device is successfully configured. In case of any warnings,
download the warnings before you exit the wizard.

STEP 10 | Click Done to finish the device replacement process.


Return the ION Device to Prisma SD-WAN


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

You can return an ION device to Prisma SD-WAN. Before you remove a device from a site,
first remove the configuration from the device; specifically, remove the circuits attached to
its interfaces. These checks protect against accidental misconfiguration.
STEP 1 | Select Workflows > Devices > Claimed Devices.
Confirm that the replacement device is assigned to the site and is Online. Also, confirm that
the RMA device is assigned but Offline.

STEP 2 | Click the ellipsis menu for the RMA device and select Unassign device from site.

STEP 3 | Click OK to confirm removal of the device from the site.


The state of the device displays Unassigning.

STEP 4 | (Optional) Remove circuits attached to interfaces.


If you see the message Site WAN interface id exists in this element, go to the interface
configuration and remove each of the circuit labels attached to any WAN interface of the
device.

STEP 5 | Click the ellipsis menu and select Put back in inventory.

STEP 6 | Click Ok to confirm unclaiming of the device.

STEP 7 | Click the Unclaimed tab to view the device.


The device is offline and the State changes to To Return.

STEP 8 | Click the ellipsis menu and select Return to Prisma SD-WAN.


STEP 9 | Click Return to confirm returning the device to Prisma SD-WAN.


The device is then removed from your inventory.

The device is visible under Unclaimed with status To Return.

Remove circuits attached to interfaces


STEP 1 | Select Workflows > Devices > Claimed Devices.

STEP 2 | Click the ellipsis menu for a device and select Configure the device.

STEP 3 | Click Interfaces.

STEP 4 | Select an interface.

STEP 5 | For Circuit Label, click update.

When you click update, the device removes the circuits attached to the interface.

STEP 6 | Click Save Port.

STEP 7 | Repeat these steps for all interfaces—ports or bypass pairs which have circuits attached.


Upgrade ION Device Software


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

You can schedule ION device software downloads and upgrades in a staged manner, allowing
multiple attempts within a specific period of time while eliminating interruption to the network.

Software scheduling is not available for devices running a release earlier than 5.1.1. Upgrade
your device to version 5.1.1 to take advantage of scheduled downloads and upgrades.

Schedule downloads and upgrades to start at a designated time. If you provide neither a download
time nor an upgrade time, the upgrade immediately follows the download. If you provide only the
download time, the upgrade does not immediately follow the download and needs to be scheduled
separately. The download interval and the upgrade interval serve as the time limits within which
download and upgrade attempts, respectively, are made.
If you specify interface IDs, the device uses the specified interfaces to perform the software
download. If you do not specify an interface, the ION device uses the controller interface or any
interface that is marked as use for internet. If you specify multiple interfaces, any available
interface in the list is used, in random order. No interfaces outside of the manually specified
list are used.
You can schedule upgrades and downgrades as follows:
• Upgrade without Max Upgrade Time—The ION device automatically performs the download
and the upgrade sequentially at the scheduled time. If the ION device experiences an upgrade
failure, it retries the download or upgrade three times before it indicates a failure.
• Upgrade with Max Upgrade Time—The ION device starts the download and the upgrade
sequentially at the scheduled time. Max Upgrade Time serves as an upper limit until which the
download or upgrade is tried by the ION device. If the ION device experiences an upgrade
failure, it retries the download or upgrade three times before it indicates a failure. The default
Max Upgrade Time is 30 minutes.
• Download without Max Download Time—The ION device performs the download at the
scheduled time. If the ION device experiences a download failure, the device retries the
download or upgrade three times before it indicates a failure. If there is a download failure, the
device does not perform a software upgrade.
• Download with Max Download Time—The ION device performs the download at the
scheduled time. The Max Download Time serves as the upper time limit until which the
download is tried by the device. If the device experiences a download failure, it retries the
download three times before it indicates a failure. If there is a download failure, the device
does not perform a software upgrade. The default Max Download Time is 30 minutes.
• No Download and Upgrade Time Provided—The ION device performs the download and
upgrade automatically.


You can cancel a software download, abort a software download, abort a software upgrade,
perform an upgrade on already downloaded software, or retry download on software download
failures. You can also perform rollbacks to older software versions if required.
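The scheduling rules described above (download and upgrade times, the Max Download Time and Max Upgrade Time windows, three attempts before a failure is reported, no upgrade after a failed download, and interface selection) as a small simulation. This is an added example, not Prisma SD-WAN code: the `UpgradeSchedule`, `attempt_until`, `execute`, `pick_interface` and `flaky` names are assumptions, the step functions stand in for the real download and upgrade operations, and reading a Max time as "no new attempt starts once the window has elapsed, but a running attempt finishes" is my interpretation of the text. `pick_interface` follows this section's rule that nothing outside a manually specified list is used.

```python
"""Scheduling semantics for ION software download and upgrade, modelled as a small
simulation. Added example, not Prisma SD-WAN code; the names below are assumptions,
and the step functions stand in for the real download and upgrade operations."""
import random
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

MAX_ATTEMPTS = 3
Step = Callable[[], Tuple[bool, timedelta]]   # one attempt: (succeeded, time it took)


@dataclass
class UpgradeSchedule:
    download_time: Optional[datetime] = None      # None = start now
    upgrade_time: Optional[datetime] = None       # None with a download_time = download only
    max_download_time: Optional[timedelta] = None
    max_upgrade_time: Optional[timedelta] = None
    interfaces: List[str] = field(default_factory=list)  # up to four, used in random order


def pick_interface(schedule: UpgradeSchedule, reachable: List[str],
                   default_pool: List[str], rng=random) -> Optional[str]:
    """Only the specified interfaces, in random order; otherwise the controller port or any
    'use for internet' interface (the caller passes those as default_pool)."""
    pool = schedule.interfaces or default_pool
    candidates = [i for i in pool if i in reachable]
    return rng.choice(candidates) if candidates else None


def attempt_until(step: Step, window: Optional[timedelta], start: datetime) -> Tuple[bool, int, datetime]:
    """Retry `step` until it succeeds. Without a window, give up after MAX_ATTEMPTS;
    with a window, start no new attempt once it has elapsed, but let a running
    attempt finish even if it overruns the window. Returns (ok, attempts, finished_at)."""
    now, attempts = start, 0
    while True:
        ok, took = step()
        attempts += 1
        now += took
        if ok:
            return True, attempts, now
        if window is None and attempts >= MAX_ATTEMPTS:
            return False, attempts, now
        if window is not None and now - start >= window:
            return False, attempts, now


def execute(schedule: UpgradeSchedule, download: Step, upgrade: Step, now: datetime) -> Dict:
    """Run the download, then the upgrade according to the schedule; returns the outcome."""
    result = {"downloaded": False, "download_attempts": 0,
              "upgraded": False, "upgrade_attempts": 0, "upgrade_pending": False}
    ok, n, t = attempt_until(download, schedule.max_download_time, schedule.download_time or now)
    result["downloaded"], result["download_attempts"] = ok, n
    if not ok:
        return result                         # a download failure never proceeds to an upgrade
    if schedule.download_time is not None and schedule.upgrade_time is None:
        result["upgrade_pending"] = True      # download only: the upgrade must be scheduled separately
        return result
    upgrade_start = max(t, schedule.upgrade_time) if schedule.upgrade_time else t  # else right after
    ok, n, _ = attempt_until(upgrade, schedule.max_upgrade_time, upgrade_start)
    result["upgraded"], result["upgrade_attempts"] = ok, n
    return result


def flaky(failures: int, took: timedelta = timedelta(minutes=4)) -> Step:
    """Constructed step that fails `failures` times and then succeeds."""
    calls = {"n": 0}

    def step() -> Tuple[bool, timedelta]:
        calls["n"] += 1
        return calls["n"] > failures, took
    return step


T0 = datetime(2024, 1, 1, 2, 0)   # constructed maintenance-window start

if __name__ == "__main__":
    print("no times, download keeps failing:", execute(UpgradeSchedule(), flaky(5), flaky(0), T0))
    print("download time only:", execute(UpgradeSchedule(download_time=T0), flaky(0), flaky(0), T0))
    print("5-minute window, 4-minute attempts:", attempt_until(flaky(1), timedelta(minutes=5), T0))
```

The last call shows the overrun case from the text: the second attempt starts inside the five-minute window and is allowed to finish at eight minutes.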

Schedule Software Upgrade


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

You can schedule software upgrades depending on the device software version. For devices on
pre-Release 5.1.1 software version, the Prisma SD-WAN web interface only displays the following
Upgrade Software screen. Select the required software version from the Software Version drop-
down and click Upgrade.

Follow the steps below to upgrade devices to Release 5.1.1.


STEP 1 | Select Workflows > Devices > Claimed Devices.

STEP 2 | Select a device and from the ellipsis menu, select Schedule Software Upgrade.

STEP 3 | On the Schedule an Upgrade screen, select Upgrade Type.


Select Upgrade to download and upgrade the device software, or Download Only to download the
device software without upgrading it.

STEP 4 | Choose a Software Version for the upgrade.


The current version of the device is displayed in the current version field.


STEP 5 | Select the Schedule Type.


Select immediately to upgrade your device software or choose custom to upgrade your device
software later.
1. Select a Download Date and Upgrade Date from the calendar.
2. (Optional) On Advanced to configure Interfaces, select an interface through which the
device upgrade should be downloaded. You can select up to four interfaces. A blank
value indicates that any available interface can be used.

If an interface is selected, but is not accessible for some reason, then the
download proceeds through the controller interface or any other interface that
is marked as use for internet.
3. (Optional) Enter values between 5 and 59 minutes for Max Download Time and Max
Upgrade Time.
By default, the system attempts the download or upgrade three times until a successful
download or upgrade. However, if a time is specified for Max Download Time and Max
Upgrade Time, multiple attempts are made within the specified time until a successful
download or upgrade.
If the time set for Max Download Time or Max Upgrade Time elapses while the
download is in progress, the device proceeds with the download until the operation is
complete. If there is a failure of any type, the upgrade process needs to be rescheduled.

View Device Software Upgrade Status


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

You can view the status of active and pending device software upgrades and troubleshoot
software upgrades using device CLI commands.
Device software download and upgrades can be viewed for all ION devices running Release 5.1.1.
To view pending and active device software downloads and upgrades for 5.1.1 devices:
STEP 1 | Select Workflows > Devices > Claimed Devices.

STEP 2 | Select Claimed and select Device Options at the bottom left of the screen.


STEP 3 | On the Device Software Upgrade screen, device software details such as the name of the
device, current version, target version, download time, upgrade time, and status of the
software upgrade are displayed.
• Current version indicates the current device version.
• Target version indicates the software version to which you wish to upgrade.
• Status allows you to filter and display the status of devices. You may check more than one
box to view the varied status of selected devices.
• Download Scheduled—Displays a list of devices for which software downloads have
been scheduled. An upgrade is not scheduled for these devices.
• Download Complete—Displays a list of devices for which software download has been
completed. An upgrade can now be scheduled for these devices.
• Upgrade Scheduled—Displays a list of devices for which software upgrades have been
scheduled. The list will display a temporary download completed state and then the
scheduled upgrade.
• Other—Displays a list of devices that may be in an interim state, with a download or
upgrade operation in progress.

Note that the status of all pre-Release 5.1.1 devices will only display under
Other.

STEP 4 | Select Retry Upgrade if there is an issue with the upgrade.


Retry Upgrade displays the Schedule an Upgrade screen. View the History to view the last five
operations on the software upgrade. Click Edit or Abort to edit or abort a scheduled upgrade.
Run the device CLI command dump software status to verify the version of the ION
device software.

Bulk Upgrade ION Device Image Software


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

You can upgrade the device image software of multiple ION devices at a time to a target version
by using the bulk software upgrade feature.


Upgrade ION device image software for multiple ION devices.


1. Select Workflows > Prisma SD-WAN Setup > Devices > Claimed Devices.
Alternatively, you can select claimed devices from the Monitor tab.
2. Select Bulk Software Upgrades from the ellipsis menu.

3. Select the software version to upgrade your device.

4. Select the devices that you want to upgrade.

You can select a maximum of 50 devices at a time. You will not be able to
select devices which are incompatible with the target version. If a device
is incompatible with the target version, you may have to upgrade it to an
intermediate version first.
5. Click Submit.


Schedule bulk upgrade of ION device image software.


You can schedule image software upgrades for multiple ION devices.
1. Select Workflows > Prisma SD-WAN Setup > Devices > Claimed Devices.
2. Select Bulk Software Upgrades from the ellipsis menu.
3. Select Configure Schedule in Step 3: Schedule devices for upgrade on the Bulk Software
Upgrade screen after completing Step 1: Select a target software version and Step 2:
Select up to 50 devices to upgrade.
4. Select the devices to schedule for upgrade.
5. Select Upgrade Type as Upgrade to either upgrade the software or Download to only
download the device software image.
6. Choose a Software Version for the upgrade.
7. Select the Schedule Type.
Select immediately to upgrade your device software immediately or choose custom to
upgrade your device software later.
1. Select a Download Date and Upgrade Date from the calendar.
2. (Optional) Enter values between 5 and 59 minutes for Max Download Time and Max
Upgrade Time.
By default, the system attempts the download or upgrade three times until a successful
download or upgrade. However, if a time is specified for Max Download Time and Max
Upgrade Time, multiple attempts are made within the specified time until a successful
download or upgrade.
If the time set for Max Download Time or Max Upgrade Time elapses while the
download is in progress, the device proceeds with the download until the operation
is complete. If there is a failure of any type, the upgrade process needs to be
rescheduled.
8. Click Schedule and accept the confirmation.

Prisma SD-WAN Administrator
Authorization and Authentication
Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Manage and monitor users and permissions using the Prisma SD-WAN web interface.
Customize role-based administrative access to delegate specific tasks or permissions to certain
administrators.
• Role Based Access Control
Prisma SD-WAN supports role based access control (RBAC) to execute network and security
administration of enterprise networks through the Prisma SD-WAN web interface.
If you're accessing Prisma SD-WAN from the Strata Cloud Manager, learn about managing
identity and access through Common Services.
• Single Sign On Access using SAML
Security Assertion Markup Language (SAML) provides the ability to use customer specific
authentication and authorization schemes to allow or deny end users access to the Prisma SD-
WAN web interface.
If you're accessing Prisma SD-WAN from the Strata Cloud Manager, learn how to configure
Single Sign On Access using SAML through Common Services.
• Client Authentication using 802.1X/MAC
802.1X is an IEEE standard for port-based network access control (PNAC). 802.1X defines
authentication controls for a user or a device accessing a LAN or WLAN. It uses a client-server
model that grants network access only to authorized clients.
• Audit Logs
Audit logs are available through the Prisma SD-WAN web interface and provide records of
administrators' configuration changes in a system. You can use these logs for compliance and
troubleshooting purposes.


Role Based Access Control


Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Prisma SD-WAN supports role based access control (RBAC) to execute network and security
administration of enterprise networks through the Prisma SD-WAN web interface. Using RBAC,
manage end users and their access to various resources within the Prisma SD-WAN system.
Assign roles and permissions to end users to execute specific functions within a network.
Roles can be system or custom roles, which are enabled for Single Sign-On (SSO) access through
an enterprise Identity Provider (IdP).

Roles
System roles are a pre-defined set of permissions for each role. Use the system roles as is or map
to existing user groups as defined within a customer IdP. These roles include a collection of one or
more system permissions.
Custom roles are sets of permissions assembled from the roles and permissions available in the
system. You create them by adding or removing permissions from a system role, or by building
them without inheriting any properties from a system-defined role. For example, you can create a
network administrator role with a few permissions, or modify the existing security administrator
role by adding a few more system permissions to it.

Permissions
Permissions are allowed actions in the system. Permissions represent a specific set of application
programming interface (API) calls that you use to read, write, or delete objects within the system.
All permissions in the system are spread across a set of system roles.
However, with the introduction of custom roles, as an administrator you can selectively allow or
disallow permissions for a custom role, thereby creating a unique set of permissions for that
custom role.

System Roles
Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Prisma SD-WAN provides system roles with a pre-defined set of permissions. The table below
describes Prisma SD-WAN system roles and responsibilities.

Prisma SD-WAN Roles | Prisma SD-WAN Groups defined in a Customer IdP System | Responsibilities

Root (tenant_root) | cloudgenix_tenant_root | Role assigned to a single user who has complete
control over all aspects of a customer account. A root user is a fall back user account and not
used for regular day-to-day access, administration, or management.

Super Administrator (tenant_super_admin) | cloudgenix_tenant_super | A user with super
administrator privileges to manage other user accounts and all aspects of the network. A Super
Administrator performs all the configuration tasks allowed by the IAM Administrator, Network
Administrator, and Security Administrator roles.

IAM Administrator (tenant_iam_admin) | cloudgenix_tenant_iam_admin | A user with IAM privileges
to manage other user accounts. An IAM Administrator creates, deletes, and edits users and/or
roles.

Network Administrator (tenant_network_admin) | cloudgenix_tenant_network_admin | A user with
network administrator privileges to manage all aspects of the network. A network administrator
does not have permissions to manage security features or functions. A network administrator
performs the following configuration and monitoring functions:
• Create, delete, edit sites.
• Claim, declaim, assign device.
• Configure the interface.
• Create, delete, edit network policies.
• Assign or un-assign network policies to sites.
• Create, delete, edit network policy rules.
• Create, delete, edit custom application definitions.
• Create, delete, edit prefix filters.
• Configure BGP and other routing objects like route maps, AS path lists, prefix filters.
• Configure SNMP, Syslog, DNS service, IPFIX, and IP community lists on data center and
  branch devices.
• Monitor security flows.
• Monitor traffic utilization through network and application performance activity charts.

Security Administrator (tenant_security_admin) | cloudgenix_tenant_security_admin | A user with
security administrator privileges to manage security aspects of the network. A security
administrator does not have permissions to manage a network. A security administrator performs
the following configuration and monitoring functions:
• Create, delete, edit security zones.
• Bind or unbind zones to sites.
• Create, delete, edit security rules.
• Bind or unbind security policies to sites.
• Monitor security flows.
• Monitor traffic utilization through network and application performance activity charts.

View-only User (tenant_viewonly) | cloudgenix_tenant_viewonly | One or more user accounts with
read-only privilege to view network configuration and analytics. This user cannot edit or create
any features and functions in the network. A view-only user may view the following:
• View device/interface configuration.
• View network policies.
• View security policies.
• View system and custom applications.
• View prefix filters.
• Monitor security flows.
• Monitor traffic utilization through network and application performance activity charts.

Add a New User on Prisma SD-WAN

Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Add a new user with system role as per the requirements of your enterprise. An IAM
administrator assigns roles to users responsible for administering the network in your enterprise.
Use the following links to add users based on your web interface.
• Migrated to Strata Cloud Manager.
• Using the Prisma SD-WAN stand-alone web interface.

Migrated to Strata Cloud Manager


If your Prisma SD-WAN tenant has migrated to Strata Cloud Manager (SCM), your users are
now a part of the Tenant Service group (TSG). As part of the migration, you now manage, add,
and edit users through the Strata Cloud Manager Identity and Access settings.
However, you will continue to see the migrated users in Strata Cloud Manager under Manage
> Prisma SD-WAN > System > Access Management > Tenant Access > Auth Token Session
Lock.

You cannot add or edit users here; you can only modify the IP session lock for users
for API access.


Using the stand-alone Prisma SD-WAN web interface (Non-TSG Tenants)


1. Select Manage > System > Access Management > User Access > User Management >
Add User.
2. For Create New User, enter the First Name and optionally the Last Name of the user.
3. Toggle Access to allow the user to access the Prisma SD-WAN web interface.
By default, access is disabled.
4. Add the Email/Login ID.
5. Enter a New Password and confirm the password for the user.
6. Choose a Role for the user.
Assign one or more roles to the user. Select from the available system or custom roles.
Or create custom roles.
7. Select the IP Session Lock.
IP Session Lock checks the client source IP address from which a login request
originates. By default it is enabled.
• If IP session lock is enabled, the auth tokens generated by this user are locked to the
user's IP address.
• If auth tokens are generated and IP session lock for a user is left as Default or
Enabled, the auth token is usable only from the source IP address from which it was
generated.
• If auth tokens from this user are only used on the machines they are generated on,
and the source IP address used to connect to the API remains the same, then you can
choose Enabled or Default.
• If the auth tokens are intended to be used on different systems and/or systems that
may connect to the API from different IP addresses, choose Disabled.
8. (Optional) Enter the IP/Prefix Access List.
IP/Prefix Access List enables the login for the entered IP addresses. Add multiple IP
addresses by selecting Add Another IP to the list.
(Optional) Add Mobile Phone and Secondary Email to the user profile.

9. Save to add the user details.
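The two source-IP controls from the procedure above, the IP/Prefix Access List on login and the IP Session Lock on auth tokens, as an added example that is not the product's implementation: the `UserAccess` and `AuthToken` records, the `login_allowed`, `issue_token` and `token_usable_from` functions, and the sample users and addresses are all constructed assumptions. It treats Default as Enabled, as the text states.

```python
"""Source-IP controls from the Add User procedure: IP/Prefix Access List on login
and IP Session Lock on auth tokens. Added example, not the product's implementation;
the record layouts are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class UserAccess:
    login_id: str
    ip_session_lock: str = "Default"                                 # "Default" | "Enabled" | "Disabled"
    ip_prefix_access_list: List[str] = field(default_factory=list)   # empty = any source may log in


@dataclass
class AuthToken:
    value: str
    issued_from_ip: str   # source IP of the request that generated the token
    owner: UserAccess


def login_allowed(user: UserAccess, source_ip: str) -> bool:
    """With an IP/Prefix Access List set, only listed addresses or prefixes may log in."""
    if not user.ip_prefix_access_list:
        return True
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in user.ip_prefix_access_list)


def issue_token(user: UserAccess, source_ip: str, value: str) -> Optional[AuthToken]:
    """Tokens are only issued to logins the access list permits."""
    if not login_allowed(user, source_ip):
        return None
    return AuthToken(value, source_ip, user)


def token_usable_from(token: AuthToken, source_ip: str) -> bool:
    """Default and Enabled both lock the token to the IP it was generated from;
    Disabled allows use from other systems and addresses."""
    if token.owner.ip_session_lock == "Disabled":
        return True
    return ipaddress.ip_address(source_ip) == ipaddress.ip_address(token.issued_from_ip)


# Constructed sample users and addresses (RFC 5737 documentation ranges).
LOCKED_USER = UserAccess("ops@example.com", ip_prefix_access_list=["198.51.100.0/24"])
AUTOMATION_USER = UserAccess("ci@example.com", ip_session_lock="Disabled")

if __name__ == "__main__":
    tok = issue_token(LOCKED_USER, "198.51.100.7", "tok-1")
    print("same host:", token_usable_from(tok, "198.51.100.7"))
    print("other host:", token_usable_from(tok, "198.51.100.8"))
    print("outside access list:", issue_token(LOCKED_USER, "203.0.113.9", "tok-2"))
```

The locked user's token works only from the address that generated it, and a login from outside the listed prefix never gets a token at all; the automation user with the lock Disabled can reuse a token from another address, which is the trade-off the procedure describes for tokens shared across systems.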


Custom Roles
Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

You can build custom roles by combining existing system roles and permissions in different
ways. You can create them by assembling a set of system permissions or by adding or removing
permissions from system roles. Custom roles only include allowed system roles and permissions
for the respective enterprise.
An IAM administrator or a Super Administrator creates, updates, and deletes custom roles for an
enterprise, or assigns system and custom roles to an end user. However, Super Administrator or
IAM administrator cannot delete a custom role in use.
As an administrator, you can view all the permissions and system roles in the system on the
Prisma SD-WAN web interface. You can associate custom roles with multiple system roles,
multiple system permissions, or multiple system permissions and disallowed system permissions.
However, you cannot create a custom role with Root as the base system role.
Construct custom roles by selecting and assembling:
• A set of system permissions.
• A set of system roles and system permissions.
• A set of system roles and disallowed system permissions.
• A set of system roles, system permissions, and disallowed system permissions.
When a custom role draws permissions from more than one source, all of them are combined into
the role's overall set of permissions, even if they were specified independently at different
times; a disallowed permission overrides an allowed permission, whether that permission came
from a system role or was added explicitly.

Create Custom Roles

Where Can I Use This? What Do I Need?

• Prisma SD-WAN Active Prisma SD-WAN license

Create custom roles before assigning the role to an administrator using the System
Administration screen. You can create them by assembling a set of system permissions or by
adding or removing permissions from system roles.
STEP 1 | Select Manage > System > Access Management > User Access > Custom Roles > Create
Custom Roles.

STEP 2 | Enter a name and description for the new custom role.


STEP 3 | Drag permissions from Base Permissions you want to add for this role and drop into Allowed
Permissions.
Base permissions are predefined permissions in the system. You may add multiple permissions
for this role.

STEP 4 | Drag predefined system roles from Base Roles and drop into Selected Roles.
If a system role is selected, the allowed or disallowed permissions are added to or subtracted
from the predefined set of permissions associated with the system role.

Disallowed permissions override any permission included through the permissions defined for
a system role.

STEP 5 | Create the new custom role.


A message confirms the creation of the custom role. The new custom role is available in the
system to associate with users in the enterprise.

Make sure appropriate GET permissions are available to your role. If not, some of the
functions and workflows within the web interface may fail to work.

Assign System or Custom Role


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Assign a system or custom role to an existing user from the System screen.
STEP 1 | Select Manage > System > Access Management > User Access > User Management.

STEP 2 | Select from the available list of users to assign a role or add a new user.

STEP 3 | Choose a Role for the user.


You may add one or more roles to the user.

STEP 4 | Make sure to toggle to Access Allowed to grant access to the user.

STEP 5 | Save to assign the role to the end user.


A message confirms that the role is assigned to the user.


Add a Device User on Prisma SD-WAN


Add tenant or device-level access to users and define user roles to use the Prisma SD-WAN
Device Toolkit.
STEP 1 | Select Manage > System > Access Management > Device Access > Device Toolkit User
Access > Add Device Access.

STEP 2 | Enter the Login ID, Username, Password, and Confirm Password on the Add Device Access
User screen.

STEP 3 | Choose the Role of the user—Super, Read Only, or Monitor.


• Super user has read and write access to the device.
• Read Only user can only read the device information.
• Monitor user has restricted read access and can view only certain information.

STEP 4 | At the Tenant level, switch to Yes to create a tenant-level user and give the user access to
all the devices.
Select No to create a device-level user and give the user access to specific devices.
You can create a maximum of 10 tenant-level toolkit users. You can create any number of
device-level users, but only 40 device-level toolkit users can be assigned devices. The assigned
users can be a combination of tenant-level and device-level users.

STEP 5 | Save to add the user.

Add Device Access to User on Prisma SD-WAN


You can assign multiple devices to a user and configure each device with a different user role.
STEP 1 | Select Manage > System > Access Management > Device Access.

STEP 2 | Select the Edit icon next to the user name of the user to whom you want to add device access.

STEP 3 | On the Device Accessible by user panel, select Add Device Access.

STEP 4 | From Available Devices, select the device and then select the Role for the user.
There is no restriction on the number of devices that can be added to a device-level toolkit
user.

STEP 5 | Save to add the device access to the user.


Single Sign On Access using SAML


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Security Assertion Markup Language (SAML) lets you use customer-specific authentication and
authorization schemes to allow or deny end users access to the Prisma SD-WAN web interface.
An Identity Provider (IdP) authenticates and authorizes the administrators who access the Prisma
SD-WAN web interface, instead of Prisma SD-WAN-based authentication and authorization.
Prisma SD-WAN supports SAML 2.0-compliant IdP authorities such as ADFS, Okta, PingFederate,
and Salesforce.
SAML involves the Service Provider (SP), the Identity Provider (IdP), and the end user.
• Service Provider—Palo Alto Networks is the Service Provider that owns the Prisma SD-WAN
web interface.
• Customer IdP—The authority that authenticates and authorizes the end user for logging in to
the Prisma SD-WAN web interface.
• User—The administrator who accesses the Prisma SD-WAN web interface.
The image below illustrates the SAML process:

Figure 1: SAML Process

Contact Palo Alto Networks Customer Support to initiate a request for SAML access.
The process is: request SAML access from Palo Alto Networks Customer Support, exchange SAML
metadata, configure user groups or map user groups to Prisma SD-WAN roles in your IdP system,
and then verify and enable SAML access for end users to the Prisma SD-WAN web interface.


Request SAML Access


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Request SAML Single Sign-On (SSO) access from Palo Alto Networks Customer Support.
STEP 1 | Submit a request to enable SAML access to the Prisma SD-WAN web interface.

STEP 2 | Palo Alto Networks Customer Support receives the request.

STEP 3 | Palo Alto Networks Customer Support confirms that the account for the administrator exists
in the system.
The next step is to exchange metadata between Palo Alto Networks Service Provider (SP) and
your IdP.

Exchange SAML Metadata


Metadata exchange between Palo Alto Networks Service Provider (SP) and your IdP occurs prior
to enabling SAML. Palo Alto Networks requires contact information of the person responsible for
authorizing SAML setup.

Only support_admin or support_super users can set up SSO using SAML. Ensure you have
the required set of permissions and privileges to initiate the SAML setup.

STEP 1 | Palo Alto Networks provides Service Provider (SP) metadata <sp_meta_data_file> to
configure within your IdP system.

The communication between the Service Provider and the IdP is part of the pre-setup
configuration and takes place by email, outside of the Prisma SD-WAN web interface.

STEP 2 | Import the Palo Alto Networks Customer Support provided SP metadata into your IdP
system.

STEP 3 | Generate your IdP metadata <idp_meta_data_file> and provide it to Palo Alto Networks
Customer Support.

STEP 4 | Provide custom role-mapping instructions to Palo Alto Networks, if any.


If you require custom role mapping, you must provide group names and role mapping
instructions to Palo Alto Networks.
If you decide to use Palo Alto Networks groups, you must tag your end users with Palo Alto
Networks groups in your IdP system. Create Palo Alto Networks suggested groups within your
IdP system and add end users to the groups to access the Prisma SD-WAN web interface. Or
provide group-to-role mapping instructions to Palo Alto Networks to configure in the Prisma
SD-WAN web interface.


STEP 5 | Palo Alto Networks receives and configures the IdP metadata in the Prisma SD-WAN web
interface.
After the above process is complete, SAML is enabled. See Palo Alto Networks and IdP
metadata to view sample Palo Alto Networks and IdP metadata.

Apart from Palo Alto Networks Customer Support, only an IAM Admin, Super, or Root user
whose email domain matches the SAML domain can modify the AAA Configuration through the
Prisma SD-WAN web interface.

Configure SAML Users and Groups


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Configuring SAML users and groups includes creating Palo Alto Networks groups, adding users to
these groups, or mapping existing user groups to Palo Alto Networks roles.

Palo Alto Networks Customer Support performs the SAML pre-configuration. SAML
access is available to all users except root users. The root user is only allowed to log in
using a password.

STEP 1 | Select Manage > System > Access Management > Tenant Access > SAML Configurations.

STEP 2 | Enter the Session Timeout duration for a session in seconds.


The default value is 3600 seconds.
By default, Auto Create Operators and Auto Create Operator Roles are set to Yes. Users and
roles are created automatically or modified according to the IdP user groups.
Mapping a custom role is optional. See Map Roles and Permissions to map roles for the end
users.
• If you choose to use Palo Alto Networks groups in your system, custom role mapping is not
required. For example, Palo Alto Networks groups that may be used in your IdP system are
cloudgenix_tenant_super, cloudgenix_tenant_iam_admin, or cloudgenix_tenant_network_admin.
Palo Alto Networks groups are mapped to Palo Alto Networks roles named tenant_<rolename>.
For example, cloudgenix_tenant_super is mapped to tenant_super, and
cloudgenix_tenant_iam_admin is mapped to tenant_iam_admin.
• If you prefer to use your own user groups, then you must provide Palo Alto Networks with a
mapping between Palo Alto Networks roles and your user groups. For example, tenant_super = admin,
tenant_viewonly = user, and so on.
ID Provider Metadata automatically displays the configured IdP metadata and CloudGenix
Metadata displays the configured Palo Alto Networks metadata.


STEP 3 | Save to make the configuration changes.


The table below describes some of the error messages you may receive during SAML setup:

Error Message: Single Sign On is denied because operator does not belong to any relevant roles.
Resolution: Map the appropriate roles to the user. See Map Roles and Permissions.

Error Message: Invalid SAML response sent by IdP.
Resolution: The SAML response must be in the specified format. See Sample Response.

Error Message: Not Empty Message first_name.
Resolution: The first name of the user cannot be left blank. Add a first name for the user. See
Exchange SAML Metadata.

Map Roles and Permissions


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Mapping roles and permissions is a critical part of the SAML-enabled authorization process.
Before you can access the Prisma SD-WAN web interface as an authorized user, your role must
be mapped to a Palo Alto Networks role in the system. Through the role mapping defined in the IdP
system, user group memberships are mapped to Palo Alto Networks authorized roles.
Your IdP administrator must include the following information in the SAML response.
• Name ID—The Name ID of the end user. This attribute is required.
• Role—The end user role or group membership. This attribute is required.
• First Name or Last Name—The first name is required, the last name is optional.
The Name ID format in the SAML response can be transient, persistent, email, or unspecified.
Ensure that the SAML assertions sent to Palo Alto Networks contain either the
cloudgenix_groups or memberOf attribute, which Palo Alto Networks uses to map users
to Palo Alto Networks roles. After a user is authenticated, assertions containing either
cloudgenix_groups or memberOf are automatically sent to Palo Alto Networks along with other
attributes such as the email ID and the first and last name of the end user. Palo Alto Networks
uses these assertions to map the end user to the corresponding Palo Alto Networks role in the
Palo Alto Networks system.
The following sample SAML responses show assertions that include the cloudgenix_groups
attribute, the memberOf attribute, and a custom role.
Sample SAML Response with cloudgenix_groups

<Attribute Name="cloudgenix_groups">
  <AttributeValue>cloudgenix_tenant_network_admin</AttributeValue>
  <AttributeValue>cloudgenix_tenant_viewonly</AttributeValue>
</Attribute>

Sample SAML Response with memberOf

<Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">cloudgenix_tenant_super</AttributeValue>
</Attribute>

Sample SAML Response with a Custom Role

<Attribute Name="memberOf" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
  <AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">admin</AttributeValue>
</Attribute>

After successful authentication, the end user is authorized to access the Prisma SD-WAN web
interface.

Map Roles for Identity Provider Administrators


This example maps your IdP roles to Palo Alto Networks roles using Active Directory Federation
Services (ADFS) as the identity provider (IdP); the process varies for each IdP. In the example,
one administrator is mapped to a Palo Alto Networks role called cloudgenix_tenant_super and
another is mapped to a customer-specific role called network-admin.
The outgoing claim from the IdP must be in the following format:
• The User-Principal-Name should be mapped to Name ID. Palo Alto Networks requires this
name to be the person’s email ID.
• The given name should be mapped to firstname and the surname to lastname.
• The Outgoing Claim Type should be CloudGenix_groups.
• The Outgoing Claim Value can be either a Palo Alto Networks role defined as
cloudgenix_tenant_<role> or a customer-specific role.
If the Outgoing Claim Value is a customer-specific role, make sure to map that role to a Palo
Alto Networks role in the AAA Configuration screen.
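The following Python is an added example, not Palo Alto Networks code, covering both the assertion attributes described under Map Roles and Permissions and the ADFS claim mapping above: it parses a SAML assertion, enforces the required Name ID and first name, collects group values from cloudgenix_groups and memberOf, maps cloudgenix_tenant_<role> groups to tenant_<role> roles, and resolves customer-specific groups (such as admin) through a custom map. The accepted first-name attribute spellings and the sample assertion are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Attributes the guide says carry group membership, and the built-in group prefix
# that maps to tenant roles (cloudgenix_tenant_<role> -> tenant_<role>).
GROUP_ATTRIBUTES = ("cloudgenix_groups", "memberOf")
PAN_GROUP_PREFIX = "cloudgenix_tenant_"
# The guide shows "firstname" (ADFS claim) and "first_name" (error message); both are
# accepted here, an assumption made for this example.
FIRST_NAME_ATTRS = ("firstname", "first_name")
LAST_NAME_ATTRS = ("lastname", "last_name")
# Error strings modelled on the SAML error table in the guide.
ERR_NO_ROLE = "Single Sign On is denied because operator does not belong to any relevant roles."
ERR_BAD_RESPONSE = "Invalid SAML response sent by IdP."
ERR_FIRST_NAME = "Not Empty Message first_name."


def _local(tag):
    """Strip the XML namespace so prefixed and unprefixed assertions parse alike."""
    return tag.rsplit("}", 1)[-1]


def parse_assertion(xml_text):
    """Return (name_id, attributes); attributes maps Attribute Name -> [values]."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        raise ValueError(ERR_BAD_RESPONSE)
    name_ids = [el for el in root.iter() if _local(el.tag) == "NameID"]
    if not name_ids or not (name_ids[0].text or "").strip():
        raise ValueError(ERR_BAD_RESPONSE)  # Name ID is required
    attrs = {}
    for attr in (el for el in root.iter() if _local(el.tag) == "Attribute"):
        values = [(v.text or "").strip() for v in attr if _local(v.tag) == "AttributeValue"]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return name_ids[0].text.strip(), attrs


def map_groups_to_roles(groups, custom_map=None):
    """Built-in groups map by prefix; any other group needs an explicit custom mapping."""
    custom_map = custom_map or {}
    roles = []
    for group in groups:
        if group.startswith(PAN_GROUP_PREFIX):
            role = "tenant_" + group[len(PAN_GROUP_PREFIX):]
        else:
            role = custom_map.get(group)
        if role and role not in roles:
            roles.append(role)
    return roles


def _first(attrs, names):
    return next((attrs[n][0] for n in names if attrs.get(n)), "")


def evaluate_login(xml_text, custom_map=None):
    """Apply the guide's checks; returns {'ok': True, ...} or {'ok': False, 'error': msg}."""
    try:
        name_id, attrs = parse_assertion(xml_text)
    except ValueError as exc:
        return {"ok": False, "error": str(exc)}
    first_name = _first(attrs, FIRST_NAME_ATTRS)
    if not first_name:
        return {"ok": False, "error": ERR_FIRST_NAME}
    groups = [g for name in GROUP_ATTRIBUTES for g in attrs.get(name, [])]
    roles = map_groups_to_roles(groups, custom_map)
    if not roles:
        return {"ok": False, "error": ERR_NO_ROLE}
    return {"ok": True, "name_id": name_id, "first_name": first_name,
            "last_name": _first(attrs, LAST_NAME_ATTRS), "roles": roles}


def build_assertion(name_id, first_name, last_name, groups):
    """Construct a minimal SAML 2.0 assertion for testing (constructed sample, not IdP output)."""
    parts = [f'<Attribute Name="{n}"><AttributeValue>{v}</AttributeValue></Attribute>'
             for n, v in (("firstname", first_name), ("lastname", last_name)) if v]
    for name, values in groups.items():
        inner = "".join(f"<AttributeValue>{v}</AttributeValue>" for v in values)
        parts.append(f'<Attribute Name="{name}">{inner}</Attribute>')
    return ('<Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion">'
            f"<Subject><NameID>{name_id}</NameID></Subject>"
            f"<AttributeStatement>{''.join(parts)}</AttributeStatement></Assertion>")


# Constructed example: two built-in groups plus a customer group mapped to tenant_super.
SAMPLE_ASSERTION = build_assertion(
    "alice@example.com", "Alice", "Smith",
    {"cloudgenix_groups": ["cloudgenix_tenant_network_admin", "cloudgenix_tenant_viewonly"],
     "memberOf": ["admin"]})
CUSTOM_MAP = {"admin": "tenant_super"}

if __name__ == "__main__":
    print(evaluate_login(SAMPLE_ASSERTION, CUSTOM_MAP))
```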

Enable SAML Access to End Users


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

SAML access is automatically enabled for new SAML users. When a SAML user logs in for the first
time, the account is created and by default the user type is set to SAML.


STEP 1 | Navigate to Workflows > Prisma SD-WAN Setup > Devices > Claimed Devices > AAA.

STEP 2 | Confirm that Auto Create Operators and Auto Create Operator Roles are toggled to Yes.
• If both Auto Create Operators and Auto Create Operator Roles are selected:
  • A new operator is not created if no system role is assigned to the operator.
  • If a system role is already assigned to an existing end user, no changes are made to the
  existing end user.
• If Auto Create Operators is selected but Auto Create Operator Roles is not selected:
  • A new operator is created, but will not be able to log in due to insufficient roles or
  permissions. An IAM administrator has to manually assign roles to the operator using
  User Management on the Prisma SD-WAN web interface.
  • An existing end user can log in if the correct role was assigned earlier; otherwise the user
  receives an error due to insufficient roles and permissions. For more information on group
  and role assignments, see Map Roles and Permissions.
Verify SAML access by ensuring that the user-to-role mapping is accurate and by testing
SAML-based login and authentication.

Authentication fails if the name ID and user role are not provided. The SAML response
must include the user’s name ID, first name, last name, and group membership. If
authentication fails, the SSO page displays an error message and prompts the user to
re-authenticate.

Enable SAML Access for Existing Users


You can enable SAML access for existing users by changing an existing local type user to
SAML on the User Administration page. The user account must also be added in your IdP server
to allow the user to log in as a SAML user.
STEP 1 | Navigate to Manage > System > Access Management > User Access > User Management.

STEP 2 | Select the user to enable SAML access and Edit the user attributes.

STEP 3 | Change the user Type to SAML.

STEP 4 | Save your changes.


Client Authentication using 802.1x/MAC


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Starting with Prisma SD-WAN Release 6.0.2, end devices such as ATM machines, IP phones, and
laptops connected to ION device switch ports can access the network only after successful
client authentication, which enhances security. The supported authentication modes are IEEE
802.1X and MAC authentication.
802.1X is an IEEE standard for port-based network access control (PNAC). 802.1X defines
authentication controls for a user or a device accessing a LAN or WLAN. It uses a client-server
model that grants network access only to authorized clients.
When enabled, before the ION device can provide services to a client, the client (connected to the
switch port) has to be authenticated by the Remote Authentication Dial In User Service (RADIUS)
authentication server. Clients that do not support 802.1X can access the network by using MAC
authentication, with the user policies applied in the RADIUS server. Only closed mode and
single-host authentication are supported.
IEEE 802.1X and MAC authentication are supported on all ports of the L2 LAN switch of the new
ION 1200-S and its variants.
• Add the RADIUS Server
• Supported RADIUS Attribute Value Pairs (AVPs)
• Monitor RADIUS Server Stats and Activity

Add the RADIUS Server


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Two RADIUS servers are supported on an ION device. If you configure only one RADIUS server,
then that server is used as the primary RADIUS server. If you have configured two RADIUS
servers, then the Priority value of the RADIUS server decides the primary server: the lower the
priority value, the higher the priority.
The RADIUS server with the lower priority value is set as the primary RADIUS server and the other
server as the secondary server. If the priority value is the same for both servers or is not
configured, then the first server in the received server list is set as the primary and the other
server as the secondary server.
STEP 1 | Navigate to Workflows > Prisma SD-WAN Setup > Devices > Claimed Devices > Configure
the Device > AAA > Stats tab.

STEP 2 | Select Configure the device.


STEP 3 | Select AAA > Edit > Add to add the RADIUS servers.
You can add a maximum of two servers.

STEP 4 | Update the following information:


• Enter a valid IP address (IPv4).
• Enter an Authentication Port Number between 1 and 65535. The default port is 1812.
• Enter an Accounting Port Number between 1 and 65535. The default port is 1813.
• Enter a Priority value between 1 and 255. The lower the priority number, the higher the priority.
• Enter a Shared secret; the length of the secret must be between 8 and 64 characters.
• If only one server has been added, you can Add one more RADIUS server and/or Delete
the existing server details.

STEP 5 | Select the Source Interface by selecting the port. Source Interface is a global configuration.

STEP 6 | Save your updates.

Monitor RADIUS Server Stats and Activity


The RADIUS page displays the current active RADIUS server details where you can monitor the
statistics.
STEP 1 | Navigate to Workflows > Prisma SD-WAN Setup > Devices > Claimed Devices >
Configure the Device > AAA > Stats to view the device RADIUS Server status.

STEP 2 | Select the Auth Clients to view the status of authorized clients and details.


STEP 3 | To view the RADIUS server activity charts, navigate to Monitor > ION Devices and select a
device to view the charts.


Supported RADIUS Attribute Value Pairs (AVPs)


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

RADIUS packets include a set of AVPs to identify information about the user and other attributes.
You can override certain configurations from the RADIUS server using the user policy. The
supported AVPs are:
• Dynamic VLAN
You can choose to place different clients on different VLANs to limit the broadcast domain by
configuring the appropriate VLAN in each user profile. RFC 3580 defines the following Attribute
Value Pairs (AVPs) to support dynamic VLAN.

Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID

The VLAN ID must be pre-programmed on the ION device prior to receiving the AVP by
creating the corresponding SVI. If the received dynamic VLAN is pre-configured, the switch
port allows the traffic. If the received dynamic VLAN is not pre-configured, then the ION
device raises an alarm. Until the issue is resolved, the port remains unauthorized and client
traffic is blocked.
• Re-authentication Timeout
  • The ION device authenticates or reinitializes the client after a session timeout, based on the
  value of Termination-Action.
  • The value RADIUS-Request (1) indicates that authentication occurs on expiration of the
  Session-Time.
  • The value Default (0) indicates that the session will terminate.
• Idle Timeout
On receiving the Idle Timeout AVP from the RADIUS server, the ION device does one of the
following:
  • If the timeout value in the received Idle Timeout AVP is 0, then the ION device adds the client
  as a static client, that is, the client will never age. If a re-auth timer is configured, then the
  client is forced to re-authenticate when the timer expires.
  • If the timeout value is non-zero, then the ION device adds the client as a dynamic entry,
  which ages based on the switch global aging timer. The Idle Timeout AVP value is
  discarded because the switch cannot age clients differently.
  • If the Idle Timeout AVP is not present, then the ION device adds the client as a static client
  and the client will never age. If a re-auth timer is configured, then the client is forced to
  re-authenticate when the timer expires.
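As an added example (not Palo Alto Networks code), the Python below models how the guide says an ION device reacts to these AVPs in a RADIUS Access-Accept: a dynamic VLAN without a pre-programmed SVI leaves the port unauthorized with an alarm, Termination-Action decides re-authentication versus termination when Session-Timeout expires, and Idle-Timeout decides whether the client becomes a static or a dynamic entry. The AVP dictionary and the set of configured VLANs are constructed inputs, and the Tunnel-Medium-Type handling accepts both the guide's 802 spelling and the RFC 3580 on-the-wire value 6.

```python
# RFC 3580 values for the dynamic VLAN AVPs. The guide writes Tunnel-Medium-Type as 802;
# on the wire IEEE-802 is encoded as 6, so both spellings are accepted below.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
TERMINATION_ACTION_DEFAULT = 0          # session terminates on Session-Timeout
TERMINATION_ACTION_RADIUS_REQUEST = 1   # re-authenticate on Session-Timeout


def dynamic_vlan(avps):
    """Return the VLAN ID carried by the RFC 3580 tunnel AVPs, or None if none is present."""
    if avps.get("Tunnel-Type") != TUNNEL_TYPE_VLAN:
        return None
    if avps.get("Tunnel-Medium-Type") not in (TUNNEL_MEDIUM_IEEE_802, 802, "802"):
        return None
    group_id = avps.get("Tunnel-Private-Group-ID")
    return int(group_id) if group_id is not None else None


def apply_access_accept(avps, configured_vlans, reauth_timer_configured=False):
    """Derive the port and client state the guide describes from an Access-Accept.

    avps: dict of RADIUS attribute name -> value (constructed; a real decoder would supply it).
    configured_vlans: VLAN IDs that already have an SVI on the ION device.
    reauth_timer_configured: whether a re-authentication timer is configured for the port.
    """
    state = {"authorized": True, "vlan": None, "alarm": None, "client_entry": None,
             "on_session_timeout": None, "forced_reauth": False, "idle_timeout_discarded": False}

    vlan = dynamic_vlan(avps)
    if vlan is not None:
        state["vlan"] = vlan
        if vlan not in configured_vlans:
            # The VLAN must be pre-programmed; otherwise raise an alarm, keep the port
            # unauthorized and block client traffic until the issue is resolved.
            state["authorized"] = False
            state["alarm"] = f"dynamic VLAN {vlan} is not configured on the ION device"
            return state

    # Termination-Action decides what happens when Session-Timeout expires.
    if "Session-Timeout" in avps:
        action = avps.get("Termination-Action", TERMINATION_ACTION_DEFAULT)
        state["on_session_timeout"] = (
            "reauthenticate" if action == TERMINATION_ACTION_RADIUS_REQUEST else "terminate")

    # Idle-Timeout: 0 or absent -> static client that never ages (a configured re-auth timer
    # still forces re-authentication); non-zero -> dynamic entry aged by the switch global
    # aging timer, with the AVP value itself discarded.
    idle_timeout = avps.get("Idle-Timeout")
    if idle_timeout in (None, 0):
        state["client_entry"] = "static"
        state["forced_reauth"] = reauth_timer_configured
    else:
        state["client_entry"] = "dynamic"
        state["idle_timeout_discarded"] = True
    return state


# Constructed Access-Accept user policy: place the client on VLAN 20, re-authenticate hourly.
SAMPLE_ACCESS_ACCEPT = {
    "Tunnel-Type": TUNNEL_TYPE_VLAN,
    "Tunnel-Medium-Type": TUNNEL_MEDIUM_IEEE_802,
    "Tunnel-Private-Group-ID": "20",
    "Session-Timeout": 3600,
    "Termination-Action": TERMINATION_ACTION_RADIUS_REQUEST,
    "Idle-Timeout": 0,
}

if __name__ == "__main__":
    print(apply_access_accept(SAMPLE_ACCESS_ACCEPT, {10, 20}, reauth_timer_configured=True))
    print(apply_access_accept(SAMPLE_ACCESS_ACCEPT, {10}))  # VLAN 20 missing -> alarm
```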


Audit Logs
Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Audit logs are available through the Prisma SD-WAN web interface and provide records of
administrators' configuration changes in a system. You can use these logs for compliance and
troubleshooting purposes. They record the change made, the owner of the change, the time of the
change, and the scope of the change at a site, the system, or a subset of sites.
You can filter the audit logs by time range (going back at least six months), by site, by device,
and by type, such as security, network policy, system administration, and users. The audit logs
also record the number of login attempts to an enterprise portal by a specific user from a
particular IP address, including all successful and failed attempts. Users will have a view of all
system changes and access attempts.
Audit logs auto-expire after two years, although the last two actions carried out on any resource
are kept forever. They are accessible to the ROOT, SUPER, and IAM ADMIN user roles. Custom
roles with GET and POST permissions for the audit log resource may also access these logs.
Audit logs support regex queries and version comparison: you can rewind or fast-forward to
earlier or later versions while keeping the other version static. You can access the audit logs
from the System tab on the Prisma SD-WAN web interface as well as directly from resources,
such as sites, devices, SNMP traps, Syslog exports, NTP clients, server, BGP, static route,
interface configuration, policy rule, policy set, stacked policy prefix, custom application,
application override configuration, network contexts, circuit categories, IPSec profiles, Policies
(Original), zones, and prefix filters. You can export audit logs as CSV files through the Audit
Log menu.

Work with Audit Logs


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Use Audit Log to access the audit logs, filter the query parameters, compare different versions of
the logs, and view audit logs for error scenarios.
STEP 1 | Select Manage > System > Audit Logs.
You can also access audit logs for a resource by clicking on a resource or selecting Audit Logs
from the ellipsis menu.


STEP 2 | Use the filter criteria to narrow down the audit logs search.
Enter values in any of the filter fields and click Query. You can enter partial text or a regular
expression (Regex) for fields marked with a *. Filters can be set for a field by entering values or
selecting an option from the drop-down. The following table describes the query parameters:

Resource Key: Identifies the resource for querying. The resource key is inside square brackets
with the event name outside the brackets. For example, select Devices [elements] to filter
operations on devices.

Resource ID: Uses the ID of the resource.

Type: Uses the type of operation for filtering. You can select GET, POST, PUT, PATCH, or DELETE.

Status: Uses the status of the operation for filtering. For example, a 200 in the Status field
filters actions with the Status Code 200, that is, successfully carried out actions.

Resource Ver: Uses the resource version for filtering. The resource version is updated whenever
you perform an operation on the resource.

URI Ver: Uses the API version of the resource for filtering.

URI: Uses the request URI for filtering. The complete URI needs to be entered. For example,
/v2.0/api/login

Session Key: Uses the session tag of the operator performing the operations on the resource.

Source IP: Uses the client IP address for filtering.

Operator ID: Sets the filter based on the operator performing the operations on the resource.

Start Date: Sets the filter based on a start date selected from the calendar drop-down. The start
date corresponds to the time of the request. Records are filtered between the start date and
the end date.

End Date: Sets the filter based on an end date selected from the calendar drop-down. The end date
corresponds to the time of the response. Records are filtered between the start date and the
end date.


STEP 3 | Compare the audit log versions.


Choose versions to compare by clicking the back and forward icons under Response
Compared. The responses compared display changes between versions in different colors.
You can also compare audit versions at the resource. Click the resource icon or select Audit
Log from the ellipsis menu and then click the Compare icon.

STEP 4 | View the audit logs by clicking the Audit Log Record for details on bad requests or requests
with response status 400.
Audit logs support nested IDs, which when clicked, provide access to a specific resource. To
return to the resources screen, click the breadcrumb navigation on the Compare Audit Log
Versions screen.
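As an added example (not Palo Alto Networks code), the Python below applies the filter semantics from the query parameter table and a version comparison to a handful of constructed audit records: Start Date is checked against the request time, End Date against the response time, the complete URI must match, regex fields match partially, and everything else matches exactly. The audit records, field names and the choice of which fields accept a regex are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed audit records (not real Prisma SD-WAN data). Field names follow the query
# parameter table; request_time and response_time are UTC ISO-8601 strings.
AUDIT_LOG = [
    {"resource_key": "Devices [elements]", "resource_id": "elem-1001", "type": "PUT",
     "status": 200, "resource_ver": 7, "uri_ver": "v2.0",
     "uri": "/v2.0/api/tenants/1/elements/elem-1001", "session_key": "sess-a1",
     "source_ip": "203.0.113.10", "operator_id": "op-42",
     "request_time": "2024-03-01T10:00:00Z", "response_time": "2024-03-01T10:00:01Z",
     "response": {"name": "branch-ion-1", "admin_state": True, "role": "SPOKE"}},
    {"resource_key": "Devices [elements]", "resource_id": "elem-1001", "type": "PUT",
     "status": 400, "resource_ver": 7, "uri_ver": "v2.0",
     "uri": "/v2.0/api/tenants/1/elements/elem-1001", "session_key": "sess-b7",
     "source_ip": "198.51.100.5", "operator_id": "op-99",
     "request_time": "2024-03-02T08:15:00Z", "response_time": "2024-03-02T08:15:00Z",
     "response": {"_error": [{"message": "INVALID_ELEMENT_PAYLOAD"}]}},
    {"resource_key": "Login [login]", "resource_id": None, "type": "POST",
     "status": 200, "resource_ver": None, "uri_ver": "v2.0", "uri": "/v2.0/api/login",
     "session_key": "sess-b7", "source_ip": "198.51.100.5", "operator_id": "op-99",
     "request_time": "2024-03-02T08:14:30Z", "response_time": "2024-03-02T08:14:31Z",
     "response": {}},
    {"resource_key": "Devices [elements]", "resource_id": "elem-1001", "type": "PUT",
     "status": 200, "resource_ver": 8, "uri_ver": "v2.0",
     "uri": "/v2.0/api/tenants/1/elements/elem-1001", "session_key": "sess-b7",
     "source_ip": "198.51.100.5", "operator_id": "op-99",
     "request_time": "2024-03-02T08:16:00Z", "response_time": "2024-03-02T08:16:02Z",
     "response": {"name": "branch-ion-1", "admin_state": False, "role": "SPOKE"}},
]

# The web UI marks regex-capable fields with *; which fields those are is assumed here.
REGEX_FIELDS = {"resource_key", "session_key", "operator_id"}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def query_audit_log(records, start_date=None, end_date=None, **filters):
    """Filter like the Audit Logs screen: Start Date bounds the request time, End Date bounds
    the response time, regex fields match partially, all other fields must match exactly."""
    matches = []
    for rec in records:
        if start_date and _ts(rec["request_time"]) < _ts(start_date):
            continue
        if end_date and _ts(rec["response_time"]) > _ts(end_date):
            continue
        if all(
            re.search(wanted, str(rec.get(field))) if field in REGEX_FIELDS
            else str(rec.get(field)) == str(wanted)
            for field, wanted in filters.items() if wanted is not None
        ):
            matches.append(rec)
    return matches


def compare_versions(records, resource_id, old_ver, new_ver):
    """Diff the stored responses of two versions of one resource, as in Response Compared.
    Returns {field: (old_value, new_value)} for every field that changed."""
    by_ver = {r["resource_ver"]: r["response"]
              for r in records if r["resource_id"] == resource_id and r["status"] == 200}
    old, new = by_ver[old_ver], by_ver[new_ver]
    return {k: (old.get(k), new.get(k)) for k in sorted(set(old) | set(new))
            if old.get(k) != new.get(k)}


if __name__ == "__main__":
    # Rejected configuration writes by one operator, then the change that operator did make.
    print(query_audit_log(AUDIT_LOG, type="PUT", status=400, operator_id="op-99"))
    print(compare_versions(AUDIT_LOG, "elem-1001", 7, 8))
```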

Prisma SD-WAN Branch and Data Center Routing
Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Prisma SD-WAN supports both static and dynamic routing in a branch on internet, private WAN
underlays, and Standard Virtual Private Network (VPN) tunnels in a branch, and private WAN
underlays and Standard VPNs in a data center. You can configure routing on branch and data
center ION devices. Based on the deployment, WAN routing behavior differs between branch and
data center sites.
• Prisma SD-WAN Branch Routing
• Prisma SD-WAN Data Center Routing
• Configure Static Routing
• Configure Dynamic Routing
• Prisma SD-WAN Multicast Routing
• Prisma SD-WAN VRF
• Configure a VRF Profile in Prisma SD-WAN


Prisma SD-WAN Branch Routing


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

You can configure static and dynamic routing in a branch for internet, private WAN underlays, and
standard VPN tunnels.
Configure static routing on a branch ION device to support topologies with one or more LAN-
side Layer 3 devices to forward traffic destined for subnets that are more than one hop away.
Use static routes to configure next hops to subnets behind a Layer 3 switch on the LAN-side
or destinations reachable over a WAN network underlay or a standard VPN. You can add static
routes on an ION device that point to the standard VPN interface or the standard VPN peer IP
address.
Configure dynamic Border Gateway Protocol (BGP) routing on a branch ION device for internet,
private WAN underlays, and standard VPNs. The ION device learns routes dynamically over the
internet, private WAN, and standard VPNs and advertises global branch prefixes on these routes.
By default, ION devices use a bypass pair for private WAN underlay traffic. If you use a Layer 3
interface, you must explicitly enable L3 Direct Private WAN Forwarding for the private WAN
underlay. The ION device uses the bypass pair only to bridge traffic.
Starting with device software version 5.2.1, ION devices support dynamic LAN routing in branch
sites. To use LAN routing, you must explicitly enable L3 Direct Private WAN Forwarding and
L3 LAN forwarding. You can enable L3 LAN Forwarding only when there are no Private Layer 2
bypass pairs associated with any of the interfaces on the device. Starting with device software
version 5.2.3, if there are Private Layer 2 interfaces on the device, the device displays a message
to first remove any Private Layer 2 interfaces associated with the device and then enable L3 LAN
Forwarding.
A branch ION device supports only classic peers. It can support multiple BGP peers and also peer
with multiple BGP peers on the same interface. The device treats each underlay and Standard
VPN as a separate domain. The routes learned from one domain are not advertised to another
domain, thus preventing the branch ION device from dynamically becoming a transit point.
At a branch site, configure the routing for a link or a routing instance per link. The following
topologies illustrate private WAN and third-party routing in a branch.
• Private WAN Dynamic Border Gateway Protocol (BGP) Routing
In this scenario, the branch ION device participates in dynamic BGP routing by peering with
a private WAN peer edge router, an internet router, or standard VPNs. There may be more
than one link, and you can enable dynamic routing on each.
• Private WAN Static Routing
In this scenario, the branch ION device has a default static route pointing to the peer edge
router. On behalf of the ION device, the peer edge router will advertise routes for branch
prefixes. There may be more than one private WAN link.


• Standard VPNs to Cloud Security Services or Data Centers
In this scenario, the branch ION has a standard VPN connection to a cloud security service.
This VPN has a static default route, or optionally, can have a BGP adjacency configured with
the standard endpoint.
You can deploy the ION at a branch site as follows:
• Layer 2-only Deployment Model—You do not need to configure routing when the ION is
deployed in-line between the switch and a branch router. In this deployment, the internet links
terminate on the branch ION device and the private wide area network (WAN) link terminates
on the WAN router.
The branch ION device dynamically steers traffic directly to the private WAN via the WAN
router it is connected to, or to a public WAN or VPN on public WAN for each application based
on path policies and network and application performance characteristics.
• Layer 2 / Layer 3 Deployment Model—Deploy the Prisma SD-WAN ION device in-line
between the switch and a branch router, with the added facility of routing via a separate Layer
3 WAN interface on the ION device. In this deployment, you can configure a Layer 3 WAN
interface (WAN 2) as the source for a private WAN VPN to another Prisma SD-WAN branch or
data center site.
For example, configure LAN 1 and WAN 1 as a Layer 3 bypass pair, but configure WAN 2 to
BGP peer with the router. The ION device then advertises prefixes to the router and learns
routes from the router.
• Router Replacement Model—In this model, the branch ION device terminates both private
WAN and internet links. When terminating the private WAN links, the branch ION device
participates in dynamic routing with the peer edge router. The device advertises prefixes
present in the branch and learns the prefixes reachable through the MPLS core.
• LAN-Side BGP Routing—On the LAN side, the ION device can be the default gateway for
all branch subnets or can participate in static or dynamic routing with a Layer 3 device.
Together with the Layer 3 switch, the branch ION device participates in routing as follows:
• Learns the prefixes behind the Layer 3 device and forwards traffic to those prefixes.
• Advertises BGP prefixes learned from the WAN side (for example, from the MPLS peer edge
router), or a default route, to the LAN Layer 3 device.
• Advertises prefixes learned from the Layer 3 device to other branches and data centers.


Prisma SD-WAN Data Center Routing


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Configure static and dynamic routing on data center ION devices. The ION device supports static
routing on all its interfaces. You can configure dynamic routing only on interfaces configured
as Peer with a Network or as standard VPN interfaces; data center ION devices do not support
routing on interfaces configured as Use to Connect to Internet. Standard VPN interfaces on a
data center device learn routes dynamically from the standard VPN and advertise data center
prefixes over it.
When you deploy the ION device in a data center, you place the device off-path for a seamless
integration with the existing environment. The data center ION device connects with the data
center core router, and optionally, the WAN edge router. The data center ION device only
attracts the traffic destined to branches where Prisma SD-WAN ION devices are deployed and
where there is an active VPN tunnel to that remote ION device. The data center ION device
accomplishes this by injecting more specific or preferred routes via BGP towards the core router
for Prisma SD-WAN-deployed site prefixes.
The data center ION device supports three types of peers—core, edge, and classic. These BGP
peers are contained in a single routing domain. At a data center, configure routing per peer.
You can configure an ION device in the data center for core and edge peering. You have to
configure BGP peering information, such as local and remote AS #, peer IP, and options like MD5
and timers on the device. The device automatically takes care of other configurations, such as
route-map generation, updates, and filtering.
You can configure an ION device to perform classic BGP peering, just like any other Layer 3
networking device for more complex topologies or scenarios.
The following topologies illustrate private WAN and third-party routing in a data center.
• Edge and Core
In this scenario, the data center ION device peers with one or more edge BGP peers and with
one or more core BGP peers.

• Core only
In this scenario, the data center ION device peers only with core peers. No private WAN
underlay path exists for traffic to exit from the data center.


• Core and Data Center ION Device as the WAN Edge


In this scenario, the data center ION device becomes the WAN edge and peers with both the core
and the PE router in the provider cloud. This is equivalent to router replacement in the branch.

• Core and Standard VPN Peers


In this scenario, the data center ION device peers with core and third-party peers.


Configure a Static Route


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

You can configure a static route for a branch site or a data center site. Starting with release
6.0.1, global and link-local IPv6 addresses are supported.
STEP 1 | Select Workflows > Devices > Claimed Devices > Configure the device > Routing > Static.

STEP 2 | Click +Static Route to create a new static route.

STEP 3 | For VRF, Global is selected by default. The VRF field is enabled only when the
associated device supports VRF.

Starting with ION device version 6.2.3, the Global VRF supports IPv6 addresses.

STEP 4 | Enter the Destination Prefix (IPv4 or IPv6) as an address with its prefix length, for
example 10.50.0.0/16 or 2001:db8:50::/48.
The following IPv6 address formats are accepted (each line below is the same address):
• Eight groups of four hexadecimal digits: 2001:0db8:0000:0000:0000:0000:0000:0001
• Leading zeros within each 16-bit field omitted: 2001:db8:0:0:0:0:0:1
• A single double colon (::) in place of the longest run of consecutive all-zero fields:
2001:db8::1

Global IPv6 addresses are supported starting with release 6.0.1.

STEP 5 | (Optional) Enable NextHop Reachability Probe for the device to probe the next hop.
By enabling the NextHop reachability probe, the device checks if the next hop configured on
the static route is reachable via ICMP probes.


STEP 6 | Toggle Scope as Local or Global.


• If scope is local, the device does not advertise the route to other sites.
• If scope is global, the device advertises the route to other sites.

When you configure a global static route, the device advertises the destination IP/
prefix to other sites automatically.

STEP 7 | Enter the next hop IPv4 or IPv6 Address for the traffic.
You can configure next hop as Global IPv6 address or as Link-Local address along with
required interface on the ION device.

STEP 8 | Enter the Admin Distance for this specific route.


The default value for Admin Distance is 1.
• To configure a list of next hops, specify each next hop as an IP address with its own
administrative distance, or as an interface. The reachability check for an IPv4 next hop uses
ICMP echo requests; for an IPv6 next hop it uses ICMPv6 echo requests.
• When you specify more than one next hop with different administrative (admin) distances,
the device prefers the next hop with the lower admin distance.
• When you specify more than one next hop with the same admin distance and they are all
reachable, the device forwards traffic to only one of them; traffic is not load-balanced
across equal-distance next hops.
• When a next hop fails, the device moves new and existing flows to the destination prefixes
to an alternate next hop, if one is available. When the last next hop to a set of prefixes
fails, existing and new flows are dropped.
• Flows dropped because a next hop is unreachable are shown in the analytics charts.

STEP 9 | Select an Interface.


You can select an interface on the ION device that has a defined IP address, or a bypass pair
interface with attached LAN networks, because these interfaces can forward packets to a next
hop. When you specify an interface without a gateway as the next hop, the device resolves the
destination IP directly on that interface (it creates an ARP entry for the destination IP).

You can configure either a next hop address or an interface, but not both.

STEP 10 | For Self, select True to indicate that traffic is destined for the ION device.
By default, Self is set to False.

STEP 11 | Enter a name and optionally enter tags and description for the static route and Save.


Configure NextHop Reachability Probe


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

The ION device checks whether the next hop configured on a static route is reachable when you
enable the NextHop Reachability Probe. It sends an ICMP echo request to the next hop every
second and waits 100 ms for the reply. Three consecutive missed replies cause the device to
mark the next hop unreachable and withdraw the static route, so traffic to the destination prefix
is forwarded over an alternate path instead of being dropped at an unreachable next hop.
The device sizes the number of probes to the set of distinct next hops. If several static routes
share the same next hop, the device runs a single probe for that next hop; if there are several
distinct next hops, each gets its own probe.
Enable the NextHop Reachability probe when configuring a static route.
STEP 1 | Select Workflows > Devices > Claimed Devices > Configure the device > Routing > Static.

STEP 2 | Create or edit a static route and toggle the Next Hop Reachability Probe to True.

You cannot enable the Next Hop Reachability probe if:
• The next hop is an interface on the ION device.
• Self is True for the route.
• A recursive next hop is configured on a data center ION device.

STEP 3 | To check the status of the NextHop Reachability Probe, click the ellipsis menu for a static
route and then select Status.

View the reachability status of the next hop along with the next hop address on the Nexthop
Reachability Status screen.
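The next-hop rules from the static route procedure (preference by admin distance, failover to an alternate hop, drop when the last hop fails) and the probe thresholds described above, modeled together in one added Python example. This is example code, not ION device software: the probe timing constants and the restriction that an interface next hop cannot be probed come from this page, while restoring a hop on its first successful reply and breaking admin-distance ties by configuration order are assumptions, and the prefixes and addresses are constructed.

```python
"""Model of Prisma SD-WAN static-route next-hop selection and the NextHop
Reachability Probe as this page describes them (example code, not product
code; see the lead-in for which parts are assumptions)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROBE_INTERVAL_S = 1       # one ICMP/ICMPv6 echo request per second (page)
PROBE_TIMEOUT_MS = 100     # the reply must arrive within 100 ms (page)
PROBE_FAIL_THRESHOLD = 3   # three consecutive misses mark the hop down (page)


@dataclass
class NextHop:
    address: Optional[str] = None    # next hop IPv4/IPv6 address ...
    interface: Optional[str] = None  # ... or an egress interface, never both
    admin_distance: int = 1          # page default; lower is preferred
    probe: bool = False              # NextHop Reachability Probe enabled
    reachable: bool = True
    misses: int = 0

    def __post_init__(self) -> None:
        if (self.address is None) == (self.interface is None):
            raise ValueError("configure either a next hop address or an interface, not both")
        if self.probe and self.interface is not None:
            raise ValueError("the probe cannot be enabled when the next hop is an interface")
        if not 1 <= self.admin_distance <= 255:
            raise ValueError("admin distance must be 1-255")
        if self.address is not None:
            ipaddress.ip_address(self.address)   # reject malformed addresses early

    def record_probe(self, replied: bool) -> bool:
        """Feed one probe result (True if an echo reply arrived within
        PROBE_TIMEOUT_MS) and return the hop's resulting reachability."""
        if not self.probe:
            return self.reachable
        if replied:
            self.misses = 0
            self.reachable = True   # assumption: one reply restores the hop
        else:
            self.misses += 1
            if self.misses >= PROBE_FAIL_THRESHOLD:
                self.reachable = False
        return self.reachable


@dataclass
class StaticRoute:
    prefix: str
    next_hops: List[NextHop]
    scope: str = "local"   # "global" routes are also advertised to other sites

    def __post_init__(self) -> None:
        self.network = ipaddress.ip_network(self.prefix, strict=True)
        if self.scope not in ("local", "global"):
            raise ValueError("scope must be 'local' or 'global'")
        for nh in self.next_hops:
            if nh.address is not None and \
                    ipaddress.ip_address(nh.address).version != self.network.version:
                raise ValueError("next hop address family must match the prefix")


def select_next_hop(route: StaticRoute) -> Optional[NextHop]:
    """Pick the reachable hop with the lowest admin distance.  Equal distances
    fall back to configuration order because the device forwards to one hop
    only.  None means the last hop failed and flows to this prefix are dropped."""
    live = [nh for nh in route.next_hops if nh.reachable]
    if not live:
        return None
    return min(live, key=lambda nh: nh.admin_distance)


def lookup(routes: List[StaticRoute],
           destination: str) -> Optional[Tuple[StaticRoute, Optional[NextHop]]]:
    """Longest-prefix match over the static routes, then hop selection."""
    dst = ipaddress.ip_address(destination)
    matching = [r for r in routes
                if r.network.version == dst.version and dst in r.network]
    if not matching:
        return None
    best = max(matching, key=lambda r: r.network.prefixlen)
    return best, select_next_hop(best)


if __name__ == "__main__":
    # Constructed sample: a primary hop and a higher-distance backup hop.
    primary = NextHop(address="10.1.1.1", admin_distance=1, probe=True)
    backup = NextHop(address="10.1.2.1", admin_distance=5, probe=True)
    route = StaticRoute("192.168.50.0/24", [primary, backup], scope="global")
    print("initial hop:", select_next_hop(route).address)
    for _ in range(PROBE_FAIL_THRESHOLD):
        primary.record_probe(False)
    print("after 3 missed probes:", select_next_hop(route).address)
```

Two probe misses followed by a reply leave the hop up, because the page counts consecutive failures only; three misses in a row withdraw the hop and `select_next_hop` falls through to the backup, and once the backup fails too the lookup returns no hop, which is the drop case the analytics charts report.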


Configure Dynamic Routing


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

You can configure dynamic routing using BGP for a branch or data center. The configuration
on a branch ION device is identical to a data center ION device with the exception of prefix
advertisement in a branch and additional core and edge peers in a data center. This configuration
is for a branch ION device. Note the differences in configuration between a branch ION device
and a data center ION device in the relevant sections.

Use the following steps to configure dynamic routing using BGP:

Enable layer 3 forwarding.

Configure global BGP parameters.

Configure a BGP peer.

(Optional) Configure a route map.

(Optional) Configure a prefix list.


(Optional) Configure an AS path list.

(Optional) Configure an IP community list.

Configure OSPF in Prisma SD-WAN


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license; physical and virtual ION devices running
software version 6.4.1 or higher

Prisma SD-WAN supports the Open Shortest Path First (OSPF) routing protocol toward Layer 3
switches at branch sites and toward the aggregation layer at campus and data center sites.
OSPF is an interior gateway protocol (IGP) commonly used to manage routes dynamically in large
enterprise networks. Each router learns the topology by exchanging Link State Advertisements
(LSAs) with its neighbors and describes its own links the same way. The LSAs are assembled into
a link-state database that every router in the area shares, and each router runs the shortest
path first computation over that database to populate its IP routing table.
Changes in the topology are detected dynamically and a new shortest path tree is computed
within seconds. Each interface carries a cost, and the path with the lowest total cost wins; the
cost can be derived from link bandwidth or set statically to steer the result of the computation.
The Palo Alto Networks implementation of OSPF fully supports the following RFCs:
• RFC 2328 (for IPv4)

Enable Layer 3 Direct Private WAN Forwarding to allow the ION device to peer with an OSPF
router via the private WAN interface.
Enable Layer 3 Direct Private WAN Forwarding and Layer 3 LAN Forwarding to use dynamic LAN
routing.
STEP 1 | Log in to Strata Cloud Manager.


STEP 2 | Select Workflows > Devices > Claimed Devices > Configure the device > Basic Info.

STEP 3 | Enable L3 Direct Private WAN Forwarding to allow the ION device to send underlay MPLS
traffic or peer with an OSPF router on a private WAN interface. You don't need to enable
this field to run OSPF on the internet or standard VPNs.

STEP 4 | Enable L3 LAN Forwarding to use dynamic LAN routing.


You can enable Layer 3 LAN Forwarding only when no Private Layer 2 bypass pairs are
associated with any device's interfaces. If a device has Private Layer 2 interfaces, you will see a
message to remove them and then enable Layer 3 LAN Forwarding.

For the ION device to use dynamic LAN routing, you must enable both L3 Private
WAN Forwarding and L3 LAN Forwarding.


STEP 5 | Select Workflows > Devices > Claimed Devices > Configure the device > Routing > OSPF
> OSPF Infra Settings for ION device > Edit to configure and manage the Route Maps and
Prefix Lists.

1. (Optional) Enter the ION device's IP address for Router ID. The router ID is an IPv4
address that identifies the ION device in OSPF.
2. (Optional) Enter an MD5 Key ID between 1 and 255 and an MD5 Secret of up to 16
characters. The MD5 digest computed with this secret is added to every OSPF packet
exchanged with the peer; the peer must be configured with the same Key ID and secret or
the adjacency will not form.
3. Configure LAN Prefix Advertisement in one of the following ways:
• Default—The device advertises only the default prefix (0.0.0.0/0). This is the default
setting for LAN prefix advertisement.
• Unaggregated—The device advertises prefixes as is.
• Auto-Aggregated—The device summarizes the unaggregated prefixes into the largest
possible blocks and advertises those.

The device advertises prefixes to the LAN only as Default, Unaggregated, or
Auto-Aggregated.
4. (Optional) Enter the interface Cost (the range is 1 - 65535).
5. Hello Interval (sec)—The interval in seconds at which the OSPF process sends hello
packets to its directly connected neighbors (the range is 1 - 65535; the default is 10).
6. Dead Counts (sec)—The number of seconds a neighbor router waits for a hello packet
from the device before declaring it down (the range is 1 - 65535; the default is 40). The
hello and dead intervals must match on both ends of a link for the adjacency to form.
7. Retransmit Interval (sec)—The number of seconds OSPF waits for an acknowledgment
of a Link State Advertisement (LSA) it has sent before retransmitting it (the range is
1 - 65535; the default is 5).
8. Transit Delay (sec)—The estimated number of seconds it takes to transmit an LSA out
of the interface; the LSA's age is incremented by this amount before it is sent (the range
is 1 - 65535; the default is 1).


STEP 6 | Select Create OSPF Configuration to create or add a new OSPF configuration.

1. On the General tab, enter a unique OSPF configuration Name and select the VRF (Global
or a custom VRF). Optionally enter a description and tags for the OSPF configuration.

The VRF field is enabled only when the associated device supports VRF. By
default, it is Global.

    1. (Optional) Enter the Router ID, an IPv4 address that serves as the ION device's
    OSPF ID.
    2. Select LAN Prefix Advertisement: Default (only the default prefix 0.0.0.0/0 is
    advertised; this is the default setting), Unaggregated, or Auto-Aggregated. (Optional)
    For Unaggregated and Auto-Aggregated only, select a LAN Advertisement Route Map
    to control which prefixes are advertised to the LAN.
    3. Select Redistribute BGP to advertise all BGP-learned prefixes into OSPF.
    4. Toggle Scope to Local or Global. Local indicates that prefixes are not advertised to
    other sites.
    5. Select the Shutdown check box if you do not want to use the configuration yet. The
    Shutdown check box is deselected by default.
2. On the Area & Interfaces tab, configure the Area ID and Type and associate interfaces.
    1. Area ID—Enter an identifier for the area, in x.x.x.x format, over which the OSPF
    parameters apply. Each neighbor must be configured with the same area ID to be part
    of the area.
    2. Type—Select one of the following options:
    • Normal—There are no restrictions; the area can carry all routes, including external
    (redistributed) routes.
    • Stub—The area carries no external routes. Destinations outside OSPF are reached
    through a default route injected by the area border router that connects the stub
    area to the rest of the network.
    • NSSA (Not-So-Stubby Area)—Like a stub area, but routers inside it may redistribute
    external routes (for example, prefixes learned outside OSPF) into the area; external
    routes from other areas are still not imported.
    3. Associate Area with Interfaces—Choose the interfaces.
    4. Select Override Global Config to override the global settings for the selected
    interface and click Apply.
3. Review the OSPF configuration. The Summary tab displays the configuration. Make
changes if needed and Submit.
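As an added illustration of the MD5 Key ID and MD5 Secret settings in step 5, the following Python example implements OSPFv2 cryptographic authentication as specified in RFC 2328 Appendix D, the RFC this page lists. It builds a Hello packet with the page's default hello and dead intervals, fills the authentication field with the Key ID and a cryptographic sequence number, appends the MD5 digest, and verifies the packet as a neighbor would, rejecting a wrong secret, an unknown Key ID, a modified packet and a sequence number that went backwards. It is example code, not ION firmware; the router ID, area, mask and secret are constructed.

```python
"""OSPFv2 cryptographic (MD5) authentication per RFC 2328 Appendix D.
Example code written for this page, not product code.  Addresses and
secrets below are constructed."""
import hashlib
import hmac
import socket
import struct
from typing import Dict, Optional, Tuple

OSPF_VERSION = 2
OSPF_TYPE_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2
OSPF_HEADER_LEN = 24
MD5_KEY_LEN = 16        # secrets are zero-padded to 16 bytes (RFC 2328 D.4.3)


def _ip(addr: str) -> bytes:
    return socket.inet_aton(addr)


def build_ospf_hello(router_id: str, area_id: str, netmask: str,
                     hello_interval: int = 10, dead_interval: int = 40,
                     priority: int = 1, neighbors=()) -> bytes:
    """Unauthenticated OSPFv2 Hello: 24-byte header plus the Hello body."""
    body = (_ip(netmask)
            + struct.pack("!HBBI", hello_interval, 0x02, priority, dead_interval)
            + _ip("0.0.0.0") + _ip("0.0.0.0"))          # DR and BDR not yet known
    for n in neighbors:
        body += _ip(n)
    length = OSPF_HEADER_LEN + len(body)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_TYPE_HELLO, length,
                         _ip(router_id), _ip(area_id),
                         0,        # checksum: not used with cryptographic auth
                         0)        # AuType: filled in when the packet is signed
    return header + bytes(8) + body   # 8-byte authentication field, zeroed


def ospf_md5_sign(packet: bytes, key_id: int, secret: str, seq: int) -> bytes:
    """Set AuType 2 and the auth field (key ID, length 16, sequence number),
    then append MD5(packet || zero-padded key).  The 16-byte digest is not
    counted in the OSPF length field."""
    if not 1 <= key_id <= 255:
        raise ValueError("Key ID must be 1-255")
    key = secret.encode()
    if not 1 <= len(key) <= MD5_KEY_LEN:
        raise ValueError("secret must be 1-16 bytes")
    auth = struct.pack("!HBBI", 0, key_id, MD5_KEY_LEN, seq & 0xFFFFFFFF)
    pkt = (packet[:12]
           + struct.pack("!HH", 0, AUTYPE_CRYPTOGRAPHIC)   # checksum=0, AuType=2
           + auth
           + packet[OSPF_HEADER_LEN:])
    digest = hashlib.md5(pkt + key.ljust(MD5_KEY_LEN, b"\0")).digest()
    return pkt + digest


def ospf_md5_verify(wire: bytes, keys: Dict[int, str],
                    last_seq: Optional[int] = None) -> Tuple[bool, int, int]:
    """Check a received packet against a keyring {key_id: secret}.  Returns
    (ok, key_id, sequence).  A sequence number lower than the last one seen
    from this neighbor is treated as a replay."""
    if len(wire) < OSPF_HEADER_LEN + MD5_KEY_LEN:
        return False, 0, 0
    length = struct.unpack("!H", wire[2:4])[0]
    autype = struct.unpack("!H", wire[14:16])[0]
    _, key_id, auth_len, seq = struct.unpack("!HBBI", wire[16:24])
    if autype != AUTYPE_CRYPTOGRAPHIC or auth_len != MD5_KEY_LEN:
        return False, key_id, seq
    if len(wire) < length + MD5_KEY_LEN or key_id not in keys:
        return False, key_id, seq
    pkt, digest = wire[:length], wire[length:length + MD5_KEY_LEN]
    key = keys[key_id].encode().ljust(MD5_KEY_LEN, b"\0")
    expected = hashlib.md5(pkt + key).digest()
    if not hmac.compare_digest(expected, digest):
        return False, key_id, seq
    if last_seq is not None and seq < last_seq:
        return False, key_id, seq          # replayed or out-of-order packet
    return True, key_id, seq


if __name__ == "__main__":
    hello = build_ospf_hello("10.0.0.1", "0.0.0.0", "255.255.255.0")
    wire = ospf_md5_sign(hello, key_id=1, secret="s3cret", seq=100)
    print(ospf_md5_verify(wire, {1: "s3cret"}))   # (True, 1, 100)
```

The Key ID is what lets the receiver pick the right secret from its keyring, which is why the page requires the same Key ID and secret on both ends. The sequence number is the only replay protection OSPF MD5 offers, so a neighbor that reboots with a lower sequence number is dropped until its number catches up; MD5 guarantees integrity and origin against an attacker without the key, but it is a dated algorithm and this page lists no alternative.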


Discovered Neighbors
Two OSPF-enabled routers that share a network segment and belong to the same OSPF area form
a neighbor relationship through the exchange of OSPF hello packets. The connection between
them can be a common broadcast domain or a point-to-point link. Neighbors use this relationship
to exchange routing updates. The Discovered Neighbors view shows the following for each
neighbor:

• Config Name—The name of the OSPF configuration.
• Status—The status of the neighbor relationship.
• Neighbor ID—The router ID of the neighboring router on the other side of the link.
• Interface Name—The ION device interface on which the neighbor was discovered.
• VRF—The attached VRF.
• Area ID—The Area ID associated with the OSPF configuration.

Enable BGP for Private WAN and LAN


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Enable L3 Direct Private WAN Forwarding to allow the ION device to peer with a BGP router via
the private WAN interface.
Enable L3 Direct Private WAN Forwarding and L3 LAN Forwarding to use dynamic LAN routing.
STEP 1 | Select Workflows > Devices > Claimed Devices > Configure the device > Basic Info.

STEP 2 | Enable L3 Direct Private WAN Forwarding to allow the ION device to send underlay MPLS
traffic or peer with a BGP router on a private WAN interface.
You do not need to enable this field if you intend to run BGP on the internet or standard
VPNs.

STEP 3 | Enable L3 LAN Forwarding to use dynamic LAN routing.


You can enable Layer 3 LAN Forwarding only when there are no Private Layer 2 bypass pairs
associated with any of the interfaces on the device. Starting with Release 5.2.3, if there are
Private Layer 2 interfaces on the device, you will see a message to remove the Private Layer 2
interfaces associated with the device before you can enable Layer 3 LAN Forwarding.

You must enable both Enable L3 Direct Private WAN Forwarding and L3 LAN
Forwarding for the ION device to use dynamic LAN routing.

Configure BGP Global Parameters


Where Can I Use This? Prisma SD-WAN
What Do I Need? Prisma SD-WAN license

Configure BGP global attributes before creating BGP peers. You can configure the local AS #,
optional MD5 secret and router ID, prefix advertisements, and BGP timers.


STEP 1 | Configure local AS number.


1. Select Workflows > Devices > Claimed Devices > Configure the device > Routing >
BGP/Peers > BGP Global Config for ION device > Edit.

2. On the Info tab, enter a Local AS Number between 1 and 4294967295 (asplain) or in
A.B (asdot) notation, where A and B are each 16-bit values (0 - 65535).
The web interface also displays the entered AS number in the other notation. If you
enter an A.B value, the corresponding 32-bit value is shown below it; if you enter a
32-bit value, the corresponding A.B value is shown below it. The Local AS Number is
mandatory.
3. (Optional) Enter an MD5 Secret between 1 and 32 characters.
The default value is 0, meaning no MD5 secret is configured.
4. (Optional) For Router ID, enter the IP address of the ION device.
The router ID is an IPv4 address and is the BGP ID of the ION device.

The router ID must be the same for BGP peers within the same VRF. However,
it can differ if the BGP peers are in separate VRFs. Configuring different router
IDs for BGP peers within the same VRF can lead to issues such as BGP session
flapping.


STEP 2 | (Optional) Configure prefixes to advertise to WAN and LAN.

Branch ION devices can learn or advertise prefixes based on the scope configured. A
branch ION device does not advertise routes learned on one BGP peer to another BGP
peer. The device advertises only LAN networks, static routes, and interface addresses.
To advertise any of these prefixes, set the Scope to Global when configuring a BGP
peer.

1. Configure Prefix Advertisement to LAN in any of the following ways:


• Default—The device advertises only the default prefix (0.0.0.0/0) and (::/0). This is the
default setting for LAN prefix advertisement.
• Unaggregated—The device advertises prefixes as is.
• Auto-Aggregated—The device summarizes the unaggregated prefixes into the largest
possible blocks and advertises the prefixes.

The device advertises prefixes to the LAN only as Default, Unaggregated, or
Auto-Aggregated.
2. Configure Prefix Advertisement to WAN in any of the following ways:
• None (--)—The device does not advertise prefixes. This is the default setting for WAN
prefix advertisement.
• Unaggregated—The device advertises prefixes as is.
• Auto-Aggregated—The device summarizes the unaggregated prefixes into the largest
possible blocks and advertises the prefixes.
• Manually Aggregated—You can configure a set of prefixes which the device
aggregates and advertises.
• Manual Summary Aggregate Only—You can configure a set of prefixes which the
device summarizes into the largest possible blocks and advertises these prefixes.
3. Review the list of IP Prefixes to Advertise to WAN that the web interface displays.


STEP 3 | (Optional) Configure advanced options.

• Keepalive Time—Enter a keep-alive time between 3 - 200 seconds. If you have configured
a value on a BGP peer, the device uses the value from the peer configuration. If neither the
peer nor the BGP global configuration specifies a value, the keep-alive time defaults to 30
seconds.
• Hold Time—Enter a hold time between 3 - 600 seconds. The hold time should be at least
three times the keep-alive time, as RFC 4271 recommends (the defaults of 90 and 30
seconds keep that ratio). If you have configured a value on a BGP peer, the device uses the
value from the peer configuration; otherwise it uses the value from the BGP global
configuration. If neither specifies a value, the Hold Time defaults to 90 seconds.
• Multihop Limit—Enter a multi-hop limit between 1 - 255 hops. The default is 1 hop.
• Max Paths—Enter a max path between 1 - 255. The default is 1.
• Advertise Interval— Enter an advertisement interval between 0 - 300 seconds. The default
is 1 second.
• Peer Retry Time—Enter a peer retry time between 0 - 65535 seconds. The default is 120
seconds.
• Graceful Restart—By default graceful restart is Off. Select On to change the default setting.
• StalePath Time—Enter a stalepath time between 1 - 3600 seconds. The default is 120
seconds.
• Admin Distance—Enter a value between 1 - 255. The device sets the default Admin
Distance of all BGP-learned prefixes to 20. When a static route and a BGP route exist for
the same prefix, the admin distances decide which one is installed; with the defaults, the
static route (1) takes precedence over the BGP route (20).

STEP 4 | View the Summary to review BGP global configuration and then Save & Exit.
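Added example, not the Prisma SD-WAN UI or API: a small Python validator for the values entered in steps 1 and 3. It converts the Local AS Number between asplain and A.B (asdot) notation the way the web interface displays both forms, following the RFC 5396 rules, checks each advanced option against the ranges listed above, and flags a hold time below three times the keep-alive time. The ranges and defaults are the ones this page states; the shape of the configuration dictionary is an assumption.

```python
"""AS-number notation conversion and a consistency check for the BGP global
parameters on this page.  Example code; ranges and defaults are those the
page lists, and the config dictionary keys are an assumption."""
from typing import Dict, List, Union

AS_MAX = 4294967295   # largest 32-bit AS number


def asdot_to_asplain(text: str) -> int:
    """Accept '65001' (asplain) or '1.10' (asdot, A.B with A and B each
    0-65535) and return the 32-bit value."""
    text = text.strip()
    if "." in text:
        high, low = text.split(".", 1)
        a, b = int(high), int(low)
        if not (0 <= a <= 65535 and 0 <= b <= 65535):
            raise ValueError("asdot halves must each be 0-65535")
        value = (a << 16) | b
    else:
        value = int(text)
    if not 1 <= value <= AS_MAX:
        raise ValueError("AS number must be 1-4294967295")
    return value


def asplain_to_asdot(value: int) -> str:
    """RFC 5396 asdot: values below 65536 are written plain."""
    if not 1 <= value <= AS_MAX:
        raise ValueError("AS number must be 1-4294967295")
    if value < 65536:
        return str(value)
    return f"{value >> 16}.{value & 0xFFFF}"


# (minimum, maximum, default) for each advanced option, as listed on this page
LIMITS = {
    "keepalive": (3, 200, 30),
    "hold_time": (3, 600, 90),
    "multihop_limit": (1, 255, 1),
    "max_paths": (1, 255, 1),
    "advertise_interval": (0, 300, 1),
    "peer_retry_time": (0, 65535, 120),
    "stalepath_time": (1, 3600, 120),
    "admin_distance": (1, 255, 20),
}


def validate_bgp_global(cfg: Dict[str, Union[str, int]]) -> List[str]:
    """Return the list of problems found; an empty list means the global
    configuration is consistent."""
    issues: List[str] = []
    try:
        asdot_to_asplain(str(cfg.get("local_as", "")))   # mandatory field
    except ValueError as exc:
        issues.append(f"local_as: {exc}")
    secret = cfg.get("md5_secret")
    if secret is not None and not 1 <= len(str(secret)) <= 32:
        issues.append("md5_secret must be 1-32 characters")
    values = {}
    for name, (lo, hi, default) in LIMITS.items():
        v = cfg.get(name, default)
        if not isinstance(v, int) or not lo <= v <= hi:
            issues.append(f"{name} must be an integer in {lo}-{hi}")
            v = default
        values[name] = v
    # RFC 4271 recommends hold time = 3 x keepalive; a smaller ratio makes the
    # session fragile to a single delayed keepalive.
    if values["hold_time"] < 3 * values["keepalive"]:
        issues.append(f"hold_time {values['hold_time']} is less than "
                      f"3 x keepalive {values['keepalive']}")
    return issues


if __name__ == "__main__":
    print(asdot_to_asplain("1.10"), asplain_to_asdot(65546))   # 65546 1.10
    print(validate_bgp_global({"local_as": "65001", "keepalive": 30, "hold_time": 60}))
```

Note that the A.B form only exists for values of 65536 and above; a 16-bit AS number is displayed the same way in both notations.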

Global or Local Scope for BGP Peers


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

You can configure global or local scope only for BGP peers at branch sites. The following table
explains the learning and advertisement of routes based on global or local scope configured for
LAN and WAN peers.

Scope: Local

WAN-side Peer
  Advertisement:
  • Global scope connected subnets.
  • Global scope static routes.
  • Routes learned from a global scope LAN BGP peer.
  Learning:
  • Learned routes are not advertised to other peers or to the controller.

LAN-side Peer
  Advertisement:
  • Only the default route is advertised to the peer.
  Learning:
  • Learned routes are not advertised to other peers or to the controller.

Scope: Global

WAN-side Peer
  Advertisement:
  • Global scope connected subnets.
  • Global scope static routes.
  • Routes learned from a global scope LAN BGP peer.
  Learning:
  • Learned routes are considered for advertisement to global LAN-side BGP peers only.
  • Learned routes are not advertised to other WAN-side BGP peers.
  • Learned routes are not advertised to the controller.

LAN-side Peer
  Advertisement:
  • Global scope connected subnets.
  • Global scope static routes.
  • Routes learned from a global scope WAN BGP peer.
  • Routes learned from a global scope LAN BGP peer.
  Learning:
  • Learned routes are considered for advertisement to all other WAN-side BGP peers.
  • Learned routes are advertised to other global scope LAN-side BGP peers only.
  • Learned routes are advertised to the controller (that is, to remote sites).

Configure a BGP Peer


Where Can I Use This? Prisma SD-WAN
What Do I Need? Prisma SD-WAN license

A branch or a data center ION device can exchange routing information via BGP. A branch ION
device supports only classic peers, whereas a data center ION device supports core, edge, and
classic peers. Irrespective of the type of peers configured, the ION device installs the learned
routes.


STEP 1 | Configure the remote AS number and type of BGP peer.


1. Select Workflows > Devices > Claimed Devices > Configure the device > Routing >
Create Peer.
2. On the Info tab, enter a name and optionally description and tags.

3. Select the VRF. The VRF field is enabled only when the associated device supports VRF;
by default, it is Global.
4. Specify the Peer IP Address (IPv4 or IPv6). The Address Family section then shows the
route prefix type selected for this peer.
5. Enter the Remote AS Number.
The web interface displays converted values of the AS number entered. If the number
entered is an A.B format, the web interface displays the corresponding 32-bit conversion
below the entered value. If the number entered is a 32-bit format, the web interface
displays the corresponding A.B value below the entered value.
6. From the Peer Type drop-down, select Classic.

The Peer Type option is available only for data center ION devices.

When you configure a core or edge peer, the device automatically generates a route map
for the peer. You can leave the route map as is or clone and modify it for your peer.
7. (Optional) Specify the Update Source IP Address.
You need to specify the Update Source IP Address (IPv4 or IPv6) only when the peer is
reached over more than one hop (a multihop session).
8. Toggle Scope to Local or Global.
Local indicates that prefixes will not be advertised.
9. Select the Shutdown check box if you do not need to use the created peer.
The Shutdown check box is deselected by default.
10. Select Route Prefix Type, IPv4, or IPv6, or IPv4 & IPv6. By default, IPv4 is selected.

STEP 2 | On the Route Maps tab, select a route map from the Route Map In and Route Map Out
drop-downs to filter incoming or outgoing routes.


STEP 3 | Configure overrides for global options or inherit device global configuration.
1. On the Advanced Options tab, select Yes to inherit device global configuration or select
No to configure global configuration overrides.
2. Configure overrides for global options.
• (Optional) Keepalive Time—Enter a keep-alive time between 3 - 60 seconds. If you
have configured a BGP peer, the device uses the value specified in the BGP peer
configuration. If you do not configure a BGP peer or do not specify a value in the BGP
global configuration, the keep-alive time defaults to 30 seconds.
• (Optional) Hold Time—Enter a hold time between 3 - 600 seconds. The hold time
needs to be three times greater than the keep-alive time. If you have configured
a BGP peer, the device uses the value specified in the BGP peer configuration. If
you have not configured a BGP peer, the device uses the value from the BGP global
configuration. If you do not configure a BGP peer or do not specify a value in the BGP
global configuration, the Hold Time defaults to 90 seconds.
• (Optional) Advertise Interval— Enter an advertisement interval between 0 - 600
seconds. The default is 1 second.
• (Optional) Peer Retry Time—Enter a peer retry time between 0 - 65535 seconds. The
default is 120 seconds.
• (Optional) Multihop Limit—Enter a multi-hop limit between 1 - 255 hops. The default
is 1 hop.
• (Optional) MD5 Secret—Enter a password of 1 - 32 characters. The default is 0, meaning
no MD5 secret. The MD5 secret is applied to the messages exchanged with this peer and
must match the secret configured on the peer.
• (Optional) Local AS Number—Enter a number between 1 and 4294967295 (asplain) or in
A.B (asdot) notation, where A and B are each 16-bit values (0 - 65535). The web interface
also displays the entered AS number in the other notation below the entered value: an
A.B value is shown as its 32-bit equivalent, and a 32-bit value as its A.B equivalent.

STEP 4 | Review the BGP peer configuration.


The Summary tab displays the BGP peer configuration. Make changes if needed and Save &
Exit.

Configure a Route Map


Where Can I Use This? Prisma SD-WAN
What Do I Need? Prisma SD-WAN license

You can optionally configure a route map to filter and modify routes. Associate the route map
with a BGP peer to filter that peer's routes. You can configure multiple route maps, but you can
apply only one route map in each direction on a peer. If the filtering needs are identical, you can
use the same route map for inbound and outbound routes.
The branch ION device filters received routes based on the route map. Filters may match on
a prefix list, an AS path list, or a community list. For example, a peer may advertise 1000
routes of which only 20 are of interest; you can apply match conditions so that the ION device
accepts only those 20 routes.
Route maps are auto-generated for core and edge peers. You must create route maps for a
classic peer in a branch or a data center. Using match and set criteria with permit and deny
clauses, the ION device accepts, modifies, or rejects the routes that are advertised.

STEP 1 | Select Workflows > Devices > Claimed Devices > Configure the device > Routing > BGP/Peers > Route Maps.

STEP 2 | Select Create Route Map to create a new route map.

STEP 3 | On the Info screen, enter a name and optionally enter a description and tags for the route
map.

STEP 4 | (Optional) On the Entries screen, click Add an Entry to add entries to a route map.

You must create two route map entries using the continue option to filter IPv4 and
IPv6 routes for the same peer, as we support a single route map per peer.

You can either configure IPv4 or IPv6 prefix, not both.

1. Enter an order number from 1 to 65535 to define the order in which this route map will
be used.

Order numbers from 99 to 103 are reserved for auto-generated route maps; hence,
enter an order number outside 99-103 to define the order in which this route
map will be used.
2. Select Permit to allow routes to be advertised or Deny to block the routes from being
advertised.
3. (Optional) Select Continue to use the rule that the route matches.
For example, if a route matches order #10, go to the rule with order #10.
4. (Optional) For Match, choose from the Prefix List, IP Community List, AS Path List, or IP
Next Hop.

If you have a match criteria for a route map with a set IP-next-hop peer address
that needs to be present for both IPv4 and IPv6 prefixes, you must add one more
entry with a continue option, and IP-next-hop set as the IPv6 peer address for
IPv6 filtering to work.
5. (Optional) For Set, enter values for AS Path Prepend, Weight, Local Preference,
Community, and Additive Community.

Where you want to create a customized or autogenerated route map with a set
clause as peer-address, you must set peer-address and ipv6-peer-address (with
continue entry for both) based on the address-family.
6. (Optional) For IP Next Hop, select peer-address, or IPv6-peer-address, or enter an IPv4
or IPv6 address of the next hop.

STEP 5 | Click Create to create the route map.

Redistribute
Route redistribution is the process of making learned routes from one routing protocol (or a static
or connected route) available to a different routing protocol, thereby increasing the accessibility
of network traffic. Without route redistribution, a router or virtual router advertises and shares
routes only with other routers that run the same routing protocol. You can redistribute IPv4 BGP,
connected, or static routes into OSPF and redistribute OSPF, connected, or static routes into
BGP.

Configure a Prefix List


Where Can I Use This? | What Do I Need?
• Prisma SD-WAN | Active Prisma SD-WAN license

Use prefix lists to filter routes based on prefixes. By defining an order number and IP prefixes,
a branch or a data center ION device can permit or deny routes. The dynamic, auto-generated
prefix list is based on what the ION device advertises. Prefixes can be split or non-split.
STEP 1 | Select Workflows > Prisma SD-WAN Setup > Devices > Claimed Devices > Select a device > Routing > BGP/Peers > Prefix Lists > Create Prefix List.

STEP 2 | On the Info screen, enter a name, optional description, and tags for the prefix list.

STEP 3 | On the Entries screen, enter an Order number, IP Prefix, and then select Permit or Deny.

STEP 4 | Click Save & Exit.

Configure an AS Path List


Where Can I Use This? | What Do I Need?
• Prisma SD-WAN | Active Prisma SD-WAN license

Use AS Path Lists to filter route maps based on the AS path. A branch or data center ION device
permits or denies routes based on the order number and AS path regex expressions.
STEP 1 | Select Workflows > Devices > Claimed Devices > Configure the device > Routing > BGP/Peers > AS Path Lists > Create AS Path List.

STEP 2 | On the Info screen, enter a name, optional description, and tags for the AS path list.

STEP 3 | On the Regexes screen, enter an Order, AS Path Regex expression, and then select Permit or Deny.

STEP 4 | Click Save & Exit.

Configure an IP Community List


Where Can I Use This? | What Do I Need?
• Prisma SD-WAN | Active Prisma SD-WAN license

Use IP community lists to filter route maps based on community settings. Based on the
community string, a branch or data center ION device permits or denies routes.
STEP 1 | Select Workflows > Devices > Claimed Devices > Configure the device > Routing > BGP/Peers > IP Community Lists > Create IP Community List.

STEP 2 | On the Info screen, enter a name, optional description, and tags for the IP Community list.

STEP 3 | On the Entries screen, specify a Community String and then select Permit or Deny.

STEP 4 | Click Save & Exit.
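To make the permit/deny, match, set, and Continue semantics of the route map, prefix list, AS path list, and IP community list sections above concrete, here is an added Python model (not Prisma SD-WAN code) that evaluates a route map built from those objects against constructed sample routes. Exact-prefix matching, first-match-wins list evaluation, and an implicit deny for routes that no entry permits are assumptions chosen to mirror common BGP route-map behavior.

```python
# Model of the route map, prefix list, AS path list and IP community list objects described
# above (added illustration, not Prisma SD-WAN code). Assumed: exact-prefix matching,
# first-match-wins lists, and an implicit deny for routes that no entry permits.
import ipaddress
import re
from dataclasses import dataclass, field, replace
from typing import Optional

RESERVED_ORDERS = range(99, 104)   # 99-103 are reserved for auto-generated route maps

@dataclass
class Route:
    prefix: str
    as_path: list                                  # AS numbers, nearest neighbor first
    next_hop: str
    communities: set = field(default_factory=set)
    local_pref: int = 100
    weight: int = 0

@dataclass
class ListEntry:                                   # one line of a prefix, AS path or community list
    order: int
    value: str                                     # IP prefix, AS path regex or community string
    action: str                                    # "permit" or "deny"

@dataclass
class MapEntry:
    order: int
    action: str                                    # Permit or Deny
    prefix_list: Optional[list] = None             # Match clauses; None means no condition
    as_path_list: Optional[list] = None
    community_list: Optional[list] = None
    set_as_path_prepend: list = field(default_factory=list)    # Set clauses
    set_weight: Optional[int] = None
    set_local_pref: Optional[int] = None
    set_additive_community: set = field(default_factory=set)
    continue_to: Optional[int] = None              # Continue: resume at this order number

def _list_permits(entries, pred):
    for e in sorted(entries, key=lambda x: x.order):   # first matching entry decides
        if pred(e.value):
            return e.action == "permit"
    return False                                   # nothing matched: not permitted

def _matches(e, r):
    net = ipaddress.ip_network(r.prefix)
    path = " ".join(str(asn) for asn in r.as_path)
    clauses = [
        (e.prefix_list, lambda v: ipaddress.ip_network(v) == net),
        (e.as_path_list, lambda v: re.search(v, path) is not None),
        (e.community_list, lambda v: v in r.communities),
    ]   # every configured clause must hold; an entry with no clause matches every route
    return all(_list_permits(lst, pred) for lst, pred in clauses if lst is not None)

def _apply_set(e, r):
    r = replace(r, as_path=list(e.set_as_path_prepend) + r.as_path,
                communities=r.communities | set(e.set_additive_community))
    if e.set_weight is not None:
        r.weight = e.set_weight
    if e.set_local_pref is not None:
        r.local_pref = e.set_local_pref
    return r

def apply_route_map(entries, route):
    """Return the route as the ION device would accept it, or None if it is filtered."""
    for e in entries:
        if not 1 <= e.order <= 65535 or e.order in RESERVED_ORDERS:
            raise ValueError(f"order {e.order} must be 1-65535 and outside 99-103")
    ordered = sorted(entries, key=lambda x: x.order)
    i, permitted = 0, False
    while i < len(ordered):
        e = ordered[i]
        if not _matches(e, route):
            i += 1
            continue
        if e.action == "deny":
            return None
        route, permitted = _apply_set(e, route), True
        if e.continue_to is None:
            return route
        # Continue: resume at the first later entry whose order number reaches the target
        i = next((k for k, x in enumerate(ordered) if k > i and x.order >= e.continue_to), len(ordered))
    return route if permitted else None            # no entry permitted it: implicit deny

def demo_results():
    """Constructed sample: trim a peer's advertisements down to the routes of interest."""
    route_map = [
        MapEntry(5, "deny", community_list=[ListEntry(10, "65010:666", "permit")]),
        MapEntry(10, "permit", prefix_list=[ListEntry(10, "10.20.0.0/16", "permit")], set_local_pref=200, continue_to=20),
        MapEntry(20, "permit", as_path_list=[ListEntry(10, r"^65010( |$)", "permit")], set_weight=500),
    ]
    received = [
        Route("10.20.0.0/16", [65010, 65100], "198.51.100.1"),
        Route("10.30.0.0/16", [65010], "198.51.100.1", {"65010:666"}),
        Route("192.0.2.0/24", [65010], "198.51.100.1"),
        Route("10.40.0.0/16", [65020], "198.51.100.2"),
    ]
    out = {r.prefix: apply_route_map(route_map, r) for r in received}
    return {p: None if o is None else (o.local_pref, o.weight) for p, o in out.items()}
```

Note that entry 20 matches on AS path alone, so 192.0.2.0/24 is accepted even though it is not in the prefix list; a final entry that should only modify already-permitted routes needs its own match clause.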

View Routing Status and Statistics


Where Can I Use This? | What Do I Need?
• Prisma SD-WAN | Active Prisma SD-WAN license

You can view routing status and statistics for an ION device.
STEP 1 | Select Workflows > Devices > Claimed Devices > Configure the device > Routing > BGP/Peers.

STEP 2 | View routing status by clicking the ellipsis menu for a BGP peer and selecting Status.
The peer status is displayed, including the IP address of the peer, State, Uptime, and Downtime.

STEP 3 | View peer statistics by clicking the ellipsis menu for a BGP peer and selecting Statistics.
Packet statistics are displayed, including the type of packet and the number of packets sent and
received. Other statistics such as prefixes accepted, connections dropped, and connections
established are also displayed.

STEP 4 | View received prefixes by clicking the ellipsis menu for a BGP peer and selecting Received
Prefixes.
Reachable prefixes for a peer along with Network, AS Path, and Next Hop details are
displayed.

STEP 5 | View advertised prefixes by clicking the ellipsis menu for a BGP peer and selecting
Advertised Prefixes.

STEP 6 | View discovered prefixes by clicking the ellipsis menu for a BGP peer and selecting
Discovered Prefixes.

STEP 7 | Reset a peer.


1. Click the ellipsis menu for a BGP peer and select Reset.
2. Choose the type of reset needed—Hard Reset or Soft Reset.
A hard reset will tear down the TCP session to the peer and remove all route table
entries learned from that peer and force a new TCP session to be re-established.
A soft reset will update BGP routing tables without tearing down the TCP session.

The Reset option is not valid for classic peers.

Prisma SD-WAN Multicast Routing


Where Can I Use This? | What Do I Need?
• Prisma SD-WAN | Active Prisma SD-WAN license

IP multicast is a set of protocols that network appliances use to send multicast IP datagrams to a
group of interested receivers using one transmission rather than unicasting the traffic to multiple
receivers, thereby saving bandwidth. IP multicast is suitable for communication from one source
(or many sources) to many receivers, such as audio or video streaming, IPTV, video conferencing,
and distribution of other communication, such as news and financial data. A multicast address
identifies a group of receivers that want to receive the traffic going to that address. You should
not use the multicast addresses reserved for special uses, such as the range 224.0.0.0 through
224.0.0.255 or 239.0.0.0 through 239.255.255.255. Multicast traffic uses UDP, which does not
resend missed packets.
Starting with Release 6.0.1, Prisma SD-WAN ION devices support multicast over WAN and LAN.
A branch site supports LAN multicast senders and receivers, although it can only receive WAN
multicast traffic. A data center site transmits multicast traffic to connected branch sites over
VPNs that are established over WAN underlay interfaces. A data center site does not support
receivers connected to it.
For device software versions greater than or equal to 6.2.1:
• A data center site supports a maximum of 400 branch sites for multicast traffic.
• For a specific multicast group, a data center site supports a maximum of 400 branch sites
subscribing to that multicast group.
For device software versions between 6.0.1 and 6.2.1:
• A data center site supports a maximum of 250 branch sites.
• For a specific multicast group, a data center site supports a maximum of 64 branch sites
subscribing to that multicast group.

For Release 6.0.1, Prisma SD-WAN supports WAN multicast on VPN over public only.
Ensure that you have modified the cost of your LTE circuit so as to avoid receiving
multicast traffic on your LTE/Metered circuit.

Data center ION devices running software versions lower than 6.0.1 do not support multicast.
Use the following table to view the multicast support per device type and software version.

ION Device Software Version | Type of Site | Type of Multicast Supported
Lower than 6.0.x but higher than or equal to 5.6.1 | Branch Site | Supports multicast on LAN interfaces only.
Lower than 6.0.x | Data Center Site | Does not support multicast.
6.0.1 and higher | Branch Site | Supports multicast on LAN and Prisma SD-WAN VPN (public only) interfaces.
6.0.1 and higher | Data Center Site | Receives multicast from peers and transmits to branch sites over Prisma SD-WAN VPN (public only).
6.1.1 and higher | Data Center Site | Receives multicast from peers and branch sites and transmits to branch sites over public and private Prisma SD-WAN VPNs.

Interfaces Supporting LAN and WAN Multicast


A branch ION device supports multicast on a maximum of 30 PIM interfaces, including VLAN sub-
interfaces. Multicast is not supported with secondary addresses on an interface; that is, only the
primary address is considered and secondary addresses are not sent in a PIM HELLO packet to a
neighbor.

ION Device | Type of Interface/Used For | Multicast Support | Can Multicast be configured on the Interface?
Branch Site | Port (LAN) | Yes (Transmit + Receive) | Yes
Branch Site | Sub-interface (VLAN) | Yes (Transmit + Receive) | Yes
Branch Site | Port (WAN) | Yes (Receive only over Prisma SD-WAN VPN (public only)) | No (Only global configuration is possible)
Branch Site/Data Center Site | Virtual Interface | No | No
Branch Site | Secondary IP address on an interface | No | No
Data Center Site | Port (Peer with a Network for Use This Port For) | Yes, only if a Private WAN circuit label is not attached. Can receive multicast traffic from peers and transmit to branch sites over public and private Prisma SD-WAN VPNs. | With a Private WAN circuit label attached: you cannot configure an interface for multicast if you have assigned a Private WAN circuit label. Without a Private WAN circuit label: you can configure an interface, but this interface can only source multicast traffic from an upstream multicast router.
Data Center Site | Port (Use This Port For: Public) | No. Can receive multicast traffic from peers and transmit to branch sites over public and private Prisma SD-WAN VPNs. | No

You can enable LAN interfaces on the ION device for multicast only if you:
• Enable L3 Direct Private WAN Forwarding on the branch ION device.
• Enable L3 LAN Forwarding on the branch ION device.

Starting with Release 6.1.1, Prisma SD-WAN supports Branch Side Source (BSS) multicast. This
allows receivers at a branch site to receive multicast traffic from another branch site over the
WAN. The receiver at a branch site sends a Join request for the BSS groups to the data center
site. The data center site then forwards this Join request to the transmitting branch site. Multicast
traffic is replicated to the branch sites only via the corresponding data center sites.

In order to configure LAN multicast routing, you need to configure a Rendezvous Point (RP) and
enable multicast on at least one layer 3 LAN interface in the network.
In order to configure WAN multicast routing, you have to create a WAN multicast configuration
profile and associate it with a branch site. You have to enable multicast on the data center ION
device. You can either create a static RP or learn RPs dynamically.
To receive multicast traffic from a sourcing branch site:
• Enable Receive traffic from branch side sources in the WAN multicast configuration profile.
• Configure the source address and multicast group details in the sender branch site’s
configuration details.
Use the following links to configure multicast.
• Enable multicast on interfaces.
• Configure global multicast parameters.
• For WAN multicast, create a WAN multicast configuration profile.
• For WAN multicast, associate a WAN multicast configuration profile with a branch site.
• Configure a multicast static Rendezvous Point (RP).
• Learn Rendezvous Points (RPs) Dynamically
• (Optional) View multicast interface statistics.
• (Optional) View Routing Statistics

Configure Multicast
Where Can I Use This? | What Do I Need?
• Prisma SD-WAN | Active Prisma SD-WAN license

Prisma SD-WAN extends the capabilities of the Layer 3 LAN interface to include multicast.
Multicasting is a well-known one-to-many or many-to-many distributed form of network
communication. It allows the sender to send a single copy of each data packet as a stream and
distribute those packets only to the hosts interested in receiving that traffic.
Configure LAN multicast on branch site devices running versions 5.6.1 or higher but lower
than 6.0.1. Configure LAN and/or WAN multicast on devices running 6.0.1 or later versions.

• Configure multicast on branch ION devices.
• Configure multicast on data center ION devices.

Configure multicast on branch ION devices.


1. Select Workflows > Devices > Claimed Devices > Configure the device.
2. On the Basic Info screen, toggle Yes for Enable L3 Direct Private WAN Forwarding and
Enable L3 LAN Forwarding then Save.
3. Select the Interfaces tab.
4. Select a port that connects to LAN.
5. Select Yes for Admin Up.
6. (Optional) Enter a Description and add Tags.
7. Select Port as the Interface type.
8. For Use This Port For, select LAN.
9. Toggle Scope as either Global or Local.
10. Select IPv4 Configuration as either DHCP or Static.
11. (Optional) In Advanced Options, select Yes for MULTICAST and select an IGMP
VERSION from the list.
With Internet Group Management Protocol (IGMP), routers regularly send queries
to determine which groups are active or inactive on the attached LAN segment.

Prisma SD-WAN ION devices support only IGMPv2 and IGMPv3 receivers.

12. (Optional) Enter a value for the Interface DR Priority.


You can enter a value for Interface DR Priority at the interface level to override the
device DR Priority. The default value of Interface DR Priority is 1 which indicates that
the ION device has an equal chance of being elected as the Designated Router (DR).
Increase the value to increase the possibility of the ION device being elected as a DR.

You can configure Interface DR Priority for devices running software versions
6.0.1 or higher.
13. (Optional) For IGMP Static Joins, enter the multicast stream source IP address and the
multicast group address.

You can configure IGMP Static Joins for devices running software versions 6.0.1
or higher.
14. Save Port.

Configure multicast on data center ION devices.


1. Select Workflows > Devices > Claimed Devices > Configure the device.
2. Select the Interfaces tab.
3. Select Port as the Interface type.
4. Select Peer with a Network for Use this Port For.
5. Expand Advanced Options.
6. Select Yes for Multicast.
7. (Optional) Enter a value for the Interface DR Priority.
You can enter a value for Interface DR Priority at the interface level to override the
device DR Priority. The default value of Interface DR Priority is 1 which indicates that
the ION device has an equal chance of being elected as the Designated Router (DR).
Increase the value to increase the possibility of the ION device being elected as a DR.
8. Click Save Port.
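The DR Priority settings in the two procedures above decide which router on a shared segment becomes the PIM Designated Router. As an added example that is not part of the guide, the following Python implements the election as RFC 4601 specifies it, including the interface-level override of the device DR Priority; every router name and address is constructed.

```python
# PIM designated router (DR) election on one LAN segment, following the RFC 4601 rules that
# the DR Priority parameters above feed. Added illustration, not Prisma SD-WAN code; every
# router name and address below is constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional

DEFAULT_DR_PRIORITY = 1   # the default: every router has an equal chance of being elected

@dataclass(frozen=True)
class PimNeighbor:
    name: str
    address: str
    dr_priority: Optional[int] = DEFAULT_DR_PRIORITY   # None: Hello carried no DR Priority option

def effective_dr_priority(device_priority, interface_priority=None):
    """Interface DR Priority, when set, overrides the device-level DR Priority."""
    return device_priority if interface_priority is None else interface_priority

def elect_dr(neighbors):
    """Return the name of the DR among all routers heard on the segment (self included).

    RFC 4601 section 4.3.2: if every neighbor advertised a DR Priority, the highest
    priority wins and the highest IP address breaks ties; if any neighbor omitted the
    option, priority is ignored and the highest address alone decides.
    """
    if not neighbors:
        raise ValueError("no PIM neighbors on the segment")
    use_priority = all(n.dr_priority is not None for n in neighbors)

    def rank(n):
        prio = n.dr_priority if use_priority else 0
        return (prio, int(ipaddress.ip_address(n.address)))

    return max(neighbors, key=rank).name

def demo_elections():
    """Constructed segment: a branch ION device shares a LAN with two other PIM routers."""
    ion = PimNeighbor("ion-branch", "10.1.1.1")
    r1 = PimNeighbor("rtr-a", "10.1.1.2")
    r2 = PimNeighbor("rtr-b", "10.1.1.254")
    equal = elect_dr([ion, r1, r2])                       # all at priority 1: highest address wins
    raised = elect_dr([PimNeighbor("ion-branch", "10.1.1.1",
                                   effective_dr_priority(1, interface_priority=10)), r1, r2])
    legacy = elect_dr([PimNeighbor("ion-branch", "10.1.1.1", 10), r1,
                       PimNeighbor("rtr-b", "10.1.1.254", None)])   # rtr-b sent no priority option
    return equal, raised, legacy
```

The third case shows why raising the ION device's priority alone is not enough: one neighbor that does not advertise the option drops the whole segment back to address-only election.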

Create a WAN Multicast Configuration Profile


Where Can I Use This? | What Do I Need?
• Prisma SD-WAN | Active Prisma SD-WAN license

Create a global WAN multicast configuration profile. Specify the data center site which will be the
source for the multicast traffic.
STEP 1 | Select Manage > Resources > Configuration Profiles > Multicast > Create Peer Group
Profile.

STEP 2 | Enter a Name for the multicast profile.

STEP 3 | (Optional) Enter Tags and Description.

STEP 4 | For Source Site Selection, select a data center site as the multicast source from the list of
sites.

You can view data center sites having devices with a software version 6.0.1 or later by
clicking the View sites with device software version 6.0.1 or newer check box.

STEP 5 | (Optional) Select Receive traffic from branch side sources to receive multicast traffic from
another branch site.
This option is available only for sites using device versions 6.1.1 or later.

A branch site can receive multicast traffic sourced by another branch site only through
a connected data center site. Prisma SD-WAN does not support direct branch-to-
branch VPNs for multicast traffic.

STEP 6 | Click Save.

STEP 7 | (Optional) View the multicast profiles associated with a data center site by selecting Manage
or Monitor, then Sites > Select a Data Center Site > Configurations > WAN.

Assign WAN Multicast Configuration Profiles to Branch Sites


Where Can I Use This? | What Do I Need?
• Prisma SD-WAN | Active Prisma SD-WAN license

Associate a WAN multicast profile with a branch site to specify the source for multicast traffic.
STEP 1 | Select Workflows > Sites.

STEP 2 | Select a site and click Configurations.

STEP 3 | Select a profile from the WAN Multicast drop-down.


(Optional) Select No profile (multicast disabled) if you want to disable multicast for the site.

Configure a Multicast Source at a Branch Site


Where Can I Use This? | What Do I Need?
• Prisma SD-WAN | Active Prisma SD-WAN license

Configure a source for multicast traffic at a branch site.


STEP 1 | Select Workflows > Sites > Select a Site > WAN Multicast Configurations.

STEP 2 | On the Site Multicast Configuration screen, click Add Entry.


You can add a maximum of 64 entries.

STEP 3 | Enter the Multicast Group Prefix.


These are the multicast group prefixes for which the site sources multicast traffic.

STEP 4 | Enter the Source Address for multicast traffic.


This is the address which sources the multicast traffic.

STEP 5 | Click Save.

Configure Global Multicast Parameters


Where Can I Use This? | What Do I Need?
• Prisma SD-WAN | Active Prisma SD-WAN license

Configure global multicast parameters after you enable multicast for a Layer 3 LAN interface on a
branch ION device or a WAN interface on a data center ION device.
• Configure global multicast parameters for a branch ION device.
• Configure global multicast parameters for a data center ION device.

Configure global multicast parameters for a branch ION device.


Configure global multicast parameters on your branch ION device after you enable multicast
for a Layer 3 LAN interface on a branch ION device.
1. Select Workflows > Devices > Claimed Devices > Configure the device > Routing >
Multicast > Global Configuration.

You can view the Multicast tab only after you enable multicast for a Layer 3
LAN interface.
2. Select SPT Switchover to enable Shortest Path Tree (SPT) switchover.
SPT Switchover is enabled by default. This indicates that once the first multicast packet
is received, that is, when the receiver receives the source address, the Designated
Router (DR) at the receiver’s end and the Rendezvous Point (RP) choose the optimal path
to relay information from the source to the receiver.

It is a good practice to always enable SPT.

You can edit the global multicast parameters only for devices running software versions
6.0.1 or later.
ION devices running software versions lower than 6.0.1

ION devices running software versions 6.0.1 or higher

The descriptions for the global multicast parameters are based on the PIM-SM
specification outlined in RFC 4601 (https://datatracker.ietf.org/doc/html/rfc4601).

The multicast parameters are read-only for devices running versions lower than
6.0.1.

Field | Description | Default Value
SPT Switchover | Select to enable shortest path tree (SPT) switchover. This indicates that once the first multicast packet is received, i.e. the source address is received by the receiver, the DR at the receiver’s end and the RP choose the optimal path to relay information from the source to the receiver. | Enabled
Enable BSM | Select to enable receiving and forwarding of BSM on multicast enabled interfaces. BSM is a protocol by which the device learns RPs dynamically. Available only for ION devices running software versions 6.0.1 or later. |
DR Priority | Indicates the probability of a PIM interface being elected as a Designated Router (DR). For Static RP, the DR Priority advertised in a PIM Hello is 1. | 1
PIM Hello Interval | Indicates the time interval between two PIM Hello packets. | 30 s
PIM Hello Hold Time | Indicates the time interval for which a neighbor should wait for a Hello message from a sender neighbor before pruning the neighbor. | 105 s
PIM Join/Prune Interval | Indicates the time interval between two Join/Prune messages sent to a neighbor. | 60 s
PIM Join/Hold Interval | Indicates the time interval for which a receiver should wait for the next Join/Prune message from the neighbor before pruning the neighbor. | 210 s
PIM Triggered Hello Delay | Indicates the value of the Hello timer for delay between triggered Hello messages. Available only for ION devices running software versions earlier than 6.0.1. | 4 s
PIM TTL Threshold | Packets with a lower TTL than the PIM TTL Threshold are discarded. Available only for ION devices running software versions earlier than 6.0.1. | 1
PIM SPT Threshold | Indicates the cut-over time from Rendezvous Point Tree (RPT) to SPT. Available only for ION devices running software versions earlier than 6.0.1. | 100 s
IGMP Query Interval | Indicates the time interval between successive IGMP queries. | 125 s
IGMP Query Response Interval | Indicates the maximum response time advertised in the IGMP query. | 10 s
IGMP Last Member Query Count | Indicates the number of times the ION device sent IGMP queries to the last known active host on the subnet. | 3
IGMP Last Member Query Response Interval | Indicates the time interval for the ION device to respond to the IGMP query from the last known active host on the subnet. | 1 s
IGMP Querier Timeout | Indicates the timeout interval to wait before becoming a Querier. Available only for ION devices running software versions earlier than 6.0.1. | 380 s
IGMP Query Max Response Time | Indicates the maximum response time to the IGMP query. Available only for ION devices running software versions 6.0.1 or later. | 100 s
Multicast Site Profile | Displays the multicast site profile associated with the branch site. (Optional) Click Edit in Site Summary Configuration to change the associated multicast site profile. |

Configure global multicast parameters for a data center ION device.


Configure global multicast parameters on your data center ION device after you enable
multicast for a WAN interface on a data center ION device. You can configure multicast for
data center ION devices running software versions 6.0.1 or later only.
1. Select Workflows > Devices > Claimed Devices > Configure the device > Routing >
Multicast > Global Configuration.

Field | Description | Default Value
SPT Switchover | Select to enable shortest path tree (SPT) switchover. This indicates that once the first multicast packet is received, i.e. the source address is received by the receiver, the DR at the receiver’s end and the RP choose the optimal path to relay information from the source to the receiver. | Enabled
Enable BSM | Select to enable receiving and forwarding of BSM on multicast enabled interfaces. BSM is a protocol by which the device learns RPs dynamically. |
DR Priority | Indicates the probability of a PIM interface being elected as a Designated Router (DR). For Static RP, the DR Priority advertised in a PIM Hello is 1. | 1
PIM Hello Interval | Indicates the time interval between two PIM Hello packets. | 30 s
PIM Hello Hold Time | Indicates the time interval for which a neighbor should wait for a Hello message from a sender neighbor before pruning the neighbor. | 105 s
PIM Join/Prune Interval | Indicates the time interval between two Join/Prune messages sent to a neighbor. | 60 s
WAN multicast peer group profiles | Displays the multicast site profiles created with the data center site as the multicast source. (Optional) Click View in Site Summary Configuration to change the associated multicast site profile. |

Configure a Multicast Static Rendezvous Point (RP)


Where Can I Use This? | What Do I Need?
• Prisma SD-WAN | Active Prisma SD-WAN license

A Rendezvous Point (RP) is a multicast-enabled device or node in the network that serves as a
meeting point for multicast traffic in the network. An RP receives multicast traffic from a source
and forwards the traffic to receivers interested in receiving the multicast traffic.
Prisma SD-WAN supports static RP addressing, wherein you must configure the same RP address
for all the routers in the multicast network. The ION device can act as an RP or there can be an
external RP. Prisma SD-WAN supports a maximum of 8 Static RPs and 240 groups. The groups
must be unique among the RPs, that is, you cannot configure two RPs which support the same
group.
Prisma SD-WAN does not support Auto RP and BSR protocols for dynamic RP advertisement.
STEP 1 | Select Workflows > Devices > Claimed Devices > Configure the device > Routing > Multicast > RP Configuration.

STEP 2 | Click Create Static RP.

STEP 3 | Enter a Name for the RP.

STEP 4 | Enter an RP Address.

This address must be consistent across all routers in the multicast network.

STEP 5 | (Optional) Enter a description and tags.

STEP 6 | (Optional) For Group Addresses, enter a group name and a multicast address for the group.
This is a list of multicast group addresses that the RP serves.
(Optional) Click Add Entry to create additional multicast groups and group addresses. You can
enter a maximum of 240 group addresses.

STEP 7 | Click Save.


Click View All for an RP to view the group addresses configured for the RP.

Learn Rendezvous Points (RPs) Dynamically


Where Can I Use This? | What Do I Need?
• Prisma SD-WAN | Active Prisma SD-WAN license

Enable BSM for the ION device to learn RPs dynamically. Use this feature for ION devices running
software versions 6.0.1 or higher.
STEP 1 | Select Workflows > Devices > Claimed Devices > Configure the device > Routing > Multicast > Global Configuration.

STEP 2 | Select Enable BSM.

Ensure that the RP and the multicast source are reachable via specific routes (learned
via static or dynamic routes) as they cannot be resolved using default routes.

STEP 3 | (Optional) Select Multicast > RP Configuration to check the RP addresses.

A static RP configured on a branch site takes precedence over a static RP configured at
a data center site.

Field | Description
RP Address | Displays the IP address of the static RP or the dynamically learnt RP.
Type | BSR: Indicates that the RP is learnt dynamically via BSM. Static: Indicates that the RP is configured statically.
Name | Displays the name given to a static RP. This field will be blank for a dynamically learnt RP.
Address | Displays the multicast group IP addresses to which the RP caters.

View LAN Statistics for Multicast


Where Can I Use This? | What Do I Need?
• Prisma SD-WAN | Active Prisma SD-WAN license

View LAN multicast statistics for interfaces with multicast enabled.


STEP 1 | Select Manage > Setup > Devices > Claimed Devices > Configure the device > Routing > Multicast > LAN Statistics.

STEP 2 | Select an interface to view the neighbor information for the interface.
The neighbor information table displays information about the PIM neighbors discovered by
the ION device for an interface across all multicast enabled interfaces in the network.

Field | Description
Port Number | Displays the neighbor information for the selected interface.
State | Displays the state of the selected interface: up or down.
Address | Displays the address of the selected interface.
PIM Neighbor | Displays a PIM neighbor’s IP address.
DR | Indicates if the neighbor is a designated router.
DR Priority | Indicates the priority associated with the interface on the device for DR election.
Uptime | Indicates the time for which the neighbor has been up.
Expires | Indicates the time remaining before a neighbor is timed out and the next PIM Hello message is received.

STEP 3 | Click Statistics to view detailed multicast traffic, IGMP, and PIM statistics for the interface.
The descriptions for the fields are based on descriptions outlined in RFC 2362
(https://www.rfc-editor.org/rfc/rfc2362.html) and RFC 2236
(https://datatracker.ietf.org/doc/html/rfc2236).
Multicast Traffic Statistics

Field | Description
RX PKTS | Indicates the number of multicast traffic packets received at the interface.
RX BYTES | Indicates the volume of multicast traffic received in bytes at the interface.
TX PKTS | Indicates the number of multicast traffic packets transmitted from the interface.
TX BYTES | Indicates the volume of multicast traffic sent in bytes at the interface.

PIM Statistics

Message Type (MSG TYPE) | Description | Received Packets (RX PKTS) | Transmitted Packets (TX PKTS)
Hello | Periodic messages sent between PIM neighbors aid in discovery of neighbors and maintaining the relationship with neighbors. | Displays the packets received for a PIM Hello message. | Displays the packets sent for a PIM Hello message.
Register | A DR sends a message to an RP indicating interest in receiving multicast traffic meant for a group. | Displays the packets received for a PIM Register message. | Displays the packets sent for a PIM Register message.
Register Stop | The ION device acting as an RP indicates to the DR when any of the following conditions is met: there are no active listeners, so receivers have stopped requesting multicast information from the RP; the RP stops serving a multicast group; or multicast traffic has switched from a Rendezvous Point Tree (RPT) to the Shortest Path Tree (SPT). | Displays the packets received for a PIM Register Stop message. | Displays the packets sent for a PIM Register Stop message.
Join/Prune | Routers send Join/Prune messages to join a branch or prune off a branch from the multicast distribution tree. A single message contains a join list as well as a prune list. Join messages are sent by DRs (near receivers) to RPs indicating an interest in receiving multicast traffic via RPT, by DRs to the source when triggering SPT switchovers, and by RPs to the source when triggering SPT switchovers. Prune messages are sent by PIM devices to upstream devices to stop forwarding multicast traffic to the network segment in which the PIM device resides. | Displays the join and prune packets received for a PIM Join/Prune message. | Displays the join and prune packets sent for a PIM Join/Prune message.
Assert | PIM elects a single forwarding router to forward messages to avoid duplication of messages. | Displays the number of packets received for Assert messages. | Displays the number of packets transmitted for Assert messages.
BSM | PIM routers in the network communicate with each other using Bootstrap messages (BSM). | Displays the number of packets received for Bootstrap messages. | Displays the number of packets transmitted for Bootstrap messages.

IGMP Statistics
IGMP statistics indicate the number of messages exchanged between individual hosts in a LAN and multicast routers to dynamically register with or unregister from a multicast group. Routers periodically send out IGMP queries to check which multicast groups are active or inactive in their subnet. Hosts send out IGMP membership reports for a particular multicast group to indicate their interest in joining that group.

Message Type (MSG TYPE) | Description | Received Packets (RX PKTS) | Transmitted Packets (TX PKTS)
IGMP v1 Membership query | Used by IGMP v1 multicast routers to learn which multicast groups are being used by the hosts on the local network. | Displays the packets received for an IGMP v1 membership query. | Displays the packets sent in response to an IGMP v1 membership query.
IGMP v1 Membership report | Identifies this message as an IGMP v1 membership report. | Displays the packets received for an IGMP v1 membership report. | Displays the packets sent in response to an IGMP v1 membership report.
IGMP v2 Membership query | Used by IGMP v2 multicast routers to learn which multicast groups are being used by the hosts on the local network. | Displays the packets received for an IGMP v2 membership query. | Displays the packets sent in response to an IGMP v2 membership query.
IGMP v2 Membership report | Identifies this message as an IGMP v2 membership report. | Displays the packets received for an IGMP v2 membership report. | Displays the packets sent in response to an IGMP v2 membership report.
IGMP v3 Membership query | Used by IGMP v3 multicast routers to learn which multicast groups are being used by the hosts on the local network. | Displays the packets received for an IGMP v3 membership query. | Displays the packets sent in response to an IGMP v3 membership query.
IGMP v3 Membership report | Identifies this message as an IGMP v3 membership report. | Displays the packets received for an IGMP v3 membership report. | Displays the packets sent in response to an IGMP v3 membership report.
IGMP v2 Leave report | Used by IGMP v2 hosts to indicate that they are leaving the multicast group. | Displays the packets received for an IGMP v2 leave report. | Displays the packets sent in response to an IGMP v2 leave report.


View WAN Statistics for Multicast


Where Can I Use This? | What Do I Need?

• Prisma SD-WAN | Active Prisma SD-WAN license

View WAN statistics for multicast traffic between a branch site ION device and a connected
data center ION device for devices running software version 6.0.1 or higher. You can view WAN
statistics for the past hour on different links between the branch site and the data center site.
STEP 1 | Select Manage > Setup > Devices > Claimed Devices > Configure the device > Routing >
Multicast > WAN Statistics.

STEP 2 | Expand a data center site (for a branch device) or a branch site (for a data center device) to
view the WAN statistics.

Since the branch site is a multicast receiver, it will not transmit information. The
value for TX PKTS and TX BYTES is NA. Similarly, a data center site will only transmit
information.

Field | Description
State | Indicates if the neighborship is active between the data center ION device and the branch ION device.
Uptime | Indicates the time for which the neighborship is active between the data center ION device and the branch ION device.
Secure Fabric | Indicates the VPNs used for multicast traffic between the branch site and the data center site.
RX PKTS | Indicates the number of multicast traffic packets received at the device interface.
RX BYTES | Indicates the multicast traffic in terms of bytes received at the device interface.
TX PKTS | Indicates the number of multicast traffic packets transmitted from the device interface.
TX BYTES | Indicates the multicast traffic in terms of bytes transmitted from the device interface.

STEP 3 | (Optional) Click Statistics to view the detailed statistics for the interface.

You will be able to view WAN multicast statistics only after your tenant has been
migrated to the new data lake infrastructure. If you cannot view statistics, contact the
Palo Alto Networks Accounts Team.


View IGMP Membership


Where Can I Use This? | What Do I Need?

• Prisma SD-WAN | Active Prisma SD-WAN license

View the IGMP membership for your branch ION devices running software versions higher than
6.0.1.
STEP 1 | Select Manage > Devices > Claimed Devices > Configure the device > Routing > Multicast >
IGMP Membership.

STEP 2 | Expand an interface to view the IGMP membership details.

Field | Description
Port Number | Displays information about the interface on the ION device connected to hosts in the LAN network along with multicast group membership details.
Source | Displays information about the hosts in the LAN network interested in receiving information from a specific multicast group.
Group | Displays the multicast group from which hosts want to receive multicast information.
Forward | Indicates if the multicast information should be forwarded to the receiver in the LAN network.
Uptime | Displays the period for which the host has been a part of the multicast group.
Timeout | Indicates the period within which the ION device determines if there are receivers interested in receiving multicast traffic for a specific multicast group.

View the Multicast Route Table


Where Can I Use This? | What Do I Need?

• Prisma SD-WAN | Active Prisma SD-WAN license

The multicast route table entries indicate how multicast traffic is routed to hosts in the network.
You can view the multicast route table either through the device configuration or through View
Routing Statistics. View the LAN multicast route table for branch ION devices running version 5.6.1 or higher. View the WAN multicast route table for branch and data center ION devices running version 6.0.1 or higher.
• View the LAN multicast route table.
• View the WAN multicast route table.

View the LAN multicast route table.


1. Select Manage > Setup > Devices > Claimed Devices > Configure the device > Routing
> Multicast > LAN Multicast Route Table.
The field descriptions in the multicast route table are based on the PIM-SM protocol
outlined in https://datatracker.ietf.org/doc/html/rfc2362.

Field | Description
Source | Displays the source address of multicast traffic in the network.
Group | Displays the multicast group address.
RP Address | Displays the address of the Rendezvous Point (RP) in the network.
Am I RP? | Indicates if the interface or router is configured as an RP in the network. Available only for devices running versions higher than 5.6.1 but lower than 6.0.1.
Flags (for device versions lower than 6.0.1) | One or more of the following:
• RP—Indicates Join/Prune messages propagated towards a shared RP tree.
• WC—Indicates a Wild card entry (*, G).
• SPT—Indicates Join/Prune messages propagated towards a source.
• NEW—Indicates a new route entry.
• CACHE—Indicates an entry cached in the kernel.
• NULL—Indicates that information received should not be forwarded.
Flags (for device versions 6.0.1 and higher) | One or more of the following:
• S: Sparse—Indicates that PIM Sparse mode is in use.
• C: Connected—Indicates that a multicast receiver is directly connected to the branch ION device.
• P: Pruned—Indicates Join/Prune messages propagated towards a source.
• R: SGRpt Pruned—Indicates that traffic is being forwarded using the RP tree.
• F: Register Flag—Indicates the traffic is arriving and set on a (*, G).
• T: SPT-bit set—Indicates that at least one packet was received via the SPT.
Incoming Interface | Indicates the interface on which multicast traffic is received.
Outgoing Interfaces | Indicates the interfaces on which multicast traffic needs to be replicated.

View the WAN multicast route table.


1. Select Manage > Setup > Devices > Claimed Devices > Configure the device > Routing
> Multicast > WAN Multicast Route Table.
The field descriptions in the multicast route table are based on the PIM-SM protocol
outlined in https://datatracker.ietf.org/doc/html/rfc2362.

Field | Description
Source | Displays the source address of multicast traffic in the network.
Group | Displays the multicast group address.
RP Address | Displays the address of the Rendezvous Point (RP) in the network.
Flags | One or more of the following:
• S: Sparse—Indicates that PIM Sparse mode is in use.
• C: Connected—Indicates that a multicast receiver is directly connected.
• P: Pruned—Indicates Join/Prune messages propagated towards a source.
• R: SGRpt Pruned—Indicates that traffic is being forwarded using the RP tree.
• F: Register Flag—Indicates the traffic is arriving and set on a (*, G).
• T: SPT-bit set—Indicates that at least one packet was received via the SPT.
Incoming Site/Interface | Indicates the interface or the site from which multicast traffic is received.
Outgoing Sites/Interfaces | Indicates the interfaces or sites on which multicast traffic needs to be replicated.


View Multicast Flow Statistics


Where Can I Use This? | What Do I Need?

• Prisma SD-WAN | Active Prisma SD-WAN license

Prisma SD-WAN branch ION devices provide statistics for multicast traffic by detecting custom
applications configured for multicast. You must configure custom applications based on L3/L4
characteristics for multicast traffic statistics to be displayed under Activity > Flows.
You can view multicast traffic under Activity > Flows for a custom application, only if you create
the custom application for a multicast group before there is any multicast traffic for the group.
If multicast traffic is already flowing for a multicast group, and you create a custom application
for the multicast group, you have to restart the traffic flow to view the traffic for the custom
application under Activity > Flows.
Prisma SD-WAN data center ION devices do not support flow processing and application
detection.
To view multicast flow statistics:
STEP 1 | Create a global prefix filter for multicast.
1. Select Manage > Resources > Prefix Filters > Global.
2. Enter a Name, an optional Description, and an IP Prefix.

Ensure that the IP Prefix points to the multicast host route.

STEP 2 | Define a custom application based on L3/L4 characteristics.


1. Select Manage > Resources > Applications.
2. Click Add Application.
3. Add a Display Name and an Abbreviation.
4. Under Application Configuration, select Network (L3/L4).
5. Click Add a new UDP rule.
6. Add a Port Range and Prefix Filter and an optional DSCP value between 0 and 63.
7. Click Submit.

STEP 3 | View multicast flow statistics under Activity > Flows.
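As an added illustration of the custom-application mechanism the steps above describe (example code, not Prisma SD-WAN code and not the guide's own procedure), the following Python models the inputs a multicast custom application is built from (the prefix filter on the group's host route, the UDP port range, and the optional DSCP value between 0 and 63) together with the ordering caveat: a flow that was already active before the custom application existed keeps its old classification until the flow is restarted. The class and function names, the single-classification flow-cache model, and the sample addresses (239.1.1.10, 239.1.1.11, 10.1.1.20) are assumptions.

```python
"""Custom L3/L4 application matching for multicast flows (added example, not Prisma SD-WAN code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """Flow key as a branch ION flow table would see it (constructed sample)."""
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    dscp: int = 0


@dataclass(frozen=True)
class CustomApp:
    """A custom application defined purely on L3/L4 characteristics."""
    name: str
    prefix_filter: ipaddress.IPv4Network  # global prefix filter: the group's host route, e.g. 239.1.1.10/32
    port_lo: int                          # UDP port range, inclusive
    port_hi: int
    dscp: Optional[int] = None            # optional DSCP match, 0..63

    def __post_init__(self) -> None:
        # Reject definitions that could never match multicast traffic.
        if not self.prefix_filter.is_multicast:
            raise ValueError(f"{self.prefix_filter} is not a multicast prefix")
        if not 0 <= self.port_lo <= self.port_hi <= 65535:
            raise ValueError("invalid UDP port range")
        if self.dscp is not None and not 0 <= self.dscp <= 63:
            raise ValueError("DSCP must be between 0 and 63")

    def matches(self, flow: Flow) -> bool:
        return (
            flow.proto == "udp"
            and flow.dst in self.prefix_filter
            and self.port_lo <= flow.dport <= self.port_hi
            and (self.dscp is None or self.dscp == flow.dscp)
        )


class FlowTable:
    """Minimal flow cache: a flow is classified once, on its first packet (assumed model)."""

    def __init__(self) -> None:
        self.apps: list[CustomApp] = []
        self.cache: dict[Flow, str] = {}

    def add_app(self, app: CustomApp) -> None:
        self.apps.append(app)

    def see_packet(self, flow: Flow) -> str:
        """Return the application name recorded for this flow."""
        if flow not in self.cache:
            # Classification happens on the first packet only. An application
            # defined later does not re-classify a flow that is already cached,
            # which is why the guide says to restart the traffic flow.
            self.cache[flow] = next(
                (a.name for a in self.apps if a.matches(flow)), "unknown")
        return self.cache[flow]

    def restart_flow(self, flow: Flow) -> None:
        """Drop the cached entry, as stopping and restarting the stream would."""
        self.cache.pop(flow, None)


def make_app(name: str, prefix: str, lo: int, hi: int, dscp: Optional[int] = None) -> CustomApp:
    return CustomApp(name, ipaddress.IPv4Network(prefix), lo, hi, dscp)


def mcast_flow(dst: str, dport: int, dscp: int = 0, src: str = "10.1.1.20") -> Flow:
    return Flow(ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), "udp", dport, dscp)


def demo() -> dict[str, str]:
    """Walk through the ordering caveat with constructed addresses."""
    table = FlowTable()
    stream = mcast_flow("239.1.1.10", 5004)
    out = {}
    out["traffic_before_app"] = table.see_packet(stream)   # no custom app defined yet
    table.add_app(make_app("mcast-video", "239.1.1.10/32", 5000, 5010))
    out["app_added_same_flow"] = table.see_packet(stream)  # still cached as unknown
    table.restart_flow(stream)
    out["after_restart"] = table.see_packet(stream)        # now classified
    out["other_group"] = table.see_packet(mcast_flow("239.1.1.11", 5004))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the same stream reported as unknown until it is restarted after the application is defined, and a second group that no prefix filter covers staying unknown; a DSCP value on the application narrows the match further, as the optional DSCP field in step 2 does.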


View Routing Statistics


Where Can I Use This? | What Do I Need?

• Prisma SD-WAN | Active Prisma SD-WAN license

The Routing tab provides Border Gateway Protocol (BGP) peering status for an ION device at a
branch site or a data center. It includes information on BGP peer types, including classic, core, and
edge peers depending on the type of site, namely a branch or a data center.
In addition, it displays information on the BGP peering state and advertised and reachable
prefixes. While the classic and core peers display advertised and reachable prefixes, the edge peer
will display only reachable prefixes. Reachable prefixes are prefixes that the ION device learns
from the peer, whereas advertised prefixes are prefixes that the ION device advertises to the
classic and core peers.
You may filter individual routes or prefixes from received and advertised prefixes along with
network, Autonomous System (AS) path, and next-hop information. From advertised, reachable, or
discoverable prefixes, you can search for specific routes or prefixes.
Use routing to troubleshoot BGP connections and check if routes are learned from or advertised
to the BGP peers. For example, you can verify whether a peer is connected by checking the peer's
BGP state. If the peer is not connected, the State field provides information on the peer's
status, dropped connections, duration of BGP peer uptime and downtime, and notifications. If any
prefix is not reachable, check whether the route is learned from the WAN edge or is advertised to
the core or classic peer.
To view the routing statistics, navigate to Monitor > Activity > Routing and select a site by
searching its Name, Address, Admin State, or Site Type. The routing information for the selected
site is then displayed.
BGP
The routing information for the selected site displays the following:
• Device—ION device name. Click to view the routing configuration of the device.
• Peer IP—IP address of the BGP peer (WAN edge router, core router, or classic router).
• Remote AS#—Remote AS number (defined on the WAN edge router or core router).
• Local AS#—Prisma SD-WAN Data Center or Branch AS number.
• Peer Type—Core router, WAN edge router, or classic router.
• State—Information on BGP peer states. Status displays Uptime, indicating the time frame the
peer is active and Downtime, indicating the time frame the peer is inactive, and the connection
State of the BGP peer.
Stats displays the statistics Sent and Received packets for each packet type. It also shows the
number of prefixes accepted by the BGP peer, the dropped BGP connections, and established
connections with the BGP peer.
• Advertised Prefixes—Number of prefixes advertised to the BGP peers by the ION device. The
data center ION advertises branch prefixes to classic and core peers but not the edge peers.

• Reachable Prefixes—Number of prefixes that the ION device learns from the BGP peers,
namely classic, core, or edge peers.
LAN Multicast
The multicast routing information for the selected site displays the following:
• Device—ION device name. Click to view the routing configuration of the device.
• Source—Displays the source address of multicast traffic in the network.
• Group—Displays the multicast group address.
• RP Address—Displays the address of the Rendezvous Point (RP) in the network.
• Flags—Indicate multicast message information.
For device versions lower than 6.0.1
• RP—Indicates Join/Prune messages propagated towards a shared RP tree.
• WC—Indicates a Wild card entry (*, G).
• SPT—Indicates Join/Prune messages propagated towards a source.
• NEW—Indicates a new route entry.
• CACHE—Indicates an entry cached in the kernel.
• NULL—Indicates that information received should not be forwarded.
For device versions 6.0.1 and higher
• S: Sparse—Indicates that PIM Sparse mode is in use.
• C: Connected—Indicates that a multicast receiver is directly connected to the branch ION
device.
• P: Pruned—Indicates Join/Prune messages propagated towards a source.
• R: SGRpt Pruned—Indicates that traffic is being forwarded using the RP tree.
• F: Register Flag—Indicates the traffic is arriving and set on a (*, G).
• T: SPT—bit set—Indicates that at least one packet was received via the SPT.
• Incoming Interface—Indicates the interface on which multicast traffic is received.
• Outgoing Interfaces—Indicates the interfaces on which multicast traffic needs to be replicated.
WAN Multicast
The multicast routing information for the selected site displays the following:

WAN Multicast is available from device version 6.0.1. You will be able to view WAN
multicast statistics only after your tenant has been migrated to the new data lake
infrastructure. If you cannot view statistics, contact the Palo Alto Networks Accounts
Team.

• Device—ION device name. Click to view the routing configuration of the device.
• Source—Displays the source address of multicast traffic in the network.
• Group—Displays the multicast group address.

• Flags—Indicate multicast message information.
• S: Sparse—Indicates that PIM Sparse mode is in use.
• C: Connected—Indicates that a multicast receiver is directly connected to the branch ION
device.
• P: Pruned—Indicates Join/Prune messages propagated towards a source.
• R: SGRpt Pruned—Indicates that traffic is being forwarded using the RP tree.
• F: Register Flag—Indicates the traffic is arriving and set on a (*, G).
• T: SPT—bit set—Indicates that at least one packet was received via the SPT.
• Incoming Site/Interface—Indicates the interface on which multicast traffic is received.
• Packets—Indicates the packet count reported by the multicast routing module.
• Bytes—Indicates the byte count reported by the multicast routing module.
• Outgoing Sites/Interfaces—Indicates the interfaces on which multicast traffic needs to be
replicated.
For data center devices, Outgoing Sites/Interfaces lists all the sites. Click View All to see the
following details:
• SECURE FABRIC LINK—Indicates the VPNs used between the branch and data center sites.
• LAST ACTIVE AT—Indicates the date and time at which multicast traffic was last active.
• TX PKTS—Indicates the number of multicast traffic packets transmitted from the site/interface.
• TX BYTES—Indicates the volume of multicast traffic sent in bytes from the site/interface.


Prisma SD-WAN VRF


Where Can I Use This? | What Do I Need?

• Prisma SD-WAN | Active Prisma SD-WAN license

Prisma SD-WAN supports Virtual Routing and Forwarding tables (VRFs) for Network (aka WAN)
segmentation of application traffic. Network segmentation is a design strategy that divides a
WAN into smaller, isolated networks, or segments. This approach helps to improve network
security, optimize network traffic, and ensure high availability of network resources.

By segmenting the network, you can isolate different departments, locations, or types of traffic
onto separate network segments. It reduces the risk of unauthorized access, limits the impact of
security breaches, and provides better control over network resources.
WAN Segments are first defined in global VRF profiles. These VRF profiles are then bound
to sites. After that, interfaces are configured with the appropriate VRF. When traffic enters
the interface, it only considers destinations with the same VRF locally or across the fabric. If
the traffic is destined to go across the fabric, it gets automatically encapsulated with a unique
identifier specific to that VRF. Once the traffic reaches the remote ION, it can egress onto the
VRF that is appropriately configured.


Network segmentation isolates application traffic for the different groups of users that share
the same WAN infrastructure by carrying the segment identifier over the WAN overlay. A network
carries many applications and services, each with a different security posture, so a multi-segment
solution is required to maximize control and separation between network segments.

Configure a VRF Profile in Prisma SD-WAN


Where Can I Use This? | What Do I Need?

• Prisma SD-WAN | Active Prisma SD-WAN license

Prisma SD-WAN creates the Global (default) Virtual Routing and Forwarding (VRF) Profile and
assigns it to all branch and data center sites. You can modify the default VRF Profile according
to your requirements, or create a new profile and assign it to a branch or data center site.
Specify the data center or branch site that will be the source of the VRF traffic.
STEP 1 | Select Manage > Resources > Configuration Profiles > VRF to create VRF Definition and
Profiles.


STEP 2 | You can also create the VRF Profile from Monitor > Data Centers. Select a data center
site. On the Configuration tab, click Create Profile and follow the steps below.

STEP 3 | You can also create the VRF Profile from Monitor > Branch Sites. Select a branch site.
On the Configuration tab, click Create Profile and follow the steps below.

STEP 4 | Click Add VRF Definitions to add a VRF Definition to attach it to the VRF Profiles.
The system generates a Global VRF Context by default, and it does not allow updating or
deleting the Global VRF Context. VRF contexts segment network traffic to apply different
rules for the same profile. Note that a rule with a VRF context will always take precedence
over one without a VRF context.
When the associated VRF definitions of the new profile match the default VRF context, you
can switch from a default VRF Profile to a newly created one. Otherwise, you are not allowed
to make changes.
1. Enter a Name and an optional Description for the VRF Definition.
2. You can update or delete the created VRF Definition under the Action column (if you
have not attached it to any of the VRF Profiles).


STEP 5 | On the Profiles tab, select Create Profile to add a new VRF Profile. On the Create VRF
Profile screen:

1. Enter a Name, an optional Description, and Select VRF Definitions for the VRF Profile.
Click Next to continue adding the Route Leak Rules, or click Submit to finish without
further configuration.
2. On the Route Leak Rules screen, you can see the route table with the existing rules, if any.
Click Add Route Leak Rules to create a new rule. Enter a Name, an optional Description,
Source VRF, Destination VRF, and IPv4 Prefix. Click Next.

The leaked IPv4 prefix in the route leak rule must match the prefix configured on
the interface.

3. View Summary to see the detailed information before submitting the new VRF Profile.
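As an added example (not Prisma SD-WAN code), the following Python models the two behaviours described above: the VRF overview's rule that a packet entering an interface is looked up only in that interface's VRF and, when it crosses the fabric, carries an identifier for that VRF so the remote ION egresses into the matching VRF; and the Route Leak Rule of step 5 (Source VRF, Destination VRF, IPv4 Prefix), whose prefix must match the prefix configured on an interface. The class and method names, the numeric VRF identifiers (100, 200), the choice that a leak rule makes the prefix of the Source VRF reachable from the Destination VRF, the exact-match check on connected prefixes, and the sample addresses and site names are assumptions.

```python
"""VRF-segmented forwarding with route leak rules (added example, not Prisma SD-WAN code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: Net
    vrf: str        # VRF whose table owns this route
    next_hop: str   # "local:<interface>" or "fabric:<remote site>"


@dataclass(frozen=True)
class LeakRule:
    name: str
    source_vrf: str        # VRF the prefix is taken from (direction is an assumption)
    destination_vrf: str   # VRF whose hosts may reach the prefix
    prefix: Net


class IonDevice:
    def __init__(self, name: str, vrf_ids: dict[str, int]) -> None:
        self.name = name
        self.vrf_ids = vrf_ids                       # VRF name -> overlay identifier (constructed)
        self.id_to_vrf = {i: v for v, i in vrf_ids.items()}
        self.interfaces: dict[str, tuple[str, Net]] = {}   # interface -> (VRF, connected prefix)
        self.tables: dict[str, list[Route]] = {v: [] for v in vrf_ids}
        self.leak_rules: list[LeakRule] = []

    def add_interface(self, name: str, vrf: str, prefix: str) -> None:
        self.interfaces[name] = (vrf, Net(prefix))
        self.tables[vrf].append(Route(Net(prefix), vrf, f"local:{name}"))

    def add_fabric_route(self, vrf: str, prefix: str, remote_site: str) -> None:
        self.tables[vrf].append(Route(Net(prefix), vrf, f"fabric:{remote_site}"))

    def add_leak_rule(self, rule: LeakRule) -> None:
        # The guide requires the leaked prefix to match the prefix configured on the
        # interface; an exact match against the source VRF's connected prefixes is used here.
        connected = {p for v, p in self.interfaces.values() if v == rule.source_vrf}
        if rule.prefix not in connected:
            raise ValueError(f"{rule.prefix} is not configured on an interface in VRF {rule.source_vrf}")
        self.leak_rules.append(rule)

    def _lpm(self, vrf: str, dst: Addr) -> Route | None:
        hits = [r for r in self.tables[vrf] if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def _forward_in_vrf(self, vrf: str, dst: Addr) -> dict:
        route = self._lpm(vrf, dst)
        if route is None:
            # Only a leak rule whose destination VRF is this one may import a route from another VRF.
            for rule in self.leak_rules:
                if rule.destination_vrf == vrf and dst in rule.prefix:
                    route = self._lpm(rule.source_vrf, dst)
                    if route is not None:
                        break
        if route is None:
            return {"action": "drop", "vrf": vrf}
        kind, target = route.next_hop.split(":", 1)
        if kind == "fabric":
            # Across the fabric the packet carries the identifier of the VRF that owns the route.
            return {"action": "encapsulate", "vrf_id": self.vrf_ids[route.vrf], "remote": target}
        return {"action": "deliver", "vrf": route.vrf, "egress": target}

    def forward_from_lan(self, ingress: str, dst: str) -> dict:
        """Packet from a LAN interface: only that interface's VRF table is consulted."""
        return self._forward_in_vrf(self.interfaces[ingress][0], Addr(dst))

    def receive_from_fabric(self, vrf_id: int, dst: str) -> dict:
        """Packet from the overlay: the carried VRF identifier selects the table."""
        vrf = self.id_to_vrf.get(vrf_id)
        if vrf is None:
            return {"action": "drop", "reason": "unknown VRF identifier"}
        return self._forward_in_vrf(vrf, Addr(dst))


VRF_IDS = {"corp": 100, "guest": 200}   # constructed identifiers shared by both sites


def build_sites() -> tuple[IonDevice, IonDevice]:
    """A branch with corp and guest VRFs and a data center that only serves corp (constructed)."""
    br = IonDevice("branch-1", VRF_IDS)
    br.add_interface("lan1", "corp", "10.10.1.0/24")
    br.add_interface("lan2", "guest", "192.168.50.0/24")
    br.add_interface("lan3", "corp", "10.10.9.0/24")        # shared printers
    br.add_fabric_route("corp", "10.20.0.0/16", "dc-1")
    br.add_leak_rule(LeakRule("guest-to-printers", "corp", "guest", Net("10.10.9.0/24")))
    dc = IonDevice("dc-1", VRF_IDS)
    dc.add_interface("dc-lan", "corp", "10.20.0.0/16")
    return br, dc


def leak_rule_accepted(dev: IonDevice, src: str, dst: str, prefix: str) -> bool:
    """True if the device accepts the rule, False if the prefix is not a connected prefix."""
    try:
        dev.add_leak_rule(LeakRule("probe", src, dst, Net(prefix)))
        return True
    except ValueError:
        return False
```

The guest VRF has no route to the corp LAN, so a guest host reaching for 10.10.1.5 is dropped at the branch, while the leak rule lets guest reach the printer subnet only; corp traffic to the data center leaves with identifier 100 and is delivered there, but a packet arriving with the guest identifier, or an identifier the data center does not know, is dropped.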

Prisma SD-WAN Administrator’s Guide 340 ©2024 Palo Alto Networks, Inc.
Prisma SD-WAN Stacked Policies
Where Can I Use This? | What Do I Need?

• Prisma SD-WAN | Active Prisma SD-WAN license

Prisma SD-WAN supports stacked policies for flow forwarding operations. Using centrally-defined
policies, each ION device performs actions such as automatic path selection, traffic shaping, or
active-active load balancing between links, while the Prisma SD-WAN controller provides full
visibility into application performance and response times across all WAN links.
• Migrate Original Policy Sets to Stacked Policy Sets
• Simple Path and QoS Stacks
• Advanced Path and QoS Stacks
• Add a Path Policy Set
• Add a Path Policy Rule
• Custom Applications and System Application Overrides
• Service and Data Center Groups
• Configure Network Contexts
• Configure Circuit Capacities
• Configure DSCP
• Prefixes
• Configure Syslog Profiles


Migrate Original Policy Sets to Stacked Policy Sets


Where Can I Use This? | What Do I Need?

• Prisma SD-WAN | Active Prisma SD-WAN license

Prisma SD-WAN supports stacked network and security policies. If you are a new user starting
with Release 6.0.1, you can configure only stacked network and security policies. If you have
configured original or legacy policies, you have to convert these legacy policies to stacked policies
before you can upgrade your device to Release 6.0.1.

If you try to upgrade your device to version 6.0.1 or higher using original policies, you will
get an error and the device upgrade will fail.

Stacked Policies provide a common administrative domain for a set of sites, contain policy rules,
and are stacked and attached to a site. With stacked policies you can enable, disable, update, or
manage policies, including performance, priority, path selection, and security without configuring
individual ION devices at a branch or a data center.
STEP 1 | Select Manage > Policies > Stacked Policies > Bindings/Path/QoS/Security/NAT.

STEP 2 | Select Security > Security Stacks > Advanced > Security Sets > Add Set.
The example shows how to convert an original security policy set to a stacked security policy
set. You can extend this to converting Path and QoS sets also.

To migrate from original network policies to stacked network policies, you can clone
an original network policy set into two types of stacked policy sets—stacked path
policy set (for original network policies) and stacked QoS policy set (for original priority
policies) and bind them separately to a site.

STEP 3 | On the Add Security Policy Set screen, enter a Name for the security policy set, and
optionally enter description and tags.
While adding a name, ensure that there is no stacked policy set having the same name as the
original policy set.

STEP 4 | Select the Clone From an Original Policy Set check box to clone a policy set created under
original policies and select a policy set to clone from the Choose an Original Policy Set drop-down.


STEP 5 | Click Done to submit your changes.


The clone operation creates a new policy set stack for the original security policy set. As part
of the clone operation, a policy set containing custom rules from the original policy set and a
Default Rule Policy set from the default rules in the original policies is created. The Default
Rule Policy set contains three different rules—default-deny, intra-zone-allow, self-zone-allow.

In order for stacked security policy rules to be active, bind security policy set stacks
to a site.


Simple Path and QoS Stacks


Where Can I Use This? | What Do I Need?

• Prisma SD-WAN | Active Prisma SD-WAN license

You can create a simple path stack and/or a Quality of Service (QoS) stack where there is only
one policy set. This simplifies the management of policy stacks if you do not need to leverage the
stacking capabilities.
A simple Path Stack is a collection of path policy rules in a single policy set. A simple QoS Stack is
a collection of QoS policy rules in a single policy set.
A simple path or QoS Stack, at a minimum, consists of one policy set with two default policy rules:
• Default Rule
• Enterprise Default Rule
You can add more policy rules if needed. You can edit a simple stack under the Advanced view to
convert a simple stack to an advanced stack.
Use the following steps to create a simple path or QoS stack and bind it to a site.
• Add a simple path or QoS stack
• Add path or QoS rules to a simple path or QoS stack
• Bind the simple path or QoS stack to a site

Add Simple Path or QoS Stacks


Where Can I Use This? | What Do I Need?

• Prisma SD-WAN | Active Prisma SD-WAN license

A simple path stack is a collection of path policy rules in a single policy set, while a simple QoS
stack is a collection of QoS policy rules in a single policy set.

Add a simple path stack.


1. Select Manage > Policies > Path > Path Stacks > Simple > Add Stack.
2. On the Add Stack screen, enter a Name for the stack, and optionally description and
tags.
3. (Optional) Select the Make Default Path Stack check box to make this stack a default
stack.
4. (Optional) Select the Clone from Simple Path Stack check box to create a path stack
similar to an existing simple path stack.
Select a stack to clone from the Choose a simple path stack drop-down.
5. Save your changes.


Add a simple QoS stack.


1. Select Manage > Policies > QoS > QoS Stacks > Simple > Add Stack.
2. On the Add Stack screen, enter a Name for the stack, and optionally description and tags.
3. (Optional) Select the Make Default QoS Stack check box to make this stack a default
stack.
4. (Optional) Select the Create from template check box to create a stack based on a
template.
A stack created from a template has 37 policy rules and two default policy rules.
5. (Optional) Select the Clone from Simple QoS Stack check box to create a QoS stack
similar to an existing simple QoS stack.
Select a stack to clone from the Choose a simple QoS stack drop-down.
6. Save your changes.


Advanced Path and QoS Stacks


Where Can I Use This? | What Do I Need?

• Prisma SD-WAN | Active Prisma SD-WAN license

Advanced Path and QoS Set Stacks comprise Path Policy Sets and Quality of Service (QoS) Policy
Sets. Path policy sets specify traffic engineering while QoS policy sets specify business priority.
These policy sets contain policy rules.
An Advanced path or a QoS Stack consists of a minimum of two default policy rules—Default Rule
and Enterprise Default Rule. Additional policy rules can be added as required. A site can have a
single Path or QoS Stack attached to it at a time. An Advanced Path or QoS Stack is a collection of
Path or QoS policy sets that are stacked in the order in which they are evaluated by a site.
• A Path or QoS Stack can accommodate a maximum of four policy sets and one default rule
policy set. The policy sets in a stack are ordered from left to right, with the left-most policy set
designated as the highest priority.
• At any given time, only one Path or QoS Stack can be attached to a site. You can add, change,
or delete a policy set or a Path or QoS stack at any time.
The relationship among Advanced Path Stacks, Policy Sets, and Policy Rules is shown below.

Path and QoS policies simplify policy management. For example, all applications may have the
same priority across an entire enterprise, but based on geographical regions, path policies may
differ between sites.

Add Advanced Path or QoS Stacks


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Advanced Path and QoS Set Stacks comprise Path Policy Sets and Quality of Service (QoS) Policy
Sets which in turn comprise Policy Rules.


STEP 1 | Select Manage > Policies > Path (or QoS) > Path Stacks (or QoS Stacks) > Advanced.

STEP 2 | Add Stack.

STEP 3 | Enter a Name for the stack.

STEP 4 | Assign the policy sets to the stack by selecting from the Policy Set drop-down.

STEP 5 | Save to add the stacks.

Add QoS Policy Sets


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

A QoS or Priority policy set specifies application business priority. The policy sets are ordered
from left to right in a stack, with the left-most policy set designated as the highest priority. You
can create a new blank QoS policy set for a site, clone from an existing stacked policy set or
classic policy set, or create a policy set from a template. You can also create a Default Rule QoS
policy set. A QoS Policy Set comes with two default rules—Default and Enterprise Default.
STEP 1 | Select Manage > Policies > QoS > QoS Stacks > Advanced > QoS Sets.

STEP 2 | Select Add Set and then Add QoS Policy Set.

STEP 3 | Choose the following options on Add QoS Policy Set to create a new policy set:
• Default Rule Policy Set—This creates a policy set with two default rules—Default Rule and
Enterprise Default Rule.
• Create from Template—Select a template for cloning. The template option creates a set of
rules from a template that is defined by Palo Alto Networks. You can customize these rules
after creation.
• Clone from Policy Set—Select an existing policy from Stacked Policies for cloning.
• Clone from Original Policy Set—Select an existing policy from Policies (Original) for cloning.

You can create a blank policy set with no rules, if you don't choose any of the above
options.

STEP 4 | Enter a Name and optionally a Description and Tags for the policy set.

STEP 5 | Click Done.


Next, Add QoS Policy Rules to QoS policy sets.


Add QoS Policy Rules


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

QoS or Priority Policy Rules are contained within a QoS set. QoS policy rules determine
application priority within a network. They include attributes such as network context, QoS
prefixes, application, priority, and DSCP for an application.
• Network context—Network context segments network traffic for the purpose of applying
different QoS policy rules for the same application. This gets the highest order of precedence.
• Source prefix filter—Source based attributes get precedence over destination based attributes.
Source prefix filters are often added as exceptions, so these get a higher precedence over
applications.
• Applications—These are destination based, hence lower in the order of precedence.
• Destination prefix filter—These are often added in context of an application, so destination
prefix filters get lower precedence than applications.
• Priority—Priority determines the relative priority of network resources assigned to each
application.
• DSCP Values - When policy rules with marked DSCP bits are applied to a site, the ION branch
device will honor the bits in the first packet on an unknown application flow, and queue the
flow in the specified priority class.
QoS policy rules are added to the QoS policy sets.
STEP 1 | Select Manage > Policies > QoS > QoS Stacks > Advanced > QoS Sets.

STEP 2 | Select a QoS set and Add Rule.

STEP 3 | On the Info tab, enter a Name for the policy rule.

STEP 4 | Enter an Order number.


The default order number for a policy rule is 1024.

STEP 5 | (Optional) Enter Description and Tags for the policy rule.

STEP 6 | Click Next.

STEP 7 | Select a Network Context on the Network Context tab and click Next.
You can add a new network context by clicking Add.

STEP 8 | Select a Source Prefix and a Destination Prefix on the Prefixes tab.
For information on prefixes, see Configuring Prefixes.

STEP 9 | Click Next.


STEP 10 | Select applications to apply the policy rule on the Apps tab and click Next.
The number of applications for a policy rule is limited to 256.
You can filter applications based on:
• For sites 6.0.1 or above—Select this option to view system applications from PANW,
applications common to PANW and Prisma SD-WAN, and custom applications defined in
Prisma SD-WAN.
• For sites below 6.0.1—Select this option to view legacy system applications in Prisma SD-
WAN, applications common to PANW and Prisma SD-WAN, and custom applications
defined in Prisma SD-WAN.
• For any site—Use this option to view applications common to PANW and Prisma SD-WAN
along with custom applications defined in Prisma SD-WAN.
(Optional) You can check the type of application - System (PANW, CGX), System (CGX),
or Custom by selecting the application first and then using the filters to view the type of
application.

STEP 11 | Choose a priority on the Priority tab and click Next.


For more information on priorities, see Configure Circuit Capacities.

STEP 12 | Select an action from the DSCP drop-down on the DSCP tab.
If you choose:
• No Action—DSCP marking in the packet is not modified.
• Mark/Remark—Select a value between 0-63 from the drop-down. If a DSCP value is
specified and a flow matches this rule in the LAN to WAN direction, all packets belonging
to this flow are changed to the DSCP value specified here. For more information on DSCP
configuration, see Configure DSCP.

STEP 13 | Click Next.

STEP 14 | Review the Summary of the policy rule.

STEP 15 | Save & Exit.


You can sort QoS policy rules based on rules that are enabled, order of the rules, name,
network context, source and destination prefixes, priority of the application, and the DSCP
value. For policy rules in Path or QoS Stacks to be active, you need to bind Path or QoS Stacks
to a site. A single Path or QoS Stack can be bound to a site at a time.
You can bulk update or edit information for multiple QoS policy rules by selecting multiple
policy rules and editing the required information.

Information changed using bulk edit of policy rules overwrites the existing information
of individual policy rules.


Add a Path Policy Set


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Path Policy sets contain policy rules and are a part of path policy set stacks. A simple path stack
contains a single path policy set. An advanced path stack contains multiple, ordered path policy
sets. Note that you can create path policy sets only through the Advanced view on the Path
screen.
STEP 1 | Select Manage > Policies > Path > Path Stacks > Advanced > Path Sets.

STEP 2 | On the Add Path Policy Set screen, enter a Name for the path policy set, and optionally
enter description and tags.

STEP 3 | (Optional) Select the Clone From a Policy Set check box to clone a policy set and select a
policy set to clone from the Choose a Policy Set.

STEP 4 | (Optional) Select the Clone From an Original Policy Set check box to clone a policy set
created under Network Policies (Original) and select a policy set to clone from the Choose
an Original Policy Set.

STEP 5 | Click Done to submit your changes.


Add a Path Policy Rule


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Path policy rules define network paths for application sessions to leverage. Path Policy Rules use
network contexts, applications, destination zones, prefixes, ports, and protocols. Layer 3 paths can
be private or internet paths, VPN, or standard VPNs. You can directly add policy rules to a simple
path stack by clicking a simple path stack and then clicking Add Rule. For advanced stacks, select
a stack, then a policy set within the stack, and then add policy rules to the policy set.

Add a path policy rule to a simple path stack.


1. Select Manage > Policies > Path > Path Stacks > Simple > Select a Stack > Add Rule.
2. Select an order for the rule.
Policy rules follow explicit ordering and implicit ordering. In explicit ordering, each rule
within a policy set has an order number (used to explicitly order rules, overriding the
implicit order), a set of match criteria, and a set of actions. If two rules have the same
order, then the rules follow implicit ordering, wherein policy rules with more specific
attributes get precedence over rules with less specific attributes.
• Enter a Name for the policy rule, and optionally enter description and tags.
• Enter an order between 1-65535 for the policy rule.

An order of 1 indicates the highest priority for the policy rule. The default is
1024.
• (Optional) Select Disable Rule if you do not want the ION device to consider this rule.
3. (Optional) Configure network contexts.
• On the Network Contexts screen, select a previously configured Network Context or
click the + icon to create a network context.
4. (Optional) Configure Prefixes.
On the Prefixes tab, select a Source Prefix and a Destination Prefix.
5. (Optional) Add users or user groups.
On the Users tab, select a User and/or a Group from the User/Group drop-down.
6. (Optional) Select applications.
On the Apps tab, select the applications to apply the policy rule. You can select 256
applications for one policy rule.
You can filter applications based on:
• For sites 6.4.1 or above—Select this option to view applications supported for device
version 6.4.1 and above.
• For sites above 6.0.1 and less than 6.4.1—Select this option to view system
applications supported between releases 6.0.1 and pre-6.4.1.
• For sites below 6.0.1—Select this option to view applications supported for devices
versions below 6.0.1.
• For any site—Use this option to view applications supported for all device versions.
(Optional) You can check the type of application - System or Custom by selecting the
application first and then using the filters to view the type of application.
7. Configure paths.
On the Paths tab, choose Active/Backup/L3 Failure Paths for the application from the
drop-down list.
Select an Overlay and a Circuit Category for a path. You cannot repeat a combination of
an overlay and a circuit category for a policy rule.

You must configure an active path. You can optionally configure backup paths
and L3 failure paths. You can configure an L3 failure path without configuring a
backup path.

In ION devices running 5.2.1 and higher versions, the default setting moves flows back
to the active path in the policy as soon as the active path becomes available.
8. Select Service and DC Groups.


Select Service & DC Groups, and then select Active/Backup Service & DC Groups from
the drop-down.

If the Required check box is selected, traffic will always transit through the
Service and DC Groups. If not selected, traffic may or may not transit through
the Service and DC Groups per policy. You cannot select Required, if you have
selected at least one direct path in the Paths tab.
9. Confirm the information displayed in the Summary tab and then click Save & Exit.
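The rule-evaluation model described in two places above, the precedence of QoS rule attributes (network context, then source prefix, then application, then destination prefix) and the explicit-then-implicit ordering of path rules in step 2 (order 1 is highest, default 1024, equal order falls back to specificity, disabled rules are skipped, policy sets in a stack are evaluated left to right with the default-rule set last), as an added Python example. This is not Prisma SD-WAN code and does not use the product's API; the rule names, network contexts, prefixes and priority tiers in the sample are constructed, and the shape of the action dictionary is an assumption made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

DEFAULT_ORDER = 1024              # default order number of a new rule
ORDER_MIN, ORDER_MAX = 1, 65535   # allowed order range; 1 is the highest priority
DSCP_MIN, DSCP_MAX = 0, 63        # Mark/Remark accepts a 6-bit DSCP value
MAX_POLICY_SETS = 4               # per stack, plus one default-rule policy set


@dataclass
class Rule:
    name: str
    action: dict                  # assumed shape, e.g. {"priority": "gold", "dscp": 46}
    order: int = DEFAULT_ORDER
    network_context: Optional[str] = None
    src_prefixes: list = field(default_factory=list)   # CIDR strings
    apps: set = field(default_factory=set)
    dst_prefixes: list = field(default_factory=list)
    disabled: bool = False        # "Disable Rule": the device ignores the rule

    def __post_init__(self):
        if not ORDER_MIN <= self.order <= ORDER_MAX:
            raise ValueError(f"{self.name}: order must be {ORDER_MIN}-{ORDER_MAX}")
        dscp = self.action.get("dscp")
        if dscp is not None and not DSCP_MIN <= dscp <= DSCP_MAX:
            raise ValueError(f"{self.name}: DSCP must be {DSCP_MIN}-{DSCP_MAX}")

    def specificity(self):
        """Implicit ordering, most significant first: network context, source prefix,
        application, destination prefix (the precedence stated for QoS rules)."""
        return (self.network_context is not None, bool(self.src_prefixes),
                bool(self.apps), bool(self.dst_prefixes))

    def matches(self, flow):
        # Every attribute the rule specifies must match; unspecified ones match anything.
        if self.disabled:
            return False
        if self.network_context and flow["network_context"] != self.network_context:
            return False
        if self.src_prefixes and not _in_any(flow["src_ip"], self.src_prefixes):
            return False
        if self.apps and flow["app"] not in self.apps:
            return False
        if self.dst_prefixes and not _in_any(flow["dst_ip"], self.dst_prefixes):
            return False
        return True


def _in_any(ip, prefixes):
    addr = ip_address(ip)
    return any(addr in ip_network(p, strict=False) for p in prefixes)


def select_rule(rules, flow):
    """Explicit order wins (lower number first); equal order falls back to specificity."""
    matched = [r for r in rules if r.matches(flow)]
    if not matched:
        return None
    # A True in the specificity tuple must sort first, so each element is negated.
    matched.sort(key=lambda r: (r.order, tuple(not s for s in r.specificity())))
    return matched[0]


def evaluate_stack(policy_sets, default_set, flow):
    """Policy sets are evaluated left to right; the first set with a matching rule decides,
    and the default-rule set is consulted last."""
    if len(policy_sets) > MAX_POLICY_SETS:
        raise ValueError(f"a stack holds at most {MAX_POLICY_SETS} policy sets")
    for set_name, rules in list(policy_sets) + [("default", default_set)]:
        rule = select_rule(rules, flow)
        if rule is not None:
            return set_name, rule
    return None


def egress_dscp(rule, flow, direction):
    """Mark/Remark rewrites the DSCP of flows matched in the LAN-to-WAN direction only."""
    dscp = rule.action.get("dscp")
    if dscp is None or direction != "lan_to_wan":
        return flow["dscp"]
    return dscp


# Constructed sample policy: names, contexts and prefixes are invented for this example.
REGIONAL = [
    Rule("voip-gold", {"priority": "gold", "dscp": 46}, apps={"voip"}),
    Rule("guest-voip-bronze", {"priority": "bronze"}, network_context="guest", apps={"voip"}),
    Rule("lab-exception", {"priority": "silver"}, order=10, dst_prefixes=["203.0.113.0/24"]),
    Rule("retired", {"priority": "platinum"}, order=1, apps={"voip"}, disabled=True),
]
DEFAULT = [Rule("enterprise-default", {"priority": "bronze"}, order=ORDER_MAX)]


def decide(flow, direction="lan_to_wan"):
    """Returns (policy set, rule name, priority tier, DSCP the packet leaves with)."""
    set_name, rule = evaluate_stack([("regional", REGIONAL)], DEFAULT, flow)
    return set_name, rule.name, rule.action["priority"], egress_dscp(rule, flow, direction)
```

A flow is a dictionary with network_context, src_ip, dst_ip, app and dscp keys. With the sample above, guest VoIP traffic to a lab prefix hits lab-exception because its explicit order of 10 beats every order-1024 rule regardless of specificity, while guest VoIP traffic elsewhere hits guest-voip-bronze, the more specific of the two equally ordered VoIP rules; the disabled order-1 rule is never considered.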

Add a path policy rule to an advanced path policy set.


1. Select Manage > Policies > Path > Path Stacks > Advanced > Select a Stack > Add Rule.
2. Follow the steps above for adding a path policy rule to a simple policy stack.

Configure User-ID based Policy Rules


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Prisma SD-WAN supports User-ID based policies, wherein you can configure policies directly for a
user or a group of users. You can use the user name or the group name as part of a policy rule for
path, QoS, and security policies.
You can apply User-ID based policies only to tenant service group (TSG) compatible tenants.
Workflow:
The PAN-OS firewall maps IP addresses to users. The Cloud Identity Engine maps users to user
groups.

1. A data center ION device learns the User-ID mapping from a User-ID Agent running on a PAN-
OS firewall. The User-ID client software runs on the data center ION device.

ION devices support only those PAN-OS firewalls running versions 10.1.7, 10.2.3,
11.0.x, or higher.
2. The DC ION device pushes the User-ID to IP address mapping to the Prisma SD-WAN
controller.
3. The Prisma SD-WAN controller interacts with the Cloud Identity Engine for User ID to User
Group mapping.


4. The Prisma SD-WAN controller distributes these mappings to branches (after site-specific
filtering based on prefixes and policies).
5. The Prisma SD-WAN controller pushes User-ID based policies to branch site ION devices.
6. The branch ION devices apply User-ID based policies.
7. The branch ION devices tag the Prisma SD-WAN traffic with user name information for site-
to-site traffic.
8. The branch ION devices use the tag (username) received in the WAN traffic to enforce User-ID
based policies for remote site users.
9. The branch ION devices send stats/logs for User ID/Group ID used in the policies to the
controller.
Prisma SD-WAN supports WAN to LAN User-ID based policies for traffic between branch sites
with direct tunnels, but it does not support User-ID based policies for traffic that originates from
or transits through a data center.
You will need the following licenses and subscriptions in the same tenant service group (TSG) that
Prisma SD-WAN belongs to, in order to configure User-ID based policies in Prisma SD-WAN.
• PAN-OS firewall
• Cloud Identity Agent activation
Use the following steps to configure User-ID based policies in Prisma SD-WAN.


STEP 1 | Set up the connection to the User-ID agent.


Configure a data center ION device to connect to the User ID Agent in the PAN-OS firewall.
1. Select Workflows > Data Centers and then select a data center site.
2. Click Configure User Agent.
3. Click Add User Agent.

1. Enter a Name for the User Agent configuration.


You can choose to disable the connection between the user agent client and the user
agent running on the PAN-OS firewall by selecting the Disabled check box.
2. Enter the Host IP address or a fully qualified domain name (FQDN) for the PAN-OS
firewall.
If you specify an FQDN, use the down-level logon name in the
(DLN)\sAMAccountName format instead of the FQDN\sAMAccountName format.
For example, use example\user.services not example.com\user.services.
3. Enter the Port number for the PAN-OS firewall.
4. (Optional) Enter a Collector Name.
Enter this information if you are using a Virtual System (hardware firewall).
5. (Optional) Enter a Collector Pre-Shared Key and confirm.
6. Submit your configuration.

STEP 2 | Configure user attributes.


1. Select Manage > System > Identity Management > Cloud Identity Engine.
2. Click Configure Identity Engine.

The formats supported are:


• User Principal Name—User-id@domain.com
• SAM Account Name—NetBIOS/User-ID format
When the username format is a SAM Account Name, Prisma SD-WAN supports only
the netbios\<user> format and not the domain\<user> format.


STEP 3 | Add users and/or user groups in policy rules.


You can add users or user groups in path, QoS, and security policy rules.
1. Select Manage > Policies > Path > Path Stacks > Simple > Select a Stack > Add Rule.
2. On the Users tab, select a User and/or a Group from the User/Group drop-down.
The default value is Any.
An explicitly specified user name has priority over a group name. An explicitly specified
group name has priority over any/known/unknown user.

L3 Failure Paths
Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Layer 3 paths can be private or internet paths, VPN, or standard VPNs. An L3 failure path is
used when there is a Layer 3 failure on all other paths and there is no way to reach the WAN-side
destination, optimally or sub-optimally.
A path that is configured in the Layer 3 failure paths list is considered only in the following
conditions:
• Condition 1
• All active and backup paths are up and available, but Layer 3 is unreachable.
• Layer 3 failure paths are configured and up.
• At least one Layer 3 failure path is Layer 3 reachable.
• Condition 2
• All active and backup paths are down or routes on both paths do not exist. For example,
direct on public-1 and public-1 do not exist.
• Layer 3 failure paths are configured and are up.
• Condition 3
• Network asymmetry.
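The two conditions above, as an added Python example that is not Prisma SD-WAN code: a small path model with up/down, route-exists and Layer 3 reachability states, a selection function that tries active and backup paths before falling through to the L3 failure list, and the 5.2.1-and-later default of moving flows back as soon as an active path returns. Path names are constructed. Condition 3 (network asymmetry) is not modeled, and a mixed state the section does not cover (one path up but unreachable while another is down) yields no path.

```python
from dataclasses import dataclass


@dataclass
class Path:
    name: str                  # constructed label such as "direct:internet-dsl"
    up: bool = True            # link and overlay are up
    route: bool = True         # a route to the WAN-side destination exists on this path
    l3_reachable: bool = True  # the destination answers at Layer 3 over this path

    def usable(self):
        return self.up and self.route and self.l3_reachable


def select_path(active, backup, l3_failure):
    """Returns (path name, reason). Active paths are tried before backup paths; a path from
    the L3 failure list is considered only under conditions 1 and 2 of the section."""
    for label, group in (("active", active), ("backup", backup)):
        for path in group:
            if path.usable():
                return path.name, label
    primary = active + backup
    # Condition 1: all active and backup paths are up, but Layer 3 is unreachable on them;
    # the L3 failure path used must itself be up and Layer 3 reachable.
    if primary and all(p.up for p in primary):
        for path in l3_failure:
            if path.up and path.l3_reachable:
                return path.name, "l3-failure (condition 1)"
    # Condition 2: every active and backup path is down or has no route;
    # an L3 failure path only needs to be configured and up.
    if primary and all(not p.up or not p.route for p in primary):
        for path in l3_failure:
            if path.up:
                return path.name, "l3-failure (condition 2)"
    return None, "no usable path"


def path_after_recovery(current, active):
    """Default on ION 5.2.1 and later: as soon as an active path is available again,
    flows move back to it; otherwise they stay on the path they are using."""
    for path in active:
        if path.usable():
            return path.name
    return current


def sample_decisions():
    """Constructed topology: a direct DSL active path, a VPN over LTE as backup, and the
    metered LTE circuit listed only as an L3 failure path. Each state is driven through
    select_path and the decisions are collected by scenario name."""
    dsl = Path("direct:internet-dsl")
    vpn_lte = Path("vpn:metered-lte")
    lte_l3 = Path("direct:metered-lte")
    results = {"normal": select_path([dsl], [vpn_lte], [lte_l3])}
    dsl.up = False
    results["dsl down"] = select_path([dsl], [vpn_lte], [lte_l3])
    dsl.up, dsl.l3_reachable, vpn_lte.l3_reachable = True, False, False
    results["l3 unreachable"] = select_path([dsl], [vpn_lte], [lte_l3])
    dsl.up, vpn_lte.route = False, False
    results["all down"] = select_path([dsl], [vpn_lte], [lte_l3])
    lte_l3.up = False
    results["nothing left"] = select_path([dsl], [vpn_lte], [lte_l3])
    return results
```

The "l3 unreachable" scenario is the one the section singles out: both primary paths are up, so link monitoring alone would not fail them over, yet the destination is unreachable at Layer 3 on both, and only then is the metered circuit used.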

Minimize Metered LTE Usage


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

You can configure Prisma SD-WAN to minimize the use of metered backup links and leverage
the use of LTE links when other active paths are not available. Use the following workflow for
ensuring flexibility and agility at a lower cost by sending data over metered links for business
continuity only when the primary connection is unavailable.


STEP 1 | Modify the LTE circuit settings to minimize metered usage.


1. Select Workflows > Sites > Select a site > Internet Circuits > Change Circuits >
(Metered 3G/4G/LTE Circuit Category) Circuit > Edit.
2. Minimize traffic over the LTE circuit.
• Clear BW Monitoring.
• Clear LQ Monitoring.
• Select the BFD Mode.
• For devices running versions 5.3.x or earlier versions, select Non-aggressive as the
BFD Mode because these versions do not support VPN keep-alives.
• For devices running 5.4.1 or later versions, select Override VPN Keep-Alive and
set the Keep-Alive Interval to 600,000 ms.
• Set Cost to 129 to lower the preference for the circuit.
• Select No for Controller Connections to exclude this circuit from connecting to the
controller for device-related services.
• Select No for App Reachability Probes to exclude this circuit from checking the
reachability of an application for a given path.


STEP 2 | Modify the circuit category settings to minimize metered LTE usage.
1. Select Manage > Resources > Circuit Categories.
2. Edit the Metered 3G/4G/LTE circuit category.
You can select any circuit category to modify for minimizing metered LTE usage but use
the metered 3G/4G/LTE circuit category for optimum settings.
In less common cases, you can use metered private links. For example, metered LTE links
can be terminated into a private network versus the public internet. In this case, you can
use a Private circuit category instead of a Public circuit category.
3. Clear the Use For Controller Connections check box to minimize the amount of data
sent over that path to the controller.
4. Clear the Use For Application Reachability Probes check box to reduce the amount of
non-user application traffic over metered circuits.

This should ONLY be done if this circuit category is referenced as an L3 failure
path in the path policy rule, as this will effectively ensure that the ION device
does not react to layer 7 failures for application flows on this circuit.
5. Set the Keep-Alive Interval to 600,000 ms.

STEP 3 | Configure a path policy rule to minimize metered LTE usage.


1. Select Manage > Policies > Path > Path Stacks > Advanced > Path Sets > Select a Set >
Add Rule/Edit Rule.
2. On the Paths tab, select Metered 3G/4G/LTE as the Circuit Category under L3 Failure
Paths.
This is applicable for devices running versions 5.2.1 or higher.

For devices running versions 5.2.1 or earlier that have traffic going through a
Prisma SD-WAN VPN across a metered link, set the Backup Overlay to VPN and
the Circuit Category to Metered 3G/4G/LTE Internet in the path policy rule.

STEP 4 | Verify the policy configuration.


Path policies control application session forwarding behavior at a site level. Path policies can
specify broad actions as well as specific actions per application. This can include specific paths
defined as Active, Backup, or L3 Failure Paths in the policy.
1. Review paths configured in policy rules.
• Active Paths—These should include very specific circuit category definitions. For
example, for traffic intended to traverse a VPN across an Internet DSL link, the active
path overlay should be VPN and the circuit category should be Internet DSL.
• Backup Paths—These should include very specific Circuit Category definitions.
In many cases, it may be desirable to limit Backup Path usage only for critical
applications. This is determined on a case-by-case basis as this can vary by vertical
and the primary line of business at the location. For these cases, the use of Advanced
Stacked Policies is recommended. This will allow for hierarchical policy inheritance
with exceptions where needed by the business.
• L3 Failure Paths—For ION devices running versions 5.2.1 and higher, the L3 Failure
Paths are built for Metered LTE circuits.
2. Review the path policy set stacks bound to a site.
Select Manage > Policies > Bindings to view the path policy set stack bound to a site.
The path policy set stacks and the order of the policy sets in the stack are bound to a
site.
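A configuration audit for STEP 1 and STEP 2 of this workflow, as an added Python example that is not Prisma SD-WAN code and does not read the product's configuration. It compares circuit and circuit-category settings, expressed as plain dictionaries whose key names are constructed for the example, against the values the steps recommend, picks the BFD or keep-alive expectation from the device version, and flags the case the note above warns about: application reachability probes disabled on a category that is not an L3 failure path. Treating versions between 5.3.x and 5.4.1 like 5.3.x is an assumption.

```python
KEEPALIVE_MS = 600_000  # recommended VPN keep-alive interval on metered links

RECOMMENDED_CIRCUIT = {
    "bw_monitoring": False,            # Clear BW Monitoring
    "lq_monitoring": False,            # Clear LQ Monitoring
    "cost": 129,                       # lower the circuit's preference
    "controller_connections": False,   # Controller Connections: No
    "app_reachability_probes": False,  # App Reachability Probes: No
}


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def expected_bfd_settings(device_version):
    """5.3.x and earlier have no VPN keep-alives, so BFD Mode must be Non-aggressive;
    5.4.1 and later override the VPN keep-alive with a 600,000 ms interval.
    Assumption: anything below 5.4.1 is handled like 5.3.x."""
    if version_tuple(device_version) < (5, 4, 1):
        return {"bfd_mode": "non_aggressive"}
    return {"override_vpn_keepalive": True, "keepalive_interval_ms": KEEPALIVE_MS}


def audit_metered_circuit(circuit, device_version):
    """One finding per circuit setting that differs from the STEP 1 recommendation."""
    expected = {**RECOMMENDED_CIRCUIT, **expected_bfd_settings(device_version)}
    return [f"circuit {circuit['name']}: {key}={circuit.get(key)!r}, recommended {want!r}"
            for key, want in expected.items() if circuit.get(key) != want]


def audit_circuit_category(category, referenced_as_l3_failure_path):
    """Checks the STEP 2 settings. Disabling application reachability probes is only
    appropriate when the category is used as an L3 failure path, because the ION device
    then stops reacting to layer 7 failures on that circuit."""
    findings = []
    name = category["name"]
    if category.get("use_for_controller_connections", True):
        findings.append(f"category {name}: clear Use For Controller Connections")
    probes = category.get("use_for_app_reachability_probes", True)
    if probes and referenced_as_l3_failure_path:
        findings.append(f"category {name}: clear Use For Application Reachability Probes")
    elif not probes and not referenced_as_l3_failure_path:
        findings.append(f"category {name}: reachability probes are off but the category is "
                        "not an L3 failure path, so layer 7 failures on it go unnoticed")
    if category.get("keepalive_interval_ms") != KEEPALIVE_MS:
        findings.append(f"category {name}: set Keep-Alive Interval to {KEEPALIVE_MS} ms")
    return findings


# Constructed sample data: a circuit that still monitors and probes over the metered link,
# beside one tuned as STEP 1 describes, and a category tuned as STEP 2 describes.
UNTUNED_CIRCUIT = {"name": "lte-1", "bw_monitoring": True, "lq_monitoring": True, "cost": 64,
                   "controller_connections": True, "app_reachability_probes": True}
TUNED_CIRCUIT = {"name": "lte-1", "bw_monitoring": False, "lq_monitoring": False, "cost": 129,
                 "controller_connections": False, "app_reachability_probes": False,
                 "override_vpn_keepalive": True, "keepalive_interval_ms": KEEPALIVE_MS}
TUNED_CATEGORY = {"name": "Metered 3G/4G/LTE", "use_for_controller_connections": False,
                  "use_for_app_reachability_probes": False,
                  "keepalive_interval_ms": KEEPALIVE_MS}
```

Run the untuned circuit through audit_metered_circuit with two device versions to see the expectation change from a BFD mode to a keep-alive override; the audit_circuit_category warning for a tuned category that is not referenced as an L3 failure path is the configuration STEP 2 says not to create.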

Configure Default Path Policy Rule for IPv6


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Prisma SD-WAN supports a default path policy rule for IPv6 starting with Release 6.2.1. Create
a global prefix for IPv6 enterprise traffic and use it in the Path policy rule. Path Policy Rules use
network contexts, applications, destination zones, prefixes, ports, and protocols.
STEP 1 | Create a Global Prefix including for the IPv6 enterprise traffic.


STEP 2 | Create a path policy rule as shown in the images below.

1. On the Prefixes tab, select the Source Prefix and Destination Prefix as shown in the
image.

2. On the Paths tab, choose Active/Backup/L3 Failure Paths for the application from the
drop-down list as shown in the image.

For release 6.2.1, only Direct on Any Private or Prisma SD-WAN on Any Public
or Private paths are supported in Active Path. You cannot repeat a combination
of an overlay and a circuit category for a policy rule.

3. Lastly, the Summary tab should have all the IPv6 configurations as shown in the image.


STEP 3 | Create binding with the above created policy set:


Bind Path or QoS Stacks to Sites


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

In order for policy rules in Path or QoS stacks to be active, bind Path or QoS stacks to a site. You
can bind a single Path or QoS stack to a site at a time.
STEP 1 | Select Manage > Policies > Bindings.

STEP 2 | For a site, select a path policy set stack from the Path Policy Set Stack drop-down and select
a QoS policy set stack from the QoS Policy Set Stack drop-down and Save.
(Optional) You can assign a path policy set stack and a QoS policy set stack to multiple sites
at a time by selecting multiple sites, clicking Edit and assigning the path or QoS stacks to the
sites.


Custom Applications and System Application Overrides


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Applications are at the core of the Prisma SD-WAN solution. ION devices deployed in the
network actively analyze each application flow to ensure that policies for performance,
compliance, and security are maintained, and optimum network connections are used for each
flow.
The ION device uses application definitions and fingerprinting technologies for path selection,
QoS, and firewall policies. Prisma SD-WAN identifies each flow using various techniques such as
prefix, port, signature, and SaaS. It leverages this information to build a dynamic application map
cache, ensuring an optimal first packet match experience.
System applications are available by default, whereas you can configure custom applications
for your enterprise requirements. Prisma SD-WAN supports more than 4000 system or native
applications.
You can configure granular policy rules for cloud-based, encrypted, and custom applications to
the sub-application level without decrypting the application traffic or without maintaining long IP
address lists for cloud-based applications such as Google or Microsoft.
Starting with Release 6.0.1, Prisma SD-WAN supports unified App-IDs to provide application
detection services for Prisma SD-WAN and PANW applications. Click Manage > Resources >
Applications to view system applications from PANW and Prisma SD-WAN along with custom
applications in Prisma SD-WAN.
You can view the following types of applications:
• System (PANW)—Indicates system applications from PANW.
• System (CGX)—Indicates legacy system applications in Prisma SD-WAN.
• System (PANW, CGX)—Indicates applications common to PANW and Prisma SD-WAN.
• Custom—Indicates custom applications defined in Prisma SD-WAN.
Use the following links to configure custom applications and system application overrides.
• Configure Custom Applications
• Configure System Application Overrides

Configure Custom Applications


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license


Prisma SD-WAN Custom Applications are applications you wish to include in your system for
your enterprise. You may define custom applications based on either L3/L4 or L7 characteristics.

Layer 3/Layer 4 Applications


STEP 1 | Select Manage > Resources > Application.

STEP 2 | Click Add Application.

STEP 3 | Enter a Display Name.


A suggested application abbreviation displays in the Abbreviation field.

STEP 4 | Select Network (L3/L4) for Identification.

STEP 5 | For UDP Filter Rules, include a mandatory port number, an (optional) DSCP value between 0
to 63, and an (optional) prefix filter.
Layer 3 or Layer 4 applications require a port number and a prefix filter.

STEP 6 | For TCP Filter Rules, include the server port number, (optional) DSCP value between 0 to 63,
and (optional) server prefix filter. The list of decimal values for common DSCP names are:

Decimal Value   Hex Value   Meaning
0               0x00        Best effort (CS0 - Default)
8               0x08        CS1
10              0x0A        AF11
12              0x0C        AF12
14              0x0E        AF13
16              0x10        CS2
18              0x12        AF21
20              0x14        AF22
22              0x16        AF23
24              0x18        CS3
26              0x1A        AF31
28              0x1C        AF32
30              0x1E        AF33
32              0x20        CS4
34              0x22        AF41
36              0x24        AF42
38              0x26        AF43
40              0x28        CS5
46              0x2E        Expedited forwarding (EF)
48              0x30        CS6
56              0x38        CS7

Prefix filters with respective ports are required for a custom application. Although it is possible
to reuse prefix filters, the ports need to be unique for each custom application.
For prefix filters, define one or more IP addresses or subnets. IP addresses within a prefix are
defined by the subnet. For example, 10.1.1.0/24 defines the entire limit of 255 IP addresses in
that subnet.
For global prefix filters, enter an IP and subnet address and for local prefix filters, select a site
in addition to entering an IP and subnet address.
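The DSCP values and the custom-application constraints from STEP 5 through the prefix-filter notes above (a DSCP value of 0 to 63, a mandatory port, a required prefix filter, ports unique per custom application while prefix filters may be reused), as an added Python example that is not Prisma SD-WAN code. It maps the table's decimal values to their names and hex form, extracts DSCP from a TOS byte, and validates a list of L3/L4 custom-application definitions. The application names, ports and prefixes are constructed, the dictionary layout is invented for the example, and treating port uniqueness as per-protocol is an assumption.

```python
from ipaddress import ip_network

# Named DSCP code points (decimal); the hex and name columns of the table above follow from these.
DSCP_NAMES = {0: "CS0", 8: "CS1", 10: "AF11", 12: "AF12", 14: "AF13", 16: "CS2",
              18: "AF21", 20: "AF22", 22: "AF23", 24: "CS3", 26: "AF31", 28: "AF32",
              30: "AF33", 32: "CS4", 34: "AF41", 36: "AF42", 38: "AF43", 40: "CS5",
              46: "EF", 48: "CS6", 56: "CS7"}
DSCP_VALUES = {name: value for value, name in DSCP_NAMES.items()}
PORT_MIN, PORT_MAX = 1, 65535
MAX_PREFIXES = 8


def check_dscp(value):
    if not 0 <= value <= 63:
        raise ValueError("DSCP is a 6-bit field: 0-63")
    return value


def dscp_name(value):
    """PHB name for a decimal DSCP, or 'unnamed' for a valid code point without a name."""
    return DSCP_NAMES.get(check_dscp(value), "unnamed")


def dscp_hex(value):
    return f"0x{check_dscp(value):02X}"


def dscp_from_tos(tos_byte):
    """DSCP is the upper six bits of the IPv4 TOS / IPv6 traffic class byte; the low two are ECN."""
    return (tos_byte & 0xFF) >> 2


def validate_custom_apps(apps):
    """apps: [{"name": str, "rules": [{"proto": "tcp"|"udp", "port": int|None,
    "dscp": int|None, "prefixes": [cidr, ...]}]}]. Returns a list of error strings."""
    errors = []
    port_owner = {}   # (proto, port) -> app name; assumption: uniqueness is per protocol
    for app in apps:
        for rule in app["rules"]:
            port = rule.get("port")
            where = f"{app['name']} {rule['proto']}/{port}"
            if port is None or not PORT_MIN <= port <= PORT_MAX:
                errors.append(f"{where}: a port in {PORT_MIN}-{PORT_MAX} is mandatory")
            if rule.get("dscp") is not None and not 0 <= rule["dscp"] <= 63:
                errors.append(f"{where}: DSCP must be 0-63")
            prefixes = rule.get("prefixes") or []
            if not prefixes:
                errors.append(f"{where}: L3/L4 applications require a prefix filter")
            if len(prefixes) > MAX_PREFIXES:
                errors.append(f"{where}: at most {MAX_PREFIXES} prefixes per filter")
            for prefix in prefixes:
                try:
                    ip_network(prefix)   # strict by default: host bits set in a prefix are an error
                except ValueError:
                    errors.append(f"{where}: {prefix!r} is not a valid CIDR prefix")
            key = (rule["proto"], port)
            if key in port_owner and port_owner[key] != app["name"]:
                errors.append(f"{where}: port already used by custom application {port_owner[key]!r}")
            port_owner.setdefault(key, app["name"])
    return errors


# Constructed sample: a valid application, one with two defects, and one reusing a port.
SAMPLE_APPS = [
    {"name": "erp-db", "rules": [
        {"proto": "tcp", "port": 1521, "dscp": DSCP_VALUES["AF31"], "prefixes": ["10.1.1.0/24"]}]},
    {"name": "badge-readers", "rules": [
        {"proto": "udp", "port": 5150, "dscp": 70, "prefixes": []}]},
    {"name": "erp-db-copy", "rules": [
        {"proto": "tcp", "port": 1521, "dscp": None, "prefixes": ["10.1.1.0/24"]}]},
]
```

validate_custom_apps(SAMPLE_APPS) reports three problems: the out-of-range DSCP and the missing prefix filter on badge-readers, and the TCP port that erp-db-copy shares with erp-db; the reused prefix filter on erp-db-copy is not an error, matching the note above that prefix filters may be shared while ports may not.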

STEP 7 | For IP Rules, choose a protocol, and enter a DSCP marking and a destination prefix filter.
1. Select a protocol from the Protocol drop-down. For example, GRE, or ICMP.
2. (Optional) Enter a value in the range of 0 – 63 for DSCP.
3. Select a prefix filter from the Destination Prefix Filters drop-down.
Up to eight destination prefixes may be added. You may add a new prefix filter by
clicking Create New Filter, if a prefix filter is not already defined.
4. Select a prefix filter from the Source Prefix Filters drop-down.
Up to eight source prefixes may be added. You may add a new prefix filter by
clicking Create New Filter, if a prefix filter is not already defined.

STEP 8 | Select Apply.


The new custom application displays under Custom Applications.

Layer 7 Applications
STEP 1 | Select Manage > Resources > Application.

STEP 2 | Click Add Application.


A suggested application abbreviation displays in the Abbreviation field.

STEP 3 | Select Application L7 for Identification.


STEP 4 | For Domain, enter a domain name.

Domain names are case sensitive. Ensure that the domain name matches the name
displayed as per the Server Name Indication (SNI), so that Prisma SD-WAN detects the
application as an L7 custom application.

Layer 7 applications require a domain name or URL address. You may add up to 16 domain
names. You can accomplish a wildcard match by specifying the parent domain. For example, if
you have an application that leverages different sub-domains, a search for the parent domain
produces a result with all sub-domains.

STEP 5 | From the App Category drop-down, select a category.

STEP 6 | From the Transfer Type drop-down, select the transfer type: Transactional, Bulk,
Real-Time Audio, or Real-Time Video.
The order in which the queues are serviced within a priority level is Real-time audio, Real-time
video, Transactional, and Bulk. This selection directly impacts the queue in which the traffic is
placed within a priority tier (Platinum, Gold, Silver, or Bronze), as defined in a policy rule.

STEP 7 | Enter an Ingress Traffic Percentage.


Ingress traffic percentage is the amount of traffic in bytes for a given application received
by the ION device in the WAN-to-LAN direction compared to the overall traffic for that
application. This percentage determines the weight given to bandwidth capacity and utilization
when the system makes path-selection decisions. For example, 50% would provide equal
weight to both ingress and egress traffic.

STEP 8 | Enter Connection Idle Timeout in seconds.


The idle timeout is how long an application flow, and the resources allocated to it, is kept in
the system when no traffic is seen for that flow. After the specified timeout, the flow is
deleted from the system.

STEP 9 | Set Path Affinity to Strict or None.


• Strict—If a path selected for a client session is available within a policy, subsequent
application sessions from the same client for this application adhere to the originally-selected
path.
• None—The opposite of strict. Each subsequent client session is free to take any path
allowed by policy as long as that path is available within the service level agreement (SLA).

STEP 10 | Use the Unreachability Detection option to monitor applications for reachability.
Use application reachability to determine if an application is reachable on a given path. This
information is useful when making path selection decisions. If an application is considered
unreachable on a given path, then that path is not used. If all paths are marked unavailable,
then one of the active paths is selected as defined in the application path policy.
The ION device continuously monitors the communication between clients (on the LAN side)
and servers (on the WAN side). If the ION device determines that a server is not responding
to a client's messages on a given path, it triggers the application reachability feature. The
ION device actively probes the server on that path to ensure that the server is reachable and
responding.
The ION device monitors communication only for the TCP flows initiated from the LAN side of
the ION device. All TCP applications have unreachability detection enabled by default. When
configuring a custom application, this feature can be disabled optionally.

STEP 11 | Enable Network Scan App to designate custom applications as network scan applications.
This functionality is disabled by default. Enabling the attribute on an existing custom
application applies only to new flows that hit the application after the configuration is
made. Existing flows hitting the custom application do not inherit the configuration.

STEP 12 | Select Apply.


The new custom application displays under Custom Applications.

Configure System Application Overrides


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

System applications are applications that are defined, managed, and maintained by Prisma
SD-WAN. These applications are pre-loaded and continuously updated in your system. Prisma
SD-WAN allows users to customize system applications by configuring overrides. The values
defined will override the default values defined in the system. System application attributes
that you may customize include application category, ingress traffic, connection idle timeout,
transfer type, and path affinity. To configure system application overrides:
STEP 1 | Select Manage > Resources > Applications.

STEP 2 | Select a system application and from the ellipsis menu, select Add Override.

STEP 3 | (Optional) From the Category drop-down, select a category to override the existing category
for a given application.

STEP 4 | (Optional) From the Path Affinity drop-down, select Strict or None.
• Strict—If a path selected for a client session is available within policy, subsequent
application sessions from the same client for this application will adhere to the
originally-selected path.
• None—The opposite of strict. Each subsequent client session will be free to take any path
allowed by policy as long as that path is available within the service level agreement (SLA).

STEP 5 | (Optional) From the Transfer Type drop-down, select the transfer type: Transactional,
Bulk, Real-Time Audio, or Real-Time Video.

STEP 6 | Select Use Parent App Network Policy, where child applications use the network policies of
their parent applications.
This functionality is disabled by default and is currently available only for Google applications.


STEP 7 | (Optional) Enter a percentage value for Ingress Traffic Capacity.


This value indicates application traffic characteristics with respect to ingress. If an application
takes longer to download, configure a higher value for ingress traffic percentage.

STEP 8 | (Optional) Enter a value in seconds for Connection Idle Timeout.


The new value will be applicable for new flows, while existing flows will continue to use the old
timeout value. If the ION device does not see a flow termination sequence for a given flow and
there is no activity on the flow, then the ION device will delete its internal flow state after the
configured idle timeout.

STEP 9 | Select Unreachability Detection to monitor applications for reachability.


Application reachability is used to determine if a given application is reachable on a given
path. This information is useful when making path selection decisions. If an application is
unreachable on a given path, then that path is not used. If all paths are marked unreachable,
then one of the active paths, as defined in application path policy is selected.
The ION device continuously monitors communication between clients (on the LAN side)
and servers (on the WAN side). If the ION device determines that a server is not responding
to a client's messages on a given path, it triggers the application reachability feature. The
ION device actively probes the server on that path to ensure that the server is reachable and
responding.
The ION device monitors communication only for the TCP flows initiated from the LAN side
of the ION device. All TCP applications have the unreachability detection feature enabled by
default. When adding a system application override, this feature can be disabled optionally. If
no value is selected for this field, then the unreachability detection feature remains enabled for
this application.

STEP 10 | Save & Exit.


Service and Data Center Groups


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Palo Alto Networks maps third-party services and data centers to allow flexibility when creating
network policy rules that account for uniqueness across sites. For example, you may create a
single network policy that directs all HTTP and SSL internet-bound traffic through the primary
cloud security service in the region, if available. If the primary cloud service is not available,
you may leverage the backup cloud security service in the region. You may have different primary
and backup cloud security service endpoints based on your geographic location. The intent and
the policy rules remain the same regardless of the site location.
The illustration below displays how endpoints, added to a group, are associated with a domain.

The domains are bound to a site, thus uniquely mapping third-party services or data centers to
each site. You can map a group, with different endpoints, to one or more domains and map a
domain to one or more sites.
A site can use only the endpoints configured in a group within a domain that is assigned to the
site. The same group, however, can be in multiple domains with different service endpoints, which
allows you to use the same policy across different sites utilizing different endpoints.

Add a Standard VPN Endpoint


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

A service endpoint is a label representing a specific location or network service. An endpoint
can be a Prisma SD-WAN data center used for transit services, or a third-party data center.
STEP 1 | Select Manage > Resources > Service & DC Groups.

STEP 2 | Select Manage Endpoints to add an endpoint.


STEP 3 | Select Standard VPN from the drop-down and click Add Endpoint.
All Palo Alto Networks data center sites are automatically added when Admin Up is selected,
which means that they can accept traffic per network policy. These endpoints cannot be
deleted from the list. You can clear the Admin Up selection to remove the endpoints from
consideration when the system performs path selection per the defined network policy rules.

STEP 4 | Enter a Name, and optionally, a Description for the service endpoint.

STEP 5 | Select Admin Up to bring it up.


If you do not select Admin Up, the endpoint is not used in path selection for forwarding traffic.

STEP 6 | (Optional) Select Allow Enterprise Traffic to explicitly allow enterprise traffic to transit
through the Cloud Security Service.

STEP 7 | (Optional) Enter Address of the endpoint location.

STEP 8 | (Optional) Add values for IPs & Hostnames, and select Disable Tunnel Reoptimization
to prevent the tunnel from being re-optimized when latency changes.

When multiple IP addresses or URLs are configured under a Standard VPN endpoint,
the ION device probes each endpoint IP address (resolving the URLs, if configured)
to determine the lowest-latency endpoint. After the lowest-latency endpoint is
determined, the ION device builds the Standard VPN tunnel to that IP address. If the
configured liveliness check fails, it uses the next lowest-latency endpoint IP
address in the list. Additionally, the ION device tracks the current latency to each
endpoint IP address, and if there is a significant change in the latency to the closest
endpoint compared to the current endpoint, the tunnel is moved.

STEP 9 | (Optional) Enter Liveliness Probe information for liveliness probing.


For ICMP PING, enter values for probing interval, failure count, and IP address. For HTTP,
enter values for probing interval, failure count, HTTP status codes, and URL.

STEP 10 | Save & Exit the endpoints dialog.


After adding the endpoints, proceed to add groups and add domains.

Add Groups
Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

A service group is a set of common service endpoint types. The service group label is used in
network policy rules to allow or force traffic to the defined service endpoint(s). A group can
hold Palo Alto Networks endpoints or standard VPN endpoints, and can contain multiple service
endpoints. You add endpoints to groups, and groups are used to map endpoints to specific
domains.
STEP 1 | Select Manage > Resources > Service & DC Groups.


STEP 2 | Click Add Group and select Standard VPN.

STEP 3 | Enter a Name for this group.


This group name will be referenced in the network policy rules.

Add Domains
Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

A domain is a collection of groups which can be assigned to a set of sites. There can be multiple
domains defined, but a site can only be assigned to one domain at a time.
STEP 1 | Select Manage > Resources > Service & DC Groups > Add Domain.

STEP 2 | Add a Domain Name in the popup, and select Done.

STEP 3 | Map the service endpoints to the appropriate groups under each domain and select Done.
If more than one endpoint is part of a group, the endpoints are considered equal in network
policy path selection.
Proceed to bind domain to sites.

Bind Domain to Sites


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

When you bind or map a domain to a site, it enables you to access all the endpoints within groups
or domains. Different domains can be mapped to different sites, but only one domain may be
mapped per site.
STEP 1 | Navigate to Manage > Resources > Service & DC Groups.

STEP 2 | Select Sites.

STEP 3 | Select the appropriate domain from the drop-down next to each site.
Select Edit All to bulk edit all sites.

STEP 4 | Save to update the mapping.


Use Prisma SD-WAN Data Center Endpoints


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

All Prisma SD-WAN data center sites can be configured as endpoints. You cannot delete the
endpoints after you configure them. However, you can clear the Admin Up option, which
removes the endpoints from consideration when the system performs path selection as per the
network policy rules.
STEP 1 | Select Manage > Resources > Service & DC Groups > Add Group.

STEP 2 | Click Add Group and select Prisma SD-WAN.

STEP 3 | Enter a name for the group.

STEP 4 | Map the data center endpoint to the appropriate group under each domain.

STEP 5 | Save the mappings.


The endpoints are added to groups and these groups can be used in policy paths.

Use Service Endpoint Groups in Policies


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

You must define service endpoint groups before using a standard VPN in a policy rule. Each group
can have one or more Prisma SD-WAN data centers or standard service endpoints. A group is
used in policy rules. You must bind domains to sites to define the mappings of endpoints to
groups. This ensures that the policy rules using the group are effective.
If you choose standard VPN as a path to allow traffic to transit through a standard endpoint, you
must have a standard service and DC group defined with the appropriate endpoints associated.
There are four combinations of active and backup groups that can be used in policies. You can
select only one Palo Alto Networks group or one non-Palo Alto Networks group as an active or
backup path in policies. The following table explains the combinations of active and backup
groups in policies.

Active Group: Standard. Backup Group: Palo Alto Networks.
Example: Internet-bound SSL traffic from a branch site transits through the Cloud Security
Service. If all standard VPN paths to any of the endpoints are not available, internet-bound
SSL traffic transits through one of the Prisma SD-WAN data center endpoints assigned to that
group using the Palo Alto Networks VPN.

Active Group: Palo Alto Networks. Backup Group: Standard.
Example: Internet-bound SSL traffic from a branch site transits through one of the Prisma
SD-WAN data center endpoints assigned to that group using the Palo Alto Networks VPNs. If all
Palo Alto Networks VPNs to all of the data center endpoints in that group are unavailable,
internet-bound SSL traffic transits through the Cloud Security Service using one of the
standard VPN paths to any of the endpoints in the standard group.

Active Group: Standard. Backup Group: Standard.
Example: Internet-bound SSL traffic from a branch site transits through the primary Cloud
Security Service using one of the standard VPN paths to any of the endpoints in the primary
Cloud Security Service group. If all standard VPNs are down to all endpoints in the primary
group, the internet-bound SSL traffic transits through the backup Cloud Security Service using
one of the standard VPN paths to the endpoints that are part of the backup group.

Active Group: Palo Alto Networks. Backup Group: Palo Alto Networks.
Example: Internet-bound SSL traffic from a branch site transits through one of the Prisma
SD-WAN data center endpoints assigned to the active group using the Palo Alto Networks VPNs.
If all Palo Alto Networks VPNs to all of those endpoints are down, internet-bound SSL traffic
transits through one of the Prisma SD-WAN data center endpoints assigned to the backup group
using the Palo Alto Networks VPNs.


Configure Network Contexts


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

A network context segments network traffic for the purpose of applying different network policy
rules to the same application. A rule with a network context always takes precedence over a rule
without a network context. You may create one or more network contexts, but an individual LAN
network can belong to only one network context.
STEP 1 | Navigate to Manage > Resources > Network Contexts.

STEP 2 | Select Add to add the network context.

STEP 3 | Enter a Name and Description.

STEP 4 | Save to add the network context.

Attach Network Contexts to LANs


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

You must attach the network contexts to the appropriate LAN segments to be effective.
STEP 1 | Select Workflows > Devices > Claimed Devices, select a device and click Configure the
device.

STEP 2 | Select the Interfaces tab and select a bypass pair.

STEP 3 | Disable L3 forwarding and WAN forwarding.

STEP 4 | On Main Configurations, select Private L2 from the Use These Ports For drop-down.

STEP 5 | Enter a VLAN number between 1 and 4094 for the attached networks.


STEP 6 | Enter the IP address for the router.

STEP 7 | (Optional) Select a network context from the Network Context drop-down.

STEP 8 | Select the Scope of the network context—Global or Local.

STEP 9 | Create the network context.


Configure Circuit Capacities


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Configure circuit capacities to allocate or modify the percentage of bandwidth configured for
each priority and application traffic type. Priority, categorized as platinum, gold, silver, and
bronze, determines application priority in times of congestion. Application traffic types are
audio, video, transactional, and bulk. You can configure up to four bandwidth allocation schemes
and three breakpoints in a given QoS policy set, with bandwidth allocated per priority and
traffic type within each scheme. Depending on the link capacity in use, the corresponding
bandwidth allocation scheme is applied. By default, a QoS policy set has no breakpoints.
The following diagram illustrates the bandwidth allocation schemes for different breakpoints.

STEP 1 | Select Manage > Policies > QoS > QoS Stacks > Advanced > QoS Sets.

STEP 2 | For a QoS Set, click the ellipsis menu, and select Edit Circuit Capacity.

If no breakpoints are configured, the default breakpoint displays with the default
bandwidth allocation per priority and application traffic type.

STEP 3 | Select Add Breakpoint to add a breakpoint.

STEP 4 | Enter a value in Mbps for the breakpoint and click OK.

STEP 5 | Save & Exit.


• A breakpoint splits a bandwidth allocation. If breakpoints for 2500 Mbps and 5000 Mbps
are added, the bandwidth allocation schemes created are 0 to 2500 Mbps and 2500.01 to
5000 Mbps, and the final scheme adjusts automatically to 5000.01 to 10,000 Mbps.
• When a breakpoint is created within an existing bandwidth allocation scheme, the values
for priority and traffic type from the existing scheme are copied over to the newly-created
scheme. For example, when a breakpoint is added for 2500 Mbps, the values from 0 to
5000 Mbps are copied over to the newly-created 0 to 2500 Mbps scheme.
• If the breakpoint for 2500 Mbps is deleted, the bandwidth allocation scheme adjusts
automatically to 0 to 5000 Mbps, and the bandwidth allocation defined for 2500.01 to
5000 Mbps is applied to the entire range of 0 to 5000 Mbps.
After the breakpoints are created, proceed to customizing the individual priorities and
application traffic types.

STEP 6 | Change the percentage of bandwidth allocation per priority and application traffic type.
The sum of all allocations should add up to 100%.

STEP 7 | Save & Exit.
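The breakpoint behaviour described above (scheme ranges, copy-on-split, merge-on-delete, and the 100% check) as runnable Python; this is an added example written for this page, not Prisma SD-WAN code, and the 10,000 Mbps ceiling and the evenly spread starting scheme are assumptions taken from the page's own example.

```python
"""Bandwidth allocation schemes split by breakpoints, as described for
Prisma SD-WAN QoS sets.  Added illustration, not Prisma SD-WAN code."""
from dataclasses import dataclass, field

PRIORITIES = ("platinum", "gold", "silver", "bronze")
TRAFFIC_TYPES = ("audio", "video", "transactional", "bulk")
MAX_CAPACITY_MBPS = 10_000.0  # assumed upper bound, taken from the page's example


def default_allocation() -> dict:
    """Constructed sample scheme: 100% spread evenly over the 16 queues."""
    return {(p, t): 6.25 for p in PRIORITIES for t in TRAFFIC_TYPES}


def allocation_errors(alloc: dict) -> list:
    """Check the page's rule that all allocations add up to 100%."""
    errs = []
    for key, pct in alloc.items():
        if key[0] not in PRIORITIES or key[1] not in TRAFFIC_TYPES:
            errs.append(f"unknown queue {key}")
        if pct < 0:
            errs.append(f"negative allocation for {key}")
    total = sum(alloc.values())
    if abs(total - 100.0) > 1e-6:
        errs.append(f"allocations sum to {total}%, expected 100%")
    return errs


@dataclass
class QosSet:
    """breakpoints[i] closes the range covered by schemes[i];
    schemes[-1] covers everything up to MAX_CAPACITY_MBPS."""
    breakpoints: list = field(default_factory=list)
    schemes: list = field(default_factory=lambda: [default_allocation()])

    def ranges(self) -> list:
        """(low, high) in Mbps per scheme, e.g. (0, 2500), (2500.01, 5000)."""
        out, low = [], 0.0
        for bp in self.breakpoints + [MAX_CAPACITY_MBPS]:
            out.append((low, float(bp)))
            low = round(bp + 0.01, 2)
        return out

    def add_breakpoint(self, mbps: float) -> None:
        """Split the scheme whose range contains `mbps`; the new lower
        scheme starts as a copy of the scheme it was split from."""
        if not 0 < mbps < MAX_CAPACITY_MBPS or mbps in self.breakpoints:
            raise ValueError("breakpoint must be unique and within (0, max capacity)")
        idx = sum(1 for bp in self.breakpoints if bp < mbps)
        self.breakpoints.insert(idx, mbps)
        self.schemes.insert(idx, dict(self.schemes[idx]))

    def delete_breakpoint(self, mbps: float) -> None:
        """Merge the range below the breakpoint into the one above it; the
        upper scheme's allocation now applies to the whole merged range."""
        idx = self.breakpoints.index(mbps)
        del self.breakpoints[idx]
        del self.schemes[idx]

    def set_allocation(self, scheme_index: int, alloc: dict) -> None:
        """Replace one scheme, refusing allocations that do not sum to 100%."""
        errs = allocation_errors(alloc)
        if errs:
            raise ValueError("; ".join(errs))
        self.schemes[scheme_index] = dict(alloc)

    def scheme_for(self, link_capacity_mbps: float) -> dict:
        """Pick the scheme whose range contains the circuit's link capacity."""
        if link_capacity_mbps < 0:
            raise ValueError("link capacity must be non-negative")
        for (_, high), scheme in zip(self.ranges(), self.schemes):
            if link_capacity_mbps <= high:
                return scheme
        raise ValueError("link capacity exceeds the maximum scheme range")

    def bandwidth_mbps(self, link_capacity_mbps: float) -> dict:
        """Absolute Mbps per queue for a circuit of the given capacity."""
        scheme = self.scheme_for(link_capacity_mbps)
        return {q: link_capacity_mbps * pct / 100.0 for q, pct in scheme.items()}


if __name__ == "__main__":
    qs = QosSet()
    qs.add_breakpoint(5000)
    qs.add_breakpoint(2500)
    print(qs.ranges())  # [(0.0, 2500.0), (2500.01, 5000.0), (5000.01, 10000.0)]
```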


Configure DSCP
Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Quality of Service (QoS) policies allow you to specify differentiated services code point (DSCP)
values, priority, and traffic type. You can define DSCP mapping in any policy set, but only the first
match is used for a decision. The order of DSCP mapping lookup is the same as a policy set order.
If an application traffic flow matches any two rules defined in the default rule policy set and
matches the DSCP value defined in DSCP mapping, the flow is placed in the priority queue and
transfer type specified in the DSCP map. The table below shows the mapping of DSCP values,
priority, and traffic type.

DSCP Values | Priority | Traffic Type
EF | Platinum | Audio
AF41, AF31 | Gold | Video
CS6 | Platinum | Transactional
AF21 | Silver | Transactional
AF11 | Bronze | Bulk

STEP 1 | Select Manage > Policies > QoS > QoS Stacks > Advanced > QoS Set.

STEP 2 | For a QoS Set, click the ellipsis menu.

STEP 3 | Select DSCP Configuration.

STEP 4 | On the DSCP Mappings screen, enter DSCP Hex values.


You can select up to 16 DSCP values from the available list.

STEP 5 | Select a Priority and the type of traffic from the Transfer Type drop-down.

STEP 6 | (Optional) Click Add Configuration to define additional DSCP configurations, if required.

STEP 7 | Save & Exit.
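First-match DSCP lookup across ordered policy sets, as an added Python example that is not Prisma SD-WAN code; the policy set is constructed from the table above, the code-point numbers are the standard RFC 2474/2597/3246 values (entered as hex on the DSCP Mappings screen), and the within-tier queue order comes from the custom-application Transfer Type step earlier on this page.

```python
"""First-match DSCP classification across ordered QoS policy sets.
Added illustration for this page, not Prisma SD-WAN code."""
from dataclasses import dataclass

# Standard DSCP code points (6-bit values) for the names used on this page.
DSCP_CODEPOINTS = {"EF": 46, "CS6": 48, "AF41": 34, "AF31": 26, "AF21": 18, "AF11": 10}
PRIORITY_ORDER = ("platinum", "gold", "silver", "bronze")
# Queues within one priority tier are serviced in this order (from the
# custom-application Transfer Type step on this page).
TRANSFER_TYPE_ORDER = ("audio", "video", "transactional", "bulk")
MAX_DSCP_PER_MAPPING = 16  # the page's per-mapping limit


def parse_dscp(value) -> int:
    """Accept a code-point name ('AF41'), a hex string ('0x22' or '22'), or an int."""
    if isinstance(value, int):
        dscp = value
    elif str(value).upper() in DSCP_CODEPOINTS:
        dscp = DSCP_CODEPOINTS[str(value).upper()]
    else:
        dscp = int(str(value), 16)  # hex, as entered on the DSCP Mappings screen
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP value out of range: {value!r}")
    return dscp


@dataclass(frozen=True)
class DscpMapping:
    dscp_values: frozenset
    priority: str
    transfer_type: str

    def __post_init__(self):
        if not 0 < len(self.dscp_values) <= MAX_DSCP_PER_MAPPING:
            raise ValueError(f"a mapping takes 1 to {MAX_DSCP_PER_MAPPING} DSCP values")
        if self.priority not in PRIORITY_ORDER or self.transfer_type not in TRANSFER_TYPE_ORDER:
            raise ValueError("unknown priority or transfer type")


def mapping(values, priority: str, transfer_type: str) -> DscpMapping:
    """Build one DSCP configuration row as entered in the UI."""
    return DscpMapping(frozenset(parse_dscp(v) for v in values),
                       priority.lower(), transfer_type.lower())


def dscp_from_tos(tos_byte: int) -> int:
    """DSCP is the upper 6 bits of the IPv4 TOS / IPv6 Traffic Class byte."""
    return (tos_byte & 0xFF) >> 2


def classify(policy_sets, dscp: int):
    """Walk policy sets in stack order; the first mapping containing `dscp`
    wins.  Returns (mapping, policy_set_index) or None when nothing matches."""
    for set_index, mappings in enumerate(policy_sets):
        for m in mappings:
            if dscp in m.dscp_values:
                return m, set_index
    return None


def queue_rank(priority: str, transfer_type: str) -> tuple:
    """Service-order key for a queue: a lower tuple is serviced first."""
    return (PRIORITY_ORDER.index(priority), TRANSFER_TYPE_ORDER.index(transfer_type))


# Constructed from the page's table: one policy set in the stack.
PAGE_TABLE_SET = [
    mapping(["EF"], "Platinum", "Audio"),
    mapping(["AF41", "AF31"], "Gold", "Video"),
    mapping(["CS6"], "Platinum", "Transactional"),
    mapping(["AF21"], "Silver", "Transactional"),
    mapping(["AF11"], "Bronze", "Bulk"),
]
```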


Prefixes
Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

A prefix is a group of one or more individual IP addresses or IP address subnets. Prefixes are used
with Path Set Policies and Priority Policies. They can be either global or local in scope.
• Global prefixes are used when traffic of interest across all sites in a network can be identified
with the same set of prefixes. For example, facilities infrastructure or print services for an
enterprise.
• Local prefixes are used when specific prefix values change by branch location. Use of local
prefixes can simplify creation and administration of rules. For example, a subset of IP addresses
within a subnet.
Prefixes configured under path are only applicable for Path Policy Sets and prefixes configured
under QoS are only applicable for QoS Policy Sets.

Configure Global Prefixes


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

STEP 1 | Select Manage > Policies > Path > Path Prefixes.
Alternatively, select QoS and then QoS Prefixes.

STEP 2 | Click Create Global Prefix.

STEP 3 | On the Add Path Global Prefix screen, enter a Name and optionally a Description for the
prefix.

STEP 4 | Enter IP Prefixes.


IP addresses within a prefix are defined by the subnet. For example, 10.1.1.0/24 defines the
entire range of 255 IP addresses in that subnet.
The following IPv6 addressing formats are supported:
• Eight groups of four hexadecimal digits: xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx
• Leading zeros suppressed within each 16-bit field
• Two colons (::) representing the longest sequence of consecutive all-zero fields

STEP 5 | Add IP Prefix to add more than one IP prefix.

STEP 6 | Select Path for Create For Policy Types.


STEP 7 | Click Create.

Configure Local Prefixes


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

STEP 1 | Select Manage > Policies > Path > Path Prefixes.
Alternatively, select QoS and then QoS Prefixes.

STEP 2 | Select Local and click Create Local Prefix.

STEP 3 | On the Add Path Local Prefix screen, enter a Name and optionally a Description and Tags
for searching.

STEP 4 | Select Path for Create For Policy Types.

STEP 5 | Click Save.


Configure Syslog Profiles


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Prisma SD-WAN allows you to use the same syslog profile configuration across multiple devices.
Create a Syslog Profile from the Prisma SD-WAN web interface to forward Log Collector logs as
syslog messages to a syslog server. The ION device supports the RFC 5424 syslog format for all
protocols.
The syslog message is structured as follows:
• Syslog message format

ION_HOST="hostname" DEVICE_TIME="timestamp" MSG="pam-session-opened by (uid=0)"
SEVERITY="minor" PROCESS_NAME="sshd" FACILITY="authpriv" USER="elem-admin" ELEMENT_ID="id"

STEP 1 | Select Manage > Resources > Configuration Profiles and click Syslog.


STEP 2 | To add a Syslog profile, click Create Syslog Profile.


1. Enter a Name for the Syslog profile.
This is a mandatory field.
2. (Optional) Enter a Description for the Syslog profile.
3. (Optional) Enter Tags to enhance the search mechanism while querying common
attributes.
Tags are used for reporting purposes and can help search for Syslog profiles with specific
common attributes. For example, you can use the UDP_EXPORTER tag to search for
Syslog profiles using UDP Protocol.
4. Select Enable Flow Logging to export flow logs to the Syslog profile.
5. Select the Severity Level: Critical, Major, or Minor.
When a severity level is set for a device, logs and events at the selected severity level
and higher are exported to the Syslog profile.
6. Select TCP, UDP, or TLS for the Protocol field.
The default protocol is UDP.
If you select TLS as the protocol type, use the Import Certificate option to specify the
certificate file.
Click View Certificate to view the selected certificate and Clear to remove the
certificate.

• The syslog connection fails if a self-signed certificate is uploaded.
• If Server FQDN is selected, the FQDN must match the subject alternative name (SAN) in
the peer certificate.
• Prisma SD-WAN supports only TLS version 1.2.
7. If you select Server IP, enter the Syslog Server IP address. Or, if you choose Server
FQDN (fully qualified domain name), enter the Syslog Server FQDN domain name.
This field is mandatory. You must provide either a Server IP address or a Server FQDN
address.
8. Enter the Syslog Server port number in the Server Port field.
The default port is 514 for TCP or UDP and 6514 for TLS.


9. Click Save to save the Syslog profile configuration.

STEP 3 | To edit an existing syslog profile, click the ellipsis menu and select Edit.

• To clone the existing syslog profile, click Clone to add a new cloned syslog profile.
• To delete a syslog profile, click Delete.


STEP 4 | Click Save to save the Syslog profile configuration.
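A parser for the KEY="value" message layout shown at the start of this section, plus the severity threshold and the protocol, port and TLS certificate rules from the profile steps above, as an added Python example that is not Prisma SD-WAN code; the sample records, the ELEMENT_ID and timestamp values, and the certificate-as-dict shape (a "san" list) are constructed assumptions.

```python
"""Parse ION syslog records in the KEY="value" layout shown on this page and
apply a Syslog profile's export rules.  Added illustration, not Prisma SD-WAN code."""
import re

# Severity levels selectable in a Syslog profile, highest first.  A profile
# set to a level exports that level and everything above it.
SEVERITY_ORDER = ("critical", "major", "minor")
DEFAULT_PORTS = {"udp": 514, "tcp": 514, "tls": 6514}  # defaults stated on the page

# One KEY="value" pair.  Backslash escapes inside the value are tolerated;
# that is an assumption, the page shows no escaping rules.
_PAIR_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_record(line: str) -> dict:
    """Turn one ION_HOST="..." DEVICE_TIME="..." ... line into a dict."""
    pairs = _PAIR_RE.findall(line)
    if not pairs:
        raise ValueError(f"not an ION key/value record: {line!r}")
    return {k: v.replace('\\"', '"') for k, v in pairs}


def severity_rank(sev: str) -> int:
    """0 for critical, 1 for major, 2 for minor; lower is more severe."""
    s = sev.lower()
    if s not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity {sev!r}")
    return SEVERITY_ORDER.index(s)


def should_export(record: dict, profile_severity: str) -> bool:
    """True when the record's SEVERITY is at or above the profile threshold."""
    return severity_rank(record["SEVERITY"]) <= severity_rank(profile_severity)


def export_filter(lines, profile_severity: str) -> list:
    """Parse every line and keep the records the profile would forward."""
    return [rec for rec in map(parse_record, lines) if should_export(rec, profile_severity)]


def effective_port(protocol: str, configured=None) -> int:
    """Configured Server Port, else 514 for TCP/UDP and 6514 for TLS."""
    proto = protocol.lower()
    if proto not in DEFAULT_PORTS:
        raise ValueError(f"unsupported protocol {protocol!r}")
    return configured if configured is not None else DEFAULT_PORTS[proto]


def profile_errors(protocol: str, server_ip=None, server_fqdn=None,
                   certificate=None, cert_self_signed=False) -> list:
    """Check a Syslog profile against the constraints the page states.
    `certificate` is a constructed dict with a 'san' list (assumption)."""
    errs = []
    if not (server_ip or server_fqdn):
        errs.append("either Server IP or Server FQDN is mandatory")
    if protocol.lower() == "tls":
        if certificate is None:
            errs.append("TLS requires an imported certificate")
        elif cert_self_signed:
            errs.append("self-signed certificates cause the syslog connection to fail")
        if server_fqdn and certificate and server_fqdn not in certificate.get("san", []):
            errs.append("Server FQDN must match a subject alternative name in the peer certificate")
    return errs


# Constructed sample records in the page's layout.
SAMPLE_LINES = [
    'ION_HOST="branch-ion-1" DEVICE_TIME="2024-01-01T10:00:00Z" '
    'MSG="pam-session-opened by (uid=0)" SEVERITY="minor" PROCESS_NAME="sshd" '
    'FACILITY="authpriv" USER="elem-admin" ELEMENT_ID="elem-0001"',
    'ION_HOST="branch-ion-1" DEVICE_TIME="2024-01-01T10:05:00Z" '
    'MSG="interface 1 link down" SEVERITY="major" PROCESS_NAME="netd" '
    'FACILITY="daemon" USER="" ELEMENT_ID="elem-0001"',
    'ION_HOST="branch-ion-2" DEVICE_TIME="2024-01-01T10:06:00Z" '
    'MSG="vpn tunnel to dc down" SEVERITY="critical" PROCESS_NAME="vpnd" '
    'FACILITY="daemon" USER="" ELEMENT_ID="elem-0002"',
]

if __name__ == "__main__":
    for rec in export_filter(SAMPLE_LINES, "Major"):
        print(rec["DEVICE_TIME"], rec["SEVERITY"], rec["MSG"])
```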

Prisma SD-WAN Stacked Security Policies
Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Prisma SD-WAN supports stacked security policies to translate business security intent and
requirements into configurable security policy rules that determine connectivity and secure
access. Stacked security policies use security policy set stacks, security policy sets, and security
policy rules to control access to applications. The stacked security policy constructs include
applications, prefix filters, zones, security policy sets, security policy rules, and actions. The
information specified for these constructs defines the security policy you want to implement.
• Add a Security Policy Stack
• Add Stacked Security Policy Sets
• Add Stacked Security Policy Rules
• Attach Security Stacks to Sites


Add a Security Policy Stack


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

You can create a simple security policy stack or an advanced security policy stack.
A simple security policy stack has only one security policy set. The security policy set has the
same name as the security policy stack. You can add security policy rules directly to a simple
security policy set stack. This simplifies the management of security policy stacks if you do not
need to leverage the stacking capabilities.
An advanced security policy stack can accommodate a maximum of four policy sets and one
default rule policy set. The policy sets in a security policy stack are ordered from left to right, with
the left-most policy set designated as the highest priority. A site will evaluate policy sets within a
stack based on the order of the policy sets.

Add a simple security policy stack.


1. Select Manage > Policies > Security > Security Stacks > Simple > Add Stack.
2. On the Add Security Stack screen, enter a Name for the stack, and an optional
description and tags.
3. (Optional) Select the Clone From Simple Security Stack check box to clone a stack and
select a stack to clone from the Choose a Simple Security Stack.
4. Save your changes.

Add an advanced security policy stack.


1. Select Manage > Policies > Security > Security Stacks > Advanced > Add Stack.
2. On the newly added row in the Name column, click the ellipsis menu for the stack and
select Edit Policy Set Stack Info.
3. Enter a Name for the stack, and optionally enter description and tags and Save.


Add Stacked Security Policy Sets


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Stacked security policy sets contain policy rules and are a part of Security Policy Set Stacks. A
simple security policy stack contains a single security policy set. An advanced security policy stack
contains multiple, ordered security policy sets.
There are two types of policy sets—Normal Policy Set and Default Policy Set. The Default Policy
Set has only the implicit policy rules, that is, Intra-Zone, Self-Zone, and Catch-All Deny. The
Normal Policy Set does not have any implicit policy rules (Intra-Zone, Self-Zone, or Catch-All
Deny).

You can create Security Policy Sets only through the Advanced view on the Security
screen.

STEP 1 | Select Manage > Policies > Security > Security Stacks > Advanced > Security Sets > Add
Set.

STEP 2 | On the Add Security Policy Set screen, enter a Name for the Security policy set, and enter an
optional description and tags.

STEP 3 | (Optional) Select the Clone From a Policy Set check box to clone a policy set and select a
policy set to clone from the Choose a Policy Set.

STEP 4 | (Optional) Select the Clone From an Original Policy Set check box to clone a policy set
created under Security Policies (Original) and select a policy set to clone from the Choose an
Original Policy Set.

STEP 5 | Click Done to submit your changes.


Add a Stacked Security Policy Rule


Where Can I Use This? Prisma SD-WAN
What Do I Need? Active Prisma SD-WAN license

Each security policy set is a collection of security policy rules. A security policy set has default
security policy rules which cannot be changed, removed, or deleted. You can create custom
security policy rules that take precedence over the default security policy rules. You can directly
add policy rules to a simple security stack by clicking the simple security stack and then clicking
Add Rule. For advanced stacks, select a stack, then a policy set within the stack, and then add
policy rules to the policy set.


Add a security policy rule to a simple security stack.


1. Select Manage > Policies > Security > Security Stacks > Simple > Select a Stack > Add
Rule.
2. Select an action for the rule.
Configure general allow or deny rules first, then add more specific access and deny
rules and have them listed in higher priority order so that they are evaluated before the
broader rules.
On the Info tab:
• Enter a Name for the policy rule, and optionally enter description and tags.
• Enter an order between 1-65535 for the policy rule.
An order of 1 indicates the highest priority for the policy rule. If you leave this field
blank, the rule is given the least priority.
• (Optional) Select Disable Rule if you do not want the ION device to consider this rule.
• Select the action to take for traffic matching this rule: Allow, Deny, or Reject.
The default action is Allow.
• Allow—The ION device forwards traffic that matches the parameters specified in
the rule.
• Deny—The ION device silently drops matching traffic, without sending a TCP RESET
or an ICMP HOST UNREACHABLE message to the client or server.
• Reject—The ION device drops matching traffic and sends a TCP RESET to both the
client and the server, so both endpoints learn immediately that the connection is closed.
3. (Optional) Configure services for the rule.
Add protocols, source ports, and destination ports to make the policy rule more specific.
On the Services tab:
• (Optional) Click Add Service to add protocols, source ports, and/or destination ports.
• (Optional) Select a protocol from the Protocol drop-down.
• (Optional) Enter one or more Source Port Ranges between 1 and 65535. Click Add Port
Range for additional port ranges. You can add a maximum of 16 source port ranges.
• (Optional) Enter one or more Destination Port Ranges between 1 and 65535. Click Add
Port Range for additional port ranges. You can add a maximum of 16 destination port
ranges.
4. (Optional) Add zones and prefixes.
While creating security policy rules, specify the source and destination zones to which
the rule applies; each security rule needs one or more source zones and one or more
destination zones. The source zone identifies the network from which traffic originates,
and the destination zone identifies the network to which the traffic is destined.
Prefixes restrict access within a branch and filter traffic to specific IP addresses
within the selected source and destination zones.

Configure security zones and security prefixes before using them in security
policy rules.

On the Zones & Prefixes tab:


• (Optional) Select a source Zone and Prefix.
• (Optional) Select a destination Zone and Prefix.
5. (Optional) Add applications.
Applications are the core element of the security solution for controlling network traffic
and implementing security policies. You can use the same application definitions and
fingerprinting technologies for security policies, path selection for network policies, and
for Quality of Service (QoS) implementation in QoS policies.
On the Applications tab:
• Select the applications to apply the policy rule.
You can select up to 16 applications for one policy rule.
You can filter applications based on:
• For sites 6.0.1 or above—Select this option to view system applications from PANW,
applications common to PANW and Prisma SD-WAN, and custom applications
defined in Prisma SD-WAN.
• For sites below 6.0.1—Select this option to view legacy system applications in
Prisma SD-WAN, applications common to PANW and Prisma SD-WAN, and custom
applications defined in Prisma SD-WAN.
• For any site—Use this option to view applications common to PANW and Prisma SD-
WAN along with custom applications defined in Prisma SD-WAN.
(Optional) You can check the type of application - System (PANW, CGX), System (CGX),
or Custom by selecting the application first and then using the filters to view the type of
application.

Add a security policy rule to an advanced security stack.


1. Select Manage > Policies > Security > Security Stacks > Advanced > Security Sets >
Select a Security Set > Add Rule.
2. Follow the steps above for adding a security policy rule to a simple security stack.
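The evaluation order described above (explicit order 1-65535 with 1 highest, blank order last, narrower rules placed ahead of broader ones) and the implicit rules of the Default Policy Set can be reasoned about with a small simulator. The following is an added example written for this guide, not Prisma SD-WAN code: the Flow and Rule classes, the first-match semantics, the behaviour of the implicit Intra-Zone and Self-Zone rules (allow) and Catch-All Deny (drop), the reserved "self" zone name, and the sample policy are all this example's assumptions.

```python
"""Added example (not Prisma SD-WAN code): first-match evaluation of a stacked
security policy set, followed by the implicit rules of the Default Policy Set.

Assumptions made here, not stated on the page: the first matching rule wins;
rules with a blank order are evaluated after every ordered rule; the implicit
Intra-Zone and Self-Zone rules allow and Catch-All Deny drops; "self" is used
as the destination zone name for traffic addressed to the ION device itself.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_ORDER = 65535  # order range stated on the page: 1-65535


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    protocol: str          # "tcp", "udp" or "icmp"
    dst_port: int = 0
    src_port: int = 0
    app: str = ""


@dataclass
class Rule:
    name: str
    action: str                                   # "allow", "deny" or "reject"
    order: Optional[int] = None                   # None = blank = lowest priority
    disabled: bool = False
    src_zones: set = field(default_factory=set)        # empty set = any
    dst_zones: set = field(default_factory=set)
    src_prefixes: list = field(default_factory=list)   # CIDR strings, empty = any
    dst_prefixes: list = field(default_factory=list)
    protocols: set = field(default_factory=set)
    src_ports: list = field(default_factory=list)      # (low, high) tuples
    dst_ports: list = field(default_factory=list)
    apps: set = field(default_factory=set)

    def __post_init__(self):
        # Limits stated on the page: order 1-65535, 16 port ranges per side, 16 apps.
        if self.order is not None and not 1 <= self.order <= MAX_ORDER:
            raise ValueError(f"{self.name}: order must be between 1 and {MAX_ORDER}")
        if len(self.src_ports) > 16 or len(self.dst_ports) > 16:
            raise ValueError(f"{self.name}: at most 16 port ranges per side")
        if len(self.apps) > 16:
            raise ValueError(f"{self.name}: at most 16 applications per rule")


def _in_prefixes(ip, prefixes):
    return not prefixes or any(ip_address(ip) in ip_network(p) for p in prefixes)


def _in_ranges(port, ranges):
    return not ranges or any(low <= port <= high for low, high in ranges)


def matches(rule, flow):
    """True when every populated match field of the rule covers the flow."""
    return (not rule.disabled
            and (not rule.src_zones or flow.src_zone in rule.src_zones)
            and (not rule.dst_zones or flow.dst_zone in rule.dst_zones)
            and _in_prefixes(flow.src_ip, rule.src_prefixes)
            and _in_prefixes(flow.dst_ip, rule.dst_prefixes)
            and (not rule.protocols or flow.protocol in rule.protocols)
            and _in_ranges(flow.src_port, rule.src_ports)
            and _in_ranges(flow.dst_port, rule.dst_ports)
            and (not rule.apps or flow.app in rule.apps))


def _priority(rule):
    # Ordered rules first, ascending (1 = highest priority); blank orders last.
    return (rule.order is None, rule.order or 0)


IMPLICIT_RULES = [  # Default Policy Set, in the order assumed by this example
    ("Intra-Zone", lambda f: f.src_zone == f.dst_zone, "allow"),
    ("Self-Zone", lambda f: f.dst_zone == "self", "allow"),
    ("Catch-All Deny", lambda f: True, "deny"),
]


def evaluate(rules, flow):
    """Return (rule name, action) of the first rule, explicit or implicit, that matches."""
    for rule in sorted(rules, key=_priority):
        if matches(rule, flow):
            return rule.name, rule.action
    for name, predicate, action in IMPLICIT_RULES:
        if predicate(flow):
            return name, action
    raise AssertionError("unreachable: Catch-All Deny matches everything")


# Constructed sample policy: a broad allow at order 100, narrower rules at higher
# priority (lower order numbers), and one rule with a blank order.
POLICY = [
    Rule("lan-to-internet", "allow", order=100,
         src_zones={"corp-lan"}, dst_zones={"outside"}),
    Rule("block-telnet", "reject", order=10,
         src_zones={"corp-lan"}, dst_zones={"outside"},
         protocols={"tcp"}, dst_ports=[(23, 23)]),
    Rule("guest-no-rfc1918", "deny", order=20, src_zones={"guest"},
         dst_prefixes=["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]),
    Rule("guest-web", "allow", src_zones={"guest"}, dst_zones={"outside"},
         protocols={"tcp"}, dst_ports=[(80, 80), (443, 443)]),
]

if __name__ == "__main__":
    for flow in (Flow("corp-lan", "outside", "10.1.1.5", "8.8.8.8", "tcp", 23),
                 Flow("guest", "outside", "192.168.50.7", "1.1.1.1", "udp", 53)):
        print(flow.src_zone, "->", flow.dst_zone, flow.protocol, flow.dst_port,
              evaluate(POLICY, flow))
```

Note how the guest DNS flow in the demo hits none of the explicit rules and falls through to Catch-All Deny: a rule set without a broad allow is default-deny, which is the safer failure mode but also the usual reason a new branch "cannot reach anything" right after a stack is bound.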


Add a Security Policy Set to a Security Stack


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

After creating security policy sets, you need to add these policy sets to a security stack. Note that
you can add security policy sets to Security stacks only via the Advanced view on the Security
screen.
STEP 1 | Select Manage > Policies > Security > Security Stacks > Advanced.

STEP 2 | Select a security stack for adding a security policy set.

STEP 3 | Select a policy set from the Policy Set list, and then Save.
You can assign up to 4 policy sets to an advanced security stack.

You can convert a simple security stack to an advanced security stack by assigning
more than one policy set to the simple security stack.


Bind Security Stacks to Sites


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

In order for stacked security policy rules to be active, bind security policy set stacks to a site. You
can bind a single security policy set stack to a site at a time.
STEP 1 | Select Manage > Policies > Bindings.

STEP 2 | For a site, select a security stack from the Security Policy Set Stack list and Save.
(Optional) You can assign a security policy set stack to multiple sites at a time by selecting
multiple sites, clicking Edit and selecting the security stack for assigning to sites.


Add Security Zones for Stacked Security Policies


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Security Zones specify enforcement boundaries where traffic is subject to inspection and filtering.
Each security zone maps to networks attached to physical interfaces, logical interfaces, or sub-
interfaces of a device. These zone-level interfaces serve as a proxy for physical circuits and virtual
circuits, such as VLAN, Layer 3 VPN, and Layer 2 VPN circuits.
You can manage and secure every interface in a zone independently.
• Allow or deny every interface in zone access to other zones within an enterprise network.
• Segregate interface traffic by blocking all access not explicitly allowed by the security policies
of an enterprise.
• Isolate networks that have private or secure information by restricting access to it from public
networks.
A zone binding for a site associates zones with the site's networks and is linked to one or
more WAN, LAN, or VPN networks. You can attach a zone to multiple networks, but each network
(LAN, WAN, or VPN) belongs to only one zone. Typically, organizations create three to four
zones to segregate traffic: a guest zone, one or more corporate LAN zones, an outside zone for
the internet underlay, and a corporate WAN zone for private WAN and for VPN over the internet
or private WAN.
Policy rules reference zones as Source Zones or Destination Zones. In Security Policy rules,
specify the source and destination zones to which the rule applies; you must set one or more
source zones and one or more destination zones for each security rule. The source zone
identifies the network from which traffic originates, and the destination zone identifies the
network to which the traffic is destined.
Add security zones from Stacked Policies.
STEP 1 | Select Manage > Policies > Security > Security Zones > Add Security Zone.

STEP 2 | On the Add Security Zone screen, enter a Name for the security zone and an optional
description.

STEP 3 | Click Create to create a security zone.


You must bind a zone to a site or a device interface(s) for policy rules to be effective.


Bind Security Zones to Sites and Devices


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

You can bind security zones at the site level or at the device level. You can associate a
security zone with a specific interface or subnet, or with multiple interfaces and networks at
a site, including LANs, WANs, or VPNs. However, each interface or network attaches to only one
zone. If you do not bind a security zone to an interface or subnet, all traffic on that
interface or subnet is blocked.

In case of a conflict between site-level and device-level bindings, device-level bindings
take priority.

Bind Security Zones to Sites


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Use site bindings to map firewall zones to interfaces and networks. Binding a zone to a site
attaches networks to the zones for that site. A zone can have multiple networks, but a network
can only have one zone.

If a site has both site-level bindings and device-level bindings, the resulting configuration
is the union of the two. In the event of a conflict between site-level bindings and device-
level bindings, device-level bindings take precedence.

You can bind security zones to sites either by selecting a security zone first and then binding it to
site or you can select the site first and then select a security zone for binding.

Select a security zone and bind it to a site.


1. Select Manage > Policies > Security > Security Zones, and select a Security Zone.
2. From the ellipsis menu for a security zone, select View Interface Bindings.
3. Click Site.
4. Click Bind New Site.
5. Select a site to bind and click Submit.
6. On the Site Zone Binding for Site screen, select a circuit(s) to bind to the zone.
7. Click Save.


Select a site and bind a security zone to a device interface(s).


1. Select Workflows > Sites/Data Centers > Select a Site > Configuration > Advanced >
Bind Security Zones.
2. Select Sites and click Bind Zone.
3. Select a zone to bind and then click Done.
4. On the Zone Networks Binding for Zone screen, select a circuit(s) to bind to the zone.
5. Click Save.

Bind Security Zones to Interfaces


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

You can attach or bind security zones to individual interfaces at the device-level. Bind zones to
logical Layer 3 interfaces on a device and specify separate bindings for standard VPNs. You can
bind security zones to the following types of interfaces.
WAN interface types with attached WAN circuit labels:
• Layer 3 stand-alone interfaces
• Layer 3 sub-interfaces
• Layer 3 PPPoE interfaces
• Layer 3 bypass pair, where the WAN member interface is available for zone binding
• Layer 2 bypass pair, where only the WAN member interface is available for zone binding
• Loopback bypass pairs
Layer 3 Interfaces and Bypass pairs without a WAN circuit label:
• Stand-alone Layer 3, where Used_for is LAN
• Layer 3 bypass pair, where Used_for is LAN, and the LAN member interface is available for
zone binding
• Sub-interface Layer 3, where Used_for is LAN
• Stand-alone, non-parent interface, where Used_for is NONE
• Standard tunnel interface
• Loopback bypass pairs
You cannot bind zones to the following types of interfaces:
• Controller interfaces
• LAN member interfaces of Layer 2 bypass pairs
• Parent interfaces of sub-interfaces and PPPoE interfaces


If a site has both site-level bindings and device-level bindings, the resulting configuration
is the union of the two. In the event of a conflict between site-level bindings and device-
level bindings, device-level bindings take precedence.

You can bind security zones to device interfaces either by selecting a security zone first and
then binding it to a device interface or you can select the device interface first and then select a
security zone for binding.

Select a security zone and bind it to a device interface(s).


1. Select Manage > Policies > Security > Security Zones, and select a Security Zone.
2. From the ellipsis menu for a security zone, select View Interface Bindings.
3. Click Element.
4. Click Bind New Element.
5. Select an ION device and click Submit.
6. On the Element Zone Binding screen, select an interface(s) to bind to the zone.
7. Click Save.

Select a device from a site and bind a security zone to a device interface(s).
1. Select Workflows > Sites/Data Centers > Select a Site > Configuration > Advanced >
Bind Security Zones.
2. Select Devices and click Bind Zone.
3. Select a zone to bind and then click Done.
4. On the Zone Networks Binding for Zone screen, select an interface(s) to bind to the
zone.
5. Click Save.


Configure Security Prefixes


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

A prefix is a group of one or more individual IP addresses or IP subnets. Prefixes are a
construct of stacked policies that help identify traffic. In security policies, prefix filters
restrict access within a branch and filter traffic to specific IP addresses within the selected
source and destination zones. As with application definitions, you can reuse prefix filters
across the rules and policy sets you create for security policies.
Prefixes can be either global or local in scope.
• Global prefixes carry the same set of IP addresses or subnets at every site. Use them for
addresses that do not vary by location, for example the prefixes that define a custom
application, so that a single rule can reference the same definition everywhere.
• Local prefixes are used when the prefix values change by branch location, for example a
subset of IP addresses within each site's subnet. A local prefix has one name but a per-site
value, so you can write a single policy rule across all sites to describe application
behavior instead of developing individual policies on a per-site basis.

Configure global security prefixes.


1. Select Manage > Policies > Security > Security Prefixes.
2. Select Global, and then click Create Global Prefix.
3. On the Add Global Prefix screen, enter a name and description for the prefix.
4. Enter an IP and subnet address.
IP addresses within a prefix are defined by the subnet mask. For example, 10.1.1.0/24 covers
all 256 addresses from 10.1.1.0 through 10.1.1.255 (254 usable host addresses plus the
network and broadcast addresses).
5. Select NGFWSECURITY in the Create for policy Type(s) section to create the prefix for
security policies.
(Optional) You can create a copy of this prefix filter to be used in Path, QoS, and NAT
policies respectively by selecting the respective check boxes.

Configure local security prefixes.


1. Select Manage > Policies > Security > Security Prefixes.
2. Select Local, and then click Create Local Prefix.
3. On the Create Local Prefix screen, enter a name and description for the prefix.
4. Select NGFWSECURITY in the Create for policy Type(s) section to create the prefix for
security policies.
(Optional) You can create a copy of this prefix filter to be used in Path, QoS, and NAT
policies respectively by selecting the respective check boxes.

You must attach a local prefix to a site for the prefix to work.


Attach Local Security Prefixes to Sites


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Local prefixes must be attached to sites in order for the prefixes to take effect.
STEP 1 | Select Manage > Policies > Security > Security Prefixes > Local.

STEP 2 | Click Bind Site for a local prefix filter.

STEP 3 | On the Site Bindings screen, click Bind New Site.

STEP 4 | Select a site to attach the prefix filter and click Submit.


Monitor Security Policy Rules


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

You can view statistics for a security policy rule and also the number of times a security policy rule
has been enforced.

View summary statistics for a security policy rule.


1. Select Manage > Policies > Security.
2. Select a simple security stack or a security set from an advanced security stack.
3. From the ellipsis menu for a security rule, select View Summary Stats.

• Select the required time interval. The default is Past 1 hour.


• You can view the hits for a policy rule per site or for multiple sites from the All Bound
Sites list.

The total hits by sites may be greater than the sum of the hits for all
individual sites, since the total hits takes into account rules which match the
criteria but are not bound to any site.
• View the details for the security policy rule from Rule Summary.
• View the audit logs for the rule from the Audit Logs section.


Monitor a security policy rule.


You can monitor security policy rules per security stack, security set, or individual security
policy rules.
1. Select Manage > Policies > Security.
2. Select a simple security stack or a security set from an advanced security stack.
3. From the ellipsis menu for a security rule, select Monitor Rule.

4. Select a site and view the number of security rules and the details of the rules hit for the
site.


Security Policy Migration


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Prisma SD-WAN supports stacked network and security policies. If you are a new user starting
with Release 6.0.1, you can configure only stacked network and security policies. You will not be
able to view or access Security Policies (Original).
If you have configured original or legacy policies, you have to migrate these legacy policies to
stacked policies before you can upgrade your device to Release 6.0.1.
See the relationship between Security Policies (Original) and Stacked Security Policies based on
the ION device versions. If you are:
• Using ION device version 5.5 or lower and you have configured Security Policies (Original)
You can configure stacked security policies, but unless you upgrade your device to version 5.6
or higher, you cannot use the stacked security policies. You can continue using the original
security policies.
• Using ION device version 5.5 or lower and you have not configured Security Policies (Original)
You can configure stacked security policies, but unless you upgrade your device to version
5.6 or higher, you cannot use stacked policies. You will not be able to view or access Security
Policies (Original).
• Using ION device version 5.6 or higher, but lower than 6.0.1, and you have configured
Security Policies (Original)
• You can continue working with Security Policies (Original).
• You will not be able to upgrade your device to Release 6.0.1, unless you migrate these
legacy policies to stacked policies.

If you try to upgrade your device to a device version 6.0.1 or higher without converting
your legacy policies to stacked policies, you will receive an error message.
• Using ION device version 5.6 or higher and you have not configured Security Policies
(Original)
You will have to configure stacked security policies. You will not be able to view or access
Security Policies (Original).

Prisma SD-WAN Performance Policy

Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license; physical and virtual ION devices running
software version 6.3.1 and higher.

Measuring application performance and delivering App SLAs is a core component of Prisma SD-
WAN. Performance Policy builds upon the existing App SLA configuration to deliver a policy
framework for the measurement, enforcement, and alerting for application SLAs.
Performance Policy utilizes link quality metrics such as Latency, Loss, and Jitter as well as
application performance metrics such as Application RTT and Init failure % as SLA metrics. If the
SLA metrics are violated, the system takes action to ensure that the SLA is enforced including
moving flows to a compliant path (if available) and invoking line conditioning such as Forward
Error Correction (FEC) to ensure the SLA is met. Optionally, an incident can be generated
for critical applications when an SLA is violated. Although default policies work well for most
environments, policies can be granularly tuned per application, path type, DC group, and circuit
category to align to the performance needs of the business.
The system automatically assigns a default policy stack to a site as part of the default policy
configuration. You can't remove the default set from the default stack, default rules from the set,
or the default threshold profile from rules. Your ability to make changes is limited to editing the
actions and thresholds for default policy rules. After you configure a rule, it takes precedence
over the default rules based on the order of rules. The default values for media apps are set at
latency = 150 ms, packet loss = 2%, and jitter = 75 ms. For all other apps, the default values
are latency = 500 ms, packet loss = 5%, and jitter = 100 ms.
The following are the Performance Policy functions and the device software versions that support them:

Function                                                                                      | Software Version
----------------------------------------------------------------------------------------------|----------------------------------------
Action: Move Flows, Visibility, Incident                                                      | 6.3.1 and later
Action: Forward Error Correction (FEC)                                                        | 6.3.1 and later (6.3.2 recommended)
Match Criteria: Application, Transfer Type, Circuit Category, Path Type, Service & DC Group   | 6.3.1 and later
SLA: Application Metrics, Link Quality Metrics                                                | 6.3.1 and later
Action: Packet Duplication                                                                    | 6.4.1 and later
SLA: Service Health Probes                                                                    | 6.4.1 and later
SLA: Incident action for System Metrics (CPU, Memory, Disk, Concurrent Flows, Circuit Utilization) | 6.4.1 and later
SLA: Application UDP-TRT for DNS, Link Quality MOS                                            | 6.4.1 and later

To avoid the need for policy migrations, you are permitted to configure a function that is not
supported by the software version of a device where the policy rule is bound. However, the
device ignores the entire rule if any function in the rule is unsupported, so a rule that mixes
a 6.4.1 function with 6.3.x devices silently does nothing on those devices.

Performance Policy Function Matrix


Refer to the following function matrix to understand which performance policy functions can be
combined in one rule. In the cells, "Combination Supported" means the two functions can be
configured together, "Required" means the two functions must be configured together, "Mutually
Exclusive" means they cannot coexist in one rule, "N/A" means the pairing does not apply, and
"--" marks cells without a constraint (each matrix is filled in on one side of the diagonal
only). Rows whose cells are all "--" are omitted.

Function x Action

Function                                        | Move Flows | Visibility            | Incident              | FEC                   | Packet Duplication
------------------------------------------------|------------|-----------------------|-----------------------|-----------------------|-----------------------
Action: Move Flows                              | --         | Combination Supported | Combination Supported | Required              | Required
Action: Visibility                              | --         | --                    | Combination Supported | Combination Supported | Combination Supported
Action: Incident                                | --         | --                    | --                    | Combination Supported | Combination Supported
Action: FEC                                     | --         | --                    | --                    | --                    | Mutually Exclusive
Action: Packet Duplication                      | --         | --                    | --                    | --                    | --

Function x Match Criteria

Function                                        | Application ID, Transfer Type | Circuit Category, Path Type | Service & DC Group
------------------------------------------------|-------------------------------|-----------------------------|-----------------------
Action: Move Flows                              | Supported                     | Supported                   | Supported
Action: Visibility                              | Not Supported                 | Supported                   | Supported
Action: Incident                                | Supported                     | Supported                   | Supported
Action: FEC                                     | Supported                     | Supported                   | Supported
Action: Packet Duplication                      | Supported                     | Required                    | Supported
Match Criteria: Application ID, Transfer Type   | --                            | Combination Supported       | Combination Supported
Match Criteria: Circuit Category, Path Type     | --                            | --                          | Combination Supported
Match Criteria: Service & DC Groups             | --                            | --                          | --

Function x SLA

Function                                        | Application Metrics          | Link Quality Metrics                                                         | Service Health Probes                                                                                            | System Metrics
------------------------------------------------|------------------------------|------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------|---------------
Action: Move Flows                              | Supported for new flows only | Supported for new and existing Fabric VPN flows within the same NAT boundary | ICMP: Latency, Loss, Jitter; DNS: Transaction Time, Transaction Failure; HTTP/S: Transaction Time, Init Failure | N/A
Action: Visibility                              | Not Supported                | Supported                                                                    | Not Supported                                                                                                    | Not Supported
Action: Incident                                | Supported                    | Supported                                                                    | Supported                                                                                                        | Supported
Action: FEC                                     | Not Supported                | Packet Loss Required                                                         | Not Supported                                                                                                    | N/A
Action: Packet Duplication                      | Not Supported                | Packet Loss Required                                                         | Not Supported                                                                                                    | N/A
Match Criteria: Application ID, Transfer Type   | Required                     | Supported                                                                    | Supported                                                                                                        | N/A
Match Criteria: Circuit Category, Path Type     | Supported                    | Supported                                                                    | Supported                                                                                                        | Supported
Match Criteria: Service & DC Groups             | Supported                    | Supported                                                                    | Supported                                                                                                        | N/A
SLA: Application Metrics                        | --                           | N/A                                                                          | N/A                                                                                                              | N/A
SLA: Link Quality Metrics                       | --                           | --                                                                           | N/A                                                                                                              | N/A
SLA: Service Health Probes                      | --                           | --                                                                           | --                                                                                                               | N/A
SLA: System Metrics                             | --                           | --                                                                           | --                                                                                                               | --
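Because a device drops the whole rule when any one function in it is unsupported, it is worth checking a rule against the matrix and the version table before binding it. The following is an added example written for this guide, not Prisma SD-WAN code: the rule dictionary layout (actions, sla and match keys) is this example's own assumption rather than the controller's schema, and reading "Required" in the Move Flows row as "FEC and Packet Duplication need Move Flows" is likewise an assumption.

```python
"""Added example (not Prisma SD-WAN code): a pre-flight check for a performance
policy rule against the function matrix and the software-version table in this
chapter. Because a device ignores the entire rule when any function in it is
unsupported, validating before binding avoids a silently dead rule.

The rule dictionary layout (actions / sla / match keys) is this example's own
assumption, not the controller's schema; the reading of "Required" as
"FEC and Packet Duplication need Move Flows" is also an assumption."""

# Minimum ION software version per function, from the version table above.
MIN_VERSION = {
    "action:move_flows": (6, 3, 1),
    "action:visibility": (6, 3, 1),
    "action:incident": (6, 3, 1),
    "action:fec": (6, 3, 1),
    "action:packet_duplication": (6, 4, 1),
    "sla:application_metrics": (6, 3, 1),
    "sla:link_quality": (6, 3, 1),
    "sla:service_health_probes": (6, 4, 1),
    "sla:system_metrics": (6, 4, 1),
}


def parse_version(text):
    """'6.3.2' -> (6, 3, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def validate_rule(rule, device_version):
    """Return a list of findings; an empty list means the rule is usable on that device."""
    problems = []
    actions = set(rule.get("actions", []))
    sla = rule.get("sla", {})      # e.g. {"link_quality": {"latency": 150, "loss": 2, "jitter": 75}}
    match = rule.get("match", {})  # e.g. {"transfer_type": ["audio"], "circuit_category": [...]}
    version = parse_version(device_version)
    app_match = bool(match.get("app_id") or match.get("transfer_type"))
    circuit_match = bool(match.get("circuit_category") or match.get("path_type"))

    # Software-version table: every function in the rule must be supported.
    for fn in [f"action:{a}" for a in sorted(actions)] + [f"sla:{s}" for s in sorted(sla)]:
        if fn not in MIN_VERSION:
            problems.append(f"unknown function {fn}")
        elif version < MIN_VERSION[fn]:
            needed = ".".join(map(str, MIN_VERSION[fn]))
            problems.append(f"{fn} needs {needed} or later, device runs {device_version}")
    if "fec" in actions and version < (6, 3, 2):
        problems.append("FEC: 6.3.2 or later is recommended")

    # Function x Action
    if {"fec", "packet_duplication"} <= actions:
        problems.append("FEC and Packet Duplication are mutually exclusive")
    for action in sorted(actions & {"fec", "packet_duplication"}):
        if "move_flows" not in actions:
            problems.append(f"{action} requires Move Flows")

    # Function x SLA
    if actions & {"fec", "packet_duplication"}:
        if "loss" not in sla.get("link_quality", {}):
            problems.append("FEC / Packet Duplication require a packet-loss threshold in the Link Quality SLA")
        if set(sla) - {"link_quality"}:
            problems.append("FEC / Packet Duplication support only Link Quality Metrics as SLA")
    if "visibility" in actions and set(sla) - {"link_quality"}:
        problems.append("Visibility supports only Link Quality Metrics as SLA")
    if "system_metrics" in sla and actions - {"incident"}:
        problems.append("System Metrics SLA supports only the Incident action")

    # Function x Match Criteria
    if "packet_duplication" in actions and not circuit_match:
        problems.append("Packet Duplication requires a Circuit Category or Path Type match")
    if "visibility" in actions and app_match:
        problems.append("Visibility does not support Application ID / Transfer Type match criteria")
    if "application_metrics" in sla and not app_match:
        problems.append("Application Metrics SLA requires an Application ID or Transfer Type match")
    if "system_metrics" in sla and (app_match or match.get("service_dc_group")):
        problems.append("System Metrics SLA accepts only Circuit Category / Path Type match criteria")
    return problems


if __name__ == "__main__":
    candidate = {"actions": ["move_flows", "packet_duplication"],
                 "sla": {"link_quality": {"loss": 2}},
                 "match": {"path_type": ["direct"]}}
    for ver in ("6.3.2", "6.4.1"):
        print(ver, validate_rule(candidate, ver) or "ok")
```

Run the check against the lowest software version present in the sites the stack is bound to; the demo shows the same Packet Duplication rule passing on 6.4.1 and being flagged for a 6.3.2 device.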


Performance Policy Default Behavior


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license; physical and virtual ION devices running
software version 6.3.1 and higher.

The system automatically assigns a default policy stack to a site as part of the default policy
configuration. You can't remove the default set from the default stack, the default rules from
the set, or the default threshold profile from the rules. Your ability to make changes is limited
to editing the actions and thresholds for default policy rules. After you configure a rule, it
takes precedence over the default rules based on the order of rules. The default values for media
apps are set at latency = 150 ms, packet loss = 2%, and jitter = 75 ms. For all other apps, the
default values are latency = 500 ms, packet loss = 5%, and jitter = 100 ms.
After upgrading an ION device to version 6.3.1 or higher, the system automatically applies the
following three default performance policy rules to the site.
1. Default Performance Policy Rule for Action Visibility
• Intent: This rule uses the Performance SLA (Latency: 150 ms, Packet Loss: 2%, Jitter: 75 ms)
to control the threshold lines available under Monitor > Branch Sites > Prisma SD-WAN >
{Site Name} > {Circuit Name} > {Secure Fabric}.
• Action: Visibility
• Performance SLA: Default performance SLA for media apps.
• Latency: 150
• Packet Loss: 2
• Jitter: 75
2. Default Performance policy rule for All Media Apps
• Intent: This rule attempts to utilize an active path (as listed in the path policy) that meets
the conditions of the performance SLA (Latency: 150 ms, Packet Loss: 2%, Jitter: 75 ms), for
Audio and Video media apps. If no active paths are compliant, it will use the backup paths.
• Action: Move Flows
• Performance SLA: Default performance SLA for media apps.
• Latency: 150
• Packet Loss: 2
• Jitter: 75
• App Filters: Audio, Video (Transfer Type).


3. Default Performance Policy Rule for All Apps


• Intent: This rule attempts to utilize an active path (as listed in the path policy) that meets the
conditions of the performance SLA (Latency: 500 ms, Packet Loss: 5%, Jitter: 100 ms), for
bulk and transactional apps. If no active paths are compliant, it will use the backup paths.
• Action: Move Flows
• Performance SLA: Default performance SLA for all other apps.
• Latency: 500
• Packet Loss: 5
• Jitter: 100
• App Filters: Transactional, Bulk (Transfer Type).

You can edit the default policy SLAs to customize Prisma SD-WAN according to the
specific requirements of your network. Default rules are not editable, only the default
SLAs can be edited.
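The two default Move Flows rules above amount to a small decision procedure: classify the flow by transfer type, pick the matching default SLA, and use the first active path that meets every threshold, falling back to the backup paths when none does. The following is an added example written for this guide, not Prisma SD-WAN code; it assumes a path is compliant when each metric is at or below its threshold, that active and backup paths are tried in the order of the path policy, and that a flow stays on the first active path when no path at all complies. The path names and metric samples are constructed.

```python
"""Added example (not Prisma SD-WAN code): a simulation of the two default
Move Flows rules. A flow is classified by transfer type, the matching default
SLA is chosen, and the first active path that meets every threshold is used;
if no active path complies, the backup paths are tried in order.

Assumptions: a path complies when each measured metric is at or below its
threshold; active and backup paths are tried in the order listed (the path
policy's order); when no path at all complies the flow stays on the first
active path. The path names and metric samples are constructed."""
from dataclasses import dataclass

# Default SLA values stated in this section.
DEFAULT_SLA = {
    "media": {"latency_ms": 150, "loss_pct": 2.0, "jitter_ms": 75},
    "other": {"latency_ms": 500, "loss_pct": 5.0, "jitter_ms": 100},
}
MEDIA_TRANSFER_TYPES = {"audio", "video"}   # rule 2; everything else falls to rule 3
METRICS = ("latency_ms", "loss_pct", "jitter_ms")


@dataclass
class PathSample:
    name: str
    latency_ms: float
    loss_pct: float
    jitter_ms: float


def sla_for(transfer_type):
    """Pick the default SLA the way the two default Move Flows rules do."""
    return DEFAULT_SLA["media" if transfer_type in MEDIA_TRANSFER_TYPES else "other"]


def violations(sample, sla):
    """Names of the SLA metrics this path sample exceeds (empty = compliant)."""
    return [m for m in METRICS if getattr(sample, m) > sla[m]]


def assess(transfer_type, active, backup):
    """Per-path verdicts in evaluation order, useful when explaining a path change."""
    sla = sla_for(transfer_type)
    return [(tier, p.name, violations(p, sla))
            for tier, paths in (("active", active), ("backup", backup))
            for p in paths]


def select_path(transfer_type, active, backup):
    """Return (path name, tier) that the default rules would place the flow on."""
    for tier, name, bad in assess(transfer_type, active, backup):
        if not bad:
            return name, tier
    return active[0].name, "active-noncompliant"   # assumption: no drop, stay put


if __name__ == "__main__":
    mpls = PathSample("mpls", 40, 0.0, 5)
    inet1 = PathSample("inet1", 120, 3.0, 20)
    lte = PathSample("lte", 200, 1.0, 30)
    for ttype in ("audio", "bulk"):
        print(ttype, assess(ttype, [inet1, mpls], [lte]),
              "->", select_path(ttype, [inet1, mpls], [lte]))
```

The demo shows the point of having two SLAs: the same 3% loss on inet1 moves an audio flow off that path but leaves a bulk transfer where it is, because only the media SLA is violated.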

Default Service Health Probe Behavior


After upgrading an ION device to version 6.4.1 or higher, the system automatically applies the
following three default service health probes to each circuit:

If you were an existing customer at the time of the 6.4.1 controller upgrade (April 2024),
the service health probes are created and attached to the default probe profiles, which are
bound to the appropriate (nonmetered) circuit categories, but in a disabled state. You can
enable each of the three default service probes globally under Manage > Prisma SD-WAN >
Resources > Probes > Probe Config. If your tenant was created after the 6.4.1 controller
upgrade, the three default service health probes are enabled for the nonmetered circuit
categories and no further action is required.

Default Service Probe for CloudFlare DNS ICMP Response


• Probe Name: CloudFlare DNS ICMP Response
• Intent: ICMP response for CloudFlare DNS is used to measure general internet network
conditions across all paths. This probe should be used as an SLA input for general internet-
destined traffic.
• IP Address: 1.1.1.1
• Protocol: ICMP
• Probe Cycle Duration: 10 seconds
• Probe Count: 2
• Probe Path: Direct, Prisma SD-WAN VPN, Standard VPN
Default Service Probe for MS Teams ICMP Response
• Probe Name: MS Teams ICMP Response
• Intent: ICMP response for Microsoft Teams is used to measure the specific network conditions
for Microsoft Teams across all paths. This probe should be used as an SLA input for Microsoft
Teams traffic.


• FQDN/URL: teams.microsoft.com
• Protocol: ICMP
• Probe Cycle Duration: 10 seconds
• Probe Count: 2
• Probe Path: Direct, Prisma SD-WAN VPN, Standard VPN
Default Service Probe for Google G-suite ICMP Response
• Probe Name: Google G-Suite ICMP Response
• Intent: ICMP response for Google G-Suite is used to measure the specific network conditions
for the Google Productivity suite across all paths. This probe should be used as an SLA input
for Google traffic.
• FQDN / URL: apps.google.com
• Protocol: ICMP
• Probe Cycle Duration: 10 seconds
• Probe Count: 2
• Probe Path: Direct, Prisma SD-WAN VPN, Standard VPN


Add Performance Policy Stack


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license; physical and virtual ION devices running
software version 6.3.1 and higher.

A performance policy stack is a collection of performance policy sets, each containing
performance policy rules. Performance policy sets specify traffic engineering; each stack can
hold up to four policy sets plus the default policy set.

The Performance Stacks tab lists the existing policy stacks. Use the Actions icons to edit a
stack, attach it to a site, view the audit logs (system configuration changes), or remove the
stack.
To add a performance stack:
STEP 1 | Select Manage > Policies > Performance > Performance Stacks.

STEP 2 | Select Simple or Advanced and Add Stack.

STEP 3 | On the Add New Performance Stack screen, enter a Name for the stack, and optionally
Description and Tags.


STEP 4 | In Advanced UI, assign performance sets to the policy stack by selecting from the Policy Sets
drop down.
The policy sets in a stack are ordered from left to right, with the left-most policy set
designated as the highest priority.

STEP 5 | Save to add to the stacks.

Add Performance Policy Set


Where Can I Use This?             What Do I Need?

• Prisma SD-WAN                   • Active Prisma SD-WAN license.
                                  • Physical and virtual ION devices running
                                    software version 6.3.1 and higher.

The Performance Sets tab lists performance policy sets. A policy set contains policy rules and is
attached to a policy stack. A policy set has default policy rules, which can't be changed, removed,
or deleted. You can create custom policy rules that take precedence over the default policy
rules. Select a stack, then a policy set within the stack, and then add policy rules to the policy set.
Use the Actions icons to Edit a policy set, view the audit logs or any system configuration
changes, and remove a policy set.

To add a performance set:


STEP 1 | Select Manage > Policies > Performance > Performance Sets.

STEP 2 | Select Advanced and Add Set.

STEP 3 | On the Add New Performance Set screen, enter a Name for the performance set, and
optionally enter description and tags.

STEP 4 | Select the Clone from Performance Set? checkbox to create a set similar to an existing
performance set.

STEP 5 | Save your changes.

Add Performance Policy Rules


Where Can I Use This?             What Do I Need?

• Prisma SD-WAN                   • Active Prisma SD-WAN license.
                                  • Physical and virtual ION devices running
                                    software version 6.3.1 and higher.

Performance Policy rules can be defined with Link Quality Metrics, Application metric thresholds,
and System Health probes. Performance Policy provides two rule types, used for Application/
Network SLAs or System Metric SLAs. Application/Network SLAs use Link Quality Metrics,
Application Metrics, and Probe Metrics, while System Metrics use device and circuit resources.
You can select a rule type and apply the rule at an application or transfer-type level, and select
Path Filters: circuit labels, path types, and Data Center groups.
You can select a policy set and then add policy rules to the policy set. To edit a rule, click the
Policy Rule name.
To add a performance policy rule to a policy set:
STEP 1 | Go to Manage > Policies > Performance > Performance Sets.

STEP 2 | Select a Policy Set > Add Rule.

STEP 3 | In the Add New Rule > General section, the Enable Rule is selected by default. Disable the
rule if you don't want the ION device to consider this rule.

STEP 4 | Enter a Rule Name, Description, and optional Tags for the policy rule.

STEP 5 | Enter an Order Number for the policy rule. An order of 1 will place the rule at the top of the
list.

Organize specific rules at the top of the Policy Set list; otherwise, a less specific policy
rule may be matched first.

Performance Policy rules follow explicit ordering: each rule within a policy set has an order
number, a set of match criteria, and a set of actions.
The default order number places the rule at the bottom of the policy set, just above the
default rules. Rules automatically reorder if a nondefault rule order is specified.

STEP 6 | Select the Rule Type as App/Network SLA or System Health.

App/Network SLA
• If you select App/Network SLA as the Rule Type, go to the Action section and select one or
more actions.

• Create Incident generates incidents for both Applications and Circuits using link quality
and application performance SLA criteria; where applicable, incidents are automatically
correlated.
• Move Flows moves existing flows and excludes paths for new flows that are in violation
of a performance SLA. These include both Link Quality and Application Metrics. When
the Move Flows field is empty in a rule, the datapath won't consider Link Quality Metrics
measurements during path selection.
• FEC (Forward Error Correction) must be enabled along with the Move Flows action. FEC
relies only on the Loss and Latency Link Quality Metrics and does not use Application
metrics. FEC takes effect only on Prisma SD-WAN VPNs. If you enable FEC, note that:
• FEC is effective on packet loss between 1% and 10%.
• As the loss increases above 1%, additional repair is added to the application session for
which FEC is enabled on the VPN.
• Packet Duplication assures the delivery of packets for critical applications even when all
underlay paths are degraded beyond the application SLA. It replicates an application session
across up to three VPN paths simultaneously and is an additional action within the
performance policy, selectable on a per-app and per-path basis. Using this capability
requires explicit selection of all paths onto which packets will be duplicated (secondary/
alternate paths) and the path they are duplicated from (primary path). Packet Duplication must
be enabled along with the Move Flows action and takes effect only on Prisma SD-WAN VPNs.
• Visibility affects the Secure Fabric Link-time series by displaying the performance SLA
indicator in the graph. Visibility solely depends on Link Quality Metrics and does not
utilize Application metrics.
• In the Match Criteria section, choose the following filters:

If the Match Criteria section is left blank, the rule is treated as match any.

• (Optional) In App Filters, select the Applications from the drop-down to which the policy
rule applies. You can select up to 256 applications for one policy rule.
• (Optional) From the Application by Transfer Type drop-down, select the transfer type to
be Bulk, Audio, Video, or Transactional.
• (Optional) In Path Filters, select the Path Category from the drop-down. Select an
overlay and a Circuit Category for a path. You can't repeat a combination of an overlay
and a circuit category for a policy rule.
• (Optional) Select the Path Type as Direct, Prisma SD-WAN VPN, or Standard VPN.
• (Optional) Select the DC Group value from the drop-down. By default, if the section is
left blank, all Service & DC Groups are included as well as branch to branch VPNs. If any
DC Groups are specified, then branch to branch VPNs are excluded.
• In the Performance SLAs section, either use an existing performance threshold or click
Add New to add a new threshold.
• Check the desired performance SLA and enter the respective thresholds for the SLA.
• Expand the Advanced Settings down arrow to set the values for Raise Above (between
10% and 100%) and Clear Below (between 1% and 80%).
• Raise Above: If the aggregated percentage (comprising LQM samples over all paths for
the same circuit) exceeds the configured percentage value, the system raises an alarm
for each circuit.
• Clear Below: The system clears the alarm for the same circuit when the aggregated
percentage falls below the configured percentage value.
• Use the drop-down to select the monitoring approach to control the incident generation.
The monitoring approach actively adjusts using a time-based algorithm to control incident
generation. A Conservative monitoring approach takes longer to trigger and clear an incident,
as it evaluates a longer time period. Conversely, an Aggressive monitoring approach triggers
and resolves incidents as conditions change. The time taken to generate and clear an incident
depends on the configured percentages for the Raise Above and Clear Below thresholds, the
frequency of threshold violations over time, and the selected monitoring approach.
System Metrics
• If you select System Health as the Rule Type, go to the Action section and select Create
Incident.

Incidents are generated for system health metrics using Concurrent Flows, Memory, CPU,
Disk, and Circuit Utilization SLA criteria.
• In the Performance SLAs section, you can either use an existing performance threshold, or
to add a new threshold, click Add New. Check any or all of the metrics.
• If you select System Health Metrics,
• Enter the CPU Utilization value (between 1-100%).
• Continue clicking the + sign or select from the drop-down to enter the Memory
Utilization value (between 1-100%) and the Disk Utilization value (between 1-100%).
• Expand the Advanced Settings down arrow to set the values for Raise Above (between
10% to 100%) and Clear Below (between 1% to 80%).
• If you select Flow Metrics,
• Enter the Concurrent Flow Utilization value (between 1-100%).
• If you select Circuit Utilization,
• In Path Filters, select the Category from the drop-down.
• Select an overlay and a Circuit Category for a path. You can't repeat a combination of
an overlay and a circuit category for a policy rule. Circuit Utilization SLA can be set per
Circuit and for All Circuits.

STEP 7 | Review the Summary of the policy rules for the desired policy intent and Save & Exit.
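The rule-ordering behaviour described in steps 5 and 6 (explicit order, an empty match field meaning match any, and the default order placing a new rule just above the default rules) can be modelled in a few lines. The following Python is an added example written for this guide, not Palo Alto Networks code and not the controller's data model; the field names, flow attributes and the constructed rules are assumptions that mirror the UI labels. It shows how a broad rule placed first shadows a more specific one, and how moving the specific rule to the top resolves it:

```python
"""Rule ordering and match evaluation for a performance policy set.

Added example, not Palo Alto Networks code. Field and flow-attribute names are
assumptions that mirror the UI labels on this page.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

ANY = None  # an empty match field is treated as "match any"

# Match fields in UI order and the flow attribute each one is tested against.
FIELDS = ("apps", "transfer_type", "path_types", "circuit_categories", "dc_groups")
FLOW_KEY = {"apps": "app", "transfer_type": "transfer_type", "path_types": "path_type",
            "circuit_categories": "circuit_category", "dc_groups": "dc_group"}


@dataclass
class Rule:
    name: str
    actions: FrozenSet[str]                       # e.g. Move Flows, FEC, Create Incident
    apps: Optional[FrozenSet[str]] = ANY          # up to 256 applications per rule
    transfer_type: Optional[str] = ANY            # Bulk, Audio, Video or Transactional
    path_types: Optional[FrozenSet[str]] = ANY    # Direct, Prisma SD-WAN VPN, Standard VPN
    circuit_categories: Optional[FrozenSet[str]] = ANY
    dc_groups: Optional[FrozenSet[str]] = ANY     # any value set excludes branch-to-branch VPNs
    default: bool = False                         # default rules cannot be edited or removed

    def matches(self, flow: Dict[str, Optional[str]]) -> bool:
        for name in FIELDS:
            criterion = getattr(self, name)
            if criterion is ANY:
                continue
            value = flow.get(FLOW_KEY[name])      # branch-to-branch flows carry dc_group=None
            if isinstance(criterion, frozenset):
                if value not in criterion:
                    return False
            elif value != criterion:
                return False
        return True


def _covers(outer, inner) -> bool:
    """True when every value accepted by `inner` is also accepted by `outer`."""
    if outer is ANY:
        return True
    if inner is ANY:
        return False
    return inner <= outer if isinstance(outer, frozenset) else outer == inner


class PolicySet:
    def __init__(self, default_rules: List[Rule]):
        self.custom: List[Rule] = []
        self.defaults = list(default_rules)

    def add_rule(self, rule: Rule, order: Optional[int] = None) -> None:
        """order=None appends just above the default rules; an explicit 1-based
        order inserts at that position and the remaining rules renumber."""
        if order is None:
            self.custom.append(rule)
        else:
            self.custom.insert(max(order, 1) - 1, rule)

    def ordered(self) -> List[Tuple[int, Rule]]:
        return [(i + 1, r) for i, r in enumerate(self.custom + self.defaults)]

    def first_match(self, flow) -> Optional[Tuple[int, str]]:
        """Explicit ordering: the first rule whose criteria match wins."""
        for order, rule in self.ordered():
            if rule.matches(flow):
                return order, rule.name
        return None

    def shadowed_rules(self) -> List[str]:
        """Rules that can never be reached because an earlier rule covers them."""
        rules = [r for _, r in self.ordered()]
        return [later.name for j, later in enumerate(rules)
                if any(all(_covers(getattr(earlier, f), getattr(later, f)) for f in FIELDS)
                       for earlier in rules[:j])]


def demo() -> Dict[str, object]:
    """Constructed policy set: a broad fabric-wide rule added first hides the
    Teams-specific rule added later with the default order."""
    ps = PolicySet([Rule("default-visibility", frozenset({"Visibility"}), default=True)])
    ps.add_rule(Rule("fabric-move-flows", frozenset({"Move Flows"}),
                     path_types=frozenset({"Prisma SD-WAN VPN"})))
    teams = Rule("protect-teams", frozenset({"Move Flows", "FEC", "Create Incident"}),
                 apps=frozenset({"microsoft-teams"}), path_types=frozenset({"Prisma SD-WAN VPN"}))
    ps.add_rule(teams)                      # default order: bottom, just above the defaults
    flow = {"app": "microsoft-teams", "transfer_type": "Audio", "path_type": "Prisma SD-WAN VPN",
            "circuit_category": "public-internet", "dc_group": None}
    before, shadowed_before = ps.first_match(flow), ps.shadowed_rules()
    ps.custom.remove(teams)
    ps.add_rule(teams, order=1)             # the specific rule belongs at the top
    return {"before": before, "shadowed_before": shadowed_before,
            "after": ps.first_match(flow), "shadowed_after": ps.shadowed_rules(),
            "direct_flow": ps.first_match(dict(flow, path_type="Direct"))}
```

The `shadowed_rules` check is the part worth keeping around: it flags, before a policy set is pushed to a site, any rule that an earlier, less specific rule makes unreachable, which is exactly the mistake the note under step 5 warns about.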

Add Performance Policy SLA


Where Can I Use This?             What Do I Need?

• Prisma SD-WAN                   • Active Prisma SD-WAN license.
                                  • Physical and virtual ION devices running
                                    software version 6.3.1 and higher.

The Performance SLAs tab contains the Prisma SD-WAN performance SLAs. It provides the
Application, Link Quality Metrics, System Health, Circuit Utilization, Flow, and Probe SLA
threshold values for the performance policy rule.
Use the Actions icons to Edit a performance SLA, view the audit logs for any system configuration
changes, or remove a performance SLA.

To add a performance SLA:


STEP 1 | Go to Manage > Policies > Performance > Performance SLAs and select Add New SLA.

STEP 2 | In the Add New Performance SLA screen, enter a Name for the SLA with the option of
including a description and tags.

STEP 3 | Select the desired Metrics from the drop-down.

• If you check the option Link Quality Metrics,

• Enter the Latency value (between 1-500ms).


• Continue to click the + sign or select from the drop-down to enter the Jitter value
(between 1-100ms), the MOS value (between 1-5), and the Packet Loss value (between
1-20%).

On a per-branch circuit basis, the Jitter, Latency and Packet Loss values will utilize
the best (lowest) measured value between the Branch and all Data Centers.
• If you check the option Application Metrics,

• Provide the Init Failure Rate (between 1-100%).


• Continue to click the + sign or select from the drop-down to enter the RTT value
(between 1-500ms) and the UDP TRT value (between 1-500ms).
Init Failure rate is the percentage of TCP 3-way handshake failures and RTT is the TCP
Round Trip Time from a client to the server and back to the client.
UDP Response Time (UDP-TRT) is the amount of time it takes for the server to respond
to the UDP transaction request from the time the request is received. Currently, UDP-
TRT provides information on UDP DNS traffic only.
• If you check the Probe option,

• Select the Probe config from the drop-down. Depending on the probe config selected
(DNS/HTTP/ICMP), enter the value for the following probe metrics:
• DNS Transaction Time (between 1-500ms), and the DNS Transaction Failure Rate
(between 1-100%).
• HTTP Transaction Time (between 1-500ms), and Init Failure Rate (between 1-100%).
• Latency value (between 1-500ms), and continue to click the + sign or select from the
drop-down to enter the Jitter value (between 1-100ms) and the Packet Loss value
(between 1-20%).
• If you check the option System Health Metrics,

• Enter the CPU Utilization value (between 1-100%).


• Continue to click the + sign or select from the drop-down to enter the Memory
Utilization value (between 1-100%) and the Disk Utilization value (between 1-100%).
• If you check the option Circuit Utilization, enter the Circuit Utilization value (between
1-100%).

• If you check the option Flow Metrics, enter the Concurrent Flow Utilization value (between
1-100%).

STEP 4 | Save your changes.
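To make the Link Quality thresholds entered in this procedure, and the Raise Above / Clear Below and monitoring-approach settings from the rule procedure, concrete, the following Python is an added example and not Palo Alto Networks code. It evaluates constructed LQM samples against an SLA and keeps one alarm per circuit with hysteresis. Two assumptions are labelled in the code: every sample from every path of the circuit counts toward the aggregated percentage, and the monitoring approach is represented by the number of recent samples evaluated, since the time-based algorithm itself is not documented here:

```python
"""Link Quality SLA evaluation with Raise Above / Clear Below hysteresis.

Added example, not Palo Alto Networks code. Assumptions: every LQM sample from
every path of a circuit counts toward one aggregated violation percentage, and
the monitoring approach is modelled as the number of recent samples evaluated.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed window sizes in LQM samples; Conservative evaluates a longer period.
WINDOW_SAMPLES = {"Aggressive": 6, "Moderate": 12, "Conservative": 24}


@dataclass(frozen=True)
class LinkQualitySla:
    latency_ms: Optional[float] = None   # UI range 1-500 ms
    jitter_ms: Optional[float] = None    # UI range 1-100 ms
    loss_pct: Optional[float] = None     # UI range 1-20 %
    mos: Optional[float] = None          # UI range 1-5; violated when measured MOS is lower

    def violated(self, sample: Dict[str, float]) -> bool:
        if self.latency_ms is not None and sample["latency_ms"] > self.latency_ms:
            return True
        if self.jitter_ms is not None and sample["jitter_ms"] > self.jitter_ms:
            return True
        if self.loss_pct is not None and sample["loss_pct"] > self.loss_pct:
            return True
        if self.mos is not None and sample.get("mos", 5.0) < self.mos:
            return True
        return False


class CircuitSlaMonitor:
    """Raises one alarm per circuit when the aggregated violation percentage
    exceeds Raise Above, and clears it when the percentage falls below Clear Below."""

    def __init__(self, sla: LinkQualitySla, raise_above: float = 50.0,
                 clear_below: float = 20.0, approach: str = "Moderate"):
        if not 10 <= raise_above <= 100:
            raise ValueError("Raise Above must be between 10% and 100%")
        if not 1 <= clear_below <= 80:
            raise ValueError("Clear Below must be between 1% and 80%")
        if clear_below >= raise_above:
            raise ValueError("Clear Below must be lower than Raise Above or the alarm flaps")
        self.sla, self.raise_above, self.clear_below = sla, raise_above, clear_below
        self.samples = deque(maxlen=WINDOW_SAMPLES[approach])
        self.alarm = False
        self.cycle = 0
        self.events: List[Tuple[str, int, float]] = []   # (event, cycle, aggregated %)

    def observe(self, path_samples: Dict[str, Dict[str, float]]) -> float:
        """Feed one LQM sample per path of the circuit for this probe cycle."""
        self.cycle += 1
        for sample in path_samples.values():
            self.samples.append(self.sla.violated(sample))
        pct = 100.0 * sum(self.samples) / len(self.samples)
        if not self.alarm and pct > self.raise_above:
            self.alarm = True
            self.events.append(("RAISE", self.cycle, round(pct, 1)))
        elif self.alarm and pct < self.clear_below:
            self.alarm = False
            self.events.append(("CLEAR", self.cycle, round(pct, 1)))
        return pct


def simulate(approach: str) -> List[Tuple[str, int, float]]:
    """Constructed trace: two fabric paths on one circuit, healthy for 3 cycles,
    5% loss on both paths for cycles 4-8, then healthy again through cycle 20."""
    sla = LinkQualitySla(latency_ms=100, jitter_ms=50, loss_pct=3)
    monitor = CircuitSlaMonitor(sla, raise_above=50, clear_below=20, approach=approach)
    for cycle in range(1, 21):
        loss = 5.0 if 4 <= cycle <= 8 else 0.2
        sample = {"latency_ms": 40.0, "jitter_ms": 8.0, "loss_pct": loss}
        monitor.observe({"to-DC-A": dict(sample), "to-DC-B": dict(sample)})
    return monitor.events
```

Running `simulate("Aggressive")` raises at cycle 5 and clears at cycle 11, while `simulate("Conservative")` raises at cycle 7 and does not clear until cycle 18 on the same trace, which is the slower-to-trigger, slower-to-clear behaviour the procedure describes for the Conservative approach. The constructor also refuses a Clear Below value at or above Raise Above, a combination the UI ranges allow but that would make the alarm flap.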

Configure Probes
Where Can I Use This?             What Do I Need?

• Prisma SD-WAN                   • Active Prisma SD-WAN license.
                                  • Physical and virtual ION devices running
                                    software version 6.4.1 and higher.

Prisma SD-WAN supports always-on probing, enabling measurement of key metrics such
as round trip latency, packet loss, jitter and other metrics to any ICMP/DNS/HTTP/HTTPS
service across all transports (Direct, Fabric, Standard VPN). These results are available to the
administrator and serve in making path selection decisions with precise control using performance
policy. Furthermore, the system can utilize the same application health probes to determine
L3 Reachability. At the tenant level, you can configure probes by specifying the probe type,
endpoints, and frequency.
Probe Profiles, which are global objects containing probe configurations, are defined at the tenant
level and linked to Circuit Categories and Circuits. Probe Configs are created with parameters
such as Protocol Type (ICMP, DNS, HTTP, HTTPS), EndPoints (IP/FQDN/URL), Frequency, Probe
Cycle Duration, and Path Type (Direct, Standard VPNs, Prisma SD-WAN VPNs).

STEP 1 | To configure Probe Profiles, go to Manage > Resources > Probes > Probe Profiles.
View the list of configured probe profiles and their configurations. Use the Actions options to
Edit a probe profile, view the Audit Logs for any system configuration changes, or remove a
probe profile. To add a new Probe Profile:

1. Select Add New Probe Profile and enter a Name for the profile and optionally, Description
and Tags.
2. From the Probe Configs drop down, select a probe config. You can select up to 8 probe
configs for a probe profile. The default probe configs are:

3. Save your changes.


The system automatically applies default probe profiles to all circuit categories, while default
probe configurations are disabled by default for existing tenants. You can't remove a default
probe profile, but you have the option to delete a default probe configuration.

STEP 2 | To configure Probe Configs, go to Manage > Resources > Probes > Probe Configs.

View the list of configured probe configurations and their details. Use the Actions options to
Edit a probe config or view the Audit Logs for any system configuration changes. To add a new
Probe Config:
1. Select Add New Probe Config. For existing tenants, the default Probe Configs will be
present in Disabled mode. However, for new tenants, they will be in Enabled mode by
default.

2. Enter a Name for the probe config and optionally, Description and Tags.
3. Enter an IP address or FQDN for the probe configuration.
4. Select the Probe Cycle Duration to be in minutes or seconds. The minimum value is 1
second and the maximum value is 60 minutes. The results of the probe are used in path
selection (in combination with an SLA) and will trigger flow moves for existing flows and
avoidance for new flows if the defined SLA is not being met.
5. Enter the Probe Count value as a multiple of the probe cycle duration; multiples of 1, 2, and
3 are accepted.
6. Select the Probe Path Type as Direct, Prisma SD-WAN VPN, or Standard VPN.
7. Select the Protocol:
• HTTP: Enter the HTTP Response Code from the drop-down and the HTTP Response
String.
• HTTPS: Enter the HTTPS Response Code from the drop-down and the HTTPS Response
String.
• DNS: Enter the DNS Server IP address.

The IP / FQDN address will be used as the PTR / DNS record lookup criteria.

• ICMP
8. Save your changes.
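As an added example, not ION software, the following Python implements an HTTP/HTTPS probe with the same parameters as steps 3 to 7 above: probe count per cycle, expected response code, expected response string, and the Allow Invalid Certificate option listed later under Service Health Probes. It measures transaction time including content download, reports the failure rate, and compares both against a Probe SLA of the kind configured under Performance SLAs. It runs offline against a constructed local HTTP server; the endpoint paths and SLA numbers are constructed sample values:

```python
"""HTTP/HTTPS service health probe in the shape of the Probe Config above.

Added example, not ION firmware. Runs offline against a constructed local HTTP
server; endpoint paths and SLA numbers are constructed sample values.
"""
import ssl
import threading
import time
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from statistics import mean


def run_probe(url, expected_code=200, expected_string=None,
              probe_count=2, timeout=2.0, allow_invalid_cert=False):
    """Send `probe_count` GETs and report per-request outcome, failure rate and timing."""
    ctx = ssl.create_default_context()
    if allow_invalid_cert:                  # the "HTTPS Allow Invalid Certificate" option
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    results = []
    for _ in range(probe_count):
        start = time.monotonic()
        ok, code, body, reason = False, None, "", ""
        try:
            with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
                body = resp.read().decode(errors="replace")   # download counts toward transaction time
                code = resp.status
        except urllib.error.HTTPError as err:                 # non-2xx still yields a code and body
            body, code = err.read().decode(errors="replace"), err.code
        except (urllib.error.URLError, OSError) as err:       # DNS, TCP or TLS failure
            reason = f"transport error: {err}"
        elapsed_ms = (time.monotonic() - start) * 1000.0
        if code is not None:
            if code != expected_code:
                reason = f"response code {code}, expected {expected_code}"
            elif expected_string and expected_string not in body:
                reason = "response string not found"
            else:
                ok = True
        results.append({"ok": ok, "code": code, "transaction_ms": elapsed_ms, "reason": reason})
    failures = sum(1 for r in results if not r["ok"])
    return {"failure_rate_pct": 100.0 * failures / len(results),
            "transaction_ms_avg": mean(r["transaction_ms"] for r in results),
            "results": results}


def meets_probe_sla(result, max_transaction_ms, max_failure_rate_pct):
    """Probe SLA as on this page: HTTP Transaction Time and Init Failure Rate thresholds."""
    return (result["failure_rate_pct"] <= max_failure_rate_pct
            and result["transaction_ms_avg"] <= max_transaction_ms)


class _Handler(BaseHTTPRequestHandler):
    """Constructed endpoint with healthy, slow and failing paths."""
    ROUTES = {"/healthz": (200, b"status=OK"), "/slow": (200, b"status=OK"),
              "/broken": (503, b"upstream unavailable")}

    def do_GET(self):
        code, body = self.ROUTES.get(self.path, (404, b"not found"))
        if self.path == "/slow":
            time.sleep(0.25)
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):          # keep the example quiet
        pass


def start_local_server():
    server = ThreadingHTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo():
    """Probe the three constructed endpoints and judge each against a Probe SLA."""
    server, base = start_local_server()
    try:
        healthy = run_probe(base + "/healthz", 200, "status=OK")
        broken = run_probe(base + "/broken", 200, "status=OK")
        slow = run_probe(base + "/slow", 200, "status=OK")
        return {"healthy_ok": meets_probe_sla(healthy, 500, 10),
                "broken_ok": meets_probe_sla(broken, 500, 10),
                "broken_failure_rate": broken["failure_rate_pct"],
                "broken_reason": broken["results"][0]["reason"],
                "slow_ok": meets_probe_sla(slow, 100, 10)}
    finally:
        server.shutdown()
        server.server_close()
```

The response-string check matters as much as the status code: a captive portal or a load balancer's error page can answer 200 over an impaired path, and only content validation distinguishes that from the real service. Leave `allow_invalid_cert` off unless the probed endpoint is deliberately self-signed, since with it on the probe will report a TLS-intercepted path as healthy.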

Monitor Probes
Where Can I Use This?             What Do I Need?

• Prisma SD-WAN                   • Active Prisma SD-WAN license.
                                  • Physical and virtual ION devices running
                                    software version 6.3.1 and higher.

Monitor the probe health of a circuit and flow data.


STEP 1 | To view the Probe Health of a circuit, go to Strata SD-WAN > Monitor > Branch Sites >
Prisma SD-WAN.
1. Select the Branch Site Name and click the Circuit for which you wish to view the probe health.
2. Expand the Probe name to view the circuits where the probes were applied. It provides
information on the endpoint, protocol, RTT, Loss, Jitter, Transaction Failure Rate, and Init
Failure Rate.
3. Select a path to view the Probe Details such as Latency, Jitter, and Packet Loss by filtering
by Path and Time Range.

STEP 2 | To view the performance policy probes in flow data, go to Strata SD-WAN > Monitor >
Branch Sites > Prisma SD-WAN > Flows.
1. Select a site to view the Flows data and select any flow to view detailed information on the
attributes of the flow.
2. Flow Decision Data provides a detailed per flow account for all aspects of the app session,
including the actions taken to meet the configured performance policy probes SLAs and also
lists any SLA violations.

Best Practices and Recommendations


Where Can I Use This?             What Do I Need?

• Prisma SD-WAN                   • Active Prisma SD-WAN license.
                                  • Physical and virtual ION devices running
                                    software version 6.3.1 and higher.

Performance Policy provides a flexible framework for the assurance of Application and Network
SLAs. In this section we will review sample policy rules for several common use cases along
with general guidelines for implementation. Performance Policy is supported on ION device
versions 6.3.1 and higher. The following are the recommended best practices when configuring
Performance Policy:
1. Simple Policy Sets: Use simple policy stacks unless the modular flexibility of advanced stacks is
required.
2. Rule Order: As Performance Policy uses an explicit order, more specific rules (app match, path
match, DC Group, etc.) must be placed at the top of the policy set and less specific rules at
the bottom. Any match field left empty is considered a match all.
3. Migration of LQM and APT thresholds from Advanced Menu: Prior to the availability of
Performance Policy in 6.3.1, the configuration governing performance-based path selection
was made through the Advanced menu. As of 6.3.1 this configuration is no longer used by
the device, and the rules must be configured in a performance policy set applied to the site.
4. Functional Limits for Forward Error Correction (FEC) and Packet Duplication: FEC and Packet
Duplication are adaptive and will only invoke when a Prisma SD-WAN VPN path exceeds the
packet loss threshold specified in the SLA. As FEC or Packet Duplication is invoked, additional
resources are required for processing the packet recovery information. The maximum VPNs
actively encoding recovery information per platform are listed below:

ION Model    Max VPNs Branch    Max VPNs DC
1000         8                  N/A
1200         8                  N/A
1200-S       8                  N/A
2000         8                  N/A
3000         16                 32
3200         16                 32
5200         32                 128
7000         32                 128
9000         64                 256
9200         64                 256

• The branch ION determines if the SLA will be met in both the inbound and outbound
direction on a per path basis. In the case that inbound (from the Data Center) loss exceeds
the SLA, the branch ION sends an in-band instruction attached to a packet to the Data
Center ION instructing it to invoke FEC for the affected flow.
• If the number of VPNs actively invoking FEC and Packet Duplication meets the platform
limit (above) then no further VPNs will be able to encode or decode recovery information.
• When an ION simultaneously applies Forward Error Correction (FEC) and Packet
Duplication on traffic from the same VPN, this counts as a single VPN instance.
• ION Device version 6.3.2 or higher is recommended when using Forward Error Correction.
• ION Device version 6.4.1 or higher is required when using Packet Duplication.
5. Policy Rule Configuration Limits: Each ION device model varies in system resources depending
on the targeted use case for the appliance.
• For Performance Policy there are two important metrics to consider: the total number of
rules and the number of specific application IDs matched per rule.
• Multiply the total number of rules by the total number of application IDs matched.
• The table below is a reference for the maximum validated and recommended rule
configurations:

ION Model    Rule Count    Max Rules x Apps
1000         30            150
1200         50            250
1200-S       200           1275
2000         50            1275
3000         255           1275
3200         255           1275
5200         255           1275
9000         255           1275
9200         255           1275

6. Prerequisites: Ensure that Use LQM on non-hub paths is configured on each of the circuit
categories used in the network.

Circuit specific overrides may be configured.

7. Application & Network Performance and Reachability Information in Prisma SD-WAN:
Prisma SD-WAN uses a combination of real user traffic, reachability probes, service health
probes, and link quality monitoring to form an accurate picture of the application and network
performance landscape. These perspectives include:
• Real User Traffic: Prisma SD-WAN measures numerous parameters of each application
session including:
• Init Success / Failure Rate - TCP 3-way Handshake
• Transaction Success / Failure Rate - TCP Retransmission
• RTT - Application Round Trip Time
• SRT - Application Server Response Time
• NTTn - Time for TCP Window Completion
• DNS Transaction Time - Round Trip Time
• Voice MOS
• Voice and Video Packet Loss
• Voice and Video Jitter
• App Reachability Probe: When the system detects a 3-way handshake failure for LAN
initiated traffic, the ION crafts a special synthetic probe packet to mimic the original failed
TCP SYN on that specific path. If the synthetic probe fails to establish a TCP connection, the
path is automatically marked as unusable due to App Unreachable for that App/Path/Prefix
combination. This probe continues to generate every 1 minute to verify the application
reachability status. If the probe is successful, the path is then considered for path selection
for that App/Path/Prefix combination.
• L3 Reachability: If all VPNs on a WAN interface go down and there is no inbound traffic,
the ION automatically generates traffic to verify the true usability status of the circuit. By
default, these endpoints are:
• Ping 8.8.8.8
• Ping 8.8.4.4
• Ping 208.67.222.222
• HTTPS GET for captive.apple.com
• HTTPS GET for captive.google.com
Starting from release 6.4.1, the L3 Reachability probes can optionally be configured to use
the results of Service Health Probes to determine the L3 Reachability status of the circuit.
• Standard VPN Endpoint Liveliness Probes: This is an optional configuration that enables the
system to generate probes through a standard VPN tunnel after it is created. There are two
types of probes:
• ICMP
• Interval between 1 to 30 seconds.
• Failure Count between 3 to 300; how many consecutive failures before the Standard
VPN is marked as down.
• IP Address
• HTTP
• Interval between 10 to 3600 seconds.
• Failure Count between 3 to 300; how many consecutive failures before the Standard
VPN is marked as down.
• HTTP Status Codes; A matched HTTP status code response will be considered as up.
A failure to match the HTTP status code will mark the Standard VPN as down.
• URL of the HTTP content.
• Standard VPN IKE DPD: DPD or Dead Peer Detection is a keepalive method used to
determine the liveliness of the IKE peer.
• VPN Keep-Alives: Prisma SD-WAN VPNs utilize VPN Keep-Alives to ascertain their up/
down status. The default configuration generates a Keep-Alive every second and identifies
a VPN as down when it loses 3 consecutive Keep-Alives. This can be tuned to an aggressive
100 ms Keep-Alive interval with a minimum failure count of 3, resulting in 300 ms to detect
a down path.
• Link Quality Monitoring: Link Quality Monitoring (LQM) provides automatic and
continuous path monitoring for Branch to Data Center and Branch to Branch Gateway VPN
connections, assessing Latency, Loss, Jitter, and link MOS. LQM results are visible in the
user interface and can serve as App/Network SLA criteria in Performance Policy, enabling
performance-based path selection, FEC or Packet Duplication, and incident generation.


LQM can be disabled at the circuit category or site circuit definition.
• ADEM: Autonomous Digital Experience Monitoring (ADEM) provides always on monitoring
for business critical applications using the ION as a remote network sensor.
• Service Health Probes: Introduced in release 6.4.1, Service Health Probes provide the
capability to configure health checks for specific endpoints and monitor performance
metrics across the underlay, Prisma SD-WAN VPN overlay, and Standard VPNs. Each
circuit can monitor up to 8 health probe endpoints simultaneously across all path types. The
results of these health probes are monitored under the circuit health, with optional incident
generation. These metrics can also influence path selection and be utilized in a performance
policy rule (with failover time as low as 1000ms) under the Probe SLA type, as well as to
determine the L3 Reachability status of the circuit. The supported probe configurations are:
• HTTP/S
• HTTP/S Transaction Time; Includes content download
• HTTP/S Transaction Failure Rate
• HTTP/S Code Response
• HTTP/S Content Validation
• HTTPS Allow Invalid Certificate
• DNS
• DNS Transaction Response Time
• DNS Transaction Failure Rate
• ICMP
• Round-trip Latency
• Round-trip Loss
• Round-trip Jitter
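The two limit tables in items 4 and 5 of this list can be turned into a pre-deployment check. The following Python is an added example, not a Palo Alto Networks tool; the tables are copied from this page, and two interpretations are assumptions labelled in the code: the Rules x Apps figure is treated as the total number of application matches across all rules (which equals rules multiplied by apps per rule when every rule matches the same number), and a match-any rule is counted as one application:

```python
"""Pre-deployment check of a performance policy set and of FEC / Packet
Duplication usage against the per-model limits tabulated on this page.

Added example, not a Palo Alto Networks tool. Assumptions: "Rules x Apps" is
the total number of application matches across all rules, and a match-any rule
counts as one application.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# ION model -> (max VPNs encoding FEC/Packet Duplication at a branch, at a DC)
FEC_VPN_LIMITS: Dict[str, Tuple[int, Optional[int]]] = {
    "1000": (8, None), "1200": (8, None), "1200-S": (8, None), "2000": (8, None),
    "3000": (16, 32), "3200": (16, 32), "5200": (32, 128), "7000": (32, 128),
    "9000": (64, 256), "9200": (64, 256),
}

# ION model -> (max rule count, max rules x apps)
RULE_LIMITS: Dict[str, Tuple[int, int]] = {
    "1000": (30, 150), "1200": (50, 250), "1200-S": (200, 1275), "2000": (50, 1275),
    "3000": (255, 1275), "3200": (255, 1275), "5200": (255, 1275),
    "9000": (255, 1275), "9200": (255, 1275),
}


def _limits(table: Dict[str, tuple], model: str) -> tuple:
    if model not in table:
        raise ValueError(f"ION {model} is not in the limits table on this page")
    return table[model]


def check_rule_budget(model: str, rules: Iterable[Optional[Set[str]]]) -> Dict[str, object]:
    """`rules` holds, per rule, the set of matched application IDs (None = match any)."""
    max_rules, max_rules_x_apps = _limits(RULE_LIMITS, model)
    app_matches = [1 if apps is None else max(len(apps), 1) for apps in rules]
    rule_count, rules_x_apps = len(app_matches), sum(app_matches)
    problems: List[str] = []
    if rule_count > max_rules:
        problems.append(f"{rule_count} rules exceeds the {max_rules} validated for ION {model}")
    if rules_x_apps > max_rules_x_apps:
        problems.append(f"rules x apps {rules_x_apps} exceeds {max_rules_x_apps} for ION {model}")
    return {"rule_count": rule_count, "rules_x_apps": rules_x_apps, "problems": problems}


def check_fec_budget(model: str, role: str, fec_vpns: Set[str], pd_vpns: Set[str]) -> Dict[str, object]:
    """A VPN running both FEC and Packet Duplication counts once, as the page notes."""
    branch_limit, dc_limit = _limits(FEC_VPN_LIMITS, model)
    limit = branch_limit if role == "branch" else dc_limit
    if limit is None:
        return {"supported": False, "active": 0, "limit": None,
                "problems": [f"ION {model} has no DC FEC/Packet Duplication limit listed"]}
    active = len(fec_vpns | pd_vpns)
    problems: List[str] = []
    if active > limit:
        problems.append(f"{active} VPNs encoding recovery information exceeds the {limit} "
                        f"allowed on ION {model} ({role}); further VPNs will not encode or decode")
    return {"supported": True, "active": active, "limit": limit, "problems": problems}


def demo() -> Dict[str, object]:
    """Constructed policy set: 40 rules with 7 apps each plus one match-any rule,
    and 12 FEC VPNs overlapping 6 Packet Duplication VPNs on vpn-8 to vpn-11."""
    rules = [{f"app-{i}-{j}" for j in range(7)} for i in range(40)] + [None]
    fec = {f"vpn-{i}" for i in range(12)}
    pd = {f"vpn-{i}" for i in range(8, 14)}
    return {
        "ion1200": check_rule_budget("1200", rules),
        "ion1200s": check_rule_budget("1200-S", rules),
        "ion3000_branch": check_fec_budget("3000", "branch", fec, pd),
        "ion3000_dc": check_fec_budget("3000", "dc", fec, pd),
        "ion1200_dc": check_fec_budget("1200", "dc", fec, pd),
    }
```

On the constructed set, the ION 1200 is within its rule count but over its Rules x Apps budget (281 against 250) while the 1200-S is fine, and the 14 distinct VPNs encoding recovery information fit the ION 3000 branch limit of 16. The counting of a VPN once when it carries both FEC and Packet Duplication follows the note under item 4.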

Performance Policy Use Cases


Where Can I Use This?             What Do I Need?

• Prisma SD-WAN                   • Active Prisma SD-WAN license.
                                  • Physical and virtual ION devices running
                                    software version 6.3.1 and higher.

Performance Policy provides a flexible framework for the assurance of Application and Network
SLAs. In this section, we will review common use cases, how to configure the policy intent, and
how to monitor for effectiveness.
• Use Case 1 - Protect a Business Critical SaaS Application
• Use Case 2 - Protect a Business Critical Enterprise Application
• Use Case 3 - Protect Physical Security on LEO Satellite and 5G
• Use Case 4 - Protect An Enterprise Voice Application

Use Case 1 - Protect a Business Critical SaaS Application


Where Can I Use This?             What Do I Need?

• Prisma SD-WAN                   • Active Prisma SD-WAN license

In this scenario the business uses SuperSaaSApp as the primary CRM, sales, support, and
fulfillment application. SuperSaaSApp is moderately tolerant to loss and jitter but latency can
affect the end-user experience. SuperSaaSApp is configured to use direct internet paths in path
policy.
• Active Paths:
• Direct on Primary internet (Verizon at the example site).
• Direct on Secondary internet (Comcast at the example site).
• Backup Paths: None
• Layer 3 Failure Paths: Direct on Metered 5G.

Performance Policy Intent


• Use Link Quality Monitoring (LQM) information available from the branch to DC VPNs and TCP
Metrics available from real user traffic for path selection decisions on new flows.
• Use any Active Path to load share traffic as long as the path is SLA compliant.
• Use only the Layer 3 Failure Path if all active paths are down, not degraded.
• Generate an Incident to be forwarded to operations in case of noncompliance with the SLA
metrics.
Configure the Policy Rule

STEP 1 | Select the desired policy set from Manage > Prisma SD-WAN > Policies > Performance.

STEP 2 | Select Add Rule and enter the Name as Protect SuperSaaSApp, Description (optional), and
the Order Number (optional).

More specific rules should be organized at the top of the Policy Set list, else a less
specific policy rule may be matched first.

STEP 3 | In the Actions section, select Raise Alarms and Move Flows.

STEP 4 | In the Match Criteria section, under App Filters, select the application SuperSaaSApp from
the drop-down, select the category in Path Filters as All Public, and select the Path Type as
Direct.

STEP 5 | In the Performance SLAs section, click Add New, and check the options Link Quality Metrics
and Application Metrics. Enter the SLA Name as SuperSaaSApp.

STEP 6 | In Link Quality Metrics, enter the Jitter value as 50 ms.

STEP 7 | Click the + sign to enter the Latency value as 100 ms and the Packet Loss value as 3%.

STEP 8 | Retain the Advanced Settings at their default values.

STEP 9 | In Application Metrics, enter the Init Failure Rate value as 10%. This uses the rate of TCP 3-
way handshake failure on a per app (matched above), per path, per destination prefix basis. It
uses real user traffic.

STEP 10 | Click the + sign to enter the RTT value as 100 ms. This uses the TCP Round-Trip Time based
upon real user traffic.

STEP 11 | In the Advanced Settings change the monitoring approach from Moderate to Aggressive.
The Aggressive setting will give more weight to the most recent real user traffic
measurements, causing the incident generation to be more sensitive to recent issues.

STEP 12 | Review the Summary of the policy settings for the desired policy intent and Save & Exit.

Monitor the Policy Intent


• Application Site Details: Each Application has both global and site-specific details which can
be viewed by navigating to Monitor > Applications > Prisma SD-WAN > SuperSaaSApp >
{Branch Site Name}. This view presents numerous data points reflecting the true health of
the application at the site. Focusing on the SuperSaaSApp Path Performance Details widget
reveals that very little traffic has been routed through the Verizon connection.

From this point, we can inspect the performance of the circuit available from the site summary
or the individual flows. As the flows for this application are located at the bottom of the
page, inspecting them will help determine why the system is avoiding the Verizon circuit for
SuperSaaSApp.
• Flow Browser: Flow Browser provides a detailed per flow account for all aspects of the app
session, including the conditions at the time and actions taken to meet the configured SLA.
Click on the Flow Detail for the SuperSaaSApp application in the Flow Browser to view its
details.

The Advanced Info option provides information on the Flow Decision Data.

In this case, the Verizon connection exceeded the 3% packet loss tolerance specified in the
Performance SLA and the path was avoided.
• Incidents and Alerts: If the Application SLA metrics are violated, the system generates an
incident, which can be found under Incidents & Alerts > Prisma SD-WAN > Incidents, labeled
with the incident code APPLICATION_PERFORMANCE_DEGRADED.

In this case, not only were the Application SLA Metrics (Init fail % or RTT) violated, the link
quality SLA metrics were also breached. This generated another incident under the incident
code CIRCUIT_PERFORMANCE_DEGRADED. As circuit health issues generally lead to
application SLAs not being met, the system automatically detects the correlation between
the two and APPLICATION_PERFORMANCE_DEGRADED becomes a child incident of
CIRCUIT_PERFORMANCE_DEGRADED.

The default system behavior correlates the Application Performance Degraded incident with
the circuit incident and suppresses it, to reduce excessive App SLA notifications. This default
behavior enables faster root cause determination by minimizing the symptoms (paths
not being compliant with App SLAs). Using Incident Settings, the default suppress
behavior can be changed so that the child incident is not suppressed.
• Summary: Implementing the Performance Policy rule for SuperSaaSApp ensures an optimal
end-user experience by consistently utilizing the best-performing direct internet path available.
The effects of the rule are easily monitored using the App Site Details, Link Quality Metrics,
and flow browser. Operationally, the generated Incidents notify operations staff that the
Verizon internet connection periodically proves unsuitable for SuperSaaSApp.

Use Case 2 - Protect a Business Critical Enterprise Application


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

In this scenario, the business uses the application WebPoS for Point of Sale, and it is hosted
in the corporate Data Centers. WebPoS can tolerate moderate levels of latency and jitter, but
packet loss can affect the end-user experience, leading to failures in order processing. WebPoS is
configured with these Path Policy rules:
• Active Paths: Prisma SD-WAN VPN on Primary Internet.
• Backup Paths: None
• L3 Failure Paths: Prisma SD-WAN VPN on Metered 5G.

Performance Policy Intent


• Use the Active Path as long as it is available.
• Use Link Quality Monitoring (LQM) information available from the Branch to Data Center
VPNs, to adaptively control Forward Error Correction (FEC) for any observed packet loss.
• Use only the L3 Failure Path if the active path is down, not degraded.

Configure the Policy Rule


STEP 1 | Select the target policy set from Manage > Prisma SD-WAN > Policies > Performance.

STEP 2 | Select Add Rule and enter the Name as WebPoS, Description (optional), and the Order
Number (optional).

More specific rules should be organized at the top of the Policy Set list, else a less
specific policy rule may be matched first.

STEP 3 | In the Actions section, select Forward Error Correction (FEC) and Move Flows.

STEP 4 | In the Match Criteria section, under App Filters, select the application WebPoS from the
drop-down, and under Path Filters select the categories All Public and All Private.

STEP 5 | Select the Path Type as Prisma SD-WAN VPN.

STEP 6 | In the Performance SLAs section, click Add New, and check the option Link Quality Metrics.
Now, enter the SLA Name as WebPoS.

STEP 7 | In Link Quality Metrics, enter the Jitter value as 50 ms.


On a per-branch circuit basis, this will utilize the best (lowest) measured Jitter value between
the Branch and all Data Centers.

STEP 8 | Click the + sign to enter the Latency value as 150 ms.
On a per-branch circuit basis, this will utilize the best (lowest) measured Latency value
between the Branch and all Data Centers.

STEP 9 | Click the + sign to enter the Packet Loss value as 1%.
On a per-branch circuit basis, this will utilize the best (lowest) measured Packet Loss value
between the Branch and all Data Centers.

STEP 10 | Advanced Settings do not apply since the Create Incidents action was not specified.

STEP 11 | Review the Summary of the policy settings for the desired policy intent and Save & Exit.

Monitor the Policy Intent


• Link Quality Monitoring: The performance of the Prisma SD-WAN VPN (Secure Fabric
Link) between the Branch and Data Center can be inspected by navigating to Monitor >
Applications > Prisma SD-WAN > {Branch Site Name} > {CircuitName} > {Secure Fabric
Name}. This view details the performance characteristics of the Secure Fabric VPN tunnel
between the Branch and Data Center over time and reveals that loss is consistently high.


• Application Monitoring: You can view the site-level impact of Forward Error Correction
(FEC) on the WebPoS application by navigating to Monitor > Applications > Prisma SD-
WAN > WebPoS > {Branch Site Name}. This view presents numerous data points reflecting
the true health of the application at the site. Focusing on the Application Statistics data
reveals an effective 0% rate for Init Failures (3-way handshake) and Transaction Failures (TCP
retransmission).

• The Transaction Stats widget details the Init and Transaction statistics over time.

• The App Reachability widget displays the application reachability status over time per WAN
transport type, detailing good App Reachability.

• Flow Browser: Flow Browser provides a detailed per flow account for all aspects of the app
session, including the conditions at the time and actions taken to meet the configured SLA.


Near the bottom of the Application Details screen in the Flows section, select the Flow Detail
for the WebPoS application in the Flow Browser, then click on Advanced Info.

• The Flow Decision Data indicates High Packet Loss on the Active Path.
• As there are no other configured Active Paths nor Backup Paths, Forward Error Correction
(FEC) is applied to the flow.

• Summary: Implementing the Performance Policy rule for WebPoS ensures an optimal end-user
experience by mitigating a consistent ~5% rate of transport packet loss down to 0% for the
application sessions. The impact of the Protect WebPoS rule is easily monitored using the App
Site Details, Link Quality Metrics, and Flow Browser.

Use Case 3 - Protect Physical Security on LEO Satellite and 5G


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

In this scenario, the business has many locations in remote geographies where high-speed wireline
connectivity is unavailable. These locations have strict requirements for physical security,
including video and audio surveillance as well as access control. This traffic is tolerant of latency
and jitter, but loss can severely impact operations. Due to the bandwidth demands, both primary
connections must be used actively.
RTP-Base, RTP-Audio, RTSP, SIP, RTP-Video, and HID are configured with these path policy rules:


• Active Paths:
• Prisma SD-WAN VPN on LEO Satellite Internet.
• Prisma SD-WAN VPN on Unmetered Public 5G.
• Backup Paths: None
• L3 Failure Paths: Prisma SD-WAN VPN on Internet ADSL.
Performance Policy Intent
• Use both of the Active Paths as long as they are SLA compliant.
• Use Link Quality Monitoring (LQM) information available from the Branch to Data Center
VPNs to control Packet Duplication for any observed packet loss onto the active paths.
• If neither of the Active Paths is SLA compliant, then begin to duplicate packets onto each of
the active paths.
• If one of the two Active Paths is down and the other is degraded, perform single link packet
duplication.
• Use the Internet ADSL Path if all of the Active Paths are down (not degraded).
• Generate an Incident to be forwarded to operations in case of non compliance with the SLA
metrics.
Configure the Policy Rule
STEP 1 | Select the desired policy set from Manage > Prisma SD-WAN > Policies > Performance.

STEP 2 | Select Add Rule and enter the Name as Protect Physical Security Traffic, Description
(optional), and the Order Number (optional).

More specific rules should be organized at the top of the Policy Set list, else a less
specific policy rule may be matched first.

STEP 3 | In the Actions section, select Packet Duplication, Move Flows, and Create Incident.

STEP 4 | In the Match Criteria section, under App Filters, select the applications RTP-Base,
RTP-Audio, RTSP, SIP, RTP-Video, and HID from the drop-down, and under Path Filters select
the categories LEO Satellite Internet and Unmetered Public 5G. Select the Path Type as Prisma
SD-WAN VPN.

STEP 5 | In the Performance SLAs section, click Add New, and check the option Link Quality Metrics.
Enter the SLA Name as Physical Security SLA.

STEP 6 | In Link Quality Metrics, enter the Jitter value as 50 ms.


This will use the best (lowest) measured Jitter value between the branch and all data centers
on a per branch circuit basis.

STEP 7 | Click the + sign to enter the Latency value as 200 ms and the Packet Loss value as 1%.

STEP 8 | Retain the Advanced Settings at their default values.

STEP 9 | Review the Summary of the policy settings for the desired policy intent and Save & Exit.


Summary: Implementing the Performance Policy rule for Physical Security ensures the delivery of
the business critical traffic by mitigating consistent loss in the transport networks. The impact of
the rule is easily monitored using the App Site Details, Link Quality Metrics, and Flow Browser.

Use Case 4 - Protect An Enterprise Voice Application


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

In this scenario, the business uses a traditional VoIP system hosted in the corporate data center
for their customer contact centers. The business has an SLA with a minimum acceptable MOS
score of 3.6 and the packet loss cannot exceed 1% in either direction for contact center media
traffic which is detected as RTP-Audio, RTP-Base, and SIP. There is a mix of internet and MPLS
for active transport and Metered 5G as a path of last resort, which will only be used for this
traffic.
RTP-Audio, RTP-Base, and SIP are configured with these path policy rules:
• Active Paths:
• Prisma SD-WAN VPN on Primary Internet.
• Prisma SD-WAN VPN on MPLS.
• Backup Paths: None
• L3 Failure Paths: Prisma SD-WAN VPN on Metered 5G.
Performance Policy Intent
• Use one of the Active Paths as long as at least one path is MOS and Packet Loss SLA
compliant.
• Use Link Quality Monitoring (LQM) information available from the Branch to Data Center
VPNs to control Packet Duplication for any observed packet loss onto the active paths.
• If neither of the Active Paths is compliant with the packet loss SLA, then begin to duplicate
packets onto each of the active paths.
• If one of the two Active Paths is down and the other is degraded, then perform single link
packet duplication.
• Use the Metered 5G L3 Failure Path if all of the Active Paths are down (not degraded).
• If the Metered 5G path exceeds the loss SLA tolerance, then perform single link packet
duplication.
Configure the Policy Rule
STEP 1 | Select the desired policy set from Manage > Prisma SD-WAN > Policies > Performance.

STEP 2 | Select Add Rule and enter the Name as Protect Voice Traffic, Description (optional), and the
Order Number (optional).

More specific rules should be organized at the top of the Policy Set list, else a less
specific policy rule may be matched first.


STEP 3 | In the Actions section, select Packet Duplication and Move Flows.

STEP 4 | In the Match Criteria section, under App Filters, select the applications RTP-Base,
RTP-Audio, and SIP from the drop-down, and under Path Filters select the categories Primary
Internet and MPLS. Select the Path Type as Prisma SD-WAN VPN.

STEP 5 | In the Performance SLAs section, click Add New, and check the option Link Quality Metrics.
Enter the SLA Name as Voice SLA.

STEP 6 | In Link Quality Metrics, enter the MOS (Mean Opinion Score) value as 3.6.
This will use the best (highest) measured MOS value between the branch and all data centers
on a per branch circuit basis.

STEP 7 | Click the + sign to enter the Packet Loss value as 1%.
This will use the best (lowest) measured Packet Loss value between the branch and all data
centers on a per branch circuit basis.

STEP 8 | Retain the Advanced Settings at their default values.

STEP 9 | Review the Summary of the policy settings for the desired policy intent and Save & Exit.

Summary: Implementing the Performance Policy rule for the contact center media applications
ensures the delivery of the business critical traffic by finding MOS and Packet Loss SLA compliant
paths and mitigating any loss in the transport networks using packet duplication when necessary.
The impact of the rule is easily monitored using the App Site Details, Link Quality Metrics, and
Flow Browser.
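The path-selection intent stated for Use Cases 3 and 4 (prefer an SLA-compliant Active Path, protect the flow with packet duplication when all Active Paths are degraded, fall back to the L3 Failure Path only when every Active Path is down, and protect that path too if it violates the SLA) can be written out as a small decision procedure. The following Python is an added example, not Prisma SD-WAN or ION code: the rule, path, and LQM structures, the threshold values, and the `decide` function are assumptions constructed to illustrate the intent, and the real per-flow logic on the ION is not published here. MOS is handled as the one metric where a lower value is worse.

```python
"""Added example (not Prisma SD-WAN code): evaluate a performance policy rule
against per-path Link Quality Monitoring (LQM) samples and decide the
forwarding action, following the intent described in Use Cases 3 and 4.
All names, thresholds and measurements are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass

# Direction of "bad" for each SLA metric. MOS is the only one where lower is worse.
HIGHER_IS_WORSE = {"latency_ms": True, "jitter_ms": True, "loss_pct": True, "mos": False}


@dataclass
class Path:
    name: str
    up: bool
    lqm: dict  # constructed LQM sample for this branch circuit, e.g. {"loss_pct": 0.5}


@dataclass
class Rule:
    active: list[str]
    l3_failure: list[str]
    sla: dict  # metric -> threshold, e.g. {"mos": 3.6, "loss_pct": 1.0}
    protect_action: str = "packet_duplication"  # or "fec" (Use Case 2 style)


def violations(path: Path, sla: dict) -> list[str]:
    """Return the SLA metrics this path currently violates (empty = compliant)."""
    bad = []
    for metric, threshold in sla.items():
        value = path.lqm.get(metric)
        if value is None:
            continue  # metric not measured on this path: no violation can be declared
        if HIGHER_IS_WORSE[metric] and value > threshold:
            bad.append(metric)
        elif not HIGHER_IS_WORSE[metric] and value < threshold:
            bad.append(metric)
    return bad


def decide(rule: Rule, paths: dict[str, Path]) -> dict:
    """Apply the policy intent:
    1. prefer Active Paths that are up and SLA compliant (Move Flows);
    2. if no Active Path is compliant but some are up, keep them and protect the
       flow: duplication across all up Active Paths, single-link when only one is up;
    3. only when every Active Path is down use the L3 Failure Path, protecting it
       as well if it violates the SLA."""
    active_up = [paths[n] for n in rule.active if paths[n].up]
    compliant = [p for p in active_up if not violations(p, rule.sla)]
    if compliant:
        return {"paths": [p.name for p in compliant], "protect": None, "reason": "sla_compliant"}
    if active_up:
        mode = "dual_link" if len(active_up) > 1 else "single_link"
        return {"paths": [p.name for p in active_up],
                "protect": f"{rule.protect_action}:{mode}", "reason": "all_active_degraded"}
    failure_up = [paths[n] for n in rule.l3_failure if paths[n].up]
    if not failure_up:
        return {"paths": [], "protect": None, "reason": "no_path"}
    p = failure_up[0]
    protect = f"{rule.protect_action}:single_link" if violations(p, rule.sla) else None
    return {"paths": [p.name], "protect": protect, "reason": "all_active_down"}


# Constructed scenario mirroring Use Case 4: voice over Internet + MPLS VPNs,
# Metered 5G as the path of last resort, SLA of MOS >= 3.6 and loss <= 1%.
VOICE_RULE = Rule(active=["internet_vpn", "mpls_vpn"], l3_failure=["metered_5g_vpn"],
                  sla={"mos": 3.6, "loss_pct": 1.0})


def sample_paths(internet_loss, mpls_loss, internet_up=True, mpls_up=True, lte_loss=0.2):
    """Constructed LQM snapshot for one branch; loss values are percentages."""
    return {
        "internet_vpn": Path("internet_vpn", internet_up, {"mos": 4.1, "loss_pct": internet_loss}),
        "mpls_vpn": Path("mpls_vpn", mpls_up, {"mos": 4.3, "loss_pct": mpls_loss}),
        "metered_5g_vpn": Path("metered_5g_vpn", True, {"mos": 3.9, "loss_pct": lte_loss}),
    }


if __name__ == "__main__":
    print(decide(VOICE_RULE, sample_paths(0.3, 2.5)))                 # Internet compliant, no protection
    print(decide(VOICE_RULE, sample_paths(1.8, 2.5)))                 # both degraded: dual-link duplication
    print(decide(VOICE_RULE, sample_paths(1.8, 0.1, mpls_up=False)))  # one down, one degraded: single-link
    print(decide(VOICE_RULE, sample_paths(0, 0, False, False, lte_loss=3.0)))  # all down: 5G, protected
```

Changing `protect_action` to `"fec"` and giving the rule a single Active Path reproduces the Use Case 2 behaviour, where the only available path is kept and FEC is applied instead of moving the flow.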

Prisma SD-WAN Security Policies
Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Prisma SD-WAN focuses on security policies that control access to applications through zone-
based firewalls.

If you are a new user starting with Release 6.0.1, you can configure only stacked security
policies. You will not be able to view or access Security Policies (Original). If you have
configured original or legacy policies, you have to migrate these legacy policies to
stacked policies before you can upgrade your device to Release 6.0.1.

• Prisma SD-WAN Security Architecture
• Prisma SD-WAN ZBFW
• ZBFW Constructs
• Configure Security Policies
• Modify and Delete Policy Rules and Sets


Prisma SD-WAN Security Architecture

Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Prisma SD-WAN provides a stateful, flexible, application-aware, enterprise-grade Zone-Based
Firewall (ZBFW) that secures an ever-changing WAN perimeter and facilitates segmentation within a
branch.
ZBFW translates business security intent and requirements into configurable security policy rules
that determine connectivity and secure access, ensuring compliance across different network
circuits and interfaces.


Prisma SD-WAN ZBFW

Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

The zone-based firewall (ZBFW) is designed to create, manage, and enforce security policies and
propagate those policies to all branch sites without using fragmented rules or managing security
at an individual device level. It is a lightweight security solution for securing the WAN perimeter
and segmenting traffic within a branch site.
• Securing the Perimeter—ION hardware and virtual devices include an application-aware,
stateful, zone-based firewall to protect internet connections in the remote office. On the ION
device, application-aware policies are defined that specify what is allowed into and out of the
remote location, giving the administrator explicit control to secure the perimeter. Additionally,
the AppFabric is managed centrally through the cloud-delivered controller, which provides the
hardware, software, and storage that support the management and monitoring infrastructure.
• Segment Traffic in the Branch—Prisma SD-WAN uses the concept of zones and prefix filters
within ZBFW rules to isolate and segment traffic in the branch.
• Prepare to Configure ZBFW—To prepare for securing the network, conduct preliminary
planning and evaluation of your environment.


ZBFW Constructs

Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

ZBFW constructs include applications, prefix filters, zones, security policy sets, security policy
rules, and actions. The information specified for these constructs defines the security policy you
want to implement.

ZBFW Application

Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Applications are the core element of the ZBFW solution for controlling network traffic and
implementing security policies. Security policies use the same application definitions and
fingerprinting technology that network policy uses for path selection and quality of service (QoS).

ZBFW Prefix Filters

Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Prefix filters specify a group of one or more individual IP addresses or IP address subnets. In
security policies, prefix filters restrict access within a branch and filter traffic to specific IP
addresses within the given source and destination zones. As with application definitions, you
can reuse prefix filters across the rules and policy sets you create for security policy rules.
• Global prefix filters use the same set of prefixes at every site. Global prefix filters defined for
custom applications can be reused in security policy application definitions.
• Local prefix filters are defined per branch location. They address site-specific scenarios, such
as the devices in a particular zone (for example, a guest zone) at one site.
Local filters allow administrators to create a single policy across all sites that describes application
behavior, eliminating the need to develop individual policies per site. The system automatically
populates the prefix values for the specific branch location and, when you add a new branch,
notifies the administrator to define local prefix filters for it as needed. This simplifies policy
administration and reduces the number of rules that need to be configured and managed.


ZBFW Zones

Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Zones specify enforcement boundaries where traffic is subject to inspection and filtering. Each
zone maps to networks attached to physical interfaces, logical interfaces, or sub-interfaces of a
device. These zone-level interfaces serve as a proxy for physical circuits and virtual circuits, such
as VLAN, Layer 3 VPN, and Layer 2 VPN circuits. You can manage and secure every interface in a
zone independently:
• Allow or deny every interface in a zone access to other zones within an enterprise network.
• Segregate interface traffic by blocking all access not explicitly allowed by the security policies
of an enterprise.
• Isolate networks that hold private or sensitive information by restricting access to them from
public networks.
A zone is associated with one or more WAN, LAN, or VPN networks at a site. You can attach a zone
to multiple networks, but each network (LAN, WAN, or VPN) belongs to only one zone.
Typically, most organizations create three to four zones to segregate traffic, following this model:
a guest zone, one or more corporate LAN zones, an outside zone for the internet underlay, and a
corporate WAN zone for the private WAN and for VPNs over the internet or private WAN.
Define the network segments that allow or restrict application access, to control traffic
between LANs or between LAN and WAN, and, through site bindings, bind zones to the
appropriate LAN and WAN interfaces at each site.
In security policy rules, specify the source and destination zones to which the rule applies. You
must specify one or more source zones and one or more destination zones for each security rule
you configure. The source zone identifies the network where traffic originates and the destination
zone identifies the network where the traffic is destined.

Security Policy Sets

Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

A security policy set provides a common administrative domain for a group of security policy rules
applied to designated sites. Each security policy set is attached—or bound—to one or more sites
and contains the collection of individual security rules that applies to those sites.
By default, each security policy set has three default security policy rules. You can add security
policy rules to a set to customize the traffic allowed, denied, or rejected from any source or
destination zone in a site. You bind security policy sets to sites to map the firewall zones that
specify interfaces and network segments and apply the associated security rules to the selected
location.

Security Policy Rules

Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

A security policy rule specifies the handling of application traffic between zones in a branch office.
For each security policy rule, define source and destination zones, the applications to which the
rule applies, optional prefix filters, and the appropriate action.
By default, three security policy rules are added to the end of every security policy set. These
default policy rules provide a basic framework for handling network traffic and cannot be edited or
deleted.
If you don’t configure any security policy rules of your own, the following default security policy
rules are applied:
• Default—Denies all traffic from any source zone to any destination zone.
• Self-Zone—Allows any traffic generated by the ION or destined to the ION on trusted L3
interfaces (L3 LAN, controller, or L3 private WAN interfaces). On an untrusted interface
(L3 public WAN), this rule permits only traffic initiated by the ION from that interface;
unsolicited inbound traffic to a public WAN port is dropped by default, regardless of the ZBFW
policy and zones applied.
• Intra-Zone—Allows any traffic within the same zone.
Rules you add take precedence over the default rules, and the order you assign to them
determines the order in which they are evaluated: the first matching rule applies.

There is no limit on the number of security policy rules added to the network
configuration.

Actions
Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Prisma SD-WAN ZBFW supports the action to allow, deny, or reject traffic based on the security
intent of the enterprise.
• Allow—Traffic that matches this rule is permitted.
• Deny—Traffic that matches this rule is dropped with no RESET or ICMP HOST
UNREACHABLE message sent to the client or server.
• Reject—TCP traffic that matches this rule sends a RESET message to both the client and the
server.
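The evaluation order described in the two sections above (custom rules in their configured order first, then the fixed Self-Zone, Intra-Zone and Default rules; prefix filters narrowing a zone pair; allow, deny or reject as the outcome) can be modelled end to end. The Python below is an added example and not Prisma SD-WAN code: the zone names, prefixes, application names and the `POLICY` list are constructed for illustration, the `Flow` fields `from_self`, `to_self` and `untrusted_ingress` are assumed flags standing in for what the ION knows about a packet, and the real ZBFW matching engine is not shown on this page. The platform drop of unsolicited inbound traffic on a public WAN port is modelled as a check that runs before any rule.

```python
"""Added example (not Prisma SD-WAN code): minimal model of ZBFW policy-set
evaluation for a flow using the constructs above: zones, prefix filters,
ordered custom rules, the three fixed default rules and allow/deny/reject.
Zone names, prefixes, applications and flags are constructed assumptions."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

ALLOW, DENY, REJECT = "allow", "deny", "reject"
ANY = "any"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str
    from_self: bool = False          # assumed flag: generated by the ION itself
    to_self: bool = False            # assumed flag: destined to the ION itself
    untrusted_ingress: bool = False  # assumed flag: arrived unsolicited on an L3 public WAN port


@dataclass
class Rule:
    name: str
    action: str
    src_zones: set[str] = field(default_factory=lambda: {ANY})
    dst_zones: set[str] = field(default_factory=lambda: {ANY})
    apps: set[str] = field(default_factory=lambda: {ANY})
    src_prefixes: list[str] = field(default_factory=list)  # empty = any source address
    dst_prefixes: list[str] = field(default_factory=list)  # empty = any destination address


def in_prefixes(ip: str, prefixes: list[str]) -> bool:
    """Prefix-filter match; an empty filter list matches every address."""
    if not prefixes:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def rule_matches(rule: Rule, f: Flow) -> bool:
    return ((ANY in rule.src_zones or f.src_zone in rule.src_zones)
            and (ANY in rule.dst_zones or f.dst_zone in rule.dst_zones)
            and (ANY in rule.apps or f.app in rule.apps)
            and in_prefixes(f.src_ip, rule.src_prefixes)
            and in_prefixes(f.dst_ip, rule.dst_prefixes))


def evaluate(policy_set: list[Rule], f: Flow) -> tuple[str, str]:
    """Return (action, rule name). Custom rules are checked in list order and the
    first match wins; the three default rules sit at the end and cannot be edited.
    Unsolicited inbound traffic to the ION on a public WAN port is dropped before
    any rule is consulted."""
    if f.untrusted_ingress and f.to_self:
        return DENY, "(platform) unsolicited inbound on public WAN"
    for r in policy_set:
        if rule_matches(r, f):
            return r.action, r.name
    if f.from_self or f.to_self:
        return ALLOW, "Self-Zone"
    if f.src_zone == f.dst_zone:
        return ALLOW, "Intra-Zone"
    return DENY, "Default"


# Constructed policy set. Guests may print to one subnet (a local prefix filter
# carves it out of corp-lan) and browse the internet; everything else from guest
# into corporate zones is rejected; corporate LAN may reach the DC over the WAN
# zone. The most specific rule is first, as the ordering guidance above requires.
POLICY = [
    Rule("guest-to-printers", ALLOW, {"guest"}, {"corp-lan"}, {"ipp"},
         dst_prefixes=["10.20.30.0/24"]),
    Rule("guest-to-corp-reject", REJECT, {"guest"}, {"corp-lan", "corp-wan"}),
    Rule("guest-web", ALLOW, {"guest"}, {"outside"}, {"web-browsing", "ssl"}),
    Rule("corp-to-dc", ALLOW, {"corp-lan"}, {"corp-wan"}),
]

if __name__ == "__main__":
    for flow in [
        Flow("guest", "corp-lan", "192.168.50.10", "10.20.30.5", "ipp"),
        Flow("guest", "corp-lan", "192.168.50.10", "10.20.30.5", "ssh"),
        Flow("guest", "outside", "192.168.50.10", "93.184.216.34", "ssl"),
        Flow("corp-lan", "corp-lan", "10.1.1.5", "10.1.1.9", "smb"),
        Flow("outside", "corp-lan", "203.0.113.7", "10.1.1.5", "ssh"),
    ]:
        print(flow.app, flow.src_zone, "->", flow.dst_zone, evaluate(POLICY, flow))
```

Swapping the first two rules in `POLICY` is the mistake the ordering note warns about: the broader reject rule would then match printer traffic first and the specific allow would never be reached.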


Configure Security Policies


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Security policies define the zone-based firewall rules that determine application access within
a branch. They allow or deny application access and traffic within a zone or across zones based
upon administrator specified zone definitions, prefix filters, and actions.
Security policies are made up of security policy sets and are provisioned globally at a branch site
or locally at any remote branch office. These policies, at all times, supersede network policies.
Configuring or implementing zone-based firewall security rules for an enterprise involves creating
zones, binding zones to a site, physical or virtual interfaces on an ION device, creating a security
policy set, creating security policy rules, and binding the security policy set to a site.

Create Zones

Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Zones are a critical component for creating security policy rules. Each policy rule relies on a
zone pair that includes at least one source zone and one destination zone. A zone maps to
networks and interfaces. The default action is to deny traffic between zones. You can add a broad
rule that allows or denies all traffic between a zone pair, then create exceptions that deny or
allow specific traffic by ordering the policy rules accordingly. Define the network segments used
to restrict application access and control traffic between LANs or between LANs and WANs, and
bind zones to the appropriate LAN and WAN interfaces at each site through site bindings.
While creating security policy rules, specify the source and destination zones to which the
rule applies; establish one or more source zones and one or more destination zones for each
security rule you configure. The source zone identifies the network where traffic originates, and
the destination zone identifies the network where the traffic is destined.
STEP 1 | Select Manage > Policies > Security(Original) > Select a Security Set > Zones.

STEP 2 | Click Add Zone.

STEP 3 | Click Map and select a site to configure the zone interfaces and bind the zone to a site.

Bind Zones to Sites and Devices

Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Zones are bound at the site level or the device level to specific interfaces or subnets. A zone can
be bound to multiple networks at a site, including LANs, WANs, or VPNs; however, each network
attaches to only one zone, and a device can carry bindings on multiple interfaces or subnets. If an
interface or subnet is not bound to any zone, all traffic on it is blocked.

In case of a conflict between site-level and device-level bindings, device-level bindings
take priority. It is recommended to use device-level binding.

Bind Zones to Sites

Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Use site bindings to map firewall zones to interfaces and networks to attach the current security
policy set to the selected site. You must bind a security policy set to a site to make its security
policy rules applicable to the site and associated zones. When planning to bind sites, zones, and
security policy sets, you should be aware:
• Binding a zone to a site attaches networks to the zones for that site. A zone can have multiple
networks, but a network can only have one zone.
• Binding a security policy set to a site attaches the zone-based firewall rules to that site.
• Binding a security policy set to a site will block all traffic not explicitly allowed by the security
policy rules by default.

Bind Zones to Devices

Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Bind zones to logical Layer 3 interfaces on a device, and specify separate bindings for standard
VPNs. Zones can be bound to the following interfaces.
WAN interface types with attached WAN circuit labels:
• Layer 3 stand-alone interfaces
• Layer 3 sub-interfaces
• Layer 3 PPPoE interfaces
• Layer 3 bypass pair, where the WAN member interface is available for zone binding
• Layer 2 bypass pair, where the WAN member interface is the only member available for zone
binding
• Loopback bypass pairs
Layer 3 interfaces and bypass pairs without a WAN circuit label:
• Stand-alone Layer 3, where Used_for is LAN
• Layer 3 bypass pair, where Used_for is LAN, and the LAN member interface is available for
zone binding
• Sub-interface Layer 3, where Used_for is LAN
• Stand-alone, non-parent interface, where Used_for is NONE
• Standard tunnel interface
• Loopback bypass pairs
Zones cannot be bound to the following types of interfaces:
• Controller interfaces
• LAN member interfaces of Layer 2 bypass pairs
• Parent interfaces of sub-interfaces and PPPoE interfaces

If a site has both site-level bindings and device-level bindings, the resulting configuration
is the union of the two. In the event of a conflict between site-level bindings and device-
level bindings, device-level bindings take precedence.

STEP 1 | Click Map.


Perform one of the following to search or select a site to display its configuration details.
1. Type a site name or address in the search field.
2. Click the right-facing arrow to display a list of existing sites.

STEP 2 | Select Options > Security Zone Binding and then once on the appropriate tab, click Bind
Zone.
Bind zones to devices from the Devices tab (zone bindings on devices override zone bindings
on the site).

STEP 3 | Choose the zone name from the list of zones and Select.

STEP 4 | Choose the zone network bindings for the zone and Save.
All VPNs are bound to a single zone. Verify that the networks you select for zone bindings
are attached to an interface. A zone is bound to multiple networks, including LANs, WANs, or
VPNs. However, each network is attached to one zone.
Bind the zone to networks for a site when editing a policy set by selecting the security policy
set. All VPNs are bound to a single zone and indicated as a single VPN in the Name column on
the Zone Network Bindings for Zone screen. Once you have bound the zones to a site and an
interface, create Security Policy Sets and Security Policy Rules for your traffic.
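The binding rules stated in this section (site-level and device-level bindings are merged, device-level wins on conflict, a network belongs to at most one zone while a zone can hold many networks, all VPNs bind to a single zone, and an unbound interface or subnet blocks all traffic) are easy to get wrong when a site template is reused across devices. The Python below is an added example rather than Prisma SD-WAN code: the site, device, zone and network names and the binding dictionaries are constructed for illustration, and it resolves the effective zone of each network the way the text describes so that an operator can see which device-level bindings override the site template and which networks are left unbound.

```python
"""Added example (not Prisma SD-WAN code): resolve the effective zone of each
network at a site from site-level and device-level zone bindings, following
the precedence rules stated above. All names are constructed assumptions."""
from __future__ import annotations

UNBOUND = "<unbound: all traffic blocked>"


def validate_bindings(bindings: dict[str, set[str]]) -> None:
    """Within one binding level a network may appear in only one zone."""
    seen: dict[str, str] = {}
    for zone, nets in bindings.items():
        for net in nets:
            if net in seen and seen[net] != zone:
                raise ValueError(f"network {net!r} bound to both {seen[net]!r} and {zone!r}")
            seen[net] = zone


def effective_zones(site_bindings: dict[str, set[str]],
                    device_bindings: dict[str, set[str]],
                    networks: list[str]) -> dict[str, str]:
    """Return network -> zone after merging both levels; device-level overrides site-level,
    and a network present in neither is reported as unbound (traffic blocked)."""
    validate_bindings(site_bindings)
    validate_bindings(device_bindings)
    net_to_zone: dict[str, str] = {}
    for zone, nets in site_bindings.items():
        for net in nets:
            net_to_zone[net] = zone
    for zone, nets in device_bindings.items():  # applied last, so it wins on conflict
        for net in nets:
            net_to_zone[net] = zone
    return {net: net_to_zone.get(net, UNBOUND) for net in networks}


def conflicts(site_bindings: dict[str, set[str]],
              device_bindings: dict[str, set[str]]) -> dict[str, tuple[str, str]]:
    """Networks where the device level overrides a different site-level zone."""
    site = {n: z for z, nets in site_bindings.items() for n in nets}
    dev = {n: z for z, nets in device_bindings.items() for n in nets}
    return {n: (site[n], dev[n]) for n in site if n in dev and site[n] != dev[n]}


# Constructed scenario: the site template puts VLAN 20 in the guest zone, but on
# this device VLAN 20 is the printer segment and is re-bound to corp-lan. The 5G
# circuit is never bound, so traffic on it is blocked. All VPNs bind to one zone.
SITE = {"guest": {"vlan20"}, "corp-lan": {"vlan10"}, "outside": {"inet1"}, "corp-wan": {"VPN"}}
DEVICE = {"corp-lan": {"vlan20"}, "outside": {"inet1"}}
NETWORKS = ["vlan10", "vlan20", "inet1", "VPN", "5g"]

if __name__ == "__main__":
    for net, zone in effective_zones(SITE, DEVICE, NETWORKS).items():
        print(f"{net:8} -> {zone}")
    print("overridden by device-level bindings:", conflicts(SITE, DEVICE))
```

Running the check before pushing a policy set surfaces the two conditions the text calls out: a network silently re-zoned by a device-level binding, and an interface that will drop everything because nobody bound it.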

Create Prefix Filters


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

In Prisma SD-WAN, you can create prefix filters (global or local) before creating security policy
rules, or create them while you are specifying source or destination zone filters within a policy
rule.


STEP 1 | From Prisma SD-WAN web interface, go to Policies > Security Policies (Original) > Prefix
Filters, then choose Global or Local.

STEP 2 | Enter a name and (optional) description for the filter.

STEP 3 | From the Site drop-down, select a site for local prefix filters and enter an IP and subnet
address.
The subnet defines IP addresses within a prefix. To add more than one IP prefix, click the +
sign.

Create a Security Policy Set


Where Can I Use This?: Prisma SD-WAN
What Do I Need?: Active Prisma SD-WAN license

Security policy sets contain security policy rules that determine application access across zones
within an enterprise local area network (LAN), wide area network (WAN), and virtual private
network (VPN).
Prisma SD-WAN web interface does not automatically create any default security policy sets.
Security policy sets supersede network policy sets for an enterprise.
Using security policy sets and security policies rules, you should be able to:
• Manage and secure every interface in a zone independently.
• Provision security policies globally at a data center or locally at a branch.
• Allow or deny application access and traffic flow based on specified source and destination
zones and prefix filters.

You must explicitly create all of the security policy sets you want to use.

• Create one or more security policy sets or create new security policy sets by cloning and
editing an existing policy set.
• Each security policy set is associated with one or more sites. However, only one security policy
set can be active at any given time for each site. Use the same security policy set across sites
with differing characteristics, such as different IP ranges, port configurations, port usage, or
VLAN IDs.
• Each security policy set has three default security rules created automatically – self-zone,
default, and intra-zone.

You cannot remove a security policy set if any site is using it.

STEP 1 | Select Manage > Policies > Security (Original) > Create Security Set.

STEP 2 | Enter the name and (optional) description for the security policy set.


STEP 3 | Select Create Set to create a security policy set.

STEP 4 | For Policy Stance, select Optimum, Conservative, or Standard.


Each policy stance is pre-defined. The security policy set is populated automatically with the
default policy rules (self-zone, default, and intra-zone), which cannot be edited. You can add as
many security policy rules to the created policy set as needed.

Create Security Policy Rules


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

Each security policy set is a collection of security policy rules. The default security policy rules
automatically assigned to a security policy set cannot be changed, removed, or deleted. You can
create custom security policy rules that take precedence over the default security policy rules.
Create the broad permit-any or deny-any rules first, then add the more specific allow and deny
rules and place them higher in the order, so that they are evaluated before the broader rules.
STEP 1 | Select Manage > Policies > Security (Original). Select a security policy set and then click Add
Policy Rule.

STEP 2 | Enter a rule name and an optional description. Select the source zones and source filters to
which this rule applies, and then click Next.
Source zones specify where traffic originates. Source filters specify IP addresses that further
refine the source zone traffic to which the rule applies.
1. Select Any to apply this rule to all listed source zones and filters.
2. De-select Any to select one or more specific source zones and source filters.

STEP 3 | Select the destination zones and destination filters to which this rule applies, then click Next.
Destination zones specify where traffic is destined. Destination filters specify IP addresses that
further refine the destination zone traffic to which the rule applies. You can select more than
one filter to apply to the traffic.
1. Select Any to apply this rule to all listed destination zones and filters.
2. De-select Any to select one or more specific destination zones and destination filters.

STEP 4 | Select Any to apply the rule to all listed applications, or de-select Any to select one or
more specific applications for this rule, then click Next.
If you de-select Any, you can search for a specific application, filter by Categories, or sort by
application name or modified date.


STEP 5 | Select the action to take for traffic matching this rule, then click Next.
Actions determine how the ION device handles traffic from the specified source zone to the
specified destination zone.
1. Select Deny to deny traffic between the specified zones and filters.
2. Select Reject to reject traffic between the specified zones and filters.
3. Select Allow to forward traffic that matches the rule.

STEP 6 | Review the security rule summary and select Create & Exit to add the new security policy
rule to its security policy set.

Bind a Security Policy Set to a Site


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

Use site bindings to map firewall zones to interfaces and networks and attach the current security
policy set to the selected site. You must bind a security policy set to a site to make its security
policy rules applicable to the site and associated zones. When planning to bind sites, zones, and
security policy sets, you should know:
• Binding a zone to a site attaches networks to the zones for that site. A zone can have multiple
networks, but a network can only have one zone.
• Binding a security policy set to a site attaches the zone-based firewall rules to that site.
• Binding a security policy set to a site will block all traffic not explicitly allowed by the security
policy rules by default.
STEP 1 | Select Manage > Policies > Security (Original).

STEP 2 | Select a security policy set, click Sites, and then Bind Site.
A message is displayed indicating that the site is successfully bound to the selected policy set.


Modify and Delete Policy Rules and Sets


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

In Prisma SD-WAN, after you create security policy sets and security policy rules, you can edit
the sets and rules, if needed. You can edit the name and description for security policy sets, clone
an existing security policy set to create a new policy set, or delete a security policy set if not
required.

Change Security Rule Order


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

In Prisma SD-WAN, security policy rules are evaluated in order. If network traffic matches the
first rule in a policy set, that rule is applied and access is allowed, denied, or rejected. If traffic
passing from the source zone to the destination zone doesn't match the first rule, it is evaluated
against the next rule in the policy set, and so on, until a matching rule is applied.
You can change the order in which the security policy rules are evaluated by specifying a
numerical order value or by dragging and dropping the rule block to a new location in the
graphical representation of the security policy set. For example, to make the second rule in a
policy set the first rule checked, move it to position 1.
STEP 1 | Select Manage > Policies > Security (Original) and select a security policy set.

STEP 2 | Select a policy rule block, drag it to a new position, and Save Ranking.
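The first-match evaluation and ordering behaviour described in Create Security Policy Rules and in
this section, as an added Python illustration that is not part of this guide or of Prisma SD-WAN:
it evaluates an ordered policy set against a flow, resolves global and local prefix filters per
site, and flags a specific rule that an earlier, broader rule shadows. The zone names, filter
names, prefixes, rule names and the dictionary layout of the filters are assumptions made for the
example.

```python
"""First-match evaluation of an ordered, zone-based security policy set.

Added illustration, not Prisma SD-WAN code. Custom rules are tried top to bottom, the first
match decides (allow, deny or reject), and a flow matching no custom rule falls through to the
pre-defined default handling, modelled here as deny. shadowed_rules() flags rules that an
earlier, broader rule hides, which is what the ordering advice above guards against. Zone
names, filter names, prefixes and the sample rules are all constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Prefix filters. A global filter applies at every site; a local filter keeps a separate
# prefix list per site (constructed data; the dictionary layout is an assumption).
GLOBAL_PREFIXES = {"Corp-Servers": [ip_network("10.10.10.0/24")]}
LOCAL_PREFIXES = {"Branch-Guest": {"branch-1": [ip_network("192.168.50.0/24")]}}

@dataclass
class Rule:
    name: str
    action: str                                # "allow", "deny" or "reject"
    src_zones: frozenset = frozenset()         # empty means Any
    dst_zones: frozenset = frozenset()
    src_filters: frozenset = frozenset()       # prefix filter names; empty means Any
    dst_filters: frozenset = frozenset()
    enabled: bool = True

def resolve(filters, site):
    """Expand prefix filter names into the networks they cover at this site."""
    nets = []
    for name in filters:
        nets += GLOBAL_PREFIXES.get(name, [])
        nets += LOCAL_PREFIXES.get(name, {}).get(site, [])
    return nets

def _ip_in(ip, nets):
    return any(ip in n for n in nets)

def rule_matches(rule, site, src_zone, dst_zone, src_ip, dst_ip):
    """True when the flow satisfies every criterion of an enabled rule."""
    if not rule.enabled:
        return False
    if rule.src_zones and src_zone not in rule.src_zones:
        return False
    if rule.dst_zones and dst_zone not in rule.dst_zones:
        return False
    if rule.src_filters and not _ip_in(ip_address(src_ip), resolve(rule.src_filters, site)):
        return False
    if rule.dst_filters and not _ip_in(ip_address(dst_ip), resolve(rule.dst_filters, site)):
        return False
    return True

def evaluate(rules, site, src_zone, dst_zone, src_ip, dst_ip):
    """Return (rule name, action) of the first rule that matches, in list order."""
    for rule in rules:
        if rule_matches(rule, site, src_zone, dst_zone, src_ip, dst_ip):
            return rule.name, rule.action
    return "default", "deny"     # a bound set blocks what no custom rule allows

def _covers(broad, narrow, site, zones_attr, filters_attr):
    """Does 'broad' match every flow 'narrow' can match, on one (zones, filters) axis?"""
    bz, nz = getattr(broad, zones_attr), getattr(narrow, zones_attr)
    if bz and (not nz or not nz <= bz):
        return False
    bf, nf = getattr(broad, filters_attr), getattr(narrow, filters_attr)
    if not bf:
        return True                            # broad filter is Any
    if not nf:
        return False                           # narrow is Any but broad is not
    bnets = resolve(bf, site)
    return all(any(n.subnet_of(b) for b in bnets) for n in resolve(nf, site))

def shadowed_rules(rules, site):
    """Names of enabled rules that an earlier enabled rule prevents from ever matching."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (later.enabled and earlier.enabled
                    and _covers(earlier, later, site, "src_zones", "src_filters")
                    and _covers(earlier, later, site, "dst_zones", "dst_filters")):
                out.append(later.name)
                break
    return out

# Constructed policy set: the broad allow was created first and left at the top.
ALLOW_BROAD = Rule("Allow-LAN-and-Internet", "allow", dst_zones=frozenset({"LAN", "Internet"}))
DENY_GUEST = Rule("Deny-Guest-to-Servers", "deny",
                  src_zones=frozenset({"Guest"}), dst_zones=frozenset({"LAN"}),
                  src_filters=frozenset({"Branch-Guest"}), dst_filters=frozenset({"Corp-Servers"}))
AS_CREATED = [ALLOW_BROAD, DENY_GUEST]
REORDERED = [DENY_GUEST, ALLOW_BROAD]          # the specific rule moved above the broad one

if __name__ == "__main__":
    print(shadowed_rules(AS_CREATED, "branch-1"))
    print(evaluate(AS_CREATED, "branch-1", "Guest", "LAN", "192.168.50.5", "10.10.10.20"))
    print(evaluate(REORDERED, "branch-1", "Guest", "LAN", "192.168.50.5", "10.10.10.20"))
```

With the rules in creation order the guest-to-servers deny is shadowed and the broad allow wins;
after the drag-and-drop reorder the deny fires first. At a site that has no entry for the local
filter Branch-Guest the deny cannot match at all, which is the practical consequence of a local
prefix filter having to be attached to each site where it should work.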

Manage Existing Security Policy Rules


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

In Prisma SD-WAN, you can modify, disable, monitor, delete, or view change history for any
security policy rule in a set.
STEP 1 | Select Manage > Policies > Security (Original) and select a security policy set.

STEP 2 | Select a security policy rule to display its operations in a toolbar, and select the icon for the
task you want to perform.


Edit a Security Policy Set


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

In Prisma SD-WAN, if you want to modify the name or description for a security policy set
without changing any of its security policy rules, you can edit the policy set.
STEP 1 | Select Manage > Policies > Security (Original) and select a security policy set.

STEP 2 | Click the ellipsis menu next to the policy set name, select Edit Name & Description, enter a
new name and description for the security policy set, and Save.

Clone a Security Policy Set


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

In Prisma SD-WAN, if you want to use an existing security policy set as a template then modify its
security policy rules and site binding, you can clone the policy set.
STEP 1 | Select Manage > Policies > Security (Original) and select a security policy set.

STEP 2 | Click the ellipsis menu next to the policy set name and select Clone Set.

STEP 3 | Enter a new name for the cloned security policy set, and click Clone Set.

STEP 4 | Return to the list of security policy sets, select the cloned policy set, and edit, disable, or
delete its cloned security policy rules as needed.

Delete a Security Policy Set


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

In Prisma SD-WAN, to remove a security policy set and all of its security policy rules, you must
first remove any site bindings. When the security policy set is no longer bound to or used by any
site, you can delete it.
STEP 1 | Select Manage > Policies > Security (Original) and select a security policy set.

STEP 2 | Click the ellipsis menu next to the policy set name, and select Delete Set.
If no site is using the policy set, confirm that you want to delete the set by clicking OK.

Prisma SD-WAN NAT Policies
Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

Prisma SD-WAN supports Network Address Translation (NAT) to translate between public and private
IP addresses. This hides the addressing of internal networks from the public or private networks
they connect to, and allows address space to be reused or many IP addresses to be mapped to a
single IP address. Use NAT policies to configure a central framework for NAT operations.
• Add a NAT Stack
• Add NAT Policy Sets
• Add a NAT Policy Rule
• Add a NAT Policy Set to a NAT Stack


Add a NAT Stack


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

You can create a simple NAT stack or an advanced NAT stack.


A simple NAT stack has only one NAT policy set, which has the same name as the NAT stack. You can
add NAT policy rules directly to a simple NAT stack, which simplifies management if you do not need
the stacking capabilities.
An advanced NAT stack can accommodate a maximum of four policy sets pl­us one default rule policy
set. The policy sets in a NAT stack are ordered from left to right, with the left-most policy set
having the highest priority. A site evaluates the policy sets within a stack in that order.

Add a simple NAT stack.


1. Select Manage > Policies > NAT > NAT Stacks > Simple > Add Stack.
2. On the Add NAT Stack screen, enter a Name for the stack, and an optional description
and tags.
3. (Optional) Select the Make Default Path Stack check box to make this stack a default
stack.
4. (Optional) Select the Clone From Simple NAT Stack check box to clone a stack and
select a stack to clone from the Choose a Simple NAT Stack drop-down.
5. Save your changes.

Add an advanced NAT stack.


1. Select Manage > Policies > NAT > NAT Stacks > Advanced > Add Stack.
2. On the newly added row in the Name column, click the ellipsis menu for the stack and
select Edit Policy Set Stack Info.

3. Enter a Name for the stack, and optionally enter description and tags and Save.


Add NAT Policy Sets


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

NAT Policy sets contain policy rules and are a part of NAT Policy Set Stacks. A simple NAT stack
contains a single NAT policy set. An advanced NAT stack contains multiple, ordered NAT policy
sets. Note that you can create NAT Policy Sets only through the Advanced view on the NAT
screen.
STEP 1 | Select Manage > Policies > NAT > NAT Stacks > Advanced > NAT Sets > Add Set.

STEP 2 | On the Add NAT Policy Set screen, enter a Name for the NAT policy set, and enter an
optional description and tags.

STEP 3 | (Optional) Select the Clone From a Policy Set check box to clone a policy set and select a
policy set to clone from the Choose a Policy Set drop-down.

STEP 4 | Click Done to submit your changes.


Add a NAT Policy Rule


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

NAT Policy Rules use source and destination zones, prefixes, ports and protocols. You can directly
add policy rules to a simple NAT stack by clicking a simple NAT stack and then clicking Add Rule.
For advanced stacks, you have to first select a stack, then a policy set within the stack, and then
add policy rules to the policy set.


Add a NAT policy rule to a simple NAT stack.


1. Select Manage > Policies > NAT > NAT Stacks > Select a Stack > Add Rule.
2. Add a source or destination NAT zone.
• Enter a Name for the NAT policy rule, and enter an optional description and tags.
• Choose Source or Destination Zone based on the direction of traffic with respect to
the ION device. The policy rule is then classified under Source Zone Rules or
Destination Zone Rules accordingly.
• Select a previously configured NAT zone from the NAT Zone drop-down.
You can create a new NAT zone by clicking + next to the NAT Zone field.
• Select an order between 1 and 4 for the policy rule.

An order of 1 indicates the highest priority for the policy rule.

• (Optional) Select Disable Rule if you want the ION device to disregard this rule.

3. Configure filters.
• (Optional) On the Match Criteria screen, select a Protocol from the drop-down list or
enter an IP protocol number between 1 and 255.
• (Optional) For Source and Destination prefixes, choose prefixes from the Prefixes
drop-down list.
• (Optional) Enter a start and end port for Port Ranges. Click Add Port Range to add
additional port ranges if needed.

Note that a maximum of 16 port ranges are allowed, and port ranges can
only be added for the TCP or UDP protocols.


4. Configure NAT actions.


On the Actions tab, you can configure a maximum of four actions and you can select a
NAT Pool per action for every policy rule. Select any of the following NAT actions.
• No NAT—Select if you do not wish to perform a NAT action on the selected filters.
When you specify No NAT for a policy rule, you cannot specify any of the other NAT
actions in that NAT policy rule.
• Source NAT
• Destination NAT
• Static Source NAT
• Static Destination NAT
• ALG Disable

Add a NAT policy rule to an advanced NAT policy set.


1. Select Manage > Policies > NAT > NAT Stacks > Advanced > NAT Sets > Select a policy
set > Add Rule.
2. Add NAT zones.
3. Configure filters.
4. Configure NAT actions.


Add a NAT Policy Set to a NAT Stack


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

After creating NAT policy sets, you need to add these policy sets to a NAT stack. Note that you
can add NAT policy sets to NAT stacks only via the Advanced view on the NAT screen.
STEP 1 | Select Manage > Policies > NAT > NAT Stacks > Advanced.

STEP 2 | Navigate to a NAT stack for adding a NAT policy set.

STEP 3 | Select a policy set from the Policy Set drop-down, and then Save.
You can assign up to 4 policy sets to an advanced NAT stack.

You can convert a simple NAT stack to an advanced NAT stack by assigning more than
one policy set to the simple NAT stack.


Bind NAT Stacks to Sites


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

In order for NAT policy rules to be active, bind NAT policy set stacks to a site. You can bind a
single NAT policy set stack to a site at a time.
STEP 1 | Select Manage > Policies > Bindings.

STEP 2 | For a site, select a NAT stack from the NAT Policy Set Stack drop-down and Save.
(Optional) You can assign a NAT policy set stack to multiple sites at a time by selecting multiple
sites, clicking Edit and selecting the NAT stack for assigning to sites.


Configure NAT Zones


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

Source and destination zones identify traffic that is sourced from a zone or destined to a zone,
respectively. Zones must be bound to interfaces for NAT to be effective. Zones used in NAT
policy rules are different than zones used in Prisma SD-WAN security policy rules. You can
configure NAT zones from the Prisma SD-WAN web interface.
STEP 1 | Navigate to Manage > Policies > NAT > NAT Zones.

STEP 2 | Select Add NAT Zone to create a new NAT zone.

STEP 3 | Enter a Name and optional Description and Tags for the NAT zone.

STEP 4 | Click Create to add the NAT zone.


From the ellipsis menu, you may Edit, View Interface Bindings, Delete, and view the Audit
Logs for a NAT zone.


Bind NAT Zones to Interfaces


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

NAT zones are attached, or bound, to individual interfaces at the device level. To bind NAT zones to
interfaces from the Prisma SD-WAN web interface:
STEP 1 | Navigate to Manage > Policies > NAT > NAT Zones, and select a NAT zone.

STEP 2 | From the ellipsis menu, select View Interface Bindings to view NAT zones bound to
interfaces for a device.

STEP 3 | Click Bind Interfaces to create a new interface binding.

STEP 4 | From the Device drop-down, select an ION device. From the Interfaces drop-down, select an
available interface, and click Save.


Configure NAT Pools


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

A NAT Pool contains ranges of IP addresses with mandatory start and end addresses. In a NAT
Policy Rule, these addresses are used in conjunction with an action (Source NAT or Destination
NAT) to translate either the source or destination IP address to an IP address from the NAT pool.
You may configure NAT Pools from the Prisma SD-WAN web interface.
STEP 1 | Navigate to Manage > Policies > NAT > NAT Pools.

STEP 2 | Select Add NAT Pool to create a new NAT pool.

STEP 3 | Enter a Name and an optional Description and Tags for the NAT pool.

STEP 4 | Click Create to add a NAT Pool.


From the ellipsis menu, you may Edit, View Interface Bindings, Delete, and view the Audit
Logs for the NAT pool.


Bind NAT Pools to Interfaces


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

Pools can be attached or bound to individual interfaces at the device-level. You may bind NAT
Pools to interfaces from the Prisma SD-WAN web interface.
STEP 1 | Select Manage > Policies > NAT > NAT Pools.

STEP 2 | From the ellipsis menu for a NAT pool, select View Interface Bindings to view attached
interfaces.

STEP 3 | Click Bind Interface to bind a new interface to the NAT pool.

STEP 4 | From the Device drop-down, select an ION device. From the Interface drop-down, select an
available interface.

STEP 5 | For IP Ranges, enter a start IP address and an end IP address.

STEP 6 | Click Add Range to include additional IP address ranges, if needed.


A maximum of four IP ranges can be added per device per interface for a NAT pool.

STEP 7 | Click Save.


You may bind a maximum of 64 NAT pools to an interface. You may also add NAT Pools from
the Interfaces tab by clicking Add Entry under NAT Pools.
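A pre-flight check for the limits stated in Add a NAT Policy Rule and in the pool binding
procedure above, as an added Python example that is not Prisma SD-WAN code: it validates a rule
definition (order 1-4, protocol 1-255, at most 16 port ranges and only for TCP or UDP, at most
four actions, No NAT exclusive of any other action) and a pool binding (at most four contiguous
ranges per pool per device interface, at most 64 pools per interface) before the values are typed
into the web interface or pushed by automation. The dictionary layout, the error strings, and the
assumption that Destination NAT and the static actions must name a NAT pool are the example's own.

```python
"""Pre-flight validation of a NAT policy rule and a NAT pool binding.

Added example, not Prisma SD-WAN code. Before a rule is entered in the web interface or
pushed by automation, it checks the limits the procedures above state: rule order 1-4, IP
protocol 1-255, at most 16 port ranges and only for TCP or UDP, at most four actions, No NAT
exclusive of every other action, and for pool bindings at most four contiguous ranges per
device interface and 64 pools per interface. The dict layout and the requirement that
destination and static actions name a NAT pool are assumptions for this example.
"""
from ipaddress import ip_address

TCP, UDP = 6, 17
ACTIONS = {"No NAT", "Source NAT", "Destination NAT",
           "Static Source NAT", "Static Destination NAT", "ALG Disable"}
POOL_REQUIRED = {"Destination NAT", "Static Source NAT", "Static Destination NAT"}  # assumed
MAX_ORDER, MAX_PORT_RANGES, MAX_ACTIONS = 4, 16, 4
MAX_RANGES_PER_BINDING, MAX_POOLS_PER_INTERFACE = 4, 64

def validate_nat_rule(rule):
    """Return a list of problems; an empty list means the rule can be submitted."""
    errors = []
    if not rule.get("name"):
        errors.append("name is required")
    if rule.get("zone_direction") not in ("source", "destination"):
        errors.append("zone_direction must be 'source' or 'destination'")
    if not rule.get("nat_zone"):
        errors.append("a NAT zone must be selected")
    order = rule.get("order")
    if not isinstance(order, int) or not 1 <= order <= MAX_ORDER:
        errors.append(f"order must be 1-{MAX_ORDER} (1 is the highest priority)")
    proto = rule.get("protocol")                       # None means any protocol
    if proto is not None and not (isinstance(proto, int) and 1 <= proto <= 255):
        errors.append("protocol must be an IP protocol number 1-255 or None")
    ranges = rule.get("port_ranges", [])
    if ranges and proto not in (TCP, UDP):
        errors.append("port ranges are only allowed when protocol is TCP (6) or UDP (17)")
    if len(ranges) > MAX_PORT_RANGES:
        errors.append(f"at most {MAX_PORT_RANGES} port ranges are allowed")
    for start, end in ranges:
        if not 0 <= start <= end <= 65535:
            errors.append(f"port range {start}-{end} is not a valid ascending range")
    actions = rule.get("actions", [])
    if not actions:
        errors.append("at least one action is required")
    if len(actions) > MAX_ACTIONS:
        errors.append(f"at most {MAX_ACTIONS} actions are allowed")
    kinds = [a.get("action") for a in actions]
    for a in actions:
        if a.get("action") not in ACTIONS:
            errors.append(f"unknown action {a.get('action')!r}")
        elif a["action"] in POOL_REQUIRED and not a.get("pool"):
            errors.append(f"{a['action']} needs a NAT pool")
    if "No NAT" in kinds and len(kinds) > 1:
        errors.append("No NAT cannot be combined with any other NAT action")
    return errors

def validate_pool_binding(ranges, pools_already_bound=0):
    """Check the IP ranges to bind for one NAT pool on one device interface."""
    errors = []
    if pools_already_bound >= MAX_POOLS_PER_INTERFACE:
        errors.append(f"the interface already has {MAX_POOLS_PER_INTERFACE} NAT pools bound")
    if len(ranges) > MAX_RANGES_PER_BINDING:
        errors.append(f"at most {MAX_RANGES_PER_BINDING} IP ranges per pool per device interface")
    for start, end in ranges:
        try:
            s, e = ip_address(start), ip_address(end)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if s.version != e.version or int(s) > int(e):
            errors.append(f"{start}-{end} is not a contiguous ascending range")
    return errors

# Constructed rules: the inbound HTTPS destination NAT from the use cases, and a broken one.
GOOD_RULE = {"name": "Inbound-HTTPS", "zone_direction": "source", "nat_zone": "Internet",
             "order": 1, "protocol": TCP, "port_ranges": [(443, 443)],
             "actions": [{"action": "Destination NAT", "pool": "LAN-Services"}]}
BAD_RULE = {"name": "Broken", "zone_direction": "source", "nat_zone": "Internet",
            "order": 5, "protocol": 1, "port_ranges": [(443, 443)],
            "actions": [{"action": "No NAT"}, {"action": "Source NAT"}]}

if __name__ == "__main__":
    print(validate_nat_rule(GOOD_RULE))
    for problem in validate_nat_rule(BAD_RULE):
        print("-", problem)
```

The broken rule trips three checks at once: an order of 5, port ranges on ICMP (protocol 1), and
No NAT combined with Source NAT. Running the check before a change reaches the ION device avoids
discovering these limits one at a time in the web interface.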


Configure NAT Prefixes


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

A prefix is a group of one or more individual IP addresses or IP subnets. Prefixes are a NAT
construct that helps identify traffic, and they can be either global or local in scope. Use global
prefixes when the traffic of interest can be identified by the same set of prefixes at every site in
the network, for example facilities infrastructure or print services for an enterprise. Use local
prefixes when the specific prefix values change by branch location, for example a subset of IP
addresses within a subnet; local prefixes simplify the creation and administration of rules.

Configure global NAT prefixes.


1. Select Manage > Policies > NAT > NAT Prefixes.
2. Click Add Prefix, and then select Global from the drop-down list.
3. On the Create Global Prefix screen, enter a name and description for the prefix.
4. Enter an IP address and subnet mask.
The IP addresses within a prefix are defined by the subnet. For example, 10.1.1.0/24 covers all
256 addresses in that subnet.
5. Select NAT in the Create for policy Type(s) section to replicate the prefix for NAT
policies.
(Optional) You can create copies of this prefix filter for use in Path and QoS policies by
selecting the Path and QoS check boxes.

Configure local NAT prefixes.


1. Select Manage > Policies > NAT > NAT Prefixes.
2. Click Add Prefix, and then select Local from the drop-down list.
3. On the Create Local Prefix screen, enter a name and description for the prefix.
4. Attach a site to the local prefix filter from the Choose a site drop-down.

You must attach a local prefix filter to a site for the filter to work.

5. Select NAT in the Create for policy Type(s) section to replicate the prefix for NAT
policies.


Use Cases
Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

The following use cases walk through NAT behavior in common topologies:


• Default Source NAT
• Destination NAT
• Static NAT
• ALG Disable

Default Source NAT


Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

By default, Prisma SD-WAN provides an out-of-the-box configuration that automatically performs
Source NAT on traffic destined directly to public internet interfaces.

1. A new flow originates from Host PC1 with a source address of 10.10.10.10 and a destination
   address of 60.60.60.60.

2. The packet arrives at the ION device's LAN interface. A policy lookup and a path selection
   decision place the traffic on the link to ISP A.

3. The packet is placed onto the internet segment, where the Default-NATPolicySet matches it
   against the Default-InternetRule. This rule contains the following configuration:
   • Destination Zone Rule: NAT Zone Internet
   • Match Criteria: any protocol, any prefix, any port
   • Action: Source NAT
   In this rule:
   • The NAT Pool is blank by default, so the system uses the IP address bound to the internet
     interface.
   • The ION device responds to ARP for NAT pool addresses that fall within the subnet configured
     on its interface.
   When the policy is applied, the source address 10.10.10.10 is overwritten with the address
   bound to the internet interface (50.50.50.1), and the source port is changed to a random port.
   In this example the original packet (s) 10.10.10.10:12345 (d) 60.60.60.60:443 is rewritten to
   (s) 50.50.50.1:54321 (d) 60.60.60.60:443.

4. Traffic arrives at the internet-based SaaS application.

5. Return traffic is sent to the destination 50.50.50.1:54321.

6. Traffic arrives at the ION device's internet interface, where a translation table check is
   performed on the flow to ensure that there is an active connection.

7. The traffic is placed onto the LAN segment, and the destination is translated back from
   50.50.50.1:54321 to 10.10.10.10:12345.

Destination NAT
Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

Prisma SD-WAN destination NAT permits inbound connections from the internet to reach internal
private IP resources at a branch site.
A typical use case is physical security monitoring services that require direct inbound
connections from the internet as well as outbound connections from the local device, often
implemented with a dedicated 1:1 NAT configuration.
In this example, the external system Host 1 needs to communicate with Server 1 at the branch
location across the internet. From Host 1's point of view, the branch service is reachable at
50.50.50.2 on port 443.

1. A new flow originates from Host 1 with a source address of 70.70.70.70 and a destination
   address of 50.50.50.2.

2. The packet arrives at the ION device's internet interface. A policy lookup is performed and
   the traffic is placed on the LAN path.

3. The packet is placed onto the LAN segment and matched against the newly created NAT policy
   rule. This rule contains the following configuration:
   • Source Zone Rule: NAT Zone Internet (the NAT zone Internet is bound to the internet interface)
   • Match Criteria:
     • Protocol: TCP
     • Source Prefix: Any
     • Source Port Range: Any:Any
     • Destination Prefix: Internet-Services-Prefix, a local prefix filter whose entry for this
       site is 50.50.50.2/32
     • Destination Port Range: 443:443 (leave blank if all ports are allowed)
   The ION device sends gratuitous ARP (GARP) messages and responds to ARP requests for 50.50.50.2.
   • Action: Destination NAT
   • NAT Pool: LAN-Services, defined as 10.10.10.20 - 10.10.10.20 on the branch ION device
   NAT pools are defined as contiguous ranges and can be configured through the NAT policy UI or
   directly in the device-level interface configuration.
   When the policy is applied, the original destination address 50.50.50.2 is overwritten with
   the NAT Pool LAN-Services address. In this example the original packet (s) 70.70.70.70:12345
   (d) 50.50.50.2:443 is rewritten to (s) 70.70.70.70:12345 (d) 10.10.10.20:443.

4. Traffic arrives on the LAN at the server hosting the inbound service.

5. Return traffic is sent to the destination 70.70.70.70:12345.

6. Traffic arrives at the ION device's LAN interface, where a translation table check is
   performed on the flow to ensure that there is an active connection.

7. The traffic is placed onto the internet segment, and the source is translated back from
   10.10.10.20:443 to 50.50.50.2:443.

If traffic that originates from Server 1 (10.10.10.20) also needs to be translated to 50.50.50.2,
configure a corresponding Source NAT rule.

Static NAT
Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

Some scenarios require a 1:1 mapping of a range of IP addresses to another range of IP addresses.
One such scenario is the direct mapping of a publicly routable IP range to RFC 1918 addresses. For
example, 50.50.50.16-31 is translated 1:1 to 10.10.10.16-31, so that 50.50.50.20 maps to
10.10.10.20, and vice versa, across the entire range.
Another common scenario is IP prefix overlap after a company merger. Here, too, the addresses
bound to the hosts are translated 1:1 from one RFC 1918 range to another RFC 1918 range.
In this example, application requirements specify that each internal server must have a unique
internet IP address. Each server must initiate connections on ephemeral ports and receive inbound
connections on the same persistent IP address on port 443. The most efficient way to enable this is
with static source NAT and static destination NAT.

Case: Inbound connection from the Internet

1. A new flow originates from Host 1 with a source address of 70.70.70.70 and a destination
   address of 50.50.50.20.

2. The packet arrives at the ION device's internet interface. A policy lookup is performed and
   the traffic is placed on the LAN segment.

3. The packet is placed onto the LAN segment and matched against the newly created NAT policy
   rule. This rule contains the following configuration:
   • Source Zone Rule: NAT Zone Internet (the NAT zone Internet is bound to the internet interface)
   • Match Criteria:
     • Protocol: TCP (leave blank for any protocol)
     • Source Prefix: Any
     • Source Port Range: Any:Any (blank)
     • Destination Prefix: Internet-Services, a local prefix filter whose entry for this site is
       50.50.50.16/28
     • Destination Port Range: 443:443 (leave blank if all ports are allowed)
   The ION device sends GARP messages and responds to ARP requests for 50.50.50.16/28.
   • Action: Static Destination NAT
   • NAT Pool: LAN-Services, defined as 10.10.10.16 - 10.10.10.31 on the branch ION device. It can
     be configured through the NAT policy UI or directly in the interface configuration of the
     device.
   NAT pools are contiguous ranges.
   When the policy is applied, the original destination address 50.50.50.20 is overwritten with
   the corresponding address from the NAT Pool LAN-Services. In this example the original packet
   (s) 70.70.70.70:12345 (d) 50.50.50.20:443 is rewritten to (s) 70.70.70.70:12345
   (d) 10.10.10.20:443.

4. Traffic arrives on the LAN at the server hosting the inbound service.

5. Return traffic is sent to the destination 70.70.70.70:12345.

6. Traffic arrives at the ION device's LAN interface, where a translation table check is
   performed on the flow to ensure that there is an active connection.

7. The traffic is placed onto the internet segment, and the source is translated back from
   10.10.10.20:443 to 50.50.50.20:443.

Case: Outbound Connection from the Local Server to an Internet Service

5. A new flow originates from Server 1 with a source address of 10.10.10.20 and a destination
   address of 70.70.70.80.

6. The packet arrives at the ION device's LAN interface. A policy lookup is performed and the
   traffic is placed on the internet segment.

7. The packet is placed onto the internet segment and matched against the newly created NAT
   policy rule. This rule contains the following configuration:
   • Destination Zone Rule: NAT Zone Internet (the NAT zone Internet is bound to the internet
     interface)
   • Match Criteria:
     • Protocol: Any (blank)
     • Source Prefix: LAN-Services-Prefix, a local prefix filter whose entry for this site is
       10.10.10.16/28
     • Source Port Range: Any:Any (blank)
     • Destination Prefix: Any (blank)
   • Action: Static Source NAT
   • NAT Pool: Internet-Services, defined as 50.50.50.16 - 50.50.50.31 on the branch ION device
   The ION device sends GARP messages and responds to ARP requests for 50.50.50.16/28. NAT pools
   can be configured through the NAT policy UI or directly in the interface configuration, and are
   defined as contiguous ranges.
   When the policy is applied, the original source address 10.10.10.20 is overwritten with the
   corresponding address from the NAT Pool Internet-Services. In this example the original packet
   (s) 10.10.10.20:12345 (d) 70.70.70.80:443 is rewritten to (s) 50.50.50.20:12345
   (d) 70.70.70.80:443.

8. Traffic crosses the internet and arrives at the destination server 70.70.70.80. Return traffic
   is processed in the reverse order, and the ION device references the original outbound
   connection previously opened by the Static Source NAT action.
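The three use cases above (Default Source NAT, Destination NAT, Static NAT) together with the
rule, stack and pool concepts from Add a NAT Policy Rule, worked as an added Python model that is
not ION device code: a NAT stack of ordered policy sets, source-zone and destination-zone rules
with protocol, prefix and port match criteria, the four translating actions, and a translation
table that reverses the rewrite for return traffic and drops replies with no active flow.
Addresses, prefixes and pool ranges come from the use cases; the interface names, the rule names,
and the source-port allocator used when the default rule has no pool are constructed, and
multi-action rules and ALG behaviour are not modelled.

```python
"""Miniature NAT engine for the Default Source NAT, Destination NAT and Static NAT use cases.

Added example, not ION device code. It models an ordered NAT stack (policy sets left to right,
rules by their 1-4 order within a set), source-zone versus destination-zone rules, the four
translating actions, and the translation table that matches a reply to its flow and reverses it.
Addresses, prefixes and pools are those of the use cases; interface names and the source-port
allocator are constructed, and multi-action rules and ALG handling are not modelled.
"""
import itertools
from collections import namedtuple
from ipaddress import ip_address, ip_network

# A packet's 5-tuple; proto defaults to 6 (TCP).
Flow = namedtuple("Flow", "src sport dst dport proto", defaults=(6,))

# A NAT policy rule. direction: "source" or "destination" zone rule; zone: the NAT zone it keys
# on; order: 1 is the highest priority within a set; proto/src_prefix/dst_prefix/dports: None
# means any; pool: (first, last) addresses, None means the egress interface address.
NatRule = namedtuple("NatRule",
                     "name direction zone action order proto src_prefix dst_prefix dports pool",
                     defaults=(1, None, None, None, None, None))

class IonNat:
    def __init__(self, stack, iface_zone, iface_addr):
        self.stack = stack                     # [policy_set, ...]; the left-most set wins
        self.iface_zone = iface_zone           # interface -> NAT zone bound to it
        self.iface_addr = iface_addr           # interface -> its IP address
        self.table = {}                        # reply 5-tuple -> original Flow
        self._ports = itertools.count(54321)   # constructed source-port allocator

    @staticmethod
    def _matches(r, flow, in_zone, out_zone):
        zone = in_zone if r.direction == "source" else out_zone
        return (zone == r.zone and (r.proto is None or r.proto == flow.proto)
                and (not r.src_prefix or ip_address(flow.src) in ip_network(r.src_prefix))
                and (not r.dst_prefix or ip_address(flow.dst) in ip_network(r.dst_prefix))
                and (not r.dports or r.dports[0] <= flow.dport <= r.dports[1]))

    def lookup(self, flow, in_if, out_if):
        """First matching rule: sets in stack order, rules by 'order' within each set."""
        in_zone, out_zone = self.iface_zone.get(in_if), self.iface_zone.get(out_if)
        for pset in self.stack:
            for r in sorted(pset, key=lambda rule: rule.order):
                if self._matches(r, flow, in_zone, out_zone):
                    return r
        return None

    @staticmethod
    def _static(addr, prefix, pool):
        """1:1 mapping: the address keeps its offset within the matched prefix."""
        offset = int(ip_address(addr)) - int(ip_network(prefix).network_address)
        first, last = (int(ip_address(p)) for p in pool)
        if offset > last - first:
            raise ValueError(f"{addr} has no counterpart in pool {pool}")
        return str(ip_address(first + offset))

    def translate(self, flow, in_if, out_if):
        """Apply the matching rule to a new flow and record it so its reply can be reversed."""
        r = self.lookup(flow, in_if, out_if)
        if r is None or r.action == "No NAT":
            return flow
        src, sport, dst = flow.src, flow.sport, flow.dst
        if r.action == "Source NAT":           # blank pool: use the egress interface address
            src = r.pool[0] if r.pool else self.iface_addr[out_if]
            sport = next(self._ports)          # the source port is rewritten, as in the use case
        elif r.action == "Destination NAT":
            dst = r.pool[0]
        elif r.action == "Static Source NAT":
            src = self._static(flow.src, r.src_prefix, r.pool)
        elif r.action == "Static Destination NAT":
            dst = self._static(flow.dst, r.dst_prefix, r.pool)
        else:
            raise ValueError(f"{r.name}: unsupported action {r.action}")
        new = Flow(src, sport, dst, flow.dport, flow.proto)
        self.table[(new.proto, new.dst, new.dport, new.src, new.sport)] = flow
        return new

    def untranslate(self, reply):
        """Reverse the translation for a reply; None means no active flow, so drop it."""
        orig = self.table.get((reply.proto, reply.src, reply.sport, reply.dst, reply.dport))
        return None if orig is None else Flow(orig.dst, orig.dport, orig.src, orig.sport, orig.proto)

# Constructed stack: one custom policy set placed left of the default policy set.
CUSTOM_SET = [
    NatRule("Inbound-Static", "source", "Internet", "Static Destination NAT", order=1, proto=6,
            dst_prefix="50.50.50.16/28", dports=(443, 443), pool=("10.10.10.16", "10.10.10.31")),
    NatRule("Outbound-Static", "destination", "Internet", "Static Source NAT", order=2,
            src_prefix="10.10.10.16/28", pool=("50.50.50.16", "50.50.50.31")),
    NatRule("Inbound-HTTPS", "source", "Internet", "Destination NAT", order=3, proto=6,
            dst_prefix="50.50.50.2/32", dports=(443, 443), pool=("10.10.10.20", "10.10.10.20")),
]
DEFAULT_SET = [NatRule("Default-InternetRule", "destination", "Internet", "Source NAT")]
IFACE_ZONE = {"lan1": "LAN", "internet1": "Internet"}
IFACE_ADDR = {"lan1": "10.10.10.1", "internet1": "50.50.50.1"}

if __name__ == "__main__":
    ion = IonNat([CUSTOM_SET, DEFAULT_SET], IFACE_ZONE, IFACE_ADDR)
    print(ion.translate(Flow("10.10.10.10", 12345, "60.60.60.60", 443), "lan1", "internet1"))
```

The static actions map by offset within the matched prefix, so 50.50.50.20 in 50.50.50.16/28
becomes 10.10.10.20 in the 10.10.10.16-31 pool and back again; Source NAT with a blank pool falls
back to the egress interface address, as the default rule does; and because the custom set sits
left of the default set, the server's outbound flow gets its static address rather than the
interface address the default rule would have assigned.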

ALG Disable
Where Can I Use This?          What Do I Need?
• Prisma SD-WAN                • Active Prisma SD-WAN license

The Prisma SD-WAN application fabric is a critical enabler of this transition by emphasizing Voice
and Video quality reporting and SLA assurance. As the consumption of these services has changed,
it has driven new demands on the network. Specifically, many UCaaS systems require that network
solution providers disable the SIP ALG (Application Layer Gateway) for any traffic that crosses a
NAT boundary destined for a SIP provider.
In this example, a phone is configured at the branch to communicate with a UCaaS system on the
internet via SIP (Session Initiation Protocol), a standard protocol used by collaboration endpoints
to register with the intended control system. The SIP traffic is configured (via Path Policy) to be
placed directly onto any available internet link. As such, it uses the default NAT policy. The UCaaS
provider has also specified that any SIP ALG must be disabled. Disabling the SIP ALG prevents
issues that may affect phone registration and cause one-way audio.

Fields Description

1. A new SIP registration sources from Phone 1 with a source address of 10.10.20.20 and a
destination address of 80.80.80.80.

2. A packet arrives at the ION device's LAN interface. Perform a policy lookup for the traffic
on the internet segment.

3. Place the packet onto the internet segment; in the Default-NATPolicySet it matches against
the Default-InternetRule. This rule contains the following configuration:
• Destination Zone Rule: NAT Zone Internet
• Match Criteria: Any Protocol, Any Prefix, Any Port
• Action: Source NAT
In this rule, the NAT Pool is blank by default, and the system uses the IP address bound to the
internet interface.

When the policy is applied to the packet, the source address of 10.10.10.10 is overwritten by
the address bound to the internet interface (50.50.50.1), and the source port might be changed
to a random port during this operation.

In this example the original packet (s) 10.10.20.20:12345 (d) 80.80.80.80:5060 is rewritten to
(s) 50.50.50.1:54321 (d) 80.80.80.80:5060.

4. In addition to the default NAT policy, the traffic also matches the recently created rule to
disable the SIP ALG:
• Destination Zone Rule: NAT Zone Internet
• Match Criteria:
  • Protocol: Any: Any (blank)
  • Source Prefix: Local Prefix Filter - 10.10.20.0/24 (Phone Network)
  • Source Port Range: Any: Any (blank)
  • Destination Prefix: Any (blank)
  • Destination Port Range: Any: Any (blank)
• Action: ALG Disable
• ALG Protocols to Disable: SIP

5. Traffic arrives at the SIP server directly on the internet.

6. Return traffic is sent to the destination 50.50.50.1:54321. A translation table check is
performed on the flow to ensure that there is an active connection.

7. The traffic is placed onto the LAN segment; the destination IP address and port are rewritten
from 50.50.50.1:54321 to 10.10.20.20:12345.

To clone the Default-NATPolicySet, add the appropriate policy settings and apply this newly
created set to the intended target site(s). When required to change ALG behavior, it is best
practice to create a new Policy Set Stack. Once created, add the Default-NATPolicySet to the
stack, then create a new NAT Set with a rule that disables ALG. Bind the new NAT Set to the new
NAT Stack.
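The two cases above (the pool-backed translation for Server 1 and the default Source NAT plus SIP ALG Disable for Phone 1) as an added Python model; this is example code, not Prisma SD-WAN code. It assumes the Server 1 rule behaves as the static source NAT that the rewrite describes, that a NAT Pool is written as a CIDR block, and it replaces the random source port with a fixed 54321 so the result is deterministic.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:              # (s) src_ip:src_port -> (d) dst_ip:dst_port
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRule:
    name: str
    dest_zone: str                    # Destination Zone Rule, e.g. "NAT Zone Internet"
    action: str                       # "static_source_nat", "source_nat" or "alg_disable"
    src_prefix: Optional[str] = None  # local prefix filter entry for this site; None = Any
    pool: Optional[str] = None        # contiguous NAT Pool, written here as a CIDR block
    alg_protocols: tuple = ()         # for alg_disable rules, e.g. ("SIP",)

    def matches(self, flow: Flow, zone: str) -> bool:
        if zone != self.dest_zone:
            return False
        if self.src_prefix is None:   # Any: Any (blank)
            return True
        return ipaddress.ip_address(flow.src_ip) in ipaddress.ip_network(self.src_prefix)


class NatEngine:
    """Walks the rules in order: the first translating rule rewrites the flow,
    and every matching ALG Disable rule adds to the set of disabled ALGs."""

    def __init__(self, rules, interface_ip: str):
        self.rules = rules
        self.interface_ip = interface_ip  # address bound to the internet interface
        self.translations = {}            # translated 4-tuple -> original Flow
        self._next_port = 54321           # deterministic stand-in for the random port

    def outbound(self, flow: Flow, zone: str = "NAT Zone Internet"):
        translated, translated_by, disabled_algs = flow, None, set()
        for rule in self.rules:
            if not rule.matches(flow, zone):
                continue
            if rule.action == "static_source_nat" and translated_by is None:
                # 1:1 mapping: keep the host offset inside the local prefix and move
                # it into the pool, so .20 in 10.10.10.16/28 becomes .20 in 50.50.50.16/28.
                src_net = ipaddress.ip_network(rule.src_prefix)
                pool = ipaddress.ip_network(rule.pool)
                offset = int(ipaddress.ip_address(flow.src_ip)) - int(src_net.network_address)
                if offset >= pool.num_addresses:
                    raise ValueError(f"{rule.name}: NAT pool smaller than the source prefix")
                translated = Flow(str(pool.network_address + offset), flow.src_port,
                                  flow.dst_ip, flow.dst_port)
                translated_by = rule.name
            elif rule.action == "source_nat" and translated_by is None:
                # Default-InternetRule: blank pool, so use the interface address and a new port.
                translated = Flow(self.interface_ip, self._next_port, flow.dst_ip, flow.dst_port)
                self._next_port += 1
                translated_by = rule.name
            elif rule.action == "alg_disable":
                disabled_algs.update(rule.alg_protocols)
        self.translations[(translated.src_ip, translated.src_port,
                           translated.dst_ip, translated.dst_port)] = flow
        return translated, translated_by, disabled_algs

    def inbound(self, reply: Flow) -> Optional[Flow]:
        """Translation-table check for return traffic: None when there is no active
        connection, otherwise the reply with its destination restored."""
        key = (reply.dst_ip, reply.dst_port, reply.src_ip, reply.src_port)
        original = self.translations.get(key)
        if original is None:
            return None
        return Flow(reply.src_ip, reply.src_port, original.src_ip, original.src_port)


# Rule sets for the two cases (constructed from the values in the tables above).
SERVER_RULES = [NatRule("Internet-Services", "NAT Zone Internet", "static_source_nat",
                        src_prefix="10.10.10.16/28", pool="50.50.50.16/28")]
PHONE_RULES = [NatRule("Default-InternetRule", "NAT Zone Internet", "source_nat"),
               NatRule("Disable-SIP-ALG", "NAT Zone Internet", "alg_disable",
                       src_prefix="10.10.20.0/24", alg_protocols=("SIP",))]


def run_server_case():
    engine = NatEngine(SERVER_RULES, "50.50.50.1")
    out, _, _ = engine.outbound(Flow("10.10.10.20", 12345, "70.70.70.80", 443))
    back = engine.inbound(Flow("70.70.70.80", 443, out.src_ip, out.src_port))
    return out, back


def run_phone_case():
    engine = NatEngine(PHONE_RULES, "50.50.50.1")
    out, _, algs = engine.outbound(Flow("10.10.20.20", 12345, "80.80.80.80", 5060))
    back = engine.inbound(Flow("80.80.80.80", 5060, out.src_ip, out.src_port))
    stray = engine.inbound(Flow("80.80.80.80", 5060, "50.50.50.1", 60000))  # no connection
    return out, algs, back, stray
```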

Prisma SD-WAN Incident Policies
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

The incident policy framework provides user-defined control over system-generated alerts and
alarms in the network. You can use incident policy rules to suppress or escalate alarms that arise
during a scheduled time period, and you can change the default priority of system-generated alarms
to a priority level that is more aligned with your business requirements.
Incident policy rules can be applied to a set of network resources such as sites, devices,
interfaces, circuits, and BGP peers, or can be matched to specific incident codes.
Incident policy rules allow you to manage alerts and alarms for better visibility into network issues
and for quicker troubleshooting.
Read on to learn about configuring incident policies.
• Incident Policies Constructs
• Incident Policy Framework-Use Case
• Create a New Incident Policy Set
• Create a New Incident Policy Rule

Prisma SD-WAN Branch High Availability
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

Prisma SD-WAN offers a unique branch HA solution ensuring full WAN capacity in the case of
an ION device failure. This is achieved by leveraging the fail-to-wire capabilities and HA group
technology of ION devices at a branch site. Prisma SD-WAN High Availability (HA), ensures
automatic failover between active and backup devices, maintaining all services and forwarding
paths when an ION device experiences a software, hardware, or network related failure.
At most, one HA group may be created per branch site and up to two devices can be bound to a
group. One of the devices in the group will be elected as active, and the second device, if present,
will be the backup device.
• The Active device performs traffic forwarding and monitoring functions, including path
selection, BGP peering, usable VPN establishment, advertising and learning routes, reporting
statistics, alerts, and alarms.
• The Backup device merely bridges traffic to the active device and will not perform path
selection, and advertise and learn routes. It reports a limited set of statistics, alerts, and alarms.
Also in some topologies it may establish VPNs to remote endpoints, but these will not be
usable while the device is in a backup state.
The HA control interface is used to determine which device is active or backup and synchronizes
some state information between the ION devices (e.g. DHCP server leases). The HA control
interface can be any Layer 3 interface on the ION device with a statically configured IP address.
However, we recommend using the Controller port as long as the interfaces are within the same
subnet. In topologies where the controller ports are in two different subnets, use a different pair
of ports that are in the same subnet and dedicate those interfaces for HA control.
Read on to understand the key concepts, topologies, and how to configure branch HA.
• Prisma SD-WAN Branch HA Key Concepts
• Configure Branch HA


Prisma SD-WAN Branch HA Key Concepts
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

Prisma SD-WAN enables the election of an active or backup device through Priority and
Preemption configuration.
Priority is assigned to devices to dictate preference during election. For example, certain
topologies may require that a particular device be active while the other remains as a backup
device. In such cases, an administrator can assign a higher priority to the preferred device to
dictate which device becomes active during election, with the highest priority being 255. It is
recommended to have a difference of at least 40 between the priorities of an active ION device
and a backup ION device.
Preemption is enabled at the HA group level to automatically force a switchover to the device
with a higher priority.
• If enabled, it dictates that a re-election within the group be forced whenever there is a priority
change that results in the current active device’s priority to be less than that of the backup
device.
• If disabled, it dictates that an election not happen as long as the current active device has an
effective priority greater than 0, which means it has not experienced a critical failure.
Advertisement Interval—Prisma SD-WAN uses VRRP to determine HA peer liveness at specified
intervals. At the HA group level, an administrator specifies the interval at which the active
device advertises its priority to the other members of the HA group. This can be a value
between 1 and 10 seconds. If the backup device receives no advertisement for 3 consecutive
advertisement intervals, it assumes that the active device is unavailable and begins its
transition to the active state.
Interface Tracking—Each device will automatically track the state of the HA-control interface, and
upon a failure of the interface, the device will immediately transition to a failed state, giving way
to the other device in the HA group to become active. In addition, an administrator can optionally
configure up to four non-HA control interfaces to track, and for each interface that goes down the
HA priority of the device will be reduced by the configured value.
Administration—The devices in an HA group can be administratively disabled from participating in
an HA group for operational reasons. When a device is disabled in a group, it will withdraw from
the group and become a passive device. For example, in Returned Merchandise Authorization
(RMA) scenarios, an administrator can administratively bring down and bring up a device. Similarly,
before a software upgrade, an administrator can mark the device as disabled to perform the
software upgrade and then enable the device in the HA group after the software upgrade is
complete.
DHCP Server—The devices will automatically synchronize DHCP server leases from active to
backup, so that the backup device, when active, can continue to perform all the functions of an
active device.


HA Status—HA group status can be displayed for current active and backup devices with the last
switchover time and the reason for the switchover.
Configuration Management—The device configuration may need to be identical on both devices,
depending on the topology.
• If the configuration is applied at the site level (For example, network path policy, QoS policy,
etc.), the same policy is applied to both the devices.
• If the configuration was executed at the device level (For example, NAT port forwarding,
security zone binding at the interface level, etc.) the policy/configuration needs to be applied
to both the devices. This applies to other configurations as well.


Configure Branch HA
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

Prisma SD-WAN supports different High Availability (HA) topologies for ION devices at branch
sites. Based on your deployment, choose the topology model for your needs.
After you have selected your topology model, configure physical connections and interfaces as
per your topology model. The next step is to configure HA groups and then add your ION devices
to the newly created HA Group. You can then edit the HA Group and the HA Group Membership.
Read on to perform the following tasks that will help you configure branch HA.
STEP 1 | Configure HA Groups

STEP 2 | Add ION Devices to HA Groups

STEP 3 | Edit HA Groups and HA Group Membership


Configure HA Groups
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

An HA group is created at the site level and devices are bound at the device level. At the group
level, you may view the details of a group, edit members of a group, and so on. HA Groups can be
configured either from Map or Device Configuration. You can create a single HA Group consisting
of two devices.
STEP 1 | Select add an HA Group.
You can navigate in any of the following ways to add an HA Group.
• Select Workflow > Sites. From the ellipsis menu select HA Groups.
• Select Workflow > Devices > Claimed Devices. Select a device and from the ellipsis menu,
select Configure the Device.

STEP 2 | Click Add HA Group to add a new HA Group.


Only one HA Group can be created. If an HA group is already created, the Add HA Group is
disabled.

STEP 3 | Create a new HA Group.
1. Enter a name for the HA group.
2. (Optional) Enter a description and tags.
3. Select the Preempt? check box to enable preemption.
If Preempt is enabled, a re-election within the group is forced whenever a priority change
leaves the current active device's priority lower than that of the backup device. If disabled,
no election happens as long as the current active device has not experienced a catastrophic
failure that causes its priority to immediately drop to 0 (e.g. power loss, critical process
failure, loss of link on the HA control port, or track events that reduce the priority to 0),
even if the backup device has a higher priority.
4. Enter an Advertisement Interval between 1 and 10 seconds.
The Advertisement Interval indicates how often the active device advertises its status to
the backup. Three consecutive missed advertisements indicate that the active device has
failed, after which the backup device takes over as the active device.
The recommended value for the Advertisement Interval is 1 second.
5. Click Create.
An up arrow indicates that the device is enabled for Branch HA. After an HA group is
created, the Redundancy section shows the option to assign and configure devices in the
HA group.


Configure a High Availability (HA) Interface for HA Deployment
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

Prisma SD-WAN offers a unique branch HA solution ensuring full WAN capacity in the case of
an ION device failure. This is achieved by leveraging the fail-to-wire capabilities and HA group
technology of ION devices at a branch site. Prisma SD-WAN High Availability (HA), ensures
automatic failover between active and backup devices, maintaining all services and forwarding
paths when an ION device experiences a software, hardware, or network related failure.
Generation One ION devices (ION 1000, ION 2000, ION 3000, and ION 9000) use the control
port for the exchange of the HA heartbeat and to manage the controller traffic between the
active and the standby device. The NextGen ION devices (ION 1200-S, ION 3200, ION 5200,
ION 9200) do not need a dedicated controller port, with the introduction of used-for-HA as a
port type.
The used-for-HA interface (referred to as the used-for-control interface prior to Release 6.3.1)
exchanges heartbeat between the two ION devices and also connects the standby device to the
controller through the active ION device. You can use this interface to send management traffic
like App Probe, NTP, SNMP, RADIUS, and IPFIX.
Starting with Release 6.3.1, the support for High Availability (HA) has been enhanced to include
compatibility with various interface types.

If you have configured the used-for-HA interface and you want to downgrade to a version
that does not support the used-for-HA interface, contact Palo Alto Customer Support.

Used-for-HA is supported on all ION platforms. Directly establishing the High Availability
(HA) connection between devices is recommended only in cases where there are no
southbound LAN switches present, and only with the 1200-S and 3200-L2 models with
redundant ports.

Used-for-HA is supported on the following interfaces in an HA topology:
• Configure a Switch Virtual Interface (SVI) for HA Connectivity
• Configure a Sub-interface for HA Connectivity
• Configure a Main Interface for HA Connectivity
You will need ION device software version 6.3.1 or higher to configure a main interface as a
used-for-HA interface.


Configure a Switch Virtual Interface (SVI) for HA Connectivity
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

Configure a Switch Virtual Interface (SVI) as a source interface for control or management
purposes and to allow heartbeat exchange over the connection between the active and backup
device in high availability.
To configure an SVI for HA, first create an HA group at the site level, then create a sub-interface
on the SVI for both devices in the same subnet. Configure the Used-for property as HA for the
SVI subinterfaces on both devices, and finally configure the control interface as the sub-interface
created above.
STEP 1 | Select Workflows > Devices > Claimed Devices, select the device you want to configure.

STEP 2 | On the Interface tab, select the Add (plus) icon and select VLAN/Switch Virtual Interface.


STEP 3 | Enter the following VLAN information:
1. Enter a valid VLAN ID, ranging from 1 to 4000. Enter a unique ID; otherwise you get an
error message that the ID is a duplicate.
2. (Optional) Enter a Name, Tags, and Description for the VLAN.
3. Select Admin Up to use the switch virtual interface.
4. Enable or disable Auto Operational State.
Starting with version 6.4.1, the Auto Operational State is enabled by default. This means
that if all VLAN member ports are down, the device enters the backup High Availability
(HA) mode. This is generally the recommended deployment setting.
Auto Operational State functions differently for existing and new SVIs:
• For existing SVIs, after upgrading to release 6.4.1, Auto Operational State is disabled.
Enable the state by selecting the radio button.
• For new SVIs, the state is enabled by default.
5. Select the VLAN Type as Data or Voice LAN.
6. Select Used for as HA.

Prior to release 6.3.1, Used for HA was referred to as Used-for-Control.

7. Select Static IP Configuration for the interface.
Provide IP Address, Default Gateway, and DNS Server. The IP address should be the same as
the peer IP address. An example of the IP addresses on the active and backup devices is shown
below:
Active device:
• IP Address/Mask—100.1.10.1/24
• Default Gateway—100.1.10.2
• Used for—HA
Backup device:
• IP Address/Mask—100.1.10.2/24
• Default Gateway—100.1.10.1
• Used for—HA
8. Enter the global Scope of the interface.

STEP 4 | Save your changes.


The VLAN is created with a system-generated name vlan-<id>. If you have specified a
VLAN name in step 3, the given name is used.

STEP 5 | Add the configured VLAN as a part of the trunk VLAN or select access port.


STEP 6 | To make the device level configuration, on the Basic Info tab, on the HA Configuration,
enable the Spoke Cluster.
The Redundancy section displays details of devices in the HA group, including the status of the
devices and the priorities set for the devices.

STEP 7 | Set the Priority between 1 and 254.

STEP 8 | Select the configured SVI in the HA Control Interface.

STEP 9 | Ignore the Track Availability fields.

STEP 10 | Accept the changes.

You can configure this management interface as the source interface for App Probe, NTP,
SNMP, and IPFIX.

Configure a Sub-interface for HA Connectivity
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

Configure a sub-interface to allow heartbeat exchange and connection between the active and
backup device for high availability (HA).
To configure a sub-interface for HA, first create an HA group at the site level, then create a
sub-interface on both devices in the same subnet, and configure the Used-for property as HA for
the sub-interfaces on both devices.
STEP 1 | Select an interface on a device.

STEP 2 | Select the Sub-interfaces tab and Add a sub-interface.

STEP 3 | Enter a VLAN ID and Name.

STEP 4 | (Optional) Enter a Description.

STEP 5 | For Admin Up, select Yes.

STEP 6 | From Use this sub-interface for, select HA.

Prior to release 6.3.1, Used for HA was referred to as Used-for-Control.


STEP 7 | Select Static IP Configuration for the interface.
Provide IP Address, Default Gateway, and DNS Server. The IP address should be the same as the
peer IP address. An example of the IP addresses on the active and backup devices is shown below:
Active device:
• IP Address/Mask—100.1.10.1/24
• Default Gateway—100.1.10.2
• Use this sub-interface for—HA
Backup device:
• IP Address/Mask—100.1.10.2/24
• Default Gateway—100.1.10.1
• Use this sub-interface for—HA

STEP 8 | Enter Global Scope of the interface.

STEP 9 | Save to create the sub-interface.

STEP 10 | To make the device level configuration, on the Basic Info tab, on the HA Configuration,
enable the Spoke Cluster.
The Redundancy section displays details of devices in the HA group, including the status of the
devices and the priorities set for the devices.

STEP 11 | Set the Priority between 1 and 254.

STEP 12 | Select Control in the HA Control Interface.

STEP 13 | Ignore the Track Availability fields.

STEP 14 | Accept the changes.


Configure a Main Interface for HA Connectivity
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

Configure a main interface for heartbeat exchange in HA deployments with L3 ports. To configure
an HA interface for HA deployments, first create an HA group at the site level, then create an
interface on both devices in the same subnet. Configure Use this interface for as HA for the
main interface, and finally configure the control interface as the main interface created above.

You will need ION device software version 6.3.1 or higher to configure a main interface as
a used-for-HA interface.

STEP 1 | Navigate to Workflows > Devices > Claimed Device.

STEP 2 | Select a device and then select a port on the device to configure for HA.

STEP 3 | On the Interfaces tab, select Main Interfaces.

STEP 4 | For Admin Up, select Yes.

STEP 5 | (Optional) Enter Description and Tags.

STEP 6 | Select the Interface Type as Port.

STEP 7 | From Use this Port for, select HA.

STEP 8 | Select Scope as Global to advertise the prefix.

STEP 9 | Select Static IPv4 Configuration for the interface.
Provide IP Address, Default Gateway, and DNS Server. The IP address should be the same as the
peer IP address. An example of the IP addresses on the active and backup devices is shown below:
Active device:
• IP Address/Mask—100.1.10.1/24
• Default Gateway—100.1.10.2
• Use this interface for—HA
Backup device:
• IP Address/Mask—100.1.10.2/24
• Default Gateway—100.1.10.1
• Use this interface for—HA


STEP 10 | Save the configuration.

STEP 11 | To make the device level configuration, on the Basic Info tab, on Redundancy, create an
HA group, and then assign and configure HA.
The Redundancy section displays the details of the devices in the HA group, including the
status of the devices and the priorities set for the devices.

STEP 12 | Add HA Configuration.

STEP 13 | Select the port configured for the HA Control Interface.

STEP 14 | Save the changes.

STEP 15 | On the other HA device, configure a similar HA setup.


Add ION Devices to HA Groups
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

After creating an HA Group, you can add ION devices to the HA Group. An HA Group can include
a maximum of two ION devices in this release.
STEP 1 | Select an HA Group.
You can navigate in any of the following ways to view an HA Group.
• Select Workflow > Sites. From the ellipsis menu select HA Groups.
• Select Workflow > Devices > Claimed Devices. Select a device and from the ellipsis menu,
select Configure the Device.

STEP 2 | On the HA Groups screen, for an HA group click add under the Devices column.

STEP 3 | On the Add Spoke HA Configuration screen:


1. Select an HA Group from the Spoke Cluster drop-down list.
The Enabled check box is selected by default.
2. Enter a Priority between 1 and 254.
If preempt is enabled, the device with the higher priority will be the active device. If
preempt is not enabled, then the device first added to the HA group will be active. It is
recommended to have a minimum difference of at least 40 between the priorities of an
active ION device and a backup ION device.
3. For Track Availability, select an interface for tracking from Name.
• Track Availability for interfaces tracks the physical status of the interface.
• When using a 1200-S with an SVI as the Used for HA interface, the following
configuration is mandatory:
  • Configure the interface carrying the HA control VLAN as a trunk port (even if it
  carries a single VLAN).
  • Enable interface tracking for the trunk switch ports to ensure correct failover
  behavior. Ensure that the tracking decrement value is the same as the existing
  device HA priority so that the ION decrements to zero under this failure condition.
• (Optional) Track Availability for WAN tracks Layer 3 reachability for WAN circuits.
If a transport issue causes a middle-mile failure, tracking availability for WANs can induce
an HA switchover by lowering the priority of the active device. This should only be enabled
when using unique IP addresses on each WAN interface; it is not supported in Bypass
Configurations.
• A maximum of four interfaces can be tracked for availability.
• Only WAN-facing interfaces with an attached circuit label are listed for tracking Layer 3
reachability on the WAN.
4. Enter a value in the Reduce Priority field to reduce the device priority when the selected
interface or Layer 3 reachability over the WAN circuits is down.
5. Click Save.
The device is added to the HA Group. An up arrow indicates that the device is enabled.

• The HA switchover from the active to the backup device occurs when the track
availability check fails. As soon as the interface is available again, or when Layer
3 reachability on the WAN is restored, an HA switchover is induced, restoring the
devices to their original state.
• We do not recommend enabling tracking of Layer 3 availability for:
• A private WAN interface that has BGP peering configured.
• Devices sharing a single circuit.
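An added Python model of the election rules from the Branch HA Key Concepts section together with the priority and tracking settings in this step (example code, not Palo Alto Networks code). It assumes that a Reduce Priority value is subtracted from the configured priority while the tracked interface is down, that switching back after an interface recovers follows the preemption setting, and that a dead active device is detected by the backup counting missed advertisements; device and port names are constructed.

```python
from dataclasses import dataclass, field

MISSED_ADVERTS_FOR_FAILOVER = 3   # three consecutive missed advertisements
MAX_TRACKED_INTERFACES = 4        # non-HA-control interfaces that may be tracked
RECOMMENDED_PRIORITY_GAP = 40     # recommended active/backup priority difference


@dataclass
class Device:
    name: str
    priority: int                                # configured priority, 1-254
    tracked: dict = field(default_factory=dict)  # interface -> Reduce Priority value
    down: set = field(default_factory=set)       # tracked interfaces currently down
    ha_control_up: bool = True                   # state of the HA control interface

    def __post_init__(self):
        if not 1 <= self.priority <= 254:
            raise ValueError("priority must be between 1 and 254")
        if len(self.tracked) > MAX_TRACKED_INTERFACES:
            raise ValueError("at most four interfaces can be tracked")

    def effective_priority(self) -> int:
        # Loss of the HA control interface is a critical failure: priority goes to 0.
        if not self.ha_control_up:
            return 0
        reduction = sum(v for iface, v in self.tracked.items() if iface in self.down)
        return max(0, self.priority - reduction)


class HAGroup:
    def __init__(self, first: Device, second: Device, preempt: bool,
                 advertisement_interval: int = 1):
        if not 1 <= advertisement_interval <= 10:
            raise ValueError("advertisement interval must be 1-10 seconds")
        self.devices = [first, second]
        self.preempt = preempt
        self.interval = advertisement_interval
        self.missed = 0
        # Initial election: with preempt the higher effective priority wins; without
        # it the device added first stays active (a tie also goes to the first device).
        self.active = first
        if preempt and second.effective_priority() > first.effective_priority():
            self.active = second

    def backup(self) -> Device:
        return self.devices[1] if self.active is self.devices[0] else self.devices[0]

    def reelect(self) -> Device:
        """Re-evaluate after a priority change or a tracked-interface event. Without
        preempt a switchover happens only when the active device's effective priority
        reaches 0; with preempt also whenever it drops below the backup's priority."""
        a, b = self.active.effective_priority(), self.backup().effective_priority()
        if a == 0 or (self.preempt and a < b):
            self.active, self.missed = self.backup(), 0
        return self.active

    def tick(self, advertisement_received: bool) -> Device:
        """One advertisement interval as seen by the backup device."""
        self.missed = 0 if advertisement_received else self.missed + 1
        if self.missed >= MISSED_ADVERTS_FOR_FAILOVER:
            self.active, self.missed = self.backup(), 0
        return self.active


def failover_detection_seconds(advertisement_interval: int) -> int:
    """Worst-case time for the backup to notice a silent active device."""
    return MISSED_ADVERTS_FOR_FAILOVER * advertisement_interval


def check_recommendations(first: Device, second: Device) -> list:
    """Warnings for settings the guide advises against (constructed check)."""
    warnings = []
    if abs(first.priority - second.priority) < RECOMMENDED_PRIORITY_GAP:
        warnings.append("priority gap below the recommended 40")
    return warnings


def trunk_port_failure_scenario() -> list:
    """1200-S style tracking: the decrement on the trunk port carrying the HA VLAN
    equals the device priority, so losing it drives the priority to zero."""
    ion1 = Device("ION-1", 200, tracked={"port3": 200})
    ion2 = Device("ION-2", 150)
    group = HAGroup(ion1, ion2, preempt=True)
    history = [group.active.name]
    ion1.down.add("port3")            # trunk port goes down
    history.append(group.reelect().name)
    ion1.down.discard("port3")        # link restored: preempt brings ION-1 back
    history.append(group.reelect().name)
    return history
```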


View Device Configuration of HA Groups
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

Device configuration of the ION devices added in an HA group can be viewed from the device
configuration screen of the selected device.

Select an HA Group.
You can navigate in any of the following ways to view an HA Group.
• Select Workflow > Sites. From the ellipsis menu select HA Groups.
• Select Workflow > Devices > Claimed Devices. Select a device and from the ellipsis menu,
select Configure the Device.
• Select Map and select a branch site. Select the Summary tab.
On the Basic Info tab, the Redundancy section will display details of devices in the HA group,
including the status of the devices and the priorities set for the devices.


Edit HA Groups and Group Membership
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

Information in HA Groups can be updated by selecting an HA Group either from Map, Site Details
or Device Configuration screen.
STEP 1 | Select Workflow > Sites.

STEP 2 | Select the site and from the ellipsis menu, select HA Groups.

STEP 3 | On the HA Groups screen, from the ellipsis menu of the selected HA group, select Edit.

STEP 4 | On the Edit HA Group screen, change information as needed and click Update.

STEP 5 | To edit HA Group Membership, on the HA Groups screen, from the ellipsis menu of the
selected HA group, select Edit Membership.

STEP 6 | On the Membership for HA Group screen, you can choose among replace, remove or add
options to replace, remove or add ION devices respectively.


Branch HA Topologies
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

Prisma SD-WAN supports different High Availability (HA) topologies for ION devices at branch
sites. Use the following table to view the topology as per your device platform and configuration.

Topology | Models Supporting the Topology
Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000) | ION 2000, ION 3000, ION 7000, ION 9000
Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200) | ION 3200, 5200, and 9200
Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2) | ION 1200-S and 3200 (L2)
Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G) | ION 1200-S-C-5G
Configure Branch HA for Platforms without Bypass Pairs | ION 1000, 1200, or any model (with or without bypass pairs)

Configure Branch HA with Gen-1 Platforms (2000, 3000, 7000, and 9000)
Where Can I Use This? | What Do I Need?
Prisma SD-WAN | Active Prisma SD-WAN license

The example showcases two ION 2000 devices equipped with a single pair of hardware bypass
functionality. Furthermore, it accommodates the integration of ION 3000 models with four
pairs of hardware bypass, as well as ION 7000 and ION 9000 models equipped with four
pairs of hardware bypass capability. These ION devices mark a significant advancement in
software-defined enterprise technology, using software bypass to enable elastic WAN network
connectivity, enhancing both performance and adaptability.


The topology has the following features:
• The active device has one Internet connection.
• The backup device has one MPLS/Private connection.
• The ION devices operate in an active/backup configuration, and through fail-to-wire
functionality, the active ION constantly maintains complete control and utilizes the full
capacity of all the WAN circuits.
• The controller interface serves the purpose of monitoring device heartbeats. To achieve this,
it's essential to establish a connection with a southbound switch.
• The LAN addressing is identical on both devices, permitting only the active device to use
Address Resolution Protocol (ARP) and communicate with hosts and network devices below.
• The Controller addressing is unique, enabling the backup device to communicate with the
controller through the active device for connectivity.
• Prisma SD-WAN facilitates the utilization of both the fabric overlay and the underlay (private
MPLS). If you opt for the underlay, it's imperative to configure the necessary routing exchange
between the ION device and the PE (provider edge) router.

STEP 1 | Create physical connections between the interfaces of the active and backup ION device.
1. Connect Port 5 of ION 1 to Port 1 of ION 2. (Internet).
2. Connect Port 5 of ION 2 to Port 1 of ION 1. (MPLS).
This ensures that the Internet and MPLS circuits are available to both the ION devices.

STEP 2 | Configure bypass pairs for each ION device.
• Between Ports 4 and 5 of the active ION device. (Port 4—WAN (Internet), Port 5—LAN)
• Between Ports 4 and 5 of the standby ION device. (Port 4—WAN (MPLS), Port 5—LAN)

Prisma SD-WAN facilitates the utilization of both the fabric overlay and the underlay
(private MPLS). If you opt for the underlay, it's imperative to configure the necessary
routing exchange between the ION device and the PE router.

STEP 3 | Configure the controller interface.


The controller interface, used for handling High Availability (HA), is responsible for establishing
connections between the devices and the controller. Consequently, it is crucial that these
interfaces possess external reachability (direct or via overlay) and are configured with DNS
servers capable of resolving public addresses.


STEP 4 | Configure an interface for LAN connectivity.


In this example, we are configuring Port 3 for LAN connectivity to enable data exchange.
You can use a single interface to transit to a layer 3 switch below, or alternatively, you can
create multiple LAN subinterfaces and ports to communicate directly with different host
subnets.

If using a transit LAN to a layer 3 switch, you must also set up routing accordingly.
The LAN addressing is identical on both devices, permitting only the active device to
use Address Resolution Protocol (ARP) and communicate with the hosts and network
devices in the LAN.

STEP 5 | Add the ION Devices to the HA Groups.

Configure Branch HA with Gen-2 Platforms (3200, 5200, and 9200)

Where Can I Use This?    What Do I Need?
• Prisma SD-WAN          • Active Prisma SD-WAN license

The example showcases two ION 5200 devices equipped with two pairs of hardware bypass
functionality. Furthermore, it accommodates the integration of 3200 models with one pair of
hardware bypass, as well as 9200 models equipped with four pairs of hardware bypass capability.
These ION devices mark a significant advancement in software-defined enterprise technology,
leveraging software bypass to enable elastic WAN network connectivity, enhancing both
performance and adaptability.

The topology has the following features:


• The active device has two Internet connections.
• The backup device has one MPLS/Private connection.
• The ION devices operate in an active/backup configuration, and through fail-to-wire
functionality, the active ION constantly maintains complete control and utilizes the full
capacity of all the WAN circuits.
• The devices establish a connection through a trunk, facilitating both data connectivity and
enabling High Availability (HA) via device heartbeat monitoring.

The High Availability (HA) connection needs to be established with a south-bound
switch; the devices cannot be directly connected to each other.

• The LAN addressing is identical on both devices, permitting only the active device to use
Address Resolution Protocol (ARP) and communicate with hosts and network devices in the
LAN.
• The High Availability (HA) addressing is unique, enabling the backup device to communicate
with the controller through the active device for connectivity.
• Prisma SD-WAN facilitates the utilization of both the fabric overlay and the underlay (private
MPLS). If you opt for the underlay, it's imperative to configure the necessary routing exchange
between the ION device and the PE (peer edge) router.

STEP 1 | Create physical connections between the interfaces of the active and backup ION device.
1. Connect Port 4 of ION 1 to Port 1 of ION 2. (Internet 1).
2. Connect Port 4 of ION 2 to Port 1 of ION 1. (MPLS).
3. Connect Port 6 of ION 1 to Port 3 of ION 2. (Internet 2).
This ensures that the Internet and MPLS circuits are available to both the ION devices.

STEP 2 | Configure bypass pairs for each ION device.


• Between Ports 3 and 4 of the active ION device. (Port 3—WAN (Internet-1), Port 4—LAN)
• Between Ports 3 and 4 of the standby ION device. (Port 3—WAN (MPLS), Port 4—LAN)
• Between Ports 5 and 6 of the active ION device. (Port 5—WAN (Internet-2), Port 6—LAN)

Prisma SD-WAN facilitates the utilization of both the fabric overlay and the underlay
(private MPLS). If you opt for the underlay, it's imperative to configure the necessary
routing exchange between the ION device and the PE router.

STEP 3 | Configure a High Availability (HA) subinterface, also known as the Used-for-HA subinterface.


In this example, we are configuring a subinterface on port 7 with VLAN tag 130 as the
Used-for-HA interface for heartbeat exchange between the devices.

The interface designated for handling High Availability (HA) will be responsible for
establishing connections between the devices and the controller. Consequently, it is
crucial that these interfaces possess external reachability (direct or via overlay) and are
configured with DNS servers capable of resolving public addresses.

STEP 4 | Configure an interface for LAN connectivity.


In this example, we are configuring port 7 with VLAN tag 150 for LAN connectivity to enable
data exchange between devices.
This can involve a single subinterface used as a transit to a layer 3 switch below, or
alternatively, you can create multiple LAN subinterfaces and ports to communicate directly
with different host subnets.

If using a transit LAN to a layer 3 switch, you must also set up routing accordingly.
The LAN addressing is identical on both devices, permitting only the active device
to use Address Resolution Protocol (ARP) and communicate with hosts and network
devices below.

STEP 5 | Add the ION Devices to the HA Groups.

Configure Branch HA with Gen-2 Embedded Switch Platforms (1200-S or 3200-L2)

Where Can I Use This?    What Do I Need?
• Prisma SD-WAN          • Active Prisma SD-WAN license

The example showcases two ION 1200-S or ION 3200 (in L2 mode) devices, representing the
next generation of software-defined enterprise technology. These devices feature switch ports,
cellular 5G/LTE technologies (ION 1200-S), and 802.1x authentication capabilities.

The topology has the following features:


• The active device has one Internet connection.
• The backup device has one MPLS/Private connection.
• The ION devices operate in an active/backup configuration, and through fail-to-wire
functionality, the active ION constantly maintains complete control and utilizes the full
capacity of all the WAN circuits.
• The devices establish a connection through a trunk, facilitating both data connectivity and
enabling High Availability (HA) via device heartbeat monitoring. This connection can be
established either with a south-bound switch or directly between the devices, eliminating the
necessity for additional LAN switch hardware at the site.
If the devices are directly connected and they lose connectivity with each other, both will
transition to an Active/Active state, continuing to serve outbound connections. However,
inbound connections will remain inactive until High Availability (HA) is re-established.

Directly establishing the High Availability (HA) connection between devices is
recommended only in cases where there are no southbound switches present at the
branch.
• The LAN addressing is identical on both devices, permitting only the active device to use
Address Resolution Protocol (ARP) and communicate with hosts and network devices in the
LAN.
• The High Availability (HA) addressing is unique, enabling the backup device to communicate
with the controller through the active device for connectivity.
• Prisma SD-WAN facilitates the utilization of both the fabric overlay and the underlay (private
MPLS). If you opt for the underlay, it's imperative to configure the necessary routing exchange
between the ION device and the PE (peer edge) router.

STEP 1 | Create physical connections between the interfaces of the active and backup ION device.
1. Connect Port 4 of ION 1 to Port 1 of ION 2. (Internet).
2. Connect Port 4 of ION 2 to Port 1 of ION 1. (MPLS).
This ensures that the Internet and MPLS circuits are available to both the ION devices.

STEP 2 | Configure bypass pairs for each ION device.


• Between Ports 3 and 4 of the active ION device. (Port 3—WAN (Internet), Port 4—LAN)
• Between Ports 3 and 4 of the standby ION device. (Port 3—WAN (MPLS), Port 4—LAN)

Prisma SD-WAN facilitates the utilization of both the fabric overlay and the underlay
(private MPLS). If you opt for the underlay, it's imperative to configure the necessary
routing exchange between the ION device and the PE router.

STEP 3 | Configure the High Availability (Used-for-HA) interface.


In this example, we are configuring SVI 130 as the Used-for-HA interface for heartbeat
exchange between the devices.
The interface designated for handling High Availability (HA) will be responsible for establishing
connections between the devices and the controller. Consequently, it is crucial that these
interfaces possess external reachability (direct or via overlay) and are configured with DNS
servers capable of resolving public addresses.

STEP 4 | Configure an SVI interface for LAN connectivity.


In this example, we are configuring SVI 100 for LAN connectivity to enable data exchange.
You can use a single interface to transit to a layer 3 switch below, or alternatively, you can
create multiple LAN subinterfaces and ports to communicate directly with different host
subnets.

If using a transit LAN to a layer 3 switch, you must also set up routing accordingly.

STEP 5 | Configure a trunk port for the LAN and HA SVIs.


In this instance, we are configuring a trunk port on port 5, where both the LAN (SVI 100) and
HA SVI (SVI 130) are assigned. Both the Ports 5 on the ION devices will be directly connected
to the LAN switch.
The embedded Layer 2 switch on the ION 1200-S and 3200 operates via Multiple Spanning
Tree Protocol (MSTP) when in layer 2 mode. When integrating these switches with
neighboring LAN switches, it's crucial to note that the adjacent switches should not operate
using Per VLAN Spanning-Tree (PVST). Instead, they should use MSTP (which is Rapid
Spanning Tree Protocol (RSTP) backwards compatible).
For redundancy purposes, trunk ports can be connected to redundant switches. With the
implementation of MSTP, it ensures the creation of a loop-free topology, thus maintaining
network stability.

STEP 6 | Add the ION Devices to the HA Groups.

Enable Interface tracking for the trunk switch ports to ensure correct fail-over
behavior. Ensure that the tracking decrement value is the same as the existing
device HA priority in order for the ION device to decrement to zero under this failure
condition.

Configure Branch HA for Devices with Software Cellular Bypass (1200-S-C-5G)

Where Can I Use This?    What Do I Need?
• Prisma SD-WAN          • Active Prisma SD-WAN license

The example showcases two ION 1200-S-C-5G devices, representing the next generation of
software-defined enterprise technology. These devices feature switch ports, cellular 5G/LTE
technologies, and 802.1x authentication capabilities. With the implementation of software
bypass, both cellular connections can be utilized concurrently, enabling elastic WAN network
connectivity.

The topology has the following features:


• The active device has one cellular network. (Cellular Internet 1)
• The backup device has one cellular network. (Cellular Internet 2).
• The ION devices operate in an active/backup configuration, and through fail-to-wire
functionality, the active ION device constantly maintains complete control and utilizes the full
capacity of all the WAN circuits.
• The devices establish a connection with the LAN switch through a trunk, facilitating both data
connectivity and enabling High Availability (HA) via device heartbeat monitoring.
• The LAN addressing is identical on both devices, permitting only the active device to use
Address Resolution Protocol (ARP) and communicate with hosts and network devices in the
LAN.
• The High Availability (HA) addressing is unique, enabling the backup device to communicate
with the controller through the active device for connectivity.

STEP 1 | Create software cellular bypass pairs between WAN and cellular interfaces of the same ION
device.
Software cellular bypass creates a software bridge between the ethernet and cellular
interfaces of an ION device. When both the links are active, the active ION device employs a
path selection algorithm to select the best path.

The Ethernet link is omitted in this example as we are using the built-in cellular
capabilities.

1. Create a cellular bypass pair between Cellular Port and Port 4 of ION 1.
2. Create a cellular bypass pair between Cellular Port and Port 4 of ION 2.

STEP 2 | Create physical connections between the interfaces of the active and backup ION device.
1. Connect Port 4 of ION 1 to Port 1 of ION 2.
2. Connect Port 4 of ION 2 to Port 1 of ION 1.
This ensures that the cellular circuits are available to both the ION devices.

STEP 3 | Configure WAN (peer) interfaces on Port 1 for each ION device.
The ION devices operate in an active/backup configuration, and through fail-to-wire
functionality, the active ION device constantly maintains complete control and utilizes the full
capacity of all the WAN circuits. As a result, you need to configure WAN circuits on both the
ION devices.
The initial step is to configure a cellular bypass pair and configure a WAN port (Port 4) on each
ION device. The next step is to mirror the WAN configuration on the connected WAN port
(Port 1) of the other ION device.

STEP 4 | Configure the High Availability (HA) (Used-for-HA) interface.


In this example, we are configuring SVI 130 as the Used-for-HA interface for heartbeat
exchange between the devices.
The interface designated for handling High Availability (HA) will be responsible for establishing
connections between the devices and the controller. Consequently, it is crucial that these
interfaces possess external reachability (direct or via overlay) and are configured with DNS
servers capable of resolving public addresses.

STEP 5 | Configure an SVI interface for LAN connectivity.


In this example, we are configuring SVI 100 for LAN connectivity to enable data exchange
between devices.
This can involve a single SVI used as a transit to a layer 3 switch below, or alternatively, you
can create multiple LAN SVIs to communicate directly with different host subnets.

If using a transit LAN to a layer 3 switch, you must also set up routing accordingly.

STEP 6 | Configure a trunk port for the LAN and HA SVIs.


In this instance, we are configuring a trunk port on port 5, where both the LAN (SVI 100) and
HA SVI (SVI 130) are assigned. Both the Ports 5 on the ION devices will be directly connected
to the LAN switch.
The embedded Layer 2 switch on the ION 1200-S and 3200 operates via Multiple Spanning
Tree Protocol (MSTP) when in layer 2 mode. When integrating these switches with
neighboring LAN switches, it's crucial to note that the adjacent switches should not operate
using Per VLAN Spanning-Tree (PVST). Instead, they should use MSTP (which is Rapid
Spanning Tree Protocol (RSTP) backwards compatible).
For redundancy purposes, trunk ports can be connected to redundant switches. With the
implementation of MSTP, it ensures the creation of a loop-free topology, thus maintaining
network stability.

STEP 7 | Add the ION Devices to the HA Groups.

Enable Interface tracking for the trunk switch ports to ensure correct failover behavior
if you're connecting them to a LAN switch below. Ensure that the tracking decrement
value is the same as the existing device HA priority in order for the ION to decrement
to zero under this failure condition. If you're connecting the ION devices back to back,
this step is not required.

Configure Branch HA for Platforms without Bypass Pairs

Where Can I Use This?    What Do I Need?
• Prisma SD-WAN          • Active Prisma SD-WAN license

The example features two ION 1000 devices that do not natively provide hardware bypass
capabilities. To ensure high availability (HA), we opt to terminate the circuits into both the ION
devices. Although connecting these circuits via a northbound switch is the most likely physical
design, for the sake of simplicity, we illustrate the circuits going directly into both devices. It's
important to note that this design is flexible and can be adapted to accommodate any model ION,
not solely limited to the ION 1000 platform. These ION devices represent a significant leap in
software-defined enterprise technology.

The topology has the following features:


• Both the active and backup devices are connected to circuits, each necessitating its own
unique IP address.
• The ION devices function in an active/backup configuration, but the WAN interfaces will
consistently remain active, necessitating their own unique addressing.
• The devices establish a connection with the LAN switch through a trunk, facilitating both data
connectivity and enabling High Availability (HA) via device heartbeat monitoring.
• The LAN addressing is identical on both devices, permitting only the active device to use
Address Resolution Protocol (ARP) and communicate with hosts and network devices below.
In contrast, the High Availability (HA) addressing is unique, enabling the backup device to
communicate with the controller through the active device for connectivity.
• Prisma SD-WAN facilitates the utilization of both the fabric overlay and the underlay (private
MPLS). If you opt for the underlay, it's imperative to configure the necessary routing exchange
between the ION device and the PE (peer edge) router.

STEP 1 | Configure the internet port.


Configure Port 1 as the internet port on both the ION devices.

The ION devices function in an active/backup configuration, but the WAN interfaces
will consistently remain active, necessitating their own unique addressing.

STEP 2 | Configure the WAN port.


Configure Port 2 for Private WAN (MPLS) on both the ION devices.
The ION devices function in an active/backup configuration, but the WAN interfaces will
consistently remain active, necessitating their own unique addressing.

Prisma SD-WAN facilitates the utilization of both the fabric overlay and the underlay
(private MPLS). If you opt for the underlay, it's imperative to configure the necessary
routing exchange between the ION device and the PE router.

STEP 3 | Configure the High Availability (HA) (Used-for-HA) interface.

In this example, we are configuring a subinterface on port 3 with VLAN tag 130 as the
Used-for-HA interface for heartbeat exchange between the devices.
The interface designated for handling High Availability (HA) will be responsible for establishing
connections between the devices and the controller. Consequently, it is crucial that these
interfaces possess external reachability (direct or via overlay) and are configured with DNS
servers capable of resolving public addresses.

STEP 4 | Configure an interface for LAN connectivity.


In this example, we are configuring a subinterface on port 3 with VLAN tag 100 for LAN
connectivity to enable data exchange between the devices.
You can use a single interface to transit to a layer 3 switch below, or alternatively, you can
create multiple LAN subinterfaces and ports to communicate directly with different host
subnets.

If using a transit LAN to a layer 3 switch, you must also set up routing accordingly.
The LAN addressing is identical on both devices, permitting only the active device to
use Address Resolution Protocol (ARP) and communicate with the hosts and network
devices in the LAN.

STEP 5 | Add the ION Devices to the HA Groups.

Prisma SD-WAN Clarity Reports
Where Can I Use This?    What Do I Need?
• Prisma SD-WAN          • Active Prisma SD-WAN license
                         • Active WAN Clarity license

The WAN Clarity Report is auto-generated weekly and provides aggregate views of ingress
and egress traffic distribution, 90th percentile bandwidth utilization across circuits, WAN
utilization over a threshold, heat maps, top applications, clients, servers, client and server pairs,
and undefined domains for the entire week and separately for periods of high utilization.
Download the entire reports package or view the reports from the Prisma SD-WAN controller,
allowing for week-over-week trend comparisons, as well as comparisons across sites and circuits.
The WAN Clarity Report is available for immediate use as a licensed service. Contact the
Prisma SD-WAN sales team to enable the license. The reports include:
• WAN Clarity Branch Reports
• WAN Clarity Data Center Reports
• WAN Clarity Aggregate On-Demand Bandwidth Reports


WAN Clarity Branch Reports


The following are the descriptions of branch reports in the WAN Clarity Reports.
• Traffic Distribution
• Utilization Quadrant
• Utilization over Threshold
• Heatmap
• Hotspots
• Top N
• Application Volume per Circuit

Traffic Distribution
The Traffic Distribution report helps administrators understand utilization across different WAN
path types at an AppFabric-level. This report provides a quick overview of traffic distribution
across the AppFabric, ensuring traffic meets the aggregate path policy objectives.

The sample chart above lists traffic distribution for a global enterprise for the week of July 5,
2021. This enterprise’s objective of using more of their public WAN circuit types (e.g., broadband
Internet) versus their private WAN circuits (e.g., MPLS) is being met at an aggregate level. The
following Utilization Quadrant report will help identify which sites and circuits an administrator
will focus on next.

Utilization Quadrant
The Utilization Quadrant report offers a visual synopsis of circuit utilization for all sites. The
report plots 90th percentile utilization for every circuit across the AppFabric, in both ingress and
egress directions. The quadrant highlights circuits whose 90th percentile utilization is above 50%
of the provisioned capacity in either the ingress or egress direction, thereby making it a candidate
for further investigation.
For example, if a particular site and circuit show up week after week, it may warrant adjustments
to the circuit capacity. However, to assess whether the high utilization in a specific circuit is
carrying business-critical traffic and occurs during business-impacting hours, you may use the next
set of reports to clarify the utilization.

The sample chart above summarizes utilization over a week for a global enterprise. 13 circuits
stand out based on their utilization at the 90th percentile. One site and circuit to review further is
the MPLS circuit at Chicago that seems to stand out for its egress utilization. The Utilization Over
Threshold report in the next section will provide more clarity as to the days and minutes when the
MPLS circuit was highly utilized.

Utilization Over Threshold


The Utilization Over Threshold report provides any site and circuit present in the three
quadrants of the Utilization Quadrant report, representing greater than 50% utilization (at the
90th percentile). This report provides a daily aggregate of minutes when a circuit operates over
the defined utilization threshold. For the initial WAN Clarity Reports release, the threshold set is
70%. This report supplements the Quadrant report as it informs administrators of the days and
the duration when a particular circuit exceeded that threshold.


The sample chart above displays the total minutes when the Chicago MPLS circuit operated at
or above 70% of the provisioned bandwidth. The majority of the high utilization is during the
workweek and in the egress direction. However, to understand when the hotspots occurred
during those days, review the Heatmap report described in the next section.

Heatmap
The Heatmap reports provide any site and circuit present in the three quadrants of the Utilization
Quadrant report, representing greater than 50% utilization (at the 90th percentile). The report
provides context to the day's hours (site local time) when the high utilization occurs. If the
observed contention happens during business hours, an assessment of provisioned capacity
may be warranted. The heatmap also sheds light on abnormal bandwidth-consumption behavior
outside of regular business hours.

The sample chart above shows the bandwidth consumption trend for the MPLS circuit in Chicago
for one week. This chart is interesting because it shows many more egress activities after business
hours (after 1600 hours) than during business hours. This may not be anomalous if scheduled
software upgrades, backup replication jobs, etc., typically happen after business hours.
However, there is also a good bit of contention between 2021-07-05 and 2021-07-11 during
regular business hours. Suppose this trend is observed week after week. In that case, the network
administrator should reassess the provisioned bandwidth on this circuit or rewrite application
policies to load-balance traffic across multiple paths. The following set of Hotspot reports will
help identify which traffic contributes to the heavy load during these periods.
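The utilization math behind the Utilization Quadrant, Utilization Over Threshold and Heatmap reports, as an added Python example that is not part of this guide or of Palo Alto Networks' reporting code: it computes 90th percentile utilization per direction, flags a circuit whose 90th percentile exceeds 50% of capacity, and counts the minutes at or above the 70% threshold per day and per site-local hour. The 100 Mbps circuit capacity, the week starting 2021-07-05 and the per-minute traffic shape are constructed for the example.

```python
"""Utilization Quadrant, Utilization Over Threshold and Heatmap logic over a
constructed week of per-minute circuit samples (added example, not vendor code).
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

QUADRANT_PCT = 50.0   # 90th percentile above this makes a circuit a review candidate
HOTSPOT_PCT = 70.0    # threshold used by the initial WAN Clarity Reports release


def percentile(values, pct):
    """Nearest-rank percentile; avoids a numpy dependency."""
    if not values:
        raise ValueError("no samples")
    ordered = sorted(values)
    rank = max(1, math.ceil(pct / 100.0 * len(ordered)))
    return ordered[rank - 1]


def build_sample_week(capacity_mbps, start=datetime(2021, 7, 5)):
    """Constructed per-minute samples for one circuit: (timestamp, ingress_mbps, egress_mbps).

    Traffic shape (site-local time): weekday business hours 09:00-17:00 carry a
    moderate load, a 10:00 spike pushes egress over the hotspot threshold, and a
    nightly 20:00-22:00 replication job saturates egress after business hours.
    """
    samples = []
    for minute in range(7 * 24 * 60):
        ts = start + timedelta(minutes=minute)
        is_weekday, hour = ts.weekday() < 5, ts.hour
        ingress_pct, egress_pct = 10.0, 15.0
        if is_weekday and 9 <= hour < 17:
            ingress_pct, egress_pct = 30.0, 55.0
        if is_weekday and hour == 10:
            egress_pct = 72.0
        if is_weekday and 20 <= hour < 22:
            egress_pct = 85.0
        samples.append((ts, capacity_mbps * ingress_pct / 100.0,
                        capacity_mbps * egress_pct / 100.0))
    return samples


def utilization_quadrant(samples, capacity_mbps):
    """90th percentile utilization (percent of capacity) per direction, plus the review flag."""
    p90_in = percentile([100.0 * s[1] / capacity_mbps for s in samples], 90)
    p90_out = percentile([100.0 * s[2] / capacity_mbps for s in samples], 90)
    return {"ingress_p90": p90_in, "egress_p90": p90_out,
            "review": p90_in > QUADRANT_PCT or p90_out > QUADRANT_PCT}


def minutes_over_threshold(samples, capacity_mbps, key, threshold=HOTSPOT_PCT):
    """Count samples (one per minute) at or above the threshold, grouped by key(ts).

    key=lambda ts: ts.date() gives the Utilization Over Threshold view;
    key=lambda ts: ts.hour gives the Heatmap view. Buckets with no hits are omitted.
    """
    buckets = defaultdict(lambda: {"ingress": 0, "egress": 0})
    limit = capacity_mbps * threshold / 100.0
    for ts, ingress, egress in samples:
        if ingress >= limit:
            buckets[key(ts)]["ingress"] += 1
        if egress >= limit:
            buckets[key(ts)]["egress"] += 1
    return dict(buckets)


def clarity_summary(samples, capacity_mbps):
    """Bundle the three views the way the report package presents them."""
    return {
        "quadrant": utilization_quadrant(samples, capacity_mbps),
        "over_threshold_by_day": minutes_over_threshold(samples, capacity_mbps, lambda ts: ts.date()),
        "heatmap_by_hour": minutes_over_threshold(samples, capacity_mbps, lambda ts: ts.hour),
    }


if __name__ == "__main__":
    capacity = 100.0                       # constructed 100 Mbps MPLS circuit
    summary = clarity_summary(build_sample_week(capacity), capacity)
    q = summary["quadrant"]
    print(f"p90 ingress {q['ingress_p90']:.0f}%  p90 egress {q['egress_p90']:.0f}%  review={q['review']}")
    for day, counts in sorted(summary["over_threshold_by_day"].items()):
        print(day, counts)
    print("egress hotspot hours:",
          {h: c["egress"] for h, c in sorted(summary["heatmap_by_hour"].items())})
```

The output reproduces the pattern the sample charts describe: the circuit is flagged on egress only, every weekday carries 180 minutes over threshold, and the hotspot hours split between the 10:00 business-hours spike and the 20:00-22:00 after-hours job.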

Hotspots
The Hotspot reports provide each site and circuit with a corresponding Heatmap report for
granular insight into the circuits at the hotspots' time. The reports provide a list of applications,
undefined domains, destination IPs, source IPs, and source and destination IP pairs observed
during the hotspots.


A hotspot is any period when the circuit utilization in either the ingress or egress direction is
above 70% of the provisioned bandwidth. The charts generated for each hotspot report display
the top 10, and a companion CSV file within the package provides all of the data for each
hotspot report. The charts are generated for the top 10 largest sites by volume. You can
preview these charts.

Hotspot Report          Description

Hotspots: Applications
  Provides clarity as to which applications contribute to the hotspots. The report gives insight
  into whether business-relevant applications are consuming bandwidth during hotspots. This
  information can be instrumental in ensuring that the appropriate QoS and Path policies are
  applied in the future to guarantee that business-critical applications are serviced first, with
  non-business-relevant applications potentially offloaded to alternate paths. If business-critical
  applications contribute to the hotspots week after week, reassess if the circuit capacity may be
  oversubscribed.

  The sample chart above lists the top 10 applications accessed during hotspots on the MPLS
  link at Chicago for one week. One of the takeaways from this report is the amount of traffic
  matching enterprise SSL and enterprise-unknown applications, which are generic catch-all
  applications for flows destined to enterprise prefixes: SSL and non-SSL (and non-HTTP),
  respectively.
  The next set of reports around undefined domains and destination IPs can help clarify which
  enterprise FQDNs and IPs have the highest traffic to see if they are candidates for custom
  application creation.

Hotspots: Destination IPs
  Based on the hotspots identified in the heatmap, the Hotspots: Destination IPs report clarifies
  which destination IP addresses contributed to the hotspots. This report is useful to correlate
  with the Hotspots: Application report, especially when the top application is a generic one like
  enterprise-unknown.
  With these destination IP addresses, you will have enough information to create a custom
  application so that you can apply unique QoS, path, or security policies to these flows as
  needed, or at a minimum, define an application for purposes of utilization tracking and
  performance.

  The sample chart above lists the top 10 destination IP addresses accessed when the MPLS link
  in Chicago was hot.

Hotspots: Undefined Domains
  Lists the HTTP and SSL undefined domains that you may observe during the hotspots. As
  these domains currently do not map to any system or previously defined custom application
  signatures, you may not be able to service them appropriately. Instead, you may observe the
  domains match the flow of the generic application signatures of enterprise-SSL,
  enterprise-HTTP, HTTP, or SSL.
  This report is useful to correlate with the Hotspots: Application report, especially when the
  top application is a generic one like enterprise-http or enterprise-ssl. With these domains, an
  administrator will have enough information to create a custom L7 application definition and
  apply unique QoS, path, or security policies to these flows as needed, or at a minimum, define
  an application for purposes of utilization tracking and performance.

  The sample chart above lists the top 10 domains accessed when the MPLS link in Chicago was
  experiencing a hotspot in either the ingress or egress direction.

Hotspots: Source IPs
  Helps you understand the consumption from an end user’s perspective. It sheds light on the
  top bandwidth consumers from a source IP perspective during the observed hotspot periods.
  This information can help filter out sources that may contribute to the unnecessary load on the
  circuit, for example, a server that runs unscheduled backup replication jobs during regular
  business hours.

  The sample chart above lists the IP addresses of the top 10 users who were active when the
  MPLS link in Chicago was experiencing a hotspot in either the ingress or egress direction.

Hotspots: Source IP – Destination IP Pairs
  While the previous Hotspot reports provided visibility into the most-active origin and
  endpoints when the link was hot, this report, Hotspots: Source IPs and Destination IPs, lists
  the most active source-destination IP pairs.
  This report helps determine if the same set of source and destination IP pairs contribute to
  the contention week after week.

  The sample chart above lists the top 10 source and destination IP pairs that were active when
  the MPLS link in Chicago was experiencing a hotspot in either the ingress or egress direction.

Top N
Top N reports are a set of reports that provide insight into the top applications, source IPs,
destination IPs, source and destination IP pairs, and undefined domains for the entire week. You
may view these reports at a site level. They include a chart listing the top 10 of each category and
a companion CSV file with information about all the contributors in that specific category. The
charts are generated for the top 10 largest sites by volume. You can preview these charts. You
can use insights from this report to understand site-specific trends and turn them into actions
such as changing path policies, changing application priorities, and reassessing the provisioned
bandwidth for over-subscribed and under-utilized circuits.
Unlike the Hotspots report, which only looks at flows that traversed the network during periods
of hotspots, the Top N reports study flow and application data for the entire week to determine
which applications, users, and domains contribute the most to high bandwidth utilization.
As shown in the previous sections, sample reports for the Chicago branch for the same week are
listed below.

Top N Report Description

Top N: Applications
Lists the top applications for the entire week and is not limited
to hotspots. You may generate this report per site, unlike the
Hotspots Application report, which is specific to periods of
hotspots (utilization over 70%) on a particular circuit.
The sample chart above lists the top 10 applications for Chicago
across all circuits for the week. Note that a similar set of
applications is listed in the Hotspot: Applications chart for
the Chicago MPLS circuit. This indicates that further refinement
of application definitions is required, with possible path, QoS,
and security policies.

Top N: Source IPs
Lists the top source IPs for the entire week and is not limited
to hotspots. You may generate this report per site, unlike the
Hotspots Source IP report, which is specific to periods of
hotspots (utilization over 70%) on a particular circuit.
The report above was generated for Chicago for the same
duration as the Hotspots Source IP report shown in an earlier
section. Note that the top users for the week differ from the
top users during hotspots. If there is an overlap with the
Hotspots Source IP report, a possible conclusion is that the
end user experience was impacted, which could have affected
application SLAs.

Top N: Destination IPs
Lists the top destination IPs for the entire week and is not
limited to hotspots. You may generate this report per site,
unlike the Hotspots Destination IP report, which is specific to
periods of hotspots (utilization over 70%) on a particular circuit.
This report helps understand where most traffic was destined
during the week. One potential use case for this information
is the flagging of anomalous or ill-intended destination IPs.
The report above lists the top 10 destination IP addresses for
the Chicago branch for the same duration as analyzed in the
Hotspots Destination IPs report in the earlier section. Notice
that some IP addresses overlap between the two reports, which
could prompt an administrator to create one or more custom
applications to track performance and utilization for these
highly utilized destination IP addresses.

Top N: Undefined Domains
Lists the top HTTP and SSL domains accessed per site during
the week. These domains currently do not map to any system-defined
or previously defined custom application signatures and
therefore may not be appropriately serviced. Instead, you
may observe these domains in flows that match the generic
application signatures enterprise-SSL, enterprise-HTTP,
HTTP, or SSL.
This report helps identify missing domains for existing
custom applications or indicates a need to create new custom
applications.
The image above lists the top 10 domains at the Chicago
branch. If significant traffic to 10.212.26.24 is observed week
after week, an administrator should assess whether this domain
belongs to an existing application. If not, it is recommended that
a custom application be created for this domain to receive
appropriate tracking and policy treatment.

Application Volume per Circuit


The Application Volume per Circuit reports list the total volume of application data transferred
per circuit and provide this information in a CSV file format. The report helps understand how
traffic is shaped and how application traffic is load-balanced across the available paths.
This data helps redefine path policy. A significant use case is studying application data on metered
links. If applications other than mission-critical applications are visible on these links, they can
incur unnecessary charges on these metered links. In such an event, the application policy for these
links can be rewritten to remove the metered link as a possible path option.


WAN Clarity Data Center Reports


The Data Center reports provide insight into utilization trends from a data center perspective.
Similar to the branch reports, these reports identify top applications, source IP addresses,
destination IP addresses, source-destination IP address pairs, and undefined domains, along with
top branches. You can generate this set of reports for hotspots observed in the data center.
It is important to note that the hotspot definition for a data center differs from that for a branch.
For branches, utilization over 70% of configured bandwidth is considered a hotspot; for a data
center, you may consider utilization at the 90th percentile as a hotspot. It is therefore
imperative that you accurately set the circuit bandwidth allocations at the data center. These
reports provide an approximation of the utilization trends, as the generated reports only consider
overlay paths.
In summary, the WAN Clarity Report is generated every week to help you understand how the
circuits in the Prisma SD-WAN AppFabric are utilized from an entire-fabric, site, circuit,
application, and user perspective. These reports provide actionable insights that you can use for
capacity planning, path policy adjustments, QoS policy adjustments, and enforcement of proper
use of network resources by the end-user community.
The following sections describe the data center reports in the WAN Clarity Reports in more detail.
• Traffic Distribution
• Circuit Utilization
• Top N Reports

Traffic Distribution
The Traffic Distribution report helps administrators understand traffic volume distribution to
all the data centers in the AppFabric. These reports help understand traffic flow from branches,
applications, and top applications from top branches to and from the data centers in the form
of Sankey charts. These reports deliver an HTML report with Sankey charts for the top 10
contenders and a CSV file with the entire dataset.
Traffic Distribution: Top Applications Report
Provides details into the flow of application traffic to and from all the data centers in the
AppFabric. It provides visibility into the top 10 ingress and egress applications by volume.


The HTML report also provides an insight into top applications by total volume across all the DCs
in the form of a Combined Egress and Ingress traffic report.

In the examples above, there is only a single data center: DC1. The data flow label above the data
center block indicates traffic flow, either to or from that data center.
In the case of multiple DCs, you may decipher the traffic volume going to each of the data centers
from the flow stream's thickness. The supplemental CSV can help understand the accurate
distribution of application traffic volume across the data centers.


See the sample report below:


Traffic Distribution: Top Branches Report


Provides details into the flow of branch traffic to all the data centers in the AppFabric. It provides
visibility into the top 10 ingress and egress flows from branches by volume and a combined
summary report.


Traffic Distribution: Top Applications from Top Branches


Provides details into the top 10 applications emerging from the top 10 branches to all the data
centers in the AppFabric. The report provides visibility into top ingress and egress branches and
the top applications' flow by volume emerging from these branches.


Circuit Utilization
The Circuit Utilization report provides the utilization summary for all DC circuits in both the
ingress and egress directions. The report consists of raw data packaged in CSV files that contain
circuit utilization data and percentile utilization. The report package also contains an HTML
report for each DC circuit.
The HTML report contains a series of topics that shed light on the bandwidth utilization, observed
hotspots, and the branches, applications, source IPs, destination IPs, and unknown domains
contributing to those hotspots. A circuit is classified as hot when its utilization is at the 90th
percentile. The report summarizes the circuit configuration and bandwidth utilization in the form
of provisioned bandwidth, median utilization, and 90th percentile utilization.


The table above is from a report for DC1 - Circuit, where the 90th percentile utilization is at
5.33595% of the provisioned bandwidth, indicating that the circuit is not contended and is possibly
overprovisioned.
The Circuit Utilization report then plots the utilization trend for the past week in an interactive
chart that you can zoom in on to study the trend in detail. It also marks the 90th percentile
utilization and highlights hotspots in red.

In the sample report above, utilization above 53.35951 Mbps, the 90th percentile value from the
table, is highlighted in red as a possible hotspot.
The Circuit Utilization report then highlights the top branches, applications, source IPs (branch
IPs for ingress reports), destination IPs (branch IPs for egress reports), IP pairs, and undefined
domains contributing to the hotspot. The sample reports below highlight the top contributors to
the hotspots for DC1 – Circuit 1.
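The two hotspot rules described in this chapter (branch circuits: utilization over 70% of provisioned bandwidth; data center circuits: utilization above the 90th percentile) and the Hotspot versus Top N distinction from the branch Top N section, as an added Python example. This is not code from the guide or from the Prisma SD-WAN product: the utilization samples, flow records, site names and addresses are constructed, and the nearest-rank percentile method is an assumption, since the guide does not state how the 90th percentile is computed.

```python
import math
from collections import Counter
from statistics import median

# Constructed sample data: ten utilization samples (Mbps) for one DC circuit
# and a handful of flow records keyed by the sample interval they fell in.
PROVISIONED_MBPS = 1000
SAMPLES_MBPS = [30, 40, 45, 50, 52, 48, 60, 300, 35, 42]
FLOWS = (
    [{"interval": i, "src": "10.1.1.20", "app": "sharepoint", "mbytes": 200}
     for i in range(7)]
    + [
        {"interval": 2, "src": "10.1.1.5", "app": "enterprise-ssl", "mbytes": 150},
        {"interval": 7, "src": "10.1.1.5", "app": "enterprise-ssl", "mbytes": 500},
        {"interval": 7, "src": "10.1.1.9", "app": "backup-replication", "mbytes": 900},
        {"interval": 7, "src": "10.1.1.5", "app": "enterprise-ssl", "mbytes": 300},
    ]
)


def percentile(values, pct):
    """Nearest-rank percentile.  Assumption: the guide names the 90th
    percentile but not the method, so nearest rank is used here."""
    ordered = sorted(values)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def hotspot_threshold(samples, provisioned_mbps, site_type):
    """Branch circuits are hot above 70% of provisioned bandwidth;
    data center circuits are hot above their 90th percentile utilization."""
    if site_type == "branch":
        return 0.7 * provisioned_mbps
    if site_type == "dc":
        return percentile(samples, 90)
    raise ValueError(f"unknown site type {site_type!r}")


def hot_intervals(samples, provisioned_mbps, site_type):
    """Indexes of the samples that the report would highlight in red."""
    threshold = hotspot_threshold(samples, provisioned_mbps, site_type)
    return {i for i, v in enumerate(samples) if v > threshold}


def top_n(flows, key, n=3, intervals=None):
    """Rank flow contributors by volume.  With intervals=None this is the
    Top N view (whole week); with the set of hot intervals it is the Hotspot
    view, which only counts flows that overlapped a hotspot."""
    totals = Counter()
    for flow in flows:
        if intervals is None or flow["interval"] in intervals:
            totals[flow[key]] += flow["mbytes"]
    return totals.most_common(n)


def circuit_summary(samples, provisioned_mbps, site_type, flows):
    """The three figures from the Circuit Utilization table plus both rankings."""
    hot = hot_intervals(samples, provisioned_mbps, site_type)
    p90 = percentile(samples, 90)
    return {
        "provisioned_mbps": provisioned_mbps,
        "median_mbps": median(samples),
        "p90_mbps": p90,
        "p90_pct_of_provisioned": 100 * p90 / provisioned_mbps,
        "hot_intervals": sorted(hot),
        "hotspot_top_src": top_n(flows, "src", intervals=hot),
        "week_top_src": top_n(flows, "src"),
    }


if __name__ == "__main__":
    for key, value in circuit_summary(SAMPLES_MBPS, PROVISIONED_MBPS, "dc", FLOWS).items():
        print(f"{key}: {value}")
```

On the constructed data the week-long Top N ranking is led by a source that never appears in a hot interval, while the Hotspot ranking is led by the backup job that coincided with the spike; that is the gap the guide asks you to compare between the two reports.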

Hotspot Reports
The Hotspot reports generated for every DC site circuit give us visibility into the circuit’s 90th
percentile utilization. The reports provide a list of branches, applications, undefined domains,
destination IPs, source IPs, and source and destination IP pairs observed during the hotspots.


Hotspot Report Description

Hotspot: Top Branches
Highlights the traffic volume contributed by the top 10
branches during the hotspot observed on the DC circuit.
Use data from this report to redefine data center transit
features under path policies for branches.
The top branches transmitting traffic on this circuit when
utilization is above the 90th percentile are shown below:

Hotspot: Top Apps
Highlights the top 10 applications contributing to the hotspot
observed on the DC circuit over the course of the week.
Use data from this report to redefine path policies for
applications that may be offloaded directly to the internet. This
report can also help network administrators redefine application
priority to apply the right QoS to frequently used applications.
The top applications receiving traffic on this circuit when
utilization is above the 90th percentile are shown below:

Hotspot: Top Undefined Domains
Highlights the top 10 undefined domains contributing to the
hotspot observed on the DC circuit over the week.
Use data from this report to redefine existing custom
applications or create new custom applications.
The top undefined domains discovered for the apps http, ssl,
enterprise-http, and enterprise-ssl, receiving traffic on this
circuit when utilization is above the 90th percentile, are shown
below:

Hotspot: Top Source IPs
Highlights the top 10 source IPs contributing to the hotspot
observed on the DC circuit over the week. For the ingress
direction, these IPs are the branch IPs.
For the egress direction, these IPs are the source IPs within
the data center, indicating that the data center is the origin of
the flows.
Use data from this report to identify top contributors to
the hotspot on the DC circuit and establish proper network
resource enforcement.

Hotspot: Top Destination IPs
Highlights the top 10 destination IPs contributing to the
hotspot observed on the DC circuit over the week.
For the egress direction, these IPs are the branch IPs, indicating
that the flows terminate at branches in the AppFabric.
Use data from this report to identify top contributors to
the hotspot on the DC circuit and establish proper network
resource enforcement.

Hotspot: Top IP Pairs
Highlights the top 10 source and destination IP pairs
contributing to the hotspot observed on the DC circuit over the
week.

The Circuit Utilization report is generated for both the ingress and egress directions of each data
center circuit. Use it to assess utilization trends, refine path and QoS policies, and identify users
who are misusing network resources, so that network administrators can enforce proper use of
network resources.

Top N Reports
The Top N reports are a set of reports that provide insight into the top branches, applications,
source IPs, destination IPs, source and destination IP pairs, and undefined domains for the entire
week. Generate these reports for each data center in a CSV file with information about all the
specific category contributors.
Use the insights from this report to understand site-specific trends and turn them into actions
such as changing path policies, changing application priorities, and reassessing the provisioned
bandwidth for over-subscribed and under-utilized circuits.
Unlike the Hotspots report, which only looks at flows that traversed the network during periods
of hotspots, the Top N report studies flow and application data for the entire week to determine
which applications, users, and domains contribute the most to high bandwidth utilization.


WAN Clarity Aggregate On-Demand Bandwidth Reports


Prisma SD-WAN Bandwidth Licensing On Demand is a flexible licensing model that helps
enterprises adapt to varying bandwidth requirements at branch sites caused by increasing
cloud adoption, voice/video application consumption, and a hybrid workforce, all of which
contribute to variable traffic bursts and consumption.
WAN Clarity aggregate bandwidth reports provide visibility into bandwidth utilization aggregated
across all branches for monitoring and planning purposes.
The bandwidth utilization is measured as follows:
1. All the ION devices report the ingress and egress bytes used every minute.
2. These one-minute readings are combined into contiguous 5-minute blocks.
3. The biggest 5-minute block is selected, and it becomes the basis for reporting aggregate
bandwidth for a specific 24-hour period.
4. The utilization is measured based on the total cumulative (aggregate) bandwidth (ingress
+ egress) passing through the ION device across WAN interfaces during the designated
period of time.
5. The information is displayed on a monthly basis.
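The five measurement steps above, carried out over constructed per-minute readings, as an added Python example that is not code from the guide or from the Prisma SD-WAN product. The device names, timestamps and byte counts are constructed; summing the readings of all devices into one block is an assumption about what "aggregated across all branches" means, and the Mbps conversion treats each 5-minute block as 300 seconds.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
BLOCK_MINUTES = 5


def build_sample_readings():
    """Constructed per-minute readings: (device, timestamp, ingress_bytes, egress_bytes)."""
    readings = []
    day1 = datetime(2024, 6, 1, 0, 0, tzinfo=UTC)
    for m in range(10):                      # ion-a: 1 MB each way for ten minutes
        readings.append(("ion-a", day1 + timedelta(minutes=m), 1_000_000, 1_000_000))
    for m in range(3, 8):                    # ion-b: 5 MB ingress burst, minutes 3..7
        readings.append(("ion-b", day1 + timedelta(minutes=m), 5_000_000, 0))
    day2 = datetime(2024, 6, 2, 0, 0, tzinfo=UTC)
    for m in range(5):                       # ion-a only: 3 MB each way for five minutes
        readings.append(("ion-a", day2 + timedelta(minutes=m), 3_000_000, 3_000_000))
    return readings


def block_start(ts):
    """Floor a timestamp to the start of its contiguous 5-minute block."""
    return ts.replace(minute=ts.minute - ts.minute % BLOCK_MINUTES, second=0, microsecond=0)


def five_minute_blocks(readings):
    """Step 2: fold one-minute readings into 5-minute blocks.  Ingress and
    egress are added together (step 4); all devices are summed (assumption)."""
    totals = defaultdict(int)
    for _device, ts, ingress, egress in readings:
        totals[block_start(ts)] += ingress + egress
    return dict(totals)


def daily_peaks(readings):
    """Step 3: the biggest 5-minute block of each day is that day's aggregate
    bandwidth figure, expressed in Mbps.  Keyed by ISO date string."""
    peaks = {}
    for start, total_bytes in five_minute_blocks(readings).items():
        day = start.date().isoformat()
        if day not in peaks or total_bytes > peaks[day]["bytes"]:
            peaks[day] = {
                "block_start": start,
                "bytes": total_bytes,
                "mbps": total_bytes * 8 / (BLOCK_MINUTES * 60) / 1_000_000,
            }
    return peaks


def monthly_view(readings):
    """Step 5: daily figures grouped by month, oldest day first."""
    view = defaultdict(list)
    for day, peak in sorted(daily_peaks(readings).items()):
        view[day[:7]].append((day, round(peak["mbps"], 3)))
    return dict(view)


if __name__ == "__main__":
    for month, days in monthly_view(build_sample_readings()).items():
        print(month)
        for day, mbps in days:
            print(f"  {day}: {mbps} Mbps")
```

Because the selected value is the peak 5-minute block rather than a daily mean, a short burst from one device (here ion-b's five-minute ingress burst) sets the whole day's figure; that is why the guide groups readings into blocks before picking the maximum.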

Prisma SD-WAN SASE Easy Onboarding
Effortlessly integrate Prisma SD-WAN with Prisma Access through a native onboarding process.
Prisma Secure Access Service Edge (SASE) offers the most comprehensive solution in the industry
for secure access at the edge, allowing organizations to connect and safeguard users, devices, and
applications. Prisma SASE is the perfect fit for remote sites with single or multiple internet links,
ensuring direct, reliable, and secure connections to both public and private applications.
Earlier, you needed the Prisma Access for Networks (Cloud Managed) CloudBlade to connect
Prisma Access to Prisma SD-WAN. With the native SASE Integration with Prisma SD-WAN
feature, you can onboard Prisma SD-WAN sites directly to Prisma Access, without the need for a
CloudBlade.
Currently, this integration is supported only for Cloud Managed Prisma Access. Users with
Panorama Managed Prisma Access will be supported in future releases.
In case you have previously set up a CloudBlade to establish the connection between Prisma
SD-WAN and Prisma Access, you must first deactivate the CloudBlade and contact Palo Alto
Networks Customer Support before using this workflow.

Where Can I Use This?
• Strata Cloud Manager

What Do I Need?
Prisma SD-WAN
• Active Prisma SD-WAN license
• Prisma SD-WAN AppFabric deployed at one or more locations.
• Physical and/or virtual ION devices running software versions 5.6.X or higher.
Prisma Access Cloud Managed
• Prisma Access with Aggregate Bandwidth; the bandwidth licensing mode must be enabled per
compute location on the Prisma Access Cloud Managed portal.
• Identification of the IPSec Termination Nodes within Prisma Access for connectivity.
Ensure that you have Prisma Access (Cloud Managed) and Prisma SD-WAN in the same TSG.


Native SASE integration creates an IPSec tunnel between a Prisma SD-WAN circuit and Prisma
Access. To use this workflow you must first do the following:
• Create a Prisma SD-WAN branch site.
• Assign an ION device to the site.
• Attach a circuit to a WAN interface.


Connect a Single Prisma SD-WAN Site to Prisma Access



Use this workflow to onboard a single Prisma SD-WAN site to Prisma Access.


STEP 1 | Configure SASE connectivity.

This is a one-time activity.

1. Select Manage > Resources > SASE Connectivity.

2. Enter an ION Peering Default Local AS Number.

The BGP Local AS number is defined to quickly onboard ECMP sites. This can be any
16-bit AS number, but private BGP AS numbers are recommended.
3. Specify a Tunnel Inner IP Pool using IP/Mask notation.
This IP pool should be unused and unique across the entire network and should not
overlap the Palo Alto Service Infrastructure Subnet.

The number of tunnels that can be created from the Prisma SD-WAN fabric to
Prisma Access is directly limited by this configuration. Each tunnel uses
a /31 subnet from this pool.
4. (Optional) Select a Security Zone to bind the tunnel(s) created in the onboarding process
to the selected zone.
If you don’t select a Security Zone, the created tunnels will not be bound to a security
zone.

STEP 2 | Select Workflows > Prisma SD-WAN Setup > Branch Sites.

STEP 3 | Click Connect to Prisma Access for the site that you want to connect to Prisma Access under
Prisma Access Connection.

STEP 4 | Select a Prisma Access Location.

Prisma Access recommends the first location in the list closest to the Prisma SD-WAN
site address. The recommendation is based on the address (latitude and longitude
values) entered during site creation in Prisma SD-WAN.

STEP 5 | Select the corresponding IPSec Termination Node.


For every 1 Gbps of bandwidth allocated to a Prisma Access region, a new Termination Node is
spun up; you can accordingly select a different termination node.


STEP 6 | Click Connect Sites.


You can view the status of the connection in the SASE Connection column.

For each Prisma SD-WAN circuit for a site, a corresponding tunnel to Prisma Access
is created in this process. You can have a maximum of 4 circuits connecting to Prisma
Access for a site.

STEP 7 | (Optional) You can view the details of the Prisma Access peer by selecting Workflows >
Prisma SD-WAN Setup > Branch Sites > Select a Site > Overlay Connections > Branch-
Standard VPN.


STEP 8 | (Optional) To view additional information for SASE connectivity:


1. Select Workflows > Prisma SD-WAN Setup > Branch Sites and select a site.
2. View details in the Prisma Access Connectivity section.

3. (Optional) Click Edit to update the service connectivity details.


1. Select the Active Prisma Access Location and/or the IPSec Termination Node.
You can view the Allocated Bandwidth for each Prisma Access Location.
2. Click Next to update the remote network tunnel configuration details.
3. Click the pencil icon to update the details for a tunnel.

4. Click Update.
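A planning check for the Tunnel Inner IP Pool and local AS number entered in Step 1 and the four-circuit-per-site limit noted in Step 6, as an added Python example. This is not a Prisma SD-WAN API or code from the guide: the pool, the site circuit counts and the reserved subnet standing in for the Palo Alto Service Infrastructure Subnet are constructed placeholders, the allocation order of /31s is illustrative, and the private 16-bit AS range 64512-65534 is taken from RFC 6996, which the guide does not cite.

```python
import ipaddress

MAX_TUNNELS_PER_SITE = 4                  # guide: at most 4 circuits per site connect to Prisma Access
PRIVATE_ASN_RANGE = range(64512, 65535)   # RFC 6996 private 16-bit ASNs, 64512-65534

# Constructed inputs: a pool, a placeholder for the Service Infrastructure
# Subnet, and the number of circuits at each site being onboarded.
TUNNEL_POOL = "10.255.0.0/26"
RESERVED_SUBNETS = ["172.16.55.0/24"]
SITE_CIRCUITS = {"chicago": 2, "denver": 1, "austin": 5}


def check_local_asn(asn):
    """Validate the ION Peering Default Local AS Number: it must fit in 16 bits,
    and a private ASN is what the guide recommends.  Returns (valid, private)."""
    valid = 1 <= asn <= 65535
    return valid, valid and asn in PRIVATE_ASN_RANGE


def tunnel_capacity(pool_cidr):
    """Each tunnel takes a /31 from the pool, so capacity is addresses / 2."""
    return ipaddress.ip_network(pool_cidr).num_addresses // 2


def tunnels_required(site_circuits):
    """Tunnels needed for the sites being onboarded, capping each site at the
    per-site maximum and reporting the sites that exceed it."""
    needed, over_limit = 0, []
    for site, circuits in site_circuits.items():
        if circuits > MAX_TUNNELS_PER_SITE:
            over_limit.append(site)
        needed += min(circuits, MAX_TUNNELS_PER_SITE)
    return needed, over_limit


def check_pool(pool_cidr, reserved_cidrs, site_circuits):
    """Summarise whether the pool is unique on the network and large enough."""
    pool = ipaddress.ip_network(pool_cidr)
    overlaps = [c for c in reserved_cidrs if pool.overlaps(ipaddress.ip_network(c))]
    needed, over_limit = tunnels_required(site_circuits)
    capacity = tunnel_capacity(pool_cidr)
    return {
        "capacity": capacity,
        "tunnels_needed": needed,
        "sites_over_limit": over_limit,
        "overlaps": overlaps,
        "ok": not overlaps and needed <= capacity,
    }


def assign_tunnel_subnets(pool_cidr, site_circuits):
    """Hand out one /31 per (site, circuit) in order.  The ordering is an
    illustrative assumption; the point is that the pool is consumed two
    addresses at a time and runs out at capacity."""
    slots = ipaddress.ip_network(pool_cidr).subnets(new_prefix=31)
    assigned = {}
    for site, circuits in site_circuits.items():
        for circuit in range(1, min(circuits, MAX_TUNNELS_PER_SITE) + 1):
            try:
                assigned[(site, circuit)] = str(next(slots))
            except StopIteration:
                raise ValueError(f"tunnel pool {pool_cidr} exhausted at {site} circuit {circuit}")
    return assigned


if __name__ == "__main__":
    print(check_local_asn(65001))
    print(check_pool(TUNNEL_POOL, RESERVED_SUBNETS, SITE_CIRCUITS))
    for key, subnet in assign_tunnel_subnets(TUNNEL_POOL, SITE_CIRCUITS).items():
        print(key, subnet)
```

Run the check before Step 1 rather than after: the pool is a one-time setting, and a /31 per tunnel means a /24 supports 128 tunnels, which at four circuits per site is only 32 fully connected sites.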

Disconnect from Prisma Access


You can disconnect your site from Prisma Access. This removes the tunnel configuration between
Prisma SD-WAN and Prisma Access, but it stores SASE Configuration objects such as PA locations
and circuits for ease in reconnection.
STEP 1 | Select Workflows > Prisma SD-WAN Setup > Branch Sites and select a site.

STEP 2 | View details in the Prisma Access Connectivity section.

STEP 3 | Click Disconnect from Prisma Access.


Connect Multiple Prisma SD-WAN Sites to Prisma Access


Use this workflow to connect multiple Prisma SD-WAN sites to Prisma Access.
STEP 1 | Select Workflows > Prisma SD-WAN Setup > Branch Sites.

STEP 2 | Select the sites to be integrated and click Connect to Prisma Access.

STEP 3 | Verify the appropriate Prisma Access Location and IPSec Termination Node and click
Connect Sites.


Edit Application Policy Network Rules



When the IPSec tunnels are active from the Prisma SD-WAN sites to the Prisma Access regions,
the next step is to modify policies to send traffic down these tunnels. To begin this process, we
must modify Service and Data Center groups and configure these groups in policy.
When making policy configurations, remember that the ION devices make intelligent per-app
selections using the network policies to chain multiple path options together in Active-Active
and Active-Backup modes.
Example:
• Application A: Take Standard VPN direct to Prisma Access.
• Application B: Take Standard VPN direct to Prisma Access, with backup to Direct Internet.
• Application C: Use only Direct Internet.
The Prisma SD-WAN secure Application Fabric (AppFabric) enables granular control over a virtually
unlimited number of policy permutations, down to the sub-application level. Here are some of the
most common examples of how a traffic policy can be configured per application:
• Send all internet-bound traffic from a set of branches to Prisma Access. (Blanket Suspect list)
• Send all internet traffic direct to the internet except for certain applications needing additional
inspection or security. (Suspect list—Safelist)
• Send all internet-bound traffic from a set of branches to Prisma Access except for specific
known applications. (Suspect list—Safelist)
To modify application policy, perform the following steps, which are detailed in the following
sections:


Understand Service and Data Center Groups



Prisma SD-WAN maps standard services and Prisma SD-WAN data centers to labels to allow
flexibility when creating network policy rules, while accounting for uniqueness across sites. For
example, an administrator may want to create a single network policy that directs all HTTP and
SSL internet-bound traffic through the primary Palo Alto Prisma Access for Networks in the region
if it is available, and through the backup Palo Alto Prisma Access for Networks in the region
if it is not. Sites will have different primary and backup cloud security service endpoints based
on their geographic location, yet regardless of the site location, the intent and the policy rules
remain the same.
This is where the concept of endpoints, groups, and domains comes into play. To leverage the
underlying resources available to an administrator, it is important to understand how an endpoint,
a group, and a domain work in the Prisma SD-WAN system.
• Endpoint—A service endpoint is a label representing a specific location or network service. It
can be of type Prisma SD-WAN, specifically Prisma SD-WAN Data Centers for Data Center
transit services, or of type standard.
• Group—A service group is a label representing a set of common service endpoint types. This
service group label is used in network policy rules to express the intent to allow or force
traffic to the defined service endpoints. It can be of type Prisma SD-WAN or standard and may
contain zero or more service endpoints.


• Domain—A domain is a collection of groups which can be assigned to a set of sites. There can
be multiple domains defined, but a site may only be assigned to one domain at a time.

A site will be able to use only the endpoints configured in a group within a domain that is
assigned to the site. The same group, however, can be in multiple domains with different
service endpoints, allowing you to use the same policy across different sites utilizing
different endpoints.

Let us further explore the concept of endpoints, groups, and domains using the following
illustration.

The illustration displays how endpoints added to a group are associated with a domain. The
domains are then bound to a site, thus mapping standard services or Prisma SD-WAN data
centers uniquely for each site.

A group, with different endpoints, can be mapped to one or more domains and a domain
can be mapped to one or more sites.

Another example to illustrate the concept is shown. For a customer with sites in North America
and Europe that has one Prisma SD-WAN-enabled data center in each region and has adopted a
Palo Alto Prisma Access for Networks within each region, with two geographic locations in each
region, domain mapping is accomplished as follows:

The same endpoint can be added to more than one group. Only one active group and one
backup group may be used in a network policy rule.


Verify Standard VPN Endpoints



With the native integration of Prisma SD-WAN with Prisma Access, Standard Endpoints for all
Prisma Access regions will be created automatically. In addition, each of the endpoints will be
configured with a Liveliness probe to the Prisma Access Firewall monitor address. The monitor
will run an ICMP check every ten (10) seconds and mark the tunnel as failed after three (3)
consecutive failures. The only action required will be to add these Endpoints to Groups and
Domains.
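The probe behavior described above (one ICMP check every ten seconds, tunnel marked failed after three consecutive misses) can be modeled as a small counter, which is useful when reconciling a tunnel-down alarm against the probe timeline. The following is an added illustration written for this guide, not Prisma SD-WAN or Palo Alto Networks code; the class and function names are assumptions, and the rule that a single successful reply clears the failed state is also an assumption the guide does not spell out.

```python
"""Tunnel liveliness monitor model: an ICMP probe every 10 seconds, tunnel
marked failed after 3 consecutive probe failures. Added illustration, not
product code; class and function names are assumptions."""

from dataclasses import dataclass, field
from typing import List, Tuple

PROBE_INTERVAL_SECONDS = 10   # from the guide: ICMP check every ten seconds
FAILURE_THRESHOLD = 3         # from the guide: failed after three consecutive misses


@dataclass
class TunnelMonitor:
    """Tracks consecutive probe failures for one endpoint tunnel."""
    endpoint: str
    consecutive_failures: int = 0
    failed: bool = False
    # (elapsed seconds, event) pairs, handy when correlating with alarms
    events: List[Tuple[int, str]] = field(default_factory=list)

    def record_probe(self, tick: int, reply_received: bool) -> bool:
        """Feed one probe result. Returns True if the tunnel is currently marked failed."""
        elapsed = tick * PROBE_INTERVAL_SECONDS
        if reply_received:
            # Any reply resets the counter. Treating one reply as recovery is an
            # assumption; the guide only defines the failure side.
            if self.failed:
                self.events.append((elapsed, "recovered"))
            self.consecutive_failures = 0
            self.failed = False
        else:
            self.consecutive_failures += 1
            if self.consecutive_failures >= FAILURE_THRESHOLD and not self.failed:
                self.failed = True
                self.events.append((elapsed, "failed"))
        return self.failed


def replay(endpoint: str, probe_results: List[bool]) -> TunnelMonitor:
    """Replay a sequence of probe outcomes (True = reply received)."""
    monitor = TunnelMonitor(endpoint)
    for tick, ok in enumerate(probe_results, start=1):
        monitor.record_probe(tick, ok)
    return monitor


if __name__ == "__main__":
    # Constructed sample: two isolated misses do not fail the tunnel, three in
    # a row do, and the tunnel recovers on the next reply.
    sample = [True, False, False, True, False, False, False, True]
    m = replay("prisma-access-region-endpoint", sample)
    print(m.events)   # [(70, 'failed'), (80, 'recovered')]
```

Two isolated misses never trip the threshold, so a brief ICMP loss does not cause a path flap; only a sustained outage of at least 30 seconds marks the tunnel as failed.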


Configure Standard Groups


Where Can I Use This?
• Strata Cloud Manager

What Do I Need?
Prisma SD-WAN
• Active Prisma SD-WAN license
• Prisma SD-WAN AppFabric deployed at one or more locations.
• Physical and/or virtual ION devices running software versions 5.6.X or higher.
Prisma Access Cloud Managed
• Prisma Access with Aggregate Bandwidth; the bandwidth licensing mode must be enabled per
compute location on the Prisma Access Cloud Managed portal.
• Identification of the IPSec Termination Nodes within Prisma Access for connectivity.
Ensure that you have Prisma Access (Cloud Managed) and Prisma SD-WAN in the same TSG.

With the native SASE integration for Prisma SD-WAN, the default standard group Prisma Access:
All Regions will automatically be created.
The only action required will be to add the appropriate Prisma Access Region Endpoints to this
Group and any Domain (as needed).
STEP 1 | From Resources, select Service & DC Groups.

STEP 2 | Click Add next to Domains, provide a name in the popup and select Done.

STEP 3 | Next, map the service endpoints to the appropriate Prisma Access: All Regions group in each
domain.

If more than one endpoint is part of the group, they will be considered as equal in
network policy path selection.


STEP 4 | Finally, proceed to binding domains to sites.


Assign Domains to Sites


Where Can I Use This?
• Strata Cloud Manager

What Do I Need?
Prisma SD-WAN
• Active Prisma SD-WAN license
• Prisma SD-WAN AppFabric deployed at one or more locations.
• Physical and/or virtual ION devices running software versions 5.6.X or higher.
Prisma Access Cloud Managed
• Prisma Access with Aggregate Bandwidth; the bandwidth licensing mode must be enabled per
compute location on the Prisma Access Cloud Managed portal.
• Identification of the IPSec Termination Nodes within Prisma Access for connectivity.
Ensure that you have Prisma Access (Cloud Managed) and Prisma SD-WAN in the same TSG.

Binding a domain maps a site to that domain, which gives the site access to all the endpoints in
the groups mapped to the domain. Different domains can be mapped to different sites, but only
one domain may be mapped per site.
STEP 1 | Select Manage > Resources > Service & DC Groups.

STEP 2 | Select Sites.

STEP 3 | From the drop-down next to each site, select the appropriate domain.
To bulk edit all sites, select the Edit All button.

STEP 4 | Click Save.
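The endpoint, group, domain and site relationships used in this chapter can be captured in a small model that enforces the rules the guide states (an endpoint may sit in several groups, a group may map to several domains, a domain may bind to several sites, but a site binds to exactly one domain, and a policy rule carries one active and one backup group). The following is an added illustration for this guide, not Prisma SD-WAN or Palo Alto Networks code; the class and function names, the replace-on-rebind behavior, and the sample endpoint and site names are assumptions.

```python
"""Model of Service & DC Group objects: endpoints -> groups -> domains -> sites.
Added illustration; constraints are those stated in the guide, names are
assumptions and the sample data is constructed."""

from dataclasses import dataclass, field
from typing import Dict, List, Set


class MappingError(ValueError):
    """Raised when a mapping would violate a rule stated in the guide."""


@dataclass
class ServiceCatalog:
    groups: Dict[str, Set[str]] = field(default_factory=dict)    # group -> endpoints
    domains: Dict[str, Set[str]] = field(default_factory=dict)   # domain -> groups
    site_domain: Dict[str, str] = field(default_factory=dict)    # site -> its one domain

    def add_endpoint_to_group(self, group: str, endpoint: str) -> None:
        # The same endpoint may be added to more than one group.
        self.groups.setdefault(group, set()).add(endpoint)

    def map_group_to_domain(self, domain: str, group: str) -> None:
        # A group can map to one or more domains; a domain can hold many groups.
        if group not in self.groups:
            raise MappingError(f"unknown group {group!r}")
        self.domains.setdefault(domain, set()).add(group)

    def bind_site(self, site: str, domain: str) -> None:
        # Only one domain per site; rebinding replaces the previous choice
        # (assumed to match the per-site drop-down in the UI).
        if domain not in self.domains:
            raise MappingError(f"unknown domain {domain!r}")
        self.site_domain[site] = domain

    def endpoints_for_site(self, site: str) -> Set[str]:
        """Endpoints a site can reach through its bound domain (empty if unbound)."""
        domain = self.site_domain.get(site)
        if domain is None:
            return set()
        reachable: Set[str] = set()
        for group in self.domains[domain]:
            reachable |= self.groups[group]
        return reachable

    def sites_for_domain(self, domain: str) -> List[str]:
        return sorted(s for s, d in self.site_domain.items() if d == domain)


def validate_policy_groups(active: List[str], backup: List[str]) -> None:
    """A network policy rule may use only one active and one backup group."""
    if len(active) > 1 or len(backup) > 1:
        raise MappingError("only one active and one backup group per rule")


def build_sample_catalog() -> ServiceCatalog:
    # Constructed sample: two regional domains sharing the Prisma Access group.
    c = ServiceCatalog()
    c.add_endpoint_to_group("Prisma Access: All Regions", "pa-region-west")
    c.add_endpoint_to_group("Prisma Access: All Regions", "pa-region-central")
    c.add_endpoint_to_group("NA DC", "dc-na-1")
    c.add_endpoint_to_group("EU DC", "dc-eu-1")
    c.map_group_to_domain("North America", "Prisma Access: All Regions")
    c.map_group_to_domain("North America", "NA DC")
    c.map_group_to_domain("Europe", "Prisma Access: All Regions")
    c.map_group_to_domain("Europe", "EU DC")
    c.bind_site("Site-A", "North America")
    c.bind_site("Site-B", "Europe")
    c.bind_site("Site-C", "Europe")
    return c
```

Resolving `endpoints_for_site` is the check to run before changing a binding: it shows exactly which data centers and Prisma Access endpoints a site will be able to reach once the domain is saved.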

Prisma SD-WAN Incidents and
Alerts
Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

Learn about the incidents and alerts generated in the Prisma SD-WAN system.
• Incidents and Alarms
• Monitor Incidents
• Incident and Alarm Categories
• Alert and Incident Codes
• Troubleshoot Incidents
• Correlate Incidents with SNMP Traps
• Device High Temperature Incident
• Set Up Incident Policies

Prisma SD-WAN Device and
Tenant Management
Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

Prisma SD-WAN provides a set of operational features for Managed Service Providers (MSPs) to
manage devices and tenants within their purview.
• Multi-Tenancy
• MSP Account Roles and Permissions
• Manage Devices for Client Tenants

Multi-Tenancy
Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

The Prisma SD-WAN controller has multi-tenancy integrated into the solution, allowing service
providers, enterprise customers, and managed support organizations to provide dedicated
services based on their organizational structure. Some examples of multi-tenancy are:
• MSPs operating the Prisma SD-WAN environment for multiple customers.
• Enterprise customers with a central purchasing model, which uses several lines of business
independently within the enterprise.

• Prisma SD-WAN MSP Dashboard
• Monitor Tenant Devices
• Monitor Tenant Branches
• Monitor Tenant Alarms
• Access Child Tenants

Prisma SD-WAN MSP Dashboard


Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

Monitor your devices and tenants using the Prisma SD-WAN MSP dashboard. After logging in to
the Prisma SD-WAN MSP portal, access the dashboard by clicking Summary Dashboard.

The Summary screen displays a high-level summarized status of all your tenants. The information
is refreshed every 5 minutes. The Summary screen offers you the following widgets:

Widget: Description

Tenants by Open Alarms: Displays the open alarms by priority across all your tenants. Click
a priority to view the Alarms page. The tenant count shows the total number of tenants
available under the MSP tenant.

Top Tenants with Open Alarms: Displays the tenants with the maximum open alarms for a data
center site, branch site or across devices. Select the Data Center, Branch, or Device tab to
view the respective alarms. Click the alarm count to view the Alarms page.

Open Alarms by Codes: Displays the number of open alarms based on the alarm codes. Click the
Impacted Tenant to view the alerts and alarms for the tenant on the Events page within the
tenant portal. If more than one tenant has the same alarm, then an alarm count is displayed.
Click the alarm count to view the Alarms page on the MSP Portal.

Branch Health: Displays the health of a branch site. A branch has poor health when the site
health score is less than 60. The branch health score is determined by the best link health
score, so if all links have a health score lower than 60, the branch health score is also
lower than 60.

Branch Link Health: Displays the health of the Secure Fabric links for branches across all
tenants.
Good—Indicates a health score > 80.
Fair—Indicates a health score between 60 and 80.
Poor—Indicates a health score < 60.

Top Tenants with Poor Links: Displays the top tenants who have poor link health, in percent.
Prisma SD-WAN calculates the poor link health percentage for a tenant by dividing the number of
links having a health score of less than 60 by the total links for the tenant and multiplying
by 100.

Devices to Controller Connectivity: Displays the number of online and offline devices
connected to the Prisma SD-WAN controller for a branch and data center site. Click View All
Tenants with Offline Devices to view the device metrics for a tenant.

You will be able to view statistics for Branch Health, Branch Link Health, and Top
Tenants with Poor Links only after your tenant has been migrated to the new data lake
infrastructure. If you cannot view statistics, contact the Palo Alto Networks Accounts
Team.
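The Branch Health, Branch Link Health and Top Tenants with Poor Links widgets all derive from the same link-score arithmetic described above, and the boundary cases (a link scoring exactly 60 or 80, a tenant with no links reported) are where a hand check usually goes wrong. The following is an added illustration of that arithmetic written for this guide, not Prisma SD-WAN or Palo Alto Networks code; the function names and the sample tenant data are assumptions, and the choice to report 0.0 for a tenant with no links is an assumption the guide does not state.

```python
"""Branch and link health arithmetic as the MSP dashboard widgets describe it:
link bands Good (> 80), Fair (60 to 80), Poor (< 60); branch score = best link
score; tenant poor-link percentage = poor links / total links * 100.
Added illustration with constructed data; names are assumptions."""

from typing import Dict, List, Optional, Tuple

POOR_THRESHOLD = 60
GOOD_THRESHOLD = 80


def link_health_band(score: int) -> str:
    """Classify one link. Per the guide, exactly 80 and exactly 60 are Fair."""
    if score > GOOD_THRESHOLD:
        return "Good"
    if score >= POOR_THRESHOLD:
        return "Fair"
    return "Poor"


def branch_health_score(link_scores: List[int]) -> Optional[int]:
    """Branch score is the best link score; None when no links are reported."""
    return max(link_scores) if link_scores else None


def branch_is_poor(link_scores: List[int]) -> bool:
    """A branch is poor only when every one of its links is below 60."""
    score = branch_health_score(link_scores)
    return score is not None and score < POOR_THRESHOLD


def tenant_poor_link_percentage(branches: Dict[str, List[int]]) -> float:
    """Poor links / total links * 100 across all branches of one tenant.
    A tenant with no links reports 0.0 (assumption) instead of dividing by zero."""
    all_links = [s for scores in branches.values() for s in scores]
    if not all_links:
        return 0.0
    poor = sum(1 for s in all_links if s < POOR_THRESHOLD)
    return round(100.0 * poor / len(all_links), 1)


def top_tenants_with_poor_links(
    tenants: Dict[str, Dict[str, List[int]]], n: int = 3
) -> List[Tuple[str, float]]:
    """Rank tenants by poor-link percentage, highest first."""
    ranked = sorted(
        ((tenant_poor_link_percentage(b), name) for name, b in tenants.items()),
        reverse=True,
    )
    return [(name, pct) for pct, name in ranked[:n]]


# Constructed sample: tenant -> branch -> link health scores.
SAMPLE_TENANTS: Dict[str, Dict[str, List[int]]] = {
    "tenant-a": {"branch-1": [95, 40], "branch-2": [55, 58]},
    "tenant-b": {"branch-1": [81, 80], "branch-2": [60]},
    "tenant-c": {},
}

if __name__ == "__main__":
    for name, branches in SAMPLE_TENANTS.items():
        poor = [b for b, s in branches.items() if branch_is_poor(s)]
        print(name, tenant_poor_link_percentage(branches), "poor branches:", poor)
```

In the sample, tenant-a's branch-1 keeps a good branch score because one link is healthy even though the other is poor, while branch-2 counts as poor; tenant-a's poor-link percentage is 75.0 because three of its four links are below 60.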

Monitor Tenant Devices


Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

Monitor the health of your devices across all your tenants from the Prisma SD-WAN MSP Portal.

STEP 1 | Select Monitor > Devices.

STEP 2 | Use the following widgets to monitor the health of your devices.
Devices to Controller Connectivity
The Devices to Controller Connectivity widget depicts the number of online and offline
devices connected to the Prisma SD-WAN controller for a branch and data center site across
your tenants.
Tenant Device Metrics
The Tenant Device Metrics widget displays the number of online and offline devices for
individual tenants. Click a tenant to view the details for the online and offline devices for the
tenant.

Click the User icon and select MSP Portal to return to the MSP portal.

You can sort devices for branches and data centers based on their connectivity to the
controller by clicking Online or Offline on the Devices to Controller Connectivity widget. For
example, when you click Online under the Data Center column on the Devices to Controller
Connectivity widget, the Data Center Device Connectivity column on the Tenant Device
Metrics widget displays the number of online data center devices.

Monitor Tenant Branches


Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

Monitor the health of your branches across all your tenants from the Prisma SD-WAN MSP
Portal.

STEP 1 | Select Monitor > Branches.


The Branch and Branch Link Health widget displays the link health for all branches.
• Good—Indicates a health score > 80.
• Fair—Indicates a health score between 60 and 80.
• Poor—Indicates a health score < 60.
The Tenant Branch Metrics widget displays branch health and link health for branches for
individual tenants.

STEP 2 | (Optional) Click a Tenant name to view the dashboard for a tenant.

Click the User icon and select MSP Portal to return to the MSP portal.

Monitor Tenant Alarms


Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

Monitor the open alarms for devices across all your tenants.
STEP 1 | Select Alarms on the left pane.

The Alarms page displays alarms based on priority.


The Tenant Alarm Metrics widget displays the total open alarms and alarms based on priority
for individual tenants.
You can filter alarms based on priority. For example, when you click the count for Tenant with
P2 Alarms, the Tenant Alarm Metrics widget sorts tenants based on the number of open P2
alarms. The default sorting is based on P1 alarms.

STEP 2 | (Optional) Click a Tenant name or an Alarm to view details of the alarms for the tenant.

Access Child Tenants


Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

Access your child tenants from the Prisma SD-WAN MSP dashboard.
STEP 1 | Select Manage > Dashboard.

STEP 2 | Click a tenant from the Tenant List to view the Summary dashboard for your child tenant.

Device Lifecycle
Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

From the Prisma SD-WAN web interface, you as a managed service provider have the ability to
manage the lifecycle of the ION devices in your deployment. Some of the supported capabilities
are:
• Centralized device inventory management (MSP parent tenant).
• Assignment and allocation of device resources to associated child tenants.
• Software upgrade and downgrade capabilities for device and tenant assignments.
• Reclamation of child tenants' resources when no longer needed, returning devices to the
resource pool for re-allocation and re-assignment.
• Streamlined support processes.

The Device Lifecycle capability applies only to physical ION devices and not to virtual devices
(vffs).

Tenant Types
Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

There are different tenant types within the Prisma SD-WAN MSP environment.
Prisma SD-WAN Support Tenant—is an MSP tenant that Palo Alto Networks Operations and
Support teams use to allocate MSP and child tenant(s) devices.
MSP Tenant—is a tenant in the Prisma SD-WAN environment that manages networks of other
tenants. MSP tenant operators cannot delete tenants. They can only assume a role within the
regular tenant they are managing.

Client Tenants—are tenants who have ION devices assigned and deployed to various sites. One
or more MSP tenants can manage these tenants. However, a single device in the child tenant can
only be assigned to a single MSP tenant.
The Prisma SD-WAN support and operations teams allocate the devices to an MSP tenant.

MSP Account Roles and Permissions


Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

Role-based access control and authentication are supported for all operations performed by the
MSPs. The MSP tenant, though subservient to the Prisma SD-WAN tenant, acts as a super-tenant
to all the client tenants under its control.
Typically, MSP accounts are regular user accounts with an additional set of roles, and Single Sign-
On (SSO) access through an enterprise Identity Provider (IdP). A group name within an IdP
system may be mapped to a custom role of the same name. The MSP roles and their
responsibilities can be classified as:

MSP Role: Permissions

MSP Root (esp_root): A single root user who has complete control over all aspects of the MSP
account. A root user is intended to be a fail-safe, fallback user account and should not be used
for regular day-to-day access, administration, and management.

MSP Super (esp_super): A super administrator with privileges to manage other user accounts
within the provider account. Optionally, this administrator manages and administers other
customer networks.

Identity and Access Management (IAM) Administrator (esp_iam_admin): An IAM administrator
with privileges to manage other user accounts within the MSP account.

ESP Machine Admin (esp_machine_admin): An administrator with privileges to manage machine
(ION device) allocation and deallocation to child tenants.

MSP User (esp_user): A user with privileges to manage and administer other customer networks
after an administrator has assigned the user to a customer account.

In an MSP account, you may view, manage, or administer other client networks and accounts if:
• The client and the provider authorize the client account for management by the provider. This
authorization takes place through Prisma SD-WAN customer support for security and tracking.
• Specific users of a provider account are assigned to manage specific, approved client
accounts for that provider. This is handled by the users of a provider account who have super
administrator or administrator privileges.

Add a User Role in the Child Tenant


Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

A parent tenant can add a user to operate in the child tenant environment. The permissions and
access for this user will be determined by the child tenant.
STEP 1 | In the MSP Portal, select Manage > System > User Management.

STEP 2 | Click Add User.

STEP 3 | Add the user details.

STEP 4 | For Clients Administered, select a child tenant.

STEP 5 | Click the Role drop-down to select a role for the user.

The roles displayed are those configured in the child tenant. If the specific role is not
configured in the child tenant, you will not be able to select it from the Role drop-down.

STEP 6 | Click Done and then click Save.

Manage Devices for Client Tenants


Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

Prisma SD-WAN allocates the devices to MSP tenant(s) through their support or operations team.
MSP tenants can manage the device's lifecycle based on their Roles and Permissions.
• Allocate a Device
• Return a Device
• Re-allocate a Device
• Revoke the Device

Allocate a Device
STEP 1 | Log in to the MSP Portal with valid credentials.

STEP 2 | Select Manage > Devices.


Multiple regions where the MSPs can manage their client tenants are listed.

STEP 3 | Select the region from where the device needs to be allocated to the client tenant.
The inventory of devices allocated to the MSP tenant for the region is listed in the Available
for Client Allocation state.
Sales Order # can be used to group all devices in the same order and simplify bulk device
allocation to a tenant.
Order Association Date (UTC) shows the date associated with the order.

STEP 4 | (Optional) Apply any of the following filter criteria to refine your search.
• Search for a device with the model or serial #.
• Select any client from the drop-down to view the devices allocated to that client by the
logged in MSP.
• Choose the state of the device from the drop-down.

STEP 5 | Allocate the device to a client tenant.


1. Select the device and choose Allocate the device from the ellipsis menu.
2. From the Allocate Device window, select Any Client available to the MSP.
3. Confirm to Allocate the device.

The allocated device is now listed in the client tenant’s inventory in an Unclaimed state.
Select Bulk Actions to allocate multiple devices to a single client tenant.

Return a Device
STEP 1 | Log in to the MSP Portal with valid credentials.

STEP 2 | Select Manage > Devices.


Multiple regions where the MSPs can manage their client tenants are listed.

STEP 3 | Select the region from where the device needs to be allocated to the client tenant.
The inventory of devices allocated to the MSP tenant for the region is listed in the Available
for Client Allocation state.

STEP 4 | (Optional) Apply any of the following filter criteria to refine your search.
• Search for a device with the model or serial #.
• Select any client from the drop-down to view the devices allocated to that client.
• Choose the state of the device from the drop-down.

STEP 5 | Return a device to Palo Alto.


1. Select the device state as Available for Client Allocation in the MSP inventory.
2. Select Return to Palo Alto from the ellipsis menu.
3. Confirm return of the device to Palo Alto.
The device returns to the Prisma SD-WAN inventory, where the support admin can re-allocate
the device or the customer support team can initiate the RMA process.
Select Bulk Actions to return multiple devices to Prisma SD-WAN.

Re-allocate a Device
STEP 1 | Log in to the MSP Portal with valid credentials.

STEP 2 | Select Manage > Devices.


Multiple regions where the MSPs can manage their client tenants are listed.

STEP 3 | Select the region from where the device needs to be allocated to the client tenant.
The inventory of devices allocated to the MSP tenant for the region is listed in the Available
for Client Allocation state.

STEP 4 | (Optional) Apply any of the following filter criteria to refine your search.
• Search for a device with the model or serial #.
• Select any client from the drop-down to view the devices allocated to that client.
• Choose the state of the device from the drop-down.

STEP 5 | Re-allocate the device to a client tenant.


1. Select the device state To Return from the Any State drop-down.
The device must be marked To Return by the client tenant for the MSP to re-allocate the
device.
2. Select the device from the list and click Re-allocate from the ellipsis menu.
3. From the Re-allocate Device window, select Any Client available to the MSP.
4. Confirm to Re-allocate the device.

The re-allocated device is now listed in the client tenant’s inventory in an Unclaimed
state.

Revoke the Device


STEP 1 | Log in to the MSP Portal with valid credentials.

STEP 2 | Select Manage > Devices.


Multiple regions where the MSPs can manage their client tenants are listed.

STEP 3 | Select the region from where the device needs to be allocated to the client tenant.
The inventory of devices allocated to the MSP tenant for the region is listed in the Available
for Client Allocation state.

STEP 4 | (Optional) Apply any of the following filter criteria to refine your search.
• Search for a device with the model or serial #.
• Select any client from the drop-down to view the devices allocated to that client.
• Choose the state of the device from the drop-down.

STEP 5 | Revoke a Device.


1. Select the device in the Available for Client Allocation state.
2. Select Revoke the device from the ellipsis menu.
3. Confirm to Revoke the device.

The device moves to the Revoked state where the client may mark the device as Return
to Prisma SD-WAN or Put device back in use.
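The four MSP device actions above (Allocate, Return to Palo Alto, Re-allocate, Revoke) and the client's choices from the Revoked state form a small state machine, and the MSP Account Roles and Permissions table decides who may drive it. The following is an added illustration of that state machine written for this guide, not Prisma SD-WAN or Palo Alto Networks code: the device states and role names are the ones the guide uses, while the class and function names, the transition table, the decision to admit only esp_root and esp_machine_admin to allocation actions (the two roles whose descriptions cover device control), the "In Use" label for a device put back in use, and the serial numbers are assumptions.

```python
"""Device lifecycle for the MSP device actions in this section, gated by MSP
roles. Added illustration, not product code: state and role names come from the
guide; names, transition table and the 'In Use' label are assumptions."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Roles whose description in the guide covers device allocation: the root user
# (complete control) and the machine admin (allocation and deallocation).
ALLOCATION_ROLES = {"esp_root", "esp_machine_admin"}

# MSP action -> (state the device must be in, state it moves to).
MSP_TRANSITIONS: Dict[str, Tuple[str, str]] = {
    "allocate":            ("Available for Client Allocation", "Unclaimed"),
    "return_to_palo_alto": ("Available for Client Allocation", "Returned to Prisma SD-WAN"),
    "re_allocate":         ("To Return", "Unclaimed"),
    "revoke":              ("Available for Client Allocation", "Revoked"),
}

# Client tenant choices from the Revoked state, as the guide describes them.
CLIENT_TRANSITIONS: Dict[str, Tuple[str, str]] = {
    "return_to_prisma": ("Revoked", "To Return"),   # enables MSP re-allocation
    "put_back_in_use":  ("Revoked", "In Use"),      # resulting label assumed
}


class LifecycleError(PermissionError):
    """Raised for a disallowed role or an illegal state transition."""


@dataclass
class Device:
    serial: str
    region: str
    state: str
    client: Optional[str] = None
    audit: List[str] = field(default_factory=list)   # who did what, as the Audit Logs tab would show


def msp_action(device: Device, action: str, role: str, client: Optional[str] = None) -> Device:
    """Apply one MSP portal action; refused unless both role and current state permit it."""
    if role not in ALLOCATION_ROLES:
        raise LifecycleError(f"role {role!r} may not manage device allocation")
    required, new_state = MSP_TRANSITIONS[action]
    if device.state != required:
        raise LifecycleError(f"{action} requires state {required!r}, device is {device.state!r}")
    if action in ("allocate", "re_allocate"):
        if client is None:
            raise LifecycleError("a client tenant must be selected")
        device.client = client
    elif action == "return_to_palo_alto":
        device.client = None
    device.audit.append(f"{role}:{action}:{device.state}->{new_state}")
    device.state = new_state
    return device


def client_action(device: Device, action: str) -> Device:
    """Apply one of the client tenant's choices on a revoked device."""
    required, new_state = CLIENT_TRANSITIONS[action]
    if device.state != required:
        raise LifecycleError(f"{action} requires state {required!r}, device is {device.state!r}")
    device.audit.append(f"client:{action}:{device.state}->{new_state}")
    device.state = new_state
    return device


def sample_round_trip() -> Device:
    """Constructed walk-through: revoke, client marks it To Return, MSP re-allocates."""
    d = Device("SN-EXAMPLE-001", "region-placeholder", "Available for Client Allocation")
    msp_action(d, "revoke", "esp_machine_admin")
    client_action(d, "return_to_prisma")
    msp_action(d, "re_allocate", "esp_machine_admin", client="client-b")
    return d
```

Checking the role before the state check means an esp_user who has been given a client assignment still cannot move devices, and every accepted transition leaves an audit entry naming the role, which is what you would reconcile against the portal's Audit Logs after a device unexpectedly changes hands.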

Manage System Administration in the MSP Portal


Where Can I Use This?
• Prisma SD-WAN

What Do I Need?
• Active Prisma SD-WAN license

Manage and monitor users and permissions from the Prisma SD-WAN MSP Portal.
Select Manage > System.

Tab: Description

Company Information: Enter the details of your organization on the Company Information page.

User Management: Select User Management to add or edit a user.

Client User Option: Enable Single User on the Client User Option screen to display a single
user instead of individual users from your account in your child tenant’s user list.

IP Access Restrictions: Enter the IP addresses or prefixes that will have access to the Prisma
SD-WAN MSP Portal on the IP Access Restrictions page.

Password Requirements: Set the character and security requirements for login passwords to the
Prisma SD-WAN MSP Portal on the Password Requirements page.

Audit Logs: Use Audit Logs to view configuration changes in the MSP Portal.

Advanced Settings: Use Advanced Settings to allow device advanced actions.
