PAN-OS SD-WAN: Key Configuration Planning Considerations
Scenario Question Recap:
What are three important considerations during SD-WAN configuration planning?
Successfully deploying Palo Alto Networks SD-WAN (whether using Prisma SD-WAN ION devices or the SD-WAN feature on NGFWs integrated with Prisma Access/Strata Cloud Manager) requires careful planning. Understanding network architecture, performance needs, and application requirements is crucial for ensuring reliable connectivity, optimal application performance based on SLAs, and effective failover.
Key Planning Considerations
Three critical factors to consider during the SD-WAN planning phase are:

1. Link Requirements:
Defining the characteristics and desired behavior of each WAN link is fundamental. This includes:
- Identifying the **types of links** available at each site (e.g., MPLS, Business Broadband, Consumer Broadband, LTE/5G).
- Understanding or defining acceptable thresholds for the key path quality metrics, **latency**, **jitter**, and **packet loss**, for each link type.
- Determining how links should be grouped (e.g., all broadband links together) using **Link Tags**.
- Planning **failover policies**: which link is preferred, and how traffic should be steered when a primary link degrades past its thresholds or fails outright.
This information directly feeds path quality monitoring, traffic distribution policies, and the SD-WAN policy rules that map applications to them.
-
3. Connection Throughput:
Knowing the actual usable bandwidth of each WAN connection at every site is essential. This includes:
- Documenting the **advertised upload and download speeds**, and measuring the throughput the link actually achieves, since the two frequently differ.
- Considering potential oversubscription ratios, especially for consumer-grade links, and planning on the usable rate rather than the advertised one.
- Using this data to configure the **maximum upload/download bandwidth settings** for each link/interface within the SD-WAN configuration.

The SD-WAN engine uses these throughput values (along with path quality metrics) for path selection decisions, especially when applying **Quality of Service (QoS)** profiles or steering critical application traffic. Accurately defining throughput helps prevent link oversaturation and ensures applications get the bandwidth they need; overstating it lets the device push more traffic onto a link than it can carry, which shows up as loss and jitter on exactly the links that should have been protected.
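The following is an added example (not code from the page or from Palo Alto Networks) that turns the planning data from sections 1 and 3 into something checkable: a per-link inventory with type, tag, advertised speeds and a preference order, per-type latency/jitter/loss thresholds, and an oversubscription derating per link type. It derives the maximum download/upload values to enter for each link, groups links by tag, and evaluates constructed path-quality samples to decide which links still meet their SLA and which one should carry traffic, including the case where every link is out of SLA. All threshold and derating numbers are assumptions chosen for the example, not vendor defaults.

```python
"""Planning helper for SD-WAN link requirements and throughput (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PathQualityProfile:
    """Acceptable thresholds for one link type: ms, ms, percent."""
    max_latency_ms: float
    max_jitter_ms: float
    max_loss_pct: float


# Assumed per-type thresholds for this example (not vendor defaults).
PROFILES = {
    "mpls": PathQualityProfile(80, 10, 0.5),
    "business-broadband": PathQualityProfile(120, 20, 1.0),
    "consumer-broadband": PathQualityProfile(150, 30, 2.0),
    "lte": PathQualityProfile(200, 40, 3.0),
}

# Assumed oversubscription derating: fraction of the advertised rate to plan on.
USABLE_FRACTION = {"mpls": 1.0, "business-broadband": 0.9,
                   "consumer-broadband": 0.6, "lte": 0.5}


@dataclass
class WanLink:
    name: str              # interface the link terminates on
    link_type: str         # key into PROFILES / USABLE_FRACTION
    tag: str               # link tag used to group links in policy
    advertised_down_mbps: float
    advertised_up_mbps: float
    preference: int        # lower wins when several links meet the SLA

    def planned_max_bandwidth(self):
        """(download, upload) Mbps to configure as the link's maximum bandwidth."""
        f = USABLE_FRACTION[self.link_type]
        return (round(self.advertised_down_mbps * f, 1),
                round(self.advertised_up_mbps * f, 1))


@dataclass(frozen=True)
class PathSample:
    latency_ms: float
    jitter_ms: float
    loss_pct: float


def meets_sla(link, sample):
    """True when every measured metric is within the link type's thresholds."""
    p = PROFILES[link.link_type]
    return (sample.latency_ms <= p.max_latency_ms
            and sample.jitter_ms <= p.max_jitter_ms
            and sample.loss_pct <= p.max_loss_pct)


def select_path(links, samples):
    """Name of the most preferred link that meets its SLA, or None if none does.

    This is the failover behaviour the planning section describes: traffic
    stays on the preferred healthy link and moves when that link degrades.
    """
    healthy = [l for l in links if meets_sla(l, samples[l.name])]
    if not healthy:
        return None
    return min(healthy, key=lambda l: l.preference).name


def links_by_tag(links):
    """Group link names by their link tag (the grouping a policy would reference)."""
    groups = {}
    for l in links:
        groups.setdefault(l.tag, []).append(l.name)
    return groups


# Constructed branch inventory: one site with four WAN links.
BRANCH_LINKS = [
    WanLink("ethernet1/1", "mpls", "mpls", 50, 50, preference=1),
    WanLink("ethernet1/2", "business-broadband", "broadband", 200, 50, preference=2),
    WanLink("ethernet1/3", "consumer-broadband", "broadband", 300, 30, preference=3),
    WanLink("ethernet1/4", "lte", "lte", 100, 20, preference=4),
]

# Constructed measurements: everything healthy, then MPLS loss exceeds 0.5 %.
NORMAL = {
    "ethernet1/1": PathSample(30, 3, 0.0),
    "ethernet1/2": PathSample(40, 8, 0.2),
    "ethernet1/3": PathSample(60, 15, 0.8),
    "ethernet1/4": PathSample(90, 25, 1.0),
}
MPLS_DEGRADED = dict(NORMAL, **{"ethernet1/1": PathSample(35, 4, 2.5)})
ALL_DEGRADED = {n: PathSample(500, 100, 10.0) for n in NORMAL}

if __name__ == "__main__":
    for l in BRANCH_LINKS:
        print(l.name, l.link_type, "max down/up Mbps:", l.planned_max_bandwidth())
    print("tags:", links_by_tag(BRANCH_LINKS))
    print("normal:", select_path(BRANCH_LINKS, NORMAL))
    print("mpls degraded:", select_path(BRANCH_LINKS, MPLS_DEGRADED))
    print("all degraded:", select_path(BRANCH_LINKS, ALL_DEGRADED))
```

The derating step is the part most worth keeping at planning time: entering the advertised 300/30 Mbps for the consumer link instead of the derated 180/18 would let the device schedule traffic the link cannot carry. The `None` result from `select_path` is the case a failover policy must also cover, since with no link in SLA the real device still has to pick a path rather than drop traffic.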
-
5. Branch and Hub Locations:
Understanding the physical and logical topology of the network is crucial. This involves:
- Mapping out all **branch locations** that will participate in the SD-WAN fabric.
- Identifying **hub locations** (e.g., data centers, major regional offices, Prisma Access locations) that will serve as centralized points for traffic aggregation, security inspection, or access to internal resources.
- Planning the required **VPN tunnel mesh** (Hub-and-Spoke, Partial Mesh, Full Mesh) based on traffic patterns and communication needs between sites.
- Determining where connections to cloud services (like Prisma Access) or data centers (Service Connections) are required.
This topology dictates the number and type of devices needed, VPN tunnel configurations, and overall routing design.
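As an added example (not from the page or from Palo Alto Networks), the script below sizes the VPN tunnel mesh from a constructed site inventory for the three topologies the section names. It lists the site pairs that need a tunnel and counts tunnels per site, which is the number that drives hub device sizing. The site names and roles are made up for the example; it counts one tunnel per site pair, so if each pair of WAN links between two sites gets its own tunnel the per-site figures scale with the number of links.

```python
"""Tunnel-mesh sizing for SD-WAN topology planning (added example)."""
from itertools import combinations

# Constructed site inventory: site name -> role.
SITES = {
    "dc-east": "hub",
    "dc-west": "hub",
    "branch-01": "branch",
    "branch-02": "branch",
    "branch-03": "branch",
}


def plan_tunnels(sites, topology, extra_pairs=()):
    """Return the sorted list of (a, b) site pairs that need a VPN tunnel.

    hub-and-spoke: every branch to every hub, plus hub-to-hub
    full-mesh:     every pair of sites
    partial-mesh:  hub-and-spoke plus the explicitly listed branch pairs
    """
    hubs = sorted(n for n, r in sites.items() if r == "hub")
    branches = sorted(n for n, r in sites.items() if r == "branch")

    if topology == "full-mesh":
        pairs = set(combinations(sorted(sites), 2))
    elif topology in ("hub-and-spoke", "partial-mesh"):
        pairs = set(combinations(hubs, 2))
        pairs |= {tuple(sorted((b, h))) for b in branches for h in hubs}
        if topology == "partial-mesh":
            for a, b in extra_pairs:
                if a not in sites or b not in sites:
                    raise ValueError(f"unknown site in extra pair {(a, b)}")
                pairs.add(tuple(sorted((a, b))))
    else:
        raise ValueError(f"unknown topology {topology!r}")
    return sorted(pairs)


def tunnels_per_site(pairs):
    """Number of tunnels each site terminates; the hub figure sizes the hub device."""
    counts = {}
    for a, b in pairs:
        counts[a] = counts.get(a, 0) + 1
        counts[b] = counts.get(b, 0) + 1
    return counts


if __name__ == "__main__":
    for topo, extra in (("hub-and-spoke", ()),
                        ("partial-mesh", (("branch-01", "branch-02"),)),
                        ("full-mesh", ())):
        pairs = plan_tunnels(SITES, topo, extra)
        print(f"{topo}: {len(pairs)} tunnels, per site {tunnels_per_site(pairs)}")
```

For this inventory hub-and-spoke needs 7 tunnels with each hub terminating 4, while full mesh needs 10 and every site terminates 4; the gap grows quadratically with branch count, which is why large deployments stay hub-and-spoke or partial mesh and reserve direct branch-to-branch tunnels for pairs with known traffic between them.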
Why Other Factors Are Less Critical *During Initial Planning*
2. IP Addresses
- ❌ While essential for network operation, specific IP address assignment for interfaces, tunnels, and devices is typically part of the detailed *configuration* phase, not the high-level *planning* phase. Planning focuses more on subnet requirements, reachability, and topology rather than individual IP allocation.
4. Dynamic Routing
- ❌ SD-WAN can operate effectively using static routes between sites and hubs, especially in simpler deployments. While integration with dynamic routing protocols (OSPF, BGP) is possible and often necessary for larger or more complex environments (e.g., integrating with existing MPLS routing or advertising routes from the data center), it is an *implementation detail* rather than a fundamental *initial planning requirement* for all SD-WAN deployments. The decision to use dynamic routing depends on the specific network environment and integration needs identified during planning.
✅ Summary: Thorough SD-WAN planning prioritizes understanding the available **link characteristics and requirements**, the **throughput capacity** of those links, and the **physical/logical locations** of branches and hubs to design an effective and resilient network architecture.