Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/paloaltonetworks/sdwan
SD-WAN configuration templates
https://github.com/paloaltonetworks/sdwan
sd-wan skillet skillets
Last synced: 2 days ago
JSON representation
SD-WAN configuration templates
- Host: GitHub
- URL: https://github.com/paloaltonetworks/sdwan
- Owner: PaloAltoNetworks
- License: mit
- Created: 2020-09-02T17:00:09.000Z (about 4 years ago)
- Default Branch: master
- Last Pushed: 2021-05-10T14:02:46.000Z (over 3 years ago)
- Last Synced: 2023-08-01T12:18:58.601Z (over 1 year ago)
- Topics: sd-wan, skillet, skillets
- Homepage:
- Size: 76.2 KB
- Stars: 3
- Watchers: 7
- Forks: 3
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# SD-WAN Configuration Skillets
## Tested with Panorama 10.0.5, SD-WAN plugin 2.0.2, and PAN-OS 10.0.5
This is a set of modular skillets for Panorama and the SD-WAN plugin
The set of skillets do not provide a panorama day 1, upgrade software,
or install and activate the plugin.Each step uses a workflow skillet model to guide the user, query panorama
to provide valid configuration options, and give a step summary at the end.Use sd-wan-skillet-worksheet.txt to have required values available during the skillet.
### Optional Step to include IronSkillet
This will load the shared device-group and template configuration for the
IronSkillet day one best practice baseline.In step 2 below when adding a new site, if the user opts to include
IronSkillet, the newly created template-stack will include the
iron-skillet template.This is useful to inherit the security elements such as device hardening
and recommended security profiles/groups.### Step 0 - Device Onboarding
Preliminary step to configure Panorama with device serial numbers. One or more
devices can be onboarded during this step.After devices are configured with the Panorama IP they will connect without
any template stack or device-group association. During this step the intent
is to upgrade software, install content updates, and license the devices.### Step 1 - Configure Shared Elements
Add the following shared elements to Panorama:
* recommended link tags
* application group to be used in policies
* catch-all traffic distribution and path quality profiles
* catch-all sdwan post rule for unmatched sessions
* application pre-rule for bgp traffic including an sdwan logging profile
* recommended traffic distribution profiles
* reference interface profiles and template
* SD-WAN VPN Address Pool### Step 2 - Add New Site
Configure template, stack, and device-group for a new hub or branch site.
Includes the following configuration elements:
* add device-group with a sample SD-WAN policy rule
* add template with interface profiles and predefined zones
* add template stack including site-specific template
* include a virtual-router instance
* select to include ironSkillet as part of the template-stackThe template created is topology agnostic. The next step will add interfaces
to become topology specific based on interface requirements.NOTE: add new templates as required to match topology variation such as
number of interfaces and interface types.### Step 3 - Add Interface to Template
The previous step creates a site template foundation and this step then adds
each required interface based on the topology.Topology variation for this skillet is based on the PHY interface type.
If static the user will be prompted for panorama variable name assignment for the
interface and next-hop gateway addresses. If a dhcp interface, no panorama
variables are used.When the device is assigned to its template-stack and respective template,
the user will then input the values for the associated panorama variables
if the template uses static interfaces.The user can choose if the added interface is sd-wan enabled or just a
standard interface. If sd-wan enabled, then the sd-wan virtual interface
and associated configuration will be included.Configuration elements in this step include:
* physical ethernet interface attributes
* enable SD-WAN on the phy interface
* assign an SD-WAN interface profile to the phy interface
* zone and virtual-router assignment for the interface
* create panorama variables for static interface ip address and gatewayThis is step is repeated for each interface to be added to the site template.
This workflow includes 2 rest type skillets to query Panorama and generate
a set of pulldown list options for:* template selection
* zone names
* virtual-router names
* interface profile names### Step 4 - Assign Device to Device-Group and Template-Stack
Assign an already onboarded and licensed device to a device-group and
template-stack based on the device's role in the topology. The device MUST
be assigned to a template with matching physical interface requirements.If the template includes Panorama variables, a list of variables will be
presented allowing the user input the device-specific values.Repeat this step for each device to be assigned to a device-group and
template-stack. Currently the skillet only supports assigned of a single
device. Bulk loading can be done using csv import.### Step 5 - Onboard Device to SD-WAN Plug-In
The device is mapped into the SD-WAN topology using the following elements:
* SD-WAN type: hub or branch
* virtual-router name
* site description
* (Optional) BGP routing configurationRepeat this step for each device to be included in the SD-WAN topology.
Currently the skillet only supports single device onboarding. Bulk loading
can be done using csv import.### Next Steps
* Use the Panorama GUI to create the vpn cluster
* configure security policies to map application usage for SD-WAN
* push the configuration to the devices and validate a successful commit