topic Re: Request for SD-WAN Deployment Documentation in Azure in Advanced SD-WAN for NGFW Discussions

Request for SD-WAN Deployment Documentation in Azure

kganesh — Tue, 21 Apr 2026 16:04:48 GMT

I need to integrate the Palo Alto firewalls deployed in Azure into our existing SD-WAN setup. Currently, seven offices are already connected through SD-WAN. The Azure VM‑500 firewalls are configured in an active‑passive setup and are managed via Panorama.
It would be very helpful if you could share any SD-WAN deployment documentation or reference material to guide this integration.

Re: Request for SD-WAN Deployment Documentation in Azure

lucy98dana — Mon, 27 Apr 2026 06:07:18 GMT

At a high level, the recommended approach is to treat Azure as another SD-WAN site (or hub) rather than just a standalone security zone. You can terminate SD-WAN tunnels (IPsec or GRE/IPsec depending on your vendor) directly on the VM-500 firewalls. Each of your seven branch offices would then establish tunnels to the Azure firewalls, allowing centralized inspection and routing. If your SD-WAN solution supports dynamic path selection, you can integrate Azure as an additional path and apply policies for traffic steering (e.g., SaaS via internet breakout, internal apps via Azure).

Re: Request for SD-WAN Deployment Documentation in Azure

kiwi — Tue, 28 Apr 2026 13:58:24 GMT

Hi @kganesh ,

On-prem firewalls use Gratuitous ARP (GARP) to handle failover, but Azure doesn't support GARP afaik.

Treat Azure as your "Hub." You’ll terminate your SD-WAN tunnels on an Azure Standard Load Balancer (ALB) front-end IP rather than the firewalls directly.
Health Probes: The ALB uses health probes to monitor the VM-500s. It only sends SD-WAN traffic to whichever unit is currently "Active," ensuring your branch offices always stay connected to the right gateway.

Since you’re already using Panorama, do not manually build these IPsec tunnels one by one.

The Plugin: Install the SD-WAN Plugin for Panorama.
The Workflow: Define your Azure VM-500s as a "Hub" and your seven offices as "Branches". Panorama will then automate the entire mess of IKE gateways, IPsec profiles, and BGP peering across the whole environment.

For a setup with seven offices, static routes will eventually break your brain so :

Use BGP to propagate routes between Azure and your offices.
If you want to avoid managing dozens of User-Defined Routes (UDRs) in Azure, look into Azure Route Server (ARS). It allows your firewalls to "talk" directly to the Azure VNet, automatically updating the routing table whenever a new branch subnet is added.

Some reference links:

Palo Alto SD-WAN Admin Guide: Specifically the Enable SD-WAN with Auto VPN section.
Azure Architecture Center: The Highly Available NVA Guide explains why you need that Load Balancer.
Panorama Plugin Setup: How to install and configure the SD-WAN plugin.

Hope this helps,

Re: Request for SD-WAN Deployment Documentation in Azure

kganesh — Wed, 13 May 2026 03:00:40 GMT

Hi kiwi ,

Thanks for the sharing detail information, however ,the current SD-WAN deployment is configured in a full mesh topology (not hub-and-branch). We now need to onboard an Azure VM-Series (VM-500) firewall into the existing SD-WAN setup as a new branch.

To achieve this, I am planning to use the public IP assigned to the untrust interface on the Azure firewall for establishing Auto VPN/IPsec tunnels with the other branch offices.

Please let me know if this approach looks good or if you have any recommendations.