topic Panorama SD-WAN Zone Mapping? No longer needed or no longer available? in Panorama Discussions https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-sd-wan-zone-mapping-no-longer-needed-or-no-longer/m-p/1227876#M2858 <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>I know this has been posted in the past, but I want to check if there are some new answers before reaching out to our SE. There is a "</SPAN><A href="https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/panorama-plugin-for-sd-wan/sd-wan-plugin-300/known-issues-in-sd-wan-plugin-300" target="_blank"><SPAN>known issue</SPAN></A><SPAN>" where the zone mapping tab was removed from Panorama. The <A title="SD-WAN - Add SD-WAN Branch or Hub Firewall" href="https://docs.paloaltonetworks.com/sd-wan/administration/enable-sd-wan-with-auto-vpn/add-sd-wan-branch-or-hub-firewall" target="_self">current documentation</A> still mentions the need to map the pre-defined zones to existing zones when adding the device to SD-WAN or via CSV. The known issue states:<BR /><BR /></SPAN></P> <BLOCKQUOTE dir="ltr"><SPAN>PLUG-13152<BR /><BR /></SPAN><SPAN>The SD-WAN plugin creates predefined zones automatically that does not require any user configuration. Hence, we have removed the following predefined zones tabs from the SD-WAN plugin web interface:<BR /><BR /></SPAN><SPAN>* Zone Internet</SPAN><BR /><SPAN>* Zone to Hub</SPAN><BR /><SPAN>* Zone to Branch</SPAN><BR /><SPAN>* Zone Internal<BR /><BR /></SPAN><SPAN>This issue is addressed in SD-WAN plugin 2.2.5 and 3.0.5</SPAN></BLOCKQUOTE> <P><SPAN>The documentation states, "If you have pre-existing zones for your Palo Alto Networks<SUP class="ph sup">®</SUP>&nbsp;firewalls, you will be mapping them to the predefined zones used in&nbsp;<SPAN class="ph">SD-WAN</SPAN>." and later goes into detail on how to map the zones.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr">&nbsp;</P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>I imagine you then have to replace your existing zones with the pre-defined ones, no? Either that or create rules that allow communication between your existing zones and the pre-defined zones. The "does not require any user configuration" bit makes it sound like it "just works" but that does not seem to be the case.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr">&nbsp;</P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>What is the appropriate solution? Do we need to rename all of the relevant zones?<BR /><BR /><STRONG>Relevant Versions:</STRONG></SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>Panorama: 11.2.4-h1</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>SD-WAN Plugin: sd_wan-3.3.3</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>Firewalls: 11.1.2-h3 (mostly)</SPAN></P> Thu, 01 May 2025 15:52:28 GMT VRT-JH 2025-05-01T15:52:28Z Panorama SD-WAN Zone Mapping? No longer needed or no longer available? https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-sd-wan-zone-mapping-no-longer-needed-or-no-longer/m-p/1227876#M2858 <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>I know this has been posted in the past, but I want to check if there are some new answers before reaching out to our SE. There is a "</SPAN><A href="https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/panorama-plugin-for-sd-wan/sd-wan-plugin-300/known-issues-in-sd-wan-plugin-300" target="_blank"><SPAN>known issue</SPAN></A><SPAN>" where the zone mapping tab was removed from Panorama. The <A title="SD-WAN - Add SD-WAN Branch or Hub Firewall" href="https://docs.paloaltonetworks.com/sd-wan/administration/enable-sd-wan-with-auto-vpn/add-sd-wan-branch-or-hub-firewall" target="_self">current documentation</A> still mentions the need to map the pre-defined zones to existing zones when adding the device to SD-WAN or via CSV. The known issue states:<BR /><BR /></SPAN></P> <BLOCKQUOTE dir="ltr"><SPAN>PLUG-13152<BR /><BR /></SPAN><SPAN>The SD-WAN plugin creates predefined zones automatically that does not require any user configuration. Hence, we have removed the following predefined zones tabs from the SD-WAN plugin web interface:<BR /><BR /></SPAN><SPAN>* Zone Internet</SPAN><BR /><SPAN>* Zone to Hub</SPAN><BR /><SPAN>* Zone to Branch</SPAN><BR /><SPAN>* Zone Internal<BR /><BR /></SPAN><SPAN>This issue is addressed in SD-WAN plugin 2.2.5 and 3.0.5</SPAN></BLOCKQUOTE> <P><SPAN>The documentation states, "If you have pre-existing zones for your Palo Alto Networks<SUP class="ph sup">®</SUP>&nbsp;firewalls, you will be mapping them to the predefined zones used in&nbsp;<SPAN class="ph">SD-WAN</SPAN>." and later goes into detail on how to map the zones.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr">&nbsp;</P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>I imagine you then have to replace your existing zones with the pre-defined ones, no? Either that or create rules that allow communication between your existing zones and the pre-defined zones. The "does not require any user configuration" bit makes it sound like it "just works" but that does not seem to be the case.</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr">&nbsp;</P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>What is the appropriate solution? Do we need to rename all of the relevant zones?<BR /><BR /><STRONG>Relevant Versions:</STRONG></SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>Panorama: 11.2.4-h1</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>SD-WAN Plugin: sd_wan-3.3.3</SPAN></P> <P class="first:mt-0 last:mb-0" dir="ltr"><SPAN>Firewalls: 11.1.2-h3 (mostly)</SPAN></P> Thu, 01 May 2025 15:52:28 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-sd-wan-zone-mapping-no-longer-needed-or-no-longer/m-p/1227876#M2858 VRT-JH 2025-05-01T15:52:28Z Re: Panorama SD-WAN Zone Mapping? No longer needed or no longer available? https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-sd-wan-zone-mapping-no-longer-needed-or-no-longer/m-p/1235223#M2949 <P>I ended up finding out that plugin versions &gt;2.2.4 or &gt;3.0.4 force you to use the pre-defined zones. To make this work, I created policies such as "trust to zone-internal", "zone-internal to trust", "zone-to-branch to trust" and "trust to zone-to-branch". The alternative would be to replace your VPN/trust zones with the pre-defined ones, like changing your "trust" zone to "zone-internal", for example. Kind of annoying, but is what it is.</P> Fri, 01 Aug 2025 16:34:08 GMT https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-sd-wan-zone-mapping-no-longer-needed-or-no-longer/m-p/1235223#M2949 VRT-JH 2025-08-01T16:34:08Z