SDWAN Zone Mapping

Showing results for 
Show  only  | Search instead for 
Did you mean: 

SDWAN Zone Mapping

L1 Bithead

Trying to make sure I understand this correctly.  For each zone to used within the SDWAN they must be mapped to the pre-defined SDWAN zones.  For the following example would this be the correct method of mapping:


Pre-SDWAN zones (same zones at all sites)


Private WAN





SDWAN Zone Mapping

Zone Internet: Untrust Trust-1, Trust-2,Trust-3

Zone to Hub: Trust-1, Trust-2,Trust-3

Zone to Branch: Trust-1, Trust-2,Trust-3

Zone Internal: Trust-1, Trust-2,Trust-3


Community Team Member

Hi @Jeff-Intuitive ,


I'm pretty sure that Untrust will map to Zone Internet only.


Depending on the other access you need :

  • Zone Internet—For traffic going to and coming from the untrusted internet.
  • Zone to Hub—For traffic going from branch firewalls to hub firewalls and for traffic going between hub firewalls.
  • Zone to Branch—For traffic going from hub firewalls to branch firewalls and for traffic between branch firewalls.
  • Zone Internal—For internal traffic at a specific location.




LIVEcommunity team member, CISSP
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

that is what we learned as well, thanks for that.  The interesting thing is the plugin requires us to hand type, not select, the zones.  If you don't map all the zones though it does not work and it doesn't replicated the configuration across a HA pair, had to manually do both nodes.

L1 Bithead

I'm currently also doing the first steps with SDWAN.

We need to recycle the prexisting zones, so the preexisting SDWAN zone and Trust zone should be mapped to zone-to-branch and zone-internal, but that doesn't work.

Only the Untrust <> Zone-Internet mapping worked.

Also - how should the policy in Panorama and locally on the Firewall look like? Which logs should I expect to see on the firewall and in Panorama?

L1 Bithead

Several components here for it to work, all done through Panorama not on the firewall itself.


Map zones as you saw

Create the SDWAN policy for the zone to encrypt the traffic when talking to the 'zone-hub' 'zone-branch' etc etc

Create Firewall policy that allows those zones to talk to one another.

For my understanding:
The SDWAN Policy needs to be created with the SDWAN zones, so zone-internal, zone-internet, zone-to-branch and in the security policies I can use the mapped zones like trust, untrust and sdwan?

What zones should I see in the traffic logs?

  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!