In PANOS SD-WAN (not PRISMA), you must either use predefined zones (zone-to-branch, zone-to-hub, etc.), or you can map pre-existing zones to the predefined zones in Panorama.
Before SD-WAN, using IPSEC tunnels, we could give each tunnel/branch its own zone and control access very easily. Since SD-WAN requires use of predefined zones, it seems like zone-based policy is mostly useless when differentiating between sites, because from the hub's perspective in a hub/spoke topology, every spoke is in the zone-to-branch zone. I could create all of my policies using address objects and apply them via subnet, but it seems weird that normally PA NGFWs are heavily zone-based, and implementing SD-WAN seems to remove zones from the equation almost fully.
Am I missing something here?
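An added example, not from the original thread and not Palo Alto Networks code: a small Python model of first-match security-rule evaluation that shows why a rule keyed only on the predefined `zone-to-branch` zone cannot separate spokes, and how per-branch address objects restore that separation. The branch subnets, the `trust` zone name, the server objects and the rule names are constructed assumptions for illustration; only the predefined zone name `zone-to-branch` comes from the question.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data (assumption): two spokes and two hub servers.
# On the hub, traffic from BOTH spokes arrives in the predefined SD-WAN
# zone "zone-to-branch", so the zone alone carries no per-site information.
ADDRESS_OBJECTS = {
    "branch-a-lan": ipaddress.ip_network("10.10.0.0/24"),
    "branch-b-lan": ipaddress.ip_network("10.20.0.0/24"),
    "hub-erp":      ipaddress.ip_network("10.0.1.10/32"),
    "hub-files":    ipaddress.ip_network("10.0.1.20/32"),
}

@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source: list        # address object names, or ["any"]
    destination: list   # address object names, or ["any"]
    action: str         # "allow" or "deny"

def _addr_match(names, ip):
    """True if ip falls inside any of the named address objects."""
    if names == ["any"]:
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ADDRESS_OBJECTS[n] for n in names)

def evaluate(rulebase, from_zone, to_zone, src_ip, dst_ip):
    """Top-down first-match evaluation with an implicit deny at the end,
    mirroring how a security rulebase is walked. Returns (rule name, action)."""
    for rule in rulebase:
        if (rule.from_zone in (from_zone, "any")
                and rule.to_zone in (to_zone, "any")
                and _addr_match(rule.source, src_ip)
                and _addr_match(rule.destination, dst_ip)):
            return rule.name, rule.action
    return "implicit-deny", "deny"

def zone_only_rules(rulebase, zone="zone-to-branch"):
    """Audit helper: rules from the shared spoke zone whose source is 'any'.
    Each of these applies to every spoke, which is usually not the intent."""
    return [r.name for r in rulebase
            if r.from_zone == zone and r.source == ["any"] and r.action == "allow"]

# Rulebase written the pre-SD-WAN way, but with the shared zone: the intent
# was "Branch A may reach the ERP server", yet the zone cannot express it.
ZONE_ONLY = [
    Rule("branch-to-erp", "zone-to-branch", "trust", ["any"], ["hub-erp"], "allow"),
]

# Same zones, but the per-branch address objects carry the site distinction.
PER_BRANCH = [
    Rule("branch-a-to-erp",   "zone-to-branch", "trust", ["branch-a-lan"], ["hub-erp"],   "allow"),
    Rule("branch-b-to-files", "zone-to-branch", "trust", ["branch-b-lan"], ["hub-files"], "allow"),
]

if __name__ == "__main__":
    # Branch B host reaching the ERP server: allowed by the zone-only rule,
    # denied once the source is pinned to Branch A's address object.
    print(evaluate(ZONE_ONLY,  "zone-to-branch", "trust", "10.20.0.5", "10.0.1.10"))
    print(evaluate(PER_BRANCH, "zone-to-branch", "trust", "10.20.0.5", "10.0.1.10"))
    print(evaluate(PER_BRANCH, "zone-to-branch", "trust", "10.10.0.5", "10.0.1.10"))
    print("rules relying on zone alone:", zone_only_rules(ZONE_ONLY))
```

The `zone_only_rules` check is the review a practitioner would run over a hub rulebase after moving to SD-WAN: any allow rule sourced from `zone-to-branch` with `any` as source now grants the same access to every spoke, so it is the first place to look for unintended branch-to-branch or branch-to-datacenter reach.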
At least from my understanding, you aren't missing anything. The feature, at least when I was looking into it, really seemed designed around branch offices that fit a cookie-cutter deployment. As an example, if you were a retail establishment and just had stores connecting to your datacenter. When you don't fit that model, the setup didn't really meet our needs for that.