
How would I update the NBAR2 pack on SD-WAN Edge?

SIMMN

For either cEdge or vEdge under SD-WAN, I just cannot find any clear document about how to upgrade the NBAR2 pack... I do know how to update the NBAR2 pack for regular IOS/IOS-XE routers, but I doubt the same process applies to SD-WAN edge routers...

Does anyone have information regarding the NBAR upgrade?


Hi,

Load the NBAR protocol pack onto the router (via SCP, for example), then use a CLI template with the command below:

ip nbar protocol-pack bootflash:[pack_name].pack force

Ensure that the local NBAR software version is compatible with the protocol pack's NBAR engine version.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

This is the method used for regular routers... Assuming it would be applicable to SD-WAN, a couple of clarification questions:

1. Edge routers are mostly deployed based on templates... So you are saying to use a CLI template to define the "ip nbar protocol-pack bootflash:[pack_name].pack" command and deploy it to the edge router?

2. What do you mean by "compatible with protocol-pack NBAR engine version"? Or do you mean the IOS-XE version?

1. There is a separate template called "CLI-template", which is added to the device template as an additional template. Configuration that cannot be done via a feature template is done using the CLI-template.

[Image: KananHuseynli_0-1686947524862.png]

[Image: KananHuseynli_1-1686947558844.png]


2.

Site2-Rtr1#sh ip nbar version
NBAR software version: 48
NBAR minimum backward compatible version: 48
NBAR change ID: BLD_NBAR_XE1711_20230207_110948

Loaded Protocol Pack(s):
Name: Advanced Protocol Pack
Version: 64.0
Publisher: Cisco Systems Inc.
NBAR Engine Version: 48
State: Active

Name: Advanced Protocol Pack
Version: 65.0
Publisher: Cisco Systems Inc.
NBAR Engine Version: 46
Creation time: Thu Mar 23 09:36:15 UTC 2023
File: bootflash:/pp-adv-cat8k-179.1a-46-65.0.0.pack
State: Inactive

As you see, I've added and forced protocol pack version 65; however, its engine version is 46 and the local NBAR software version (48) is not compatible.

The NBAR engine version depends on the IOS XE version: 46 for 17.9.x, 48 for 17.11.x.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.
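
The compatibility check described in the post above, as an added example that is not part of the original thread: it parses "show ip nbar version" output and flags loaded packs whose NBAR engine version falls outside the range the device reports. The range rule (minimum backward compatible version <= engine version <= software version) and the function names are assumptions; the sample is the output quoted above.

```python
import re

# Sample input: the "show ip nbar version" output quoted in the post above.
SAMPLE = """\
NBAR software version: 48
NBAR minimum backward compatible version: 48
NBAR change ID: BLD_NBAR_XE1711_20230207_110948

Loaded Protocol Pack(s):
Name: Advanced Protocol Pack
Version: 64.0
Publisher: Cisco Systems Inc.
NBAR Engine Version: 48
State: Active

Name: Advanced Protocol Pack
Version: 65.0
Publisher: Cisco Systems Inc.
NBAR Engine Version: 46
Creation time: Thu Mar 23 09:36:15 UTC 2023
File: bootflash:/pp-adv-cat8k-179.1a-46-65.0.0.pack
State: Inactive
"""

def parse_nbar_version(text):
    """Split the output into device-level fields and one dict per pack."""
    device, packs, current = {}, [], None
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?)\s*:\s*(.*)$", line)
        if not m:
            continue                    # blank lines, CLI prompt
        key, value = m.group(1), m.group(2).strip()
        if key == "Name":               # each pack stanza starts with "Name:"
            current = {}
            packs.append(current)
        (device if current is None else current)[key] = value
    return device, packs

def check_packs(text):
    """Report each pack's engine version against the device's NBAR range."""
    device, packs = parse_nbar_version(text)
    high = int(device["NBAR software version"])
    low = int(device["NBAR minimum backward compatible version"])
    # Assumption: a pack is usable when low <= its engine version <= high.
    return [{"version": p["Version"], "state": p["State"],
             "engine": int(p["NBAR Engine Version"]),
             "compatible": low <= int(p["NBAR Engine Version"]) <= high}
            for p in packs]
```

Running check_packs on output collected before a change window shows whether a staged pack would end up Inactive, as version 65.0 does here.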

Thanks for the info!

Will the update process be different if SD-AVC is in use in SD-WAN?

Yes,

this command is rejected when SD-AVC is enabled. You should upload the protocol pack in the SD-AVC dashboard (vManage itself has the SD-AVC service as a container) and deploy it:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/avc/sd-avc/4-4-0/ug/sd-avc-4-4-0-ug/using.html#concept_dsk_jmr_dhb

https://www.cisco.com/c/en/us/support/docs/routers/sd-wan/218082-configure-sd-avc-on-sd-wan.html#

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Thanks for the confirmation. I did review the links before. With regular routers, it is clear about the SD-AVC portal. But the challenge is: where is the SD-AVC portal when enabled on vManage? Using port 8443 to access vManage still gives me vManage, not the SD-AVC portal…

Normally, SD-AVC uses ports 10501/10502 (the first for routers, the second IP for the dashboard). I remember that in one of my past labs I just connected to the transport interface over port 10502. If I remember correctly, I used this blog while "labbing" long ago: https://swat-sdwanlab.github.io/mydoc_sdavc.html

However, in my new labs I cannot access it using either the transport or the management interface. It may have changed, although I also don't see detailed documentation.

But you can open a case as a question (if you have Smartnet) for the latest info from Cisco TAC.


HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Thanks! This is kinda the reason I posted the question here in the first place… there simply isn't clear documentation regarding this topic…

Yep, some topics are not documented. You should check yourself.

For example, what I said regarding ip nbar protocol-pack in the case of controller mode without SD-AVC works with a CLI template (I tested it and posted). With SD-AVC this is not accepted, so you cannot push the protocol pack via CLI-template. However, I also cannot reach the SD-AVC dashboard to do the actual protocol pack upload.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

Disabling policy, upgrading nbar protocol pack and then enabling policy worked.

Site1-RTR1#sh ip nbar version
NBAR software version: 46
NBAR minimum backward compatible version: 46
NBAR change ID: BLD_NBAR_XE179_20220720_205116

Loaded Protocol Pack(s):
Name: Advanced Protocol Pack
Version: 61.0
Publisher: Cisco Systems Inc.
NBAR Engine Version: 46
State: Active

Site1-RTR1#sh ip nbar version
NBAR software version: 46
NBAR minimum backward compatible version: 46
NBAR change ID: BLD_NBAR_XE179_20220720_205116

Loaded Protocol Pack(s):
Name: Advanced Protocol Pack
Version: 65.0
Publisher: Cisco Systems Inc.
NBAR Engine Version: 46
Creation time: Thu Mar 23 09:36:15 UTC 2023
File: bootflash:pp-adv-cat8k-179.1a-46-65.0.0.pack
State: Active

Site1-RTR1#sh avc sd-service info summary
Status: CONNECTED

Device ID: Site1-RTR1
Device segment name: eurodesign.local
Device address: 1.1.11.1
Device OS version: 17.09.01a
Device type: C8000V

Active controller:
Type : Primary
IP : 1.1.1.2
Status: Connected
Version : 4.4.0
Last connection: *09:20:45.000 UTC Thu Jun 22 2023

Active SDAVC import files:
Protocol pack: pp-adv-cat8k-179.1a-46-65.0.0.pack
Secondary protocol pack: Not loaded
Rules pack: Not loaded

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

So basically the update process would be the same whether I have SD-AVC enabled or not?

In case SD-AVC is enabled on vManage (thus it is enabled on AV-enabled routers), you should disable Application Visibility for the router (the router loses SD-AVC as well), update NBAR2 via CLI-template and then enable Application Visibility:

[Image: KananHuseynli_0-1687443112429.png]

When SD-AVC is not enabled on vManage (thus it is not enabled on AV-enabled routers), you do the update directly via CLI-template.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.

I thought by "Disabling policy" you meant disabling the local policy, which essentially disables Application Visibility...

So by "Disabling policy" you actually mean disabling the central policy OR both central and local policies?

Only the local policy, and in fact only the AVC functionality from the local policy. Other local policies will still be in place.

I shared a picture above.

HTH,
Please rate and mark as an accepted solution if you have found any of the information provided useful.