About Auto VPN

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1

Auto VPN

Configure Auto VPN

About Auto VPN

Learn more about Auto VPN on

Strata Cloud Manager

Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.

Where Can I Use This?	What Do I Need?
`NGFW (Managed by Strata Cloud Manager)` `VM-Series, funded with Software NGFW Credits`	`AIOps for NGFW Premium license (use the Strata Cloud Manager app)`

Auto VPN enables you to create a VPN cluster to connect multiple local area networks (LANs). When you create a VPN cluster, you must specify which firewall acts as the gateway device that facilitates communication between the branch firewalls and automatically creates secure connections between the gateway and branch devices.

Auto VPN supports hub-and-spoke topology only. Auto VPN does not support mesh topology between gateway devices.

After you create the VPN cluster, the firewalls automatically set up a route-based VPN tunnels and makes routing decisions based on the Layer 3 Ethernet interface IP addresses. If traffic is routed to a specific destination through a VPN tunnel, then it is handled as VPN traffic. These tunnels are created only between the gateway device and the branch devices. Tunnels are not created between any branch devices.

The VPN is secured using Internet Protocol Security (IPSec); a set of protocols used to set up a secure tunnel for VPN traffic. The information in the TCP/IP packet is secured. The IP packet (header and payload) is embedded in another Internet Protocol payload, and a new header is applied and then sent through the IPSec tunnel. The source IP address in the new header is that of the local VPN peer and the destination IP address is that of the VPN peer on the far end of the tunnel. When the packet reaches the remote VPN peer (the firewall at the far end of the tunnel), the outer header is removed and the original packet is sent to its destination.

To set up the VPN tunnel, the branch devices need to be authenticated. After successful authentication, the branch devices negotiate the encryption mechanism and algorithms to secure the communication. The Internet Key Exchange (IKE) process is used to authenticate the VPN branch devices and IPSec security associations (SAs) are defined at each end of the tunnel to secure the VPN communication. IKE uses pre-shared keys to set up the SAs for the IPSec tunnel. The SAs specify all of the required parameters for secure transmission— including the security parameter index (SPI), security protocol, cryptographic keys, and the destination IP address—encryption, data authentication, data integrity, and endpoint authentication. IPv4

Auto VPN

Configure Auto VPN

Next-Generation Firewall Docs

About Auto VPN

Next-Generation Firewall Docs

About Auto VPN

Recommended For You

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner