Configure Auto VPN
Create a VPN cluster to logically group hub and branch firewalls and automatically
secure connections between these devices.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
To configure Auto VPN, you must create a VPN cluster to determine which branch
firewalls communicate with which gateway devices and automatically create secure
connections between the gateway and branch firewalls. VPN clusters are logical
groupings of managed firewalls that support a hub and spoke topology, so consider
such things as geographical location or function when logically grouping your
firewalls. Auto VPN supports a maximum of 1,000 VPN clusters.
The routing configuration is automatically generated when Auto VPN is configured.
This includes creating the IPSec tunnels between your gateway and branch devices,
and autogenerating the Border Gateway Protocol (BGP) AS number and Router ID.
- Log in to Strata Cloud Manager.
- Review all pending configuration changes. The Auto VPN push is a specialized push that includes all pending configuration changes on Strata Cloud Manager. Before you continue, Palo Alto Networks recommends reviewing all pending configuration changes to ensure they are ready to be pushed.
- Configure the Layer 3 Ethernet interfaces and logical routers.
  - The Layer 3 Ethernet interface can be a static, DHCP, or PPPoE interface. Repeat this step to configure as many Layer 3 Ethernet interfaces as needed. Only Layer 3 interfaces are supported for configuring Auto VPN.
  - Associate the Layer 3 Ethernet interfaces you created in the previous step with the logical router. Repeat this step to configure as many logical routers as needed.
- Select Manage > Configuration > NGFW and Prisma Access > Global Settings > Auto VPN and Add VPN Cluster. You must be in the Global configuration scope to configure the Global Settings.
- Enter a descriptive Name for the VPN cluster.
- (SD-WAN only) Enable the VPN cluster for SD-WAN.
- Configure one or more hub firewalls. The hub firewall can be either an on-premise firewall or a Prisma Access remote network. A hub firewall initiates and terminates VPN connections across your branch firewalls. Add at least one hub firewall to create a VPN cluster.
  - Add Hub devices.
    - (To add an on-premise firewall as a hub) Select and Add a managed firewall to act as a hub firewall. You can select multiple firewalls if you want to add multiple hub firewalls to the VPN cluster. Adding multiple hub firewalls allows you to specify a hub firewall priority in the event one firewall is down and unable to act as the hub firewall.
    - (To add Prisma Access as a hub) With Prisma Access hub support, on-premises firewalls and cloud security platforms work together to provide a complete solution with consistent security policies managed by Strata Cloud Manager. In the hub-and-spoke topology, Prisma Access hub support enables you to connect the PAN-OS firewalls with Prisma Access compute nodes (CNs) to achieve cloud-based security. In a VPN cluster, it is mandatory to configure at least one hub and one branch firewall, where the hub can be either an on-premise hub or a Prisma Access hub. You need a valid Prisma Access license (along with the AIOps for NGFW Premium license) to add a Prisma Access remote network as a hub. Without a Prisma Access license, the option to add a Prisma Access remote network as a hub is not available to you. To add a Prisma Access remote network as a hub:
      - (Mandatory) Allocate bandwidth (Workflows > Prisma Access Setup > Remote Networks > Bandwidth Management) for the compute location to which the location maps.
      - In Prisma Access, select Use Prisma Access As Hub to Add the Prisma Access remote network to act as a hub firewall. You can select multiple Prisma Access remote networks to act as hubs if you want to add multiple Prisma Access hubs to the VPN cluster.
  - Select the Logical Router.
  - Select a BGP Redistribution Profile. The predefined All-Connected-Routes BGP redistribution profile provides the tunnel and route peering configuration required for connectivity, and also completes route advertisements to allow for branch-to-branch communication.
  - Select the interfaces (Interfaces 1-4) to send traffic through. At a minimum, you must select interfaces for Interface 1 and Interface 2.
  - (Optional) Select the MPLS Private Link. If you select a private link, then the IPSec tunnel is created only for the Private Link between the hub firewalls and branch firewalls.
  - Select the Priority. The range is 1 through 8, where 1 is the highest priority and 8 is the lowest priority.
- Configure the branch devices. These are the branch firewalls for which the hub firewall initiates and terminates VPN connections across the other branch firewalls in the VPN cluster.
  - Add Branch devices.
  - Select and Add managed firewalls.
  - Select the Logical Router.
  - Select the BGP Redistribution Profile. The predefined All-Connected-Routes BGP redistribution profile provides the tunnel and route peering configuration required for connectivity, and also completes route advertisements to allow for branch-to-branch communication.
  - (Optional, only for a Prisma Access hub) Enable Static Route from branch firewall to Prisma Access hub. By default, Enable static route to Prisma Access is enabled when you have a Prisma Access hub in your topology. When Enable static route to Prisma Access is enabled, it routes the traffic between the Prisma Access hub and the branch firewalls. Disable this option to add your own routes. To enable a static route to the Prisma Access remote network, ensure the following:
    - You can select only the regions (Location) and compute nodes (IPSec Termination Node) that are already configured in Remote Network Setup. If you need static routing, first complete the Location and IPSec Termination Node configuration in Remote Network Setup (Workflows > Prisma Access Setup > Remote Networks) and return to this task.
    When Enable static route to Prisma Access is enabled, assign the Prisma Access Location and IPSec Termination Node to a remote network:
    - Select the Prisma Access Location where the Prisma Access hub is located.
    - Select the IPSec Termination Node that you want to use for this remote network. Prisma Access uses this node to associate remote network locations with compute locations.
  - Select the interfaces (Interfaces 1-4) to send traffic through. At a minimum, you must select interfaces for Interface 1 and Interface 2.
  - (Optional) Select the MPLS Private Link. If you select a private link, then the IPSec tunnel is created only for the Private Link between the hub firewalls and branch firewalls. When you use a Prisma Access hub in your topology, you must configure only a non-private interface, as Prisma Access can connect only through non-private interfaces. Even if you select MPLS Private Link for a VPN cluster that contains Prisma Access as a hub, the private interfaces are not used to connect to the Prisma Access hub. The private interfaces only connect to other private interfaces in on-premises gateways in the VPN cluster.
- Save.
- Select and edit the General Settings to configure the VPN Address Pool and AS Number Range. The VPN address pool must be a valid subnet address.
  - Specify the AS Number Range, which must fall between 64512 and 65534. It is mandatory to configure an AS range larger than the number of devices in the VPN cluster.
  - Enable mesh connection between hubs to establish a mesh connection between the hubs (on-premises firewalls and Prisma Access) in the VPN cluster.
- Select Push Config > VPN Push. Push VPN is available only when configuring Auto VPN, to push the automatically generated VPN configuration created when you create a VPN cluster. The VPN Push includes all pending configuration changes on Strata Cloud Manager. Verify that any pending configuration changes are ready to be pushed.
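As an added pre-flight check (example code, not Strata Cloud Manager's own), the following Python validates a cluster definition against the constraints this procedure states before you run the VPN Push: at least one hub and one branch, Interface 1 and Interface 2 selected on every device, hub priority within 1-8, a VPN address pool that is a valid subnet, and an AS Number Range within 64512-65534 that is larger than the device count. The Device and VpnCluster classes and the two sample clusters are constructed assumptions, not the product's data model.

```python
import ipaddress
from dataclasses import dataclass

# Limits taken from the Auto VPN procedure above.
AS_MIN, AS_MAX = 64512, 65534   # allowed AS Number Range
PRIO_MIN, PRIO_MAX = 1, 8       # hub Priority; 1 is the highest

@dataclass
class Device:                   # hypothetical model of a managed firewall
    name: str
    interfaces: list            # interface slots selected, e.g. [1, 2]
    priority: int = 1           # only meaningful for hub devices

@dataclass
class VpnCluster:               # hypothetical model of one VPN cluster
    name: str
    hubs: list
    branches: list
    vpn_pool: str               # General Settings > VPN Address Pool
    as_range: tuple             # General Settings > AS Number Range (low, high)

def validate_cluster(c):
    """Return the list of problems found; an empty list means the cluster is ready to push."""
    errors = []
    if not c.hubs or not c.branches:
        errors.append(f"{c.name}: needs at least one hub and one branch")
    for d in c.hubs + c.branches:
        if not {1, 2} <= set(d.interfaces):   # Interface 1 and 2 are mandatory
            errors.append(f"{d.name}: Interface 1 and Interface 2 must be selected")
    for h in c.hubs:
        if not PRIO_MIN <= h.priority <= PRIO_MAX:
            errors.append(f"{h.name}: priority {h.priority} is outside 1-8")
    try:
        ipaddress.ip_network(c.vpn_pool, strict=True)   # rejects pools with host bits set
    except ValueError:
        errors.append(f"{c.name}: VPN address pool {c.vpn_pool!r} is not a valid subnet")
    low, high = c.as_range
    if not (AS_MIN <= low <= high <= AS_MAX):
        errors.append(f"{c.name}: AS range {low}-{high} must lie within {AS_MIN}-{AS_MAX}")
    elif high - low + 1 <= len(c.hubs) + len(c.branches):
        errors.append(f"{c.name}: AS range must be larger than the device count")
    return errors

# Constructed samples: GOOD passes every check; BAD trips four of them.
GOOD = VpnCluster("emea", [Device("hub-1", [1, 2, 3], priority=1)],
                  [Device("br-1", [1, 2]), Device("br-2", [1, 2])],
                  "10.255.0.0/24", (64512, 64600))
BAD = VpnCluster("apac", [Device("hub-2", [1], priority=9)],
                 [Device("br-3", [1, 2])], "10.255.1.5/24", (65000, 65001))
```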