Configure Auto VPN
Next-Generation Firewall

Create a VPN cluster to logically group hub and branch firewalls and automatically secure connections between these devices.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • VM-Series, funded with Software NGFW Credits
What Do I Need?
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
  • Prisma Access License (to configure a Prisma Access remote network as a hub)
To configure Auto VPN, you must create a VPN cluster, which determines which branch firewalls communicate with which gateway devices and automatically creates secure connections between the gateway and branch firewalls. VPN clusters are logical groupings of managed firewalls that support a hub-and-spoke topology, so consider factors such as geographical location or function when grouping your firewalls. Auto VPN supports a maximum of 1,000 VPN clusters.
The routing configuration is automatically generated when Auto VPN is configured. This includes creating the IPSec tunnels between your gateway and branch devices, and autogenerating the Border Gateway Protocol (BGP) AS number and Router ID.
  1. Log in to Strata Cloud Manager.
  2. Review all pending configuration changes.
    The Auto VPN push is a specialized push that includes all pending configuration changes on Strata Cloud Manager. Before you continue, Palo Alto Networks recommends reviewing all pending configuration changes to ensure they are ready to be pushed.
  3. Configure the Layer 3 Ethernet interfaces and logical routers.
    1. Configure a Layer 3 Ethernet interface. The interface can be a static, DHCP, or PPPoE interface. Repeat this step to configure as many Layer 3 Ethernet interfaces as needed.
      Only Layer 3 interfaces are supported for configuring Auto VPN.
    2. Associate the Layer 3 Ethernet interfaces you created in the previous step with a logical router.
      Repeat this step to configure as many logical routers as needed.
  4. Select Manage > Configuration > NGFW and Prisma Access > Global Settings > Auto VPN and Add VPN Cluster.
    You must be in the Global configuration scope to configure the Global Settings.
  5. Enter a descriptive Name for the VPN cluster.
  6. (SD-WAN only) Enable the VPN cluster for SD-WAN.
  7. Configure one or more hub firewalls.
    The hub firewall can be either an on-premises firewall or a Prisma Access remote network.
    A hub firewall initiates and terminates VPN connections across your branch firewalls. Add at least one hub firewall to create a VPN cluster.
    1. Add Hub devices.
    2. (To add an on-premises firewall as a hub) Select and Add a managed firewall to act as a hub firewall.
      You can select multiple firewalls if you want to add multiple hub firewalls to the VPN cluster. Adding multiple hub firewalls allows you to specify a hub firewall priority in the event one firewall is down and unable to act as the hub firewall.
    3. (To add Prisma Access as a hub) With Prisma Access support, on-premises firewalls and cloud security platforms work together to provide a complete solution with consistent security policies managed by Strata Cloud Manager. In the hub-and-spoke topology, Prisma Access hub support enables you to connect PAN-OS firewalls with Prisma Access compute nodes (CNs) to achieve cloud-based security. In a VPN cluster, you must configure at least one hub and one branch firewall, where the hub can be either an on-premises hub or a Prisma Access hub.
      You need a valid Prisma Access license (along with the AIOps for NGFW Premium license) to add a Prisma Access remote network as a hub. Without a Prisma Access license, the option to add a Prisma Access remote network as a hub is not available.
      To add a Prisma Access remote network as a hub:
      1. (Mandatory) Allocate bandwidth (Workflows > Prisma Access Setup > Remote Networks > Bandwidth Management) for the compute location to which the location maps.
      2. In Prisma Access, select Use Prisma Access As Hub to Add the Prisma Access remote network to act as a hub firewall. You can select multiple Prisma Access remote networks to act as hubs if you want to add multiple Prisma Access hubs to the VPN cluster.
    4. Select the Logical Router.
    5. Select a BGP Redistribution Profile.
      The predefined All-Connected-Routes BGP redistribution profile provides the tunnel and route peering configuration required for connectivity, and also completes route advertisements to allow for branch-to-branch communication.
    6. Select the interfaces (Interfaces 1 through 4) to send traffic through.
      At a minimum, you must select interfaces for Interface 1 and Interface 2.
    7. (Optional) Select the MPLS Private Link.
      If you select a private link, the IPSec tunnel is created only for the Private Link between the hub firewalls and branch firewalls.
    8. Select the Priority.
      The range is 1 through 8, where 1 is the highest priority and 8 is the lowest priority.
  8. Configure the branch devices.
    These are the branch firewalls for which the hub firewall initiates and terminates VPN connections across the other branch firewalls in the VPN cluster.
    1. Add Branch devices.
    2. Select and Add managed firewalls.
    3. Select the Logical Router.
    4. Select the BGP Redistribution Profile.
      The predefined All-Connected-Routes BGP redistribution profile provides the tunnel and route peering configuration required for connectivity, and also completes route advertisements to allow for branch-to-branch communication.
    5. (Optional) (Only for a Prisma Access hub) (Enable Static Route from branch firewall to Prisma Access hub) By default, Enable static route to Prisma Access is enabled when you have a Prisma Access hub in your topology. When Enable static route to Prisma Access is enabled, it routes the traffic between the Prisma Access hub and the branch firewalls. Disable this option to add your own routes.
      To enable a static route to the Prisma Access remote network, ensure the following:
      • You can select only the regions (Location) and compute nodes (IPSec Termination Node) that are already configured (in Remote Network Setup). If you need static routing, first complete the Location and IPSec Termination Node configuration in Remote Network Setup (Workflows > Prisma Access Setup > Remote Networks) and return to this task.
      When Enable static route to Prisma Access is enabled, assign the Prisma Access Location and IPSec Termination Node to a remote network:
      • Select the Prisma Access Location where the Prisma Access hub is located.
      • Select the IPSec Termination Node that you want to use for this remote network. Prisma Access uses this node to associate remote network locations with compute locations.
    6. Select the interfaces (Interfaces 1 through 4) to send traffic through.
      At a minimum, you must select interfaces for Interface 1 and Interface 2.
    7. (Optional) Select the MPLS Private Link.
      If you select a private link, the IPSec tunnel is created only for the Private Link between the hub firewalls and branch firewalls.
      When you use a Prisma Access hub in your topology, you must configure only a non-private interface, because Prisma Access can connect only through non-private interfaces. Even if you select MPLS Private Link for a VPN cluster that contains Prisma Access as a hub, the private interfaces are not used to connect to the Prisma Access hub. The private interfaces only connect to other private interfaces in on-premises gateways in the VPN cluster.
  9. Save.
  10. Select and edit the General Settings to configure the VPN Address Pool and AS Number Range.
    The VPN address pool must be a valid subnet address.
    • Specify the AS Number Range, which must fall between 64512 and 65534.
      The AS range must be larger than the number of devices in the VPN cluster.
    • Enable mesh connection between hubs to establish a mesh connection between the hubs (on-premises firewalls and Prisma Access) in the VPN cluster.
  11. Select Push Config > VPN Push.
    VPN Push is available only when configuring Auto VPN; it pushes the automatically generated VPN configuration created when you create a VPN cluster.
    The VPN Push includes all pending configuration changes on Strata Cloud Manager. Verify that any pending configuration changes are ready to be pushed.
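The constraints that steps 5 through 10 state (at least one hub and one branch, a hub priority from 1 through 8, Interface 1 and Interface 2 selected on every device, a valid VPN address pool subnet, an AS Number Range inside 64512 to 65534 that is larger than the number of devices, and a Prisma Access license for a Prisma Access hub) are worth checking before you run a VPN Push, because the push also carries every other pending change. The following Python helper is an added example and is not Strata Cloud Manager code or its API: the Device and VpnCluster classes, the validate_cluster and cluster_warnings functions, and the two sample clusters are all constructed for illustration, and the rule that each hub and branch consumes one AS number from the range is an assumption marked in the code.

```python
"""Pre-push sanity checks for an Auto VPN cluster definition.

Added, hypothetical helper (not Strata Cloud Manager's own code or API). It
models a VPN cluster as plain Python objects and checks the constraints the
Auto VPN procedure states before a VPN Push.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Set, Tuple

PRIVATE_AS_MIN, PRIVATE_AS_MAX = 64512, 65534  # allowed AS Number Range
PRIORITY_MIN, PRIORITY_MAX = 1, 8              # hub priority, 1 is highest
SELECTABLE_INTERFACES = {1, 2, 3, 4}           # Interfaces 1 through 4
REQUIRED_INTERFACES = {1, 2}                   # Interface 1 and 2 are mandatory


@dataclass
class Device:
    name: str
    logical_router: str
    interfaces: Set[int]             # interface slots selected to send traffic through
    is_prisma_access: bool = False   # Prisma Access remote network acting as a hub
    priority: int = 1                # hub priority (ignored for branches)
    private_link: bool = False       # MPLS Private Link selected


@dataclass
class VpnCluster:
    name: str
    hubs: List[Device]
    branches: List[Device]
    vpn_address_pool: str            # VPN Address Pool, e.g. "10.255.0.0/24" (constructed)
    as_range: Tuple[int, int]        # inclusive AS Number Range
    prisma_access_licensed: bool = False


def validate_cluster(cluster: VpnCluster) -> List[str]:
    """Return blocking errors; an empty list means the cluster passes every check."""
    errors: List[str] = []
    if not cluster.name.strip():
        errors.append("cluster: a descriptive Name is required")
    if not cluster.hubs:
        errors.append("hubs: at least one hub firewall is required")
    if not cluster.branches:
        errors.append("branches: at least one branch firewall is required")

    for hub in cluster.hubs:
        if not PRIORITY_MIN <= hub.priority <= PRIORITY_MAX:
            errors.append(f"{hub.name}: hub priority must be {PRIORITY_MIN}-{PRIORITY_MAX}")
        if hub.is_prisma_access and not cluster.prisma_access_licensed:
            errors.append(f"{hub.name}: a Prisma Access license is required for a Prisma Access hub")

    for dev in cluster.hubs + cluster.branches:
        if not dev.logical_router:
            errors.append(f"{dev.name}: a Logical Router must be selected")
        unknown = dev.interfaces - SELECTABLE_INTERFACES
        if unknown:
            errors.append(f"{dev.name}: only Interfaces 1-4 can be selected, got {sorted(unknown)}")
        missing = REQUIRED_INTERFACES - dev.interfaces
        if missing:
            errors.append(f"{dev.name}: Interface {sorted(missing)} must be selected (1 and 2 are mandatory)")

    # The VPN address pool must be a valid subnet address (no host bits set).
    try:
        ip_network(cluster.vpn_address_pool, strict=True)
    except ValueError:
        errors.append(f"vpn_address_pool: {cluster.vpn_address_pool!r} is not a valid subnet address")

    low, high = cluster.as_range
    if not (PRIVATE_AS_MIN <= low <= high <= PRIVATE_AS_MAX):
        errors.append(f"as_range: must lie within {PRIVATE_AS_MIN}-{PRIVATE_AS_MAX}")
    # Assumption: every hub and branch consumes one AS number, so the range must exceed the device count.
    device_count = len(cluster.hubs) + len(cluster.branches)
    if high - low + 1 <= device_count:
        errors.append(f"as_range: {high - low + 1} AS numbers is not larger than {device_count} devices")
    return errors


def cluster_warnings(cluster: VpnCluster) -> List[str]:
    """Non-blocking notes: private interfaces are never used to reach a Prisma Access hub."""
    warnings: List[str] = []
    if any(h.is_prisma_access for h in cluster.hubs):
        for dev in cluster.hubs + cluster.branches:
            if dev.private_link and not dev.is_prisma_access:
                warnings.append(f"{dev.name}: Private Link is not used to reach the Prisma Access hub; "
                                "it only connects to private interfaces of on-premises gateways")
    return warnings


# Constructed sample clusters (not real deployments).
GOOD_CLUSTER = VpnCluster(
    name="emea-cluster",
    hubs=[Device("hub-dc1", "lr-hub", {1, 2, 3}, priority=1),
          Device("pa-frankfurt", "lr-pa", {1, 2}, is_prisma_access=True, priority=2)],
    branches=[Device("branch-ams", "lr-branch", {1, 2}, private_link=True),
              Device("branch-par", "lr-branch", {1, 2})],
    vpn_address_pool="10.255.0.0/24",
    as_range=(64512, 64600),
    prisma_access_licensed=True,
)

BAD_CLUSTER = VpnCluster(
    name="bad-cluster",
    hubs=[Device("hub-dc1", "lr-hub", {1, 2}, priority=9)],   # priority out of range
    branches=[Device("branch-a", "lr-branch", {1}),           # Interface 2 missing
              Device("branch-b", "", {1, 2, 5})],             # no router, Interface 5 invalid
    vpn_address_pool="10.255.0.1/24",   # host bits set: not a valid subnet address
    as_range=(65000, 65002),            # only 3 AS numbers for 3 devices
)

if __name__ == "__main__":
    for label, cluster in (("good", GOOD_CLUSTER), ("bad", BAD_CLUSTER)):
        print(label, "errors:", validate_cluster(cluster) or "none")
        print(label, "warnings:", cluster_warnings(cluster) or "none")
```

Run the file directly to see the good cluster pass with one Private Link warning and the bad cluster fail on six distinct checks; in practice you would feed it the values you intend to enter in the VPN cluster and General Settings dialogs before selecting VPN Push.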