SD-WAN VPN Clusters
Associate SD-WAN hubs and branches within a VPN cluster.
Associate SD-WAN branch firewalls with one or
more SD-WAN hubs to enable secure communication between the branch
and hub locations. When you associate branches and hubs in an SD-WAN
VPN cluster, the firewall creates the required IKE and IPSec VPN
connections between the sites based on the type of VPN cluster you
specify.
| Setting | Description |
|---|---|
| VPN Address Pool | (PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) Add up to 20 IP address ranges (IP network with netmask) from which Panorama draws the VPN tunnel IP addresses. Panorama draws from the largest range first, then from the next largest range. Each VPN cluster member gets its tunnel IP address from the ranges you provide. You must configure at least one entry. If you upgrade from an earlier SD-WAN plugin, verify that the ranges in the VPN Address Pool are still correct and enter new ranges if they are not. After you Commit, the existing tunnels are dropped and replaced by new tunnels, so do this when cluster members are not busy. |
| Name | Enter a name that identifies the VPN cluster. |
| Type | Select the type of SD-WAN VPN cluster. Hub Spoke: an SD-WAN topology in which a centralized firewall at a primary office or location acts as the gateway between branches that connect to it over VPN. Traffic between branches passes through the hub before continuing to the target branch. |
| Branches | Add one or more branches to associate with one or more hubs. |
| Group HA Peers (Branches window) | Display branches that are HA peers next to each other. |
| Gateways | Add one or more hubs to associate with one or more branches. |
| Group HA Peers (Gateways window) | Display hubs that are HA peers next to each other. |
| Hub Failover Priority | (PAN-OS 9.1.4 and later 9.1 releases, and SD-WAN Plugin 1.0.4 and later 1.0 releases) Starting with these releases, for any new or previously existing VPN cluster that has more than one hub, you must prioritize the hubs in the Gateways window to determine which hub receives branch traffic and the order in which the remaining hubs take over on failover. A cluster supports a maximum of four hubs. Select a hub, click in the Hub Failover Priority field, and enter a priority in the range 1 to 4. When you upgrade to these releases, every existing hub gets the default priority 4. The plugin maps each priority to a BGP local preference value: the lower the priority number, the more preferred the hub and the higher its local preference. Priority 1 maps to local preference 250, priority 2 to 200, priority 3 to 150, and priority 4 to 100. Multiple hubs can share the same priority, and both members of an HA pair must have the same priority. Panorama uses the branch's BGP template to push the hubs' local preference values to the branches in the cluster. If multiple hubs in the cluster share a priority, Panorama enables ECMP in two places on each branch firewall so that the branch can load-share across those hubs: ECMP on the virtual router, and ECMP Multiple AS Support for BGP. If every hub in the cluster has a unique priority, ECMP is disabled on the branches. |
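The VPN Address Pool and Hub Failover Priority rules above are easy to get wrong by hand when a cluster is edited before a commit (an HA pair with mismatched priorities, a pool too small for the members, or a forgotten ECMP consequence of duplicate priorities). The following is an added example, not Panorama or SD-WAN plugin code, that models those documented rules as a pre-commit check. The `Hub`, `Cluster`, `validate`, `local_prefs`, `ecmp_required` and `allocate_tunnel_addresses` names are this example's own, the sample cluster is constructed, and the ordering of addresses inside a range (sequential from the first usable host, hubs before branches) is an assumption the page does not state; only the largest-range-first rule and the priority-to-local-preference mapping come from the page.

```python
"""Pre-commit sanity check for an SD-WAN VPN cluster definition.

Added example; not Panorama or SD-WAN plugin code. Rules taken from the page:
  - hub priority 1..4 maps to BGP local preference 250/200/150/100
  - at most four hubs per cluster; both members of an HA pair share a priority
  - ECMP is needed on branches only when two or more hubs share a priority
  - the pool has 1..20 ranges, drawn largest range first, one address per member
Assumptions (not on the page): addresses inside a range are handed out
sequentially from the first usable host, hubs are addressed before branches,
and equal-size ranges keep the order in which they were entered.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

PRIORITY_TO_LOCAL_PREF = {1: 250, 2: 200, 3: 150, 4: 100}
MAX_HUBS = 4
MAX_POOL_RANGES = 20


@dataclass
class Hub:
    name: str
    priority: int = 4            # default assigned to existing hubs on upgrade
    ha_peer: Optional[str] = None


@dataclass
class Cluster:
    name: str
    hubs: List[Hub]
    branches: List[str]
    address_pool: List[str]      # "network/prefix" or "network/netmask" strings


def validate(cluster: Cluster) -> List[str]:
    """Return the rule violations found; an empty list means ready to commit."""
    errors: List[str] = []
    if len(cluster.hubs) > MAX_HUBS:
        errors.append(f"{len(cluster.hubs)} hubs exceeds the maximum of {MAX_HUBS}")
    if not cluster.address_pool:
        errors.append("VPN address pool needs at least one range")
    if len(cluster.address_pool) > MAX_POOL_RANGES:
        errors.append(f"VPN address pool exceeds {MAX_POOL_RANGES} ranges")
    by_name = {h.name: h for h in cluster.hubs}
    for hub in cluster.hubs:
        if hub.priority not in PRIORITY_TO_LOCAL_PREF:
            errors.append(f"{hub.name}: priority {hub.priority} not in 1..4")
        if hub.ha_peer is not None:
            peer = by_name.get(hub.ha_peer)
            if peer is None:
                errors.append(f"{hub.name}: HA peer {hub.ha_peer} is not in the cluster")
            elif peer.priority != hub.priority:
                errors.append(f"HA pair {hub.name}/{peer.name} must share one priority")
    for entry in cluster.address_pool:
        try:
            ipaddress.ip_network(entry, strict=False)
        except ValueError:
            errors.append(f"address pool entry {entry!r} is not a valid network")
    return errors


def local_prefs(cluster: Cluster) -> Dict[str, int]:
    """BGP local preference that would be pushed to branches for each hub."""
    return {h.name: PRIORITY_TO_LOCAL_PREF[h.priority] for h in cluster.hubs}


def ecmp_required(cluster: Cluster) -> bool:
    """True when hub priorities are not unique, i.e. the branches need ECMP on
    the virtual router and ECMP Multiple AS Support for BGP."""
    prios = [h.priority for h in cluster.hubs]
    return len(prios) != len(set(prios))


def pool_ranges_largest_first(cluster: Cluster) -> List[ipaddress.IPv4Network]:
    """Order the pool the way it is drawn from: largest range first (stable sort)."""
    nets = [ipaddress.ip_network(r, strict=False) for r in cluster.address_pool]
    return sorted(nets, key=lambda n: n.num_addresses, reverse=True)


def pool_capacity(cluster: Cluster) -> int:
    """Usable host addresses across all pool ranges."""
    return sum(1 for net in pool_ranges_largest_first(cluster) for _ in net.hosts())


def pool_shortfall(cluster: Cluster) -> int:
    """How many cluster members (hubs + branches) would get no tunnel address."""
    members = len(cluster.hubs) + len(cluster.branches)
    return max(0, members - pool_capacity(cluster))


def allocate_tunnel_addresses(cluster: Cluster) -> Dict[str, str]:
    """One tunnel address per member, drawn largest range first.
    Hubs first in failover-priority order, then branches as listed (assumed order)."""
    short = pool_shortfall(cluster)
    if short:
        raise ValueError(f"pool short by {short} addresses; add ranges before commit")
    hosts = (str(ip) for net in pool_ranges_largest_first(cluster) for ip in net.hosts())
    ordered = [h.name for h in sorted(cluster.hubs, key=lambda h: (h.priority, h.name))]
    ordered += cluster.branches
    return {member: next(hosts) for member in ordered}


# Constructed sample: an HA pair of hubs at priority 1, a third hub at priority 2,
# two branches, and a pool whose second range is larger than the first.
SAMPLE = Cluster(
    name="emea-cluster",
    hubs=[Hub("hub-a", 1, ha_peer="hub-a-ha"), Hub("hub-a-ha", 1, ha_peer="hub-a"), Hub("hub-b", 2)],
    branches=["br-lon", "br-par"],
    address_pool=["172.16.100.0/24", "172.16.200.0/22"],
)

if __name__ == "__main__":
    print("validation:", validate(SAMPLE) or "ok")
    print("local preference per hub:", local_prefs(SAMPLE))
    print("ECMP needed on branches:", ecmp_required(SAMPLE))
    for member, addr in allocate_tunnel_addresses(SAMPLE).items():
        print(f"{member:10s} {addr}")
```

Run against the sample, the check reports no violations, maps the HA pair to local preference 250 and the second hub to 200, flags that the branches need ECMP because two hubs share priority 1, and hands out addresses from the /22 before touching the /24. Feed it the cluster you are about to commit instead of the sample to catch a mismatched HA pair or an exhausted pool before the tunnels are torn down.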
| Refresh IKE Key | (PAN-OS 9.1.2 and later 9.1 releases, and SD-WAN Plugin 1.0.2 and later 1.0 releases) Hubs and branches use a strong, random IKE preshared key to secure the VPN tunnels, and each firewall encrypts that preshared key with its own master key. You can refresh the IKE preshared key; after you do, you must Commit and Push to Devices to deliver the new key to the devices in the cluster. Refresh the IKE key when cluster members are not busy. |