SD-WAN VPN Clusters
Associate SD-WAN hubs and branches within a VPN cluster.
- Panorama > SD-WAN > VPN Clusters
In a hub-spoke topology, associate SD-WAN branch firewalls with one or more SD-WAN
hubs to enable secure communication between the branch and hub locations. In a full mesh
topology, associate SD-WAN branch firewalls with each other (and optionally with SD-WAN
hubs). When you associate branches and hubs in an SD-WAN VPN cluster, the SD-WAN plugin
automatically generates the required IKE and IPSec VPN connections between the sites based
on the type of VPN cluster you specify.
Field | Description |
---|---|
VPN Address Pool | |
IPv4 / IPv6 | Select the type of VPN address pool: IPv4 or IPv6. |
Member | Add up to 20 IP address ranges (an IPv4 network with netmask, or an IPv6 network with prefix length) from which Panorama draws VPN tunnel IP addresses. Panorama draws from the largest range first, then from the next largest range. Each VPN cluster member receives its tunnel IP address from the ranges you provide. You must configure at least one entry; the limit of 20 ranges applies to the IPv4 and IPv6 address pools combined. If both IPv4 and IPv6 address pools are configured, tunnel interfaces use IPv4 addresses only. If only IPv4 address pools are configured, tunnel interfaces use IPv4 addresses. If only IPv6 address pools are configured, tunnel interfaces use IPv6 addresses. If you upgrade from an earlier SD-WAN plugin, verify that the ranges in the VPN Address Pool are still correct; if they are not, enter new ranges. After you Commit a change to the pool, all existing tunnels are dropped and rebuilt with new tunnel addresses, so make the change when cluster members are not busy. |
BGP Prisma Address Pool | |
Member | Add up to 5 IP address ranges (IP network with netmask) that Panorama uses as the local BGP addresses for Prisma Access loopback interfaces. |
Add | |
Name | Enter a Name that identifies the VPN cluster. |
Type | Select the Type of SD-WAN VPN cluster (hub-spoke or full mesh). |
Authentication Type | Select the type of authentication: Pre Shared Key or Certificate. |
PQ PPK (PAN-OS 11.2.5 and later 11.2 versions, SD-WAN plugin 3.3.3 and later 3.3 versions) | Enables post-quantum IKEv2 VPNs that use RFC 8784 Post-quantum Preshared Keys (PPKs). PQ PPK is enabled by default for new VPN clusters. When enabled, the IPSec tunnels that the SD-WAN plugin autogenerates to build the SD-WAN overlay use quantum-resistant keys: the plugin automatically generates 10 strong, random PQ PPKs, each 64 bytes (128 characters) long, and on activation every autogenerated IPSec tunnel in the overlay applies them. The PQ PPK negotiation mode is set to preferred (a tunnel uses a PPK when the peer supports it and otherwise negotiates a standard IKEv2 SA) for compatibility with peers that do not support PPKs. |
Branches | Add branches to associate with each other (in a full mesh cluster) or add one or more branches to associate with one or more hubs (in a hub-spoke or full mesh cluster). |
Group HA Peers | In the Branches window, Group HA Peers to display branches that are HA peers next to each other. |
Hubs | In the Gateways window, Add one or more hubs to associate with one or more branches. |
Hub Failover Priority | For any new or existing VPN cluster that has more than one hub, you must prioritize the hubs in the Gateways window to determine which hub receives traffic and the order in which branches fail over to the remaining hubs. A cluster supports a maximum of four hubs. Select a hub, click in the Hub Failover Priority field, and enter a priority (range is 1 to 4). The plugin internally maps the priority to a BGP local preference value: the lower the priority value, the higher the priority and the higher the local preference. Multiple hubs can share the same priority, and both members of an HA pair must have the same priority. Panorama uses the branch's BGP template to push the hubs' local preference values to the branches in the cluster. If multiple hubs in the cluster share a priority, Panorama enables ECMP in two places on each branch firewall so that branches can load-share across those hubs: ECMP on the virtual router (Network > Virtual Routers > ECMP) and ECMP Multiple AS Support for BGP (Network > Virtual Routers > BGP > Advanced). If every hub in the cluster has a unique priority, ECMP is disabled on the branches. |
Allow DIA VPN | For a particular SD-WAN hub, select Allow DIA VPN to allow the hub to participate in DIA AnyPath failover. A maximum of four hubs in a VPN cluster can participate in DIA AnyPath; if those hubs are HA pairs, that is four pairs, for a total of eight hub firewalls. If you Allow DIA VPN for one HA peer in a pair, you must also enable it for the other HA peer. |
Group HA Peers | In the Gateways window, Group HA Peers to display hubs that are HA peers next to each other. |
Refresh IKE Key | Hubs and branches use a strong, random IKE pre-shared key to secure the VPN tunnels, and each firewall encrypts the pre-shared key with its master key. Refresh IKE Key generates a new pre-shared key; Commit and Push to Devices to distribute it to every device in the cluster. Because the tunnels renegotiate with the new key, Refresh IKE Key when cluster members are not busy. |
Refresh PQPPK List (PAN-OS 11.2.5 and later 11.2 versions, SD-WAN plugin 3.3.3 and later 3.3 versions) | Refreshing the PQ PPK list regenerates all 10 PQ PPKs on every SD-WAN device in the VPN cluster and updates every SD-WAN tunnel in the cluster. You must therefore push the configuration change to all hub and branch devices in the cluster so that every peer holds the same PPK list. |
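The hub failover priority, ECMP and address pool rules in the table interact in ways that are easy to get wrong when a cluster is built by hand. The following Python script is an added example, not Panorama or SD-WAN plugin code: it checks a cluster definition against the limits stated above (at least one and at most 20 pool ranges across IPv4 and IPv6, at most 5 BGP Prisma ranges, at most four hubs, priorities 1 to 4, HA peers sharing a priority and the same Allow DIA VPN setting) and derives what the plugin does with the priorities. The `local_preference` formula is an assumption that only preserves the documented ordering, the plugin's real values are not published; counting an HA pair as a single hub is an interpretation of the Allow DIA VPN text, and the sample cluster is constructed for the example.

```python
"""Added example, not Panorama or SD-WAN plugin code: checks a VPN cluster
definition against the limits in the table above and derives the BGP local
preference and ECMP behaviour that hub failover priorities produce."""
import ipaddress
from dataclasses import dataclass, field
from itertools import groupby
from typing import Dict, List, Optional, Tuple

MAX_POOL_RANGES = 20   # IPv4 and IPv6 VPN address pool ranges combined
MAX_PRISMA_RANGES = 5
MAX_HUBS = 4           # also the priority range 1..4 and the DIA AnyPath limit


@dataclass
class Hub:
    name: str
    priority: int                    # 1 = highest priority, 4 = lowest
    ha_group: Optional[str] = None   # hubs sharing an ha_group are HA peers
    allow_dia_vpn: bool = False


@dataclass
class VpnCluster:
    name: str
    ipv4_pools: List[str] = field(default_factory=list)
    ipv6_pools: List[str] = field(default_factory=list)
    prisma_bgp_pools: List[str] = field(default_factory=list)
    hubs: List[Hub] = field(default_factory=list)


def local_preference(priority: int) -> int:
    """Assumed mapping: the plugin's real values are not documented; this one
    only keeps the documented ordering (lower priority value -> higher pref)."""
    return 100 + (MAX_HUBS - priority) * 10


def tunnel_address_family(c: VpnCluster) -> Optional[str]:
    """IPv4 wins whenever an IPv4 pool exists; IPv6 is used only on its own."""
    if c.ipv4_pools:
        return "IPv4"
    return "IPv6" if c.ipv6_pools else None


def pool_draw_order(c: VpnCluster) -> List[str]:
    """Ranges in the order Panorama draws tunnel addresses: largest range first."""
    pools = c.ipv4_pools if tunnel_address_family(c) == "IPv4" else c.ipv6_pools
    nets = [ipaddress.ip_network(p, strict=False) for p in pools]
    return [str(n) for n in sorted(nets, key=lambda n: n.num_addresses, reverse=True)]


def logical_hubs(c: VpnCluster) -> Dict[str, List[Hub]]:
    """Group HA peers; an HA pair is counted as one hub (interpretation of the
    Allow DIA VPN text: four hubs, or eight firewalls when they are HA pairs)."""
    groups: Dict[str, List[Hub]] = {}
    for h in c.hubs:
        groups.setdefault(h.ha_group or h.name, []).append(h)
    return groups


def validate(c: VpnCluster) -> List[str]:
    errors = []
    n_pools = len(c.ipv4_pools) + len(c.ipv6_pools)
    if n_pools == 0:
        errors.append("VPN address pool: at least one range is required")
    if n_pools > MAX_POOL_RANGES:
        errors.append(f"VPN address pool: {n_pools} ranges exceeds {MAX_POOL_RANGES}")
    if len(c.prisma_bgp_pools) > MAX_PRISMA_RANGES:
        errors.append(f"BGP Prisma address pool: more than {MAX_PRISMA_RANGES} ranges")
    groups = logical_hubs(c)
    if len(groups) > MAX_HUBS:
        errors.append(f"{len(groups)} hubs exceeds the maximum of {MAX_HUBS}")
    for h in c.hubs:
        if not 1 <= h.priority <= MAX_HUBS:
            errors.append(f"{h.name}: priority {h.priority} is outside 1-{MAX_HUBS}")
    for name, peers in groups.items():
        if len({p.priority for p in peers}) > 1:
            errors.append(f"HA pair {name}: peers must share one priority")
        if len({p.allow_dia_vpn for p in peers}) > 1:
            errors.append(f"HA pair {name}: Allow DIA VPN must match on both peers")
    if sum(peers[0].allow_dia_vpn for peers in groups.values()) > MAX_HUBS:
        errors.append(f"more than {MAX_HUBS} hubs allow DIA VPN")
    return errors


def ecmp_enabled(c: VpnCluster) -> bool:
    """ECMP on the virtual router plus BGP Multiple AS Support are pushed to
    branches only when two different hubs share a failover priority."""
    prios = [peers[0].priority for peers in logical_hubs(c).values()]
    return len(prios) != len(set(prios))


def failover_order(c: VpnCluster) -> List[Tuple[int, List[str]]]:
    """Branch path selection: (local_pref, hubs) from preferred to last resort;
    hubs listed together are equal-cost paths."""
    ordered = sorted(logical_hubs(c).items(), key=lambda kv: kv[1][0].priority)
    return [(local_preference(p), [name for name, _ in grp])
            for p, grp in groupby(ordered, key=lambda kv: kv[1][0].priority)]


# Constructed sample: an HA hub pair at priority 1, two standalone hubs at
# priority 2 (which forces ECMP), and a DIA VPN mismatch on the HA pair.
SAMPLE = VpnCluster(
    name="corp-hub-spoke",
    ipv4_pools=["10.255.0.0/24", "10.254.0.0/22"],
    ipv6_pools=["fd00:1::/64"],   # ignored for tunnel IPs while an IPv4 pool exists
    hubs=[Hub("hub-dc1-a", 1, "dc1", True), Hub("hub-dc1-b", 1, "dc1", False),
          Hub("hub-dc2", 2), Hub("hub-dc3", 2)],
)

if __name__ == "__main__":
    print(tunnel_address_family(SAMPLE), pool_draw_order(SAMPLE))
    print("ECMP enabled:", ecmp_enabled(SAMPLE), failover_order(SAMPLE))
    print("\n".join(validate(SAMPLE)) or "no errors")
```

Run it before a Commit and Push: the sample reports the DIA VPN mismatch on the `dc1` pair, shows that the /22 is drawn from before the /24, and that the two priority-2 hubs turn ECMP on for every branch, which is worth knowing because ECMP changes how a branch spreads flows across hubs and therefore which hub's security policy and logs a given session lands on.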
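The PQ PPK and Refresh PQPPK List rows say that a refresh updates every tunnel and that the change must be pushed to every hub and branch. The following Python script is an added example, not SD-WAN plugin code, that shows why, using the key mixing defined in RFC 8784: it builds a PPK list of the documented shape (10 keys of 64 bytes), folds one PPK into the IKEv2 keys SK_d, SK_pi and SK_pr with prf+, and then plays out what happens when a hub has the refreshed list while a branch still has the old one, under both the preferred mode the plugin uses and the mandatory mode. HMAC-SHA256 as the prf, the `label/NN` PPK_ID format and the random stand-in for the SKEYSEED-derived keys are all assumptions made for the example.

```python
"""Added example, not SD-WAN plugin code: models the RFC 8784 post-quantum
preshared key (PPK) list the plugin generates and shows how a PPK is folded
into the IKEv2 keys, which is why a PPK list refresh touches every tunnel in
the cluster and must be pushed to every hub and branch."""
import hmac
import secrets

PPK_COUNT = 10
PPK_LEN = 64   # bytes (128 hex characters), the size the plugin generates


def generate_ppk_list(label="list", count=PPK_COUNT, length=PPK_LEN):
    """Constructed {PPK_ID: PPK} list. The plugin's PPK_ID format is not
    documented; 'label/NN' is an assumption made for this example."""
    return {f"{label}/{i:02d}": secrets.token_bytes(length) for i in range(count)}


def prf_plus(key, seed, length, hash_name="sha256"):
    """prf+ from RFC 7296 section 2.13 with HMAC-SHA256 as the prf (assumed)."""
    out, t, i = b"", b"", 1
    while len(out) < length:
        t = hmac.new(key, t + seed + bytes([i]), hash_name).digest()
        out += t
        i += 1
    return out[:length]


def apply_ppk(ppk, sk_d, sk_pi, sk_pr):
    """RFC 8784 section 3.2: once IKE_SA_INIT has produced the normal keys,
    SK_d, SK_pi and SK_pr are re-derived with the PPK as the prf key; the
    IKE SA's own SK_e*/SK_a* keys are left unchanged."""
    return (prf_plus(ppk, sk_d, len(sk_d)),
            prf_plus(ppk, sk_pi, len(sk_pi)),
            prf_plus(ppk, sk_pr, len(sk_pr)))


def negotiate(init_ppks, resp_ppks, ppk_id, base_keys, mode="preferred"):
    """Outcome of one IKEv2 SA setup between two peers holding PPK lists.
    mandatory: the SA fails unless the responder holds the same PPK_ID.
    preferred: the initiator also sends NO_PPK_AUTH, so a responder that does
    not know the PPK_ID completes a standard, non-PQ SA (RFC 8784 section 3.1).
    Returns (ppk_used, keys) where keys are the ones both sides end up with."""
    sk_d, sk_pi, sk_pr = base_keys
    init_keys = apply_ppk(init_ppks[ppk_id], sk_d, sk_pi, sk_pr)
    if ppk_id not in resp_ppks:
        if mode == "mandatory":
            raise RuntimeError(f"AUTHENTICATION_FAILED: responder lacks PPK_ID {ppk_id}")
        return False, base_keys
    resp_keys = apply_ppk(resp_ppks[ppk_id], sk_d, sk_pi, sk_pr)
    if resp_keys != init_keys:   # AUTH payloads computed with different SK_p* keys
        raise RuntimeError(f"AUTHENTICATION_FAILED: PPK_ID {ppk_id} maps to different keys")
    return True, init_keys


def refresh_scenario(mode="preferred"):
    """A hub received a refreshed PPK list, one branch still holds the old one.
    Returns (ppk used while in sync, keys changed by the PPK, ppk used when
    stale); the stale value is None when the SA could not be established."""
    old, new = generate_ppk_list("v1"), generate_ppk_list("v2")
    # Constructed stand-in for the SKEYSEED-derived keys; a real exchange
    # derives them from the nonces and the (EC)DH shared secret.
    base = tuple(secrets.token_bytes(32) for _ in range(3))
    in_sync, keys = negotiate(old, old, "v1/03", base, mode)
    try:
        stale, _ = negotiate(old, new, "v1/03", base, mode)
    except RuntimeError:
        stale = None
    return in_sync, keys != base, stale


if __name__ == "__main__":
    print("preferred:", refresh_scenario("preferred"))   # (True, True, False)
    print("mandatory:", refresh_scenario("mandatory"))   # (True, True, None)
```

The two outcomes are the practical caveat behind the push requirement: in the plugin's preferred mode a branch that missed the push keeps its tunnels up but silently falls back to an SA without post-quantum protection, while in mandatory mode the tunnel simply fails to come up. Either way, a Refresh PQPPK List is only complete once every hub and branch in the cluster has received and committed the new list.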