Add a Standard VPN Endpoint
Let's learn how to add third-party (standard) VPN endpoints in Prisma SD-WAN.
Where Can I Use This?
  • Prisma SD-WAN
What Do I Need?
  • Active Prisma SD-WAN license
A service endpoint is a label representing a specific location or network service. It can be Prisma SD-WAN data centers for transit services or third-party data centers.

Add a Standard VPN Endpoint

  1. Select Manage > Resources > Service & DC Groups.
  2. Select Manage Endpoints to add an endpoint.
  3. Select Standard VPN from the drop-down and click Add Endpoint.
    All Palo Alto Networks data center sites are automatically added with Admin Up selected, which means they can accept traffic per network policy. These endpoints cannot be deleted from the list. You can clear the Admin Up selection to remove the endpoints from consideration when the system performs path selection per the defined network policy rules.
  4. Enter a Name, and optionally, a Description for the service endpoint.
  5. Select Admin Up to bring it up.
    If you do not select Admin Up, the endpoint is not used in path selection for forwarding traffic.
  6. (Optional) Select Allow Enterprise Traffic to explicitly allow enterprise traffic to transit through the Cloud Security Service.
  7. By default, the Prisma Access check box is selected for endpoints created through Easy Onboarding. This check box informs the Site Configuration and Overlay Connections page on the Prisma SD-WAN web interface that VPNs with this endpoint connect to Prisma Access. For manually created endpoints, ensure you select the check box for Prisma Access.
  8. (Optional) Click on each of the options in the ellipses to add values for Address, IPs & Hostnames, and Liveliness Probes.
    • Select Address to enter the address of the endpoint location.
    • Select IPs & Hostnames and add their values. By default, the Disable Tunnel Reoptimization option is off, allowing tunnel reoptimization for latency changes.
      When multiple IP addresses or URLs are configured under a Standard VPN endpoint, the ION device probes each endpoint IP address (resolving any configured URLs first) to determine the lowest-latency endpoint. After the lowest-latency endpoint is determined, the ION device builds the Standard VPN tunnel to that IP address. If the configured liveliness check fails, it uses the next-lowest-latency endpoint IP address in the list. Additionally, the ION device tracks the current latency to each endpoint IP address, and, if there is a significant change in latency between the current endpoint and the closest endpoint, the tunnel is moved.
    • Select Liveliness Probe and configure the following:
      • ICMP PING: Set the probing interval, failure count, and IP address (up to four configurations).
      • HTTP: Define the probing interval, failure count, HTTP status codes, and URL (up to four configurations).
      • Enable DNS Liveliness in Tunnel to resolve DNS for HTTP probes over the service tunnel instead of using WAN interface DNS servers.
        The Enable DNS Liveliness in Tunnel option enhances HTTP probe reliability in the ION devices by performing DNS lookups directly over the Service Link tunnel instead of relying on WAN interface DNS servers. Previously, ION devices sent DNS requests to all interfaces, using the first response received, which could lead to incorrect probe targeting or failures due to misconfigured or unreachable DNS servers.
  9. Save & Exit the endpoints dialog.
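The IP/hostname selection, liveliness fall-through and tunnel re-optimization behaviour described in step 8 can be followed more easily in code. The block below is an added example written for this page, not Prisma SD-WAN or ION device code. Everything in it is constructed: the hostnames and IP addresses, the latency samples, the probe outcomes, the `FAKE_DNS` table standing in for resolution, the interpretation of "failure count" as consecutive failed probes, and the 20 ms re-optimization threshold (the page does not state what the device treats as a "significant" latency change).

```python
# Added example (not Prisma SD-WAN code): a simulation of Standard VPN endpoint
# selection as described in the Prisma SD-WAN documentation. All sample data,
# names and thresholds below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for resolving hostnames configured under the endpoint;
# a real ION device performs this resolution itself.
FAKE_DNS = {"vpn-east.example.test": "198.51.100.10",
            "vpn-west.example.test": "198.51.100.20"}


def resolve(entry: str) -> str:
    """Return an IP for an IP-or-hostname entry (hostnames looked up in FAKE_DNS)."""
    return FAKE_DNS.get(entry, entry)


@dataclass
class LatencySample:
    address: str
    latency_ms: Optional[float]  # None means the latency probe got no answer


def rank_by_latency(samples):
    """Reachable addresses ordered lowest latency first; unanswered probes are dropped."""
    reachable = [s for s in samples if s.latency_ms is not None]
    return [s.address for s in sorted(reachable, key=lambda s: s.latency_ms)]


def http_probe_ok(status_code: int, expected_codes) -> bool:
    """An HTTP liveliness probe passes only when the status is one of the configured codes."""
    return status_code in expected_codes


def liveliness_down(outcomes, failure_count: int) -> bool:
    """Assumed semantics: the target is down once the last `failure_count` probes all failed."""
    if failure_count <= 0 or len(outcomes) < failure_count:
        return False
    return not any(outcomes[-failure_count:])


def select_endpoint(samples, probe_outcomes, failure_count: int):
    """Lowest-latency address whose liveliness check has not failed, else the next one."""
    for address in rank_by_latency(samples):
        if not liveliness_down(probe_outcomes.get(address, []), failure_count):
            return address
    return None


def should_reoptimize(current, samples, probe_outcomes, failure_count,
                      threshold_ms, reoptimization_disabled=False):
    """Return the address to move the tunnel to, or None to stay put.
    Moves when the current endpoint is unreachable/down, or when the best live
    endpoint beats it by more than threshold_ms (constructed hysteresis value).
    With Disable Tunnel Reoptimization on, latency changes never move the tunnel."""
    if reoptimization_disabled:
        return None
    best = select_endpoint(samples, probe_outcomes, failure_count)
    if best is None or best == current:
        return None
    latency = {s.address: s.latency_ms for s in samples if s.latency_ms is not None}
    current_dead = current not in latency or liveliness_down(
        probe_outcomes.get(current, []), failure_count)
    if current_dead or latency[current] - latency[best] > threshold_ms:
        return best
    return None


def demo():
    """Walk through one constructed scenario; returns the decisions for inspection."""
    entries = ["vpn-east.example.test", "vpn-west.example.test", "203.0.113.5"]
    east, west, third = (resolve(e) for e in entries)
    initial = [LatencySample(east, 45.0), LatencySample(west, 30.0), LatencySample(third, 80.0)]
    # HTTP liveliness probes (expected code 200): the 30 ms endpoint answered 503 three times.
    probes = {west: [http_probe_ok(c, (200,)) for c in (200, 503, 503, 503)],
              east: [http_probe_ok(c, (200,)) for c in (200, 200, 200, 200)]}
    chosen = select_endpoint(initial, probes, failure_count=3)
    # Later samples: the current endpoint degrades while the 80 ms one improves.
    later = [LatencySample(east, 120.0), LatencySample(west, 30.0), LatencySample(third, 40.0)]
    moved_to = should_reoptimize(chosen, later, probes, 3, threshold_ms=20.0)
    stays = should_reoptimize(chosen, later, probes, 3, threshold_ms=20.0,
                              reoptimization_disabled=True)
    return {"chosen": chosen, "moved_to": moved_to, "with_reopt_disabled": stays}


if __name__ == "__main__":
    print(demo())
```

In the scenario, the 30 ms entry is skipped because its HTTP probe has failed three times in a row, so the 45 ms entry is selected first; once its latency rises to 120 ms while a live 40 ms alternative exists, the tunnel moves, unless Disable Tunnel Reoptimization is set, in which case the device stays on the current endpoint.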