Focus

SD-WAN Administrator’s Guide

Create a VPN Cluster

Table of Contents

Create a VPN Cluster

Create a VPN cluster to group branches and hubs that communicate with each other into a logical group.

In your SD-WAN configuration, you must configure one or more VPN clusters to determine which branches communicate with which hubs and creates a secure connection between the branch and hub devices. VPN clusters are logical groupings of devices, so consider things such as geographical location or function when logically grouping your devices.

PAN-OS^® supports both hub-spoke and full mesh SD-WAN VPN topologies. In a hub-spoke topology, a centralized firewall hub at a primary office or location acts as the gateway between branch devices. The hub-to-branch connection is a VPN tunnel. In this configuration, traffic between branches must pass through the hub.

The first time you Configure a Virtual SD-WAN Interface with direct internet access (DIA) links for an SD-WAN hub or branch firewall, a VPN cluster called autogen_hubs_cluster is automatically created and the SD-WAN firewall is automatically added to the VPN cluster. This allows the Panorama™ management server to Monitor SD-WAN Application and Link Performance for devices that are protected by the SD-WAN firewall and accessing resources outside of your corporate network. Additionally, any SD-WAN firewall with DIA links that you configure in the future are automatically added to the autogen_hubs_cluster VPN cluster containing all hubs and branches with DIA links to allow Panorama to monitor application and link performance. The autogen_hubs_cluster is purely for monitoring application and link health, and not to create VPN tunnels between the hubs and branches with DIA links. If you need to connect hubs and branches with VPN tunnels, you must create a new VPN cluster and add all the required hubs and branches to that cluster.

A strong, random IKE preshared key is created for all hubs and branches in the VPN cluster to secure the VPN tunnels, and each firewall has a master key that encrypts the preshared key. The system secures the preshared key, even from the administrator. You can refresh the IKE preshared key, which Panorama sends to all members of the cluster.

Refresh the preshared key when cluster members are not busy.

After the SD-WAN Plugin is upgraded to 2.1.0, the hub and branch firewalls in a single VPN cluster must all run either PAN-OS 10.0.4 (or a later 10.0 release) or 10.1.0, not a combination of the two releases.

When viewing VPN clusters, if no data is present or the screen indicates that SD-WAN is undefined, check in the Compatibility Matrix that the Panorama release you are using supports the SD-WAN plugin release you are trying to use.

Plan your branch and hub VPN topology to determine which branches communicate with each of your hubs. For more information, see Plan Your SD-WAN Configuration.
Log in to the Panorama Web Interface.
Specify IP address ranges for the IPSec VPN tunnels that Auto VPN configuration creates.

Auto VPN configuration creates a VPN tunnel between a hub and branches and assigns IP addresses to the tunnel endpoints. Enter subnet ranges that you want Auto VPN to use as VPN tunnel addresses. You can enter up to 20 IP prefix/netmask ranges. Auto VPN draws from that pool for VPN tunnel addresses, drawing from the largest range first (and then drawing from the next largest range when necessary). You must configure at least one range for the pool. If you don’t perform this step before pushing the configuration to a hub or branch, the Commit and Push will fail.

If you upgrade from an earlier SD-WAN Plugin release, you must check that your ranges are still correct. If it is not, enter new ranges. After you Commit, all tunnels are dropped and new tunnels are used, so perform this task during a time you have low traffic.
1. Select PanoramaSD-WANVPN Clusters.
2. At the bottom of the screen, select VPN Address Pool.
3. Add one or more (up to 20) Member IP address and netmask ranges, for example, 192.168.0.0/16.
4. Click OK.
  Do not simply change an existing address pool if Prisma Access is onboarded. If you need to change an address pool, perform the following steps during a maintenance window to update the branch and the Prisma Access CN with your address pool changes:
  Use Panorama to access an SD-WAN branch and delete the existing onboarding that the address pool change will impact; then do a local Commit.
  Update the VPN address pool, and then do a local Commit.
  Perform the Prisma Access onboarding again, and then do a local Commit and Push.
Configure the VPN cluster. Repeat this step to create VPN clusters as needed.
1. Select PanoramaSD-WANVPN Clusters and Add a VPN cluster.
2. Enter a descriptive name for the VPN cluster.
  
  Underscores and spaces are not supported in the VPN cluster name and result in monitoring (PanoramaSD-WANMonitoring) data for the cluster not to be displayed. Choose the name of the VPN cluster carefully so you do not need to change the name in the future. SD-WAN monitoring data is generated based on the old cluster name and cannot be reconciled to a new cluster name, and will cause issues with the number of reported clusters when monitoring your VPN clusters or generating reports.
3. Select the VPN cluster Type.
  
  Only Hub-Spoke VPN cluster type is supported in PAN-OS 10.0.2 and earlier 10.2 releases. Beginning with PAN-OS 10.0.3, you can Create a Full Mesh VPN Cluster with DDNS Service.
4. Add one or more branch devices that you determined need to communicate with each other.
  Select Group HA Peers to display the branch devices that are HA peers together.
  
  Select the branch devices to add to the cluster.
  Click OK.
5. Add one or more hub devices that you determined need to communicate with the branch devices.
  Up to four SD-WAN hub firewalls can be added to a VPN cluster. SD-WAN hubs in an HA configuration are considered as a single SD-WAN hub firewall.
  
  MPLS and satellite link types will form tunnels with only the same link type; for example, MPLS-to-MPLS and satellite-to-satellite. Tunnels will not be created between an MPLS link and an Ethernet link, for example.
  Select Group HA Peers to display the hub devices that are HA peers together.
  Select the hubs to add to the cluster and click OK.
  
  For any new or previously existing VPN cluster that has more than one hub, you must prioritize the hubs to determine a) that traffic be sent to a particular hub, and b) the subsequent hub failover order. The hub failover priority range is 1 to 4. If you upgrade, the default priority is set to 4. The plugin internally translates the hub failover priority to a BGP local preference number as shown in the following table. The lower the priority value, the higher the priority and local preference. A cluster supports a maximum of four hubs. An active/passive HA pair counts as one hub. Multiple hubs can have the same priority; an HA pair must have the same priority. Panorama uses the branch’s BGP template to push the local preference of the hubs to the branches in the cluster.
  
  Hub Failover Priority Local Preference
  
  1
  250
  
  2
  200
  
  3
  150
  
  4
  100
  
  If multiple hubs have the same priority, Panorama enables ECMP in two places on each branch firewall to determine how branches select the path. ECMP is enabled for the virtual router (NetworkVirtual RoutersECMP) and ECMP Multiple AS Support is enabled for BGP (NetworkVirtual RoutersBGPAdvanced).If all hubs in the cluster have a unique priority, ECMP is disabled on the branches. If a hub priority configuration changes, Panorama reevaluates whether to enable or disable ECMP.
  
  If you selected Group HA Peers, select the pair and click in the Hub Failover Priority field; enter a single Priority (range is 1 to 4), which applies to both hubs in the HA pair, and click OK.
  
  The Hub Failover Priority for HA Peers window appears only for configured HA pairs. If you add a new HA pair, you must configure the Hub Failover Priority for each of the two new peers independently.
  
  You will get an error message if you assign different priorities to hubs that are ungrouped HA peers and then you select Group HA Peers and Submit.
  
  For hubs that are not HA pairs, select a hub and click in the Hub Failover Priority field; enter a priority (range is 1 to 4).
6. Click OK to save the VPN cluster.
Advertise additional prefixes at the branch to the hub.

The firewall automatically redistributes (advertises) all non-public, connected routes from the branch to the hub. You can also redistribute any additional prefixes from the branch to the hub. The Prefix(es) to Redistribute field accepts a list of prefixes, rather than just a single prefix.
1. Select PanoramaSD-WANDevices and select a branch firewall.
2. Select BGP and Add one or more IP addresses with netmask to Prefix(es) to Redistribute.
3. Click OK.
Commit and Commit to Panorama.
(SD-WAN Plugin 2.0.1 and later 2.0 releases) If your hub firewalls in a hub-spoke VPN cluster have DHCP or PPPoE interfaces, you must use DDNS. Select NetworkInterfacesEthernet and in the Template field, select Template-stack for a hub.
(SD-WAN Plugin 2.0.1 and later 2.0 releases) Select the interfaces whose IP address indicates Dynamic-DHCP Client or PPPOE, click Override on the bottom of the screen, and click OK to close.
(SD-WAN Plugin 2.0.1 and later 2.0 releases) Verify on Panorama that the DDNS settings were configured.
1. Select NetworkInterfacesEthernet and select the same interface again.
2. Select AdvancedDDNS.
3. See that the DDNS settings were automatically configured with a Hostname and the Vendor set to Palo Alto Networks DDNS.
4. Click OK.
(SD-WAN Plugin 2.0.1 and later 2.0 releases) Commit and Commit to Panorama.
Push the configuration to the hub(s).

When Panorama creates virtual SD-WAN interfaces for hubs, Panorama doesn't necessarily create the interfaces using contiguous interface numbers. It might randomly skip an interface number, for example, sdwan.921, sdwan.922, sdwan.924, sdwan.925. Despite the discontiguous numbering, Panorama creates the correct number of SD-WAN interfaces. Use the operational CLI command show interface sdwan? to see the SD-WAN interfaces.
1. Select Commit and Push to Devices.
2. Edit Selections on the lower left side of the screen.
3. Deselect Filter Selected.
4. Click on Deselect All.
5. Select your hub Device Group. Select Include Device and Network Templates at the bottom of the screen. You must push to hubs before pushing to branches.
  Most branches have dynamic IP addresses through their service providers, so branches must initiate the IKE/IPSec connection because the hub doesn’t have the branches’ IP address.To ensure that the hub is ready to receive the IKE/IPSec connections, the hub’s configuration must be committed and pushed before the branch’s configuration. Thus, when the branch configurations are pushed and the branches initiate the connection to the hub, the hub is ready.
6. Select the Templates tab and Deselect All.
7. The Push Scope is the Device Group. Push the configuration to the hub(s).
Push the configuration to the branch(es) by repeating the prior step, but selecting your branch Device Group.
Refresh the IKE preshared key.

If you need to change the current IKE key that is used to secure the IPSec connections between VPN cluster devices, perform this step to randomly generate a new key for the cluster.

Perform this step when cluster members are not busy.
1. Select PanoramaSD-WANVPN Clusters and select a cluster.
2. At the bottom of the screen, select Refresh IKE Key.
3. A message appears notifying you that Refreshing the IKE key will generate a new security association (SA) for every SD-WAN firewall in the VPN cluster. This may cause a service disruption. Do you wish to continue? Yes | No Select Yes if you wish to continue.
4. Commit.
  
  After you Refresh IKE Key, you must commit to the entire cluster; a partial commit will bring down tunnels.
5. Push to Devices.

Hub Failover Priority	Local Preference
1	250
2	200
3	150
4	100

Configure HA Devices for SD-WAN

Create a Full Mesh VPN Cluster with DDNS Service