In an Auto VPN configuration, you can now add Prisma Access as a hub to the VPN
cluster.
To configure Auto VPN, you must create a VPN cluster to determine which branch
firewalls communicate with which gateway devices and to automatically create
secure connections between the gateway and branch firewalls.
VPN clusters are logical groupings of managed firewalls that support a hub and spoke
topology, so consider such things as geographical location or function when
logically grouping your firewalls.
You can now add Prisma Access as a hub to your VPN cluster while configuring
Auto VPN. The Prisma Access hub automatically creates VPN tunnels between hub/branch
locations and one or more Prisma Access Remote Networks nodes. The Prisma Access hub
operates like a datacenter hub where you can specify traffic distribution.
In the hub-and-spoke topology, Prisma Access hub support enables you to connect
PAN-OS firewalls with Prisma Access compute nodes (CNs) to achieve cloud-based
security.
In an Auto VPN configuration, it is mandatory to configure at least one hub
(on-premises hub or Prisma Access hub) and one branch firewall.
- When you use the Prisma Access hub in your topology, you must configure only a
non-private interface, as Prisma Access can connect only through non-private
interfaces.
- When configuring branches to connect to Remote Network compute nodes, you can
select only the regions (Location) and compute nodes (IPSec Termination Node)
that are already configured (in Remote Network Setup).
You can add the Prisma Access hub to the VPN cluster with or without SD-WAN enabled
on the branch firewalls.
When choosing a Prisma Access hub to connect with the next-generation firewalls,
ensure that all the branch next-generation firewalls are connected to the
(geographically) nearest Prisma Access remote network node.
Regardless of whether the hub is a Prisma Access remote network node or a
next-generation firewall, the routing configuration is automatically generated
when Auto VPN is configured. This includes creating the IPSec tunnels between your
gateway and branch devices and automatically generating the Border Gateway
Protocol (BGP) configurations.