Next-Generation Firewall
Configure Auto VPN
Create a VPN cluster to logically group hub and branch firewalls and automatically secure connections between these devices.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | One of these: |
To configure Auto VPN, you must create a VPN cluster to determine which branch firewalls communicate with which gateway devices and to automatically create secure connections between the gateway and branch firewalls. VPN clusters are logical groupings of managed firewalls that support a hub-and-spoke topology, so consider factors such as geographical location or function when logically grouping your firewalls. An autogenerated VPN configuration provides secure connectivity for up to 500 devices.
The routing configuration is automatically generated when Auto VPN is configured. This includes creating the IPSec tunnels between your gateway and branch devices, and autogenerating the Border Gateway Protocol (BGP) AS number and Router ID.
For HA deployments, Auto VPN automatically generates an appropriate configuration for the active and passive HA peers (for both branch and hub HA pairs). This keeps the active and passive device configurations in synchronization and thus enables seamless HA failovers between the HA pairs. Auto VPN can distinguish between individual and HA hub/branch devices and generates the appropriate configuration for the HA pairs automatically.
For Auto VPN to generate the configuration on hub/branch HA pairs automatically, you must ensure the following:
- Both peers of a hub/branch HA pair must be part of the same VPN cluster. Otherwise, a commit error is thrown.
- The VPN cluster configuration (such as interfaces) must be the same on both peers of the hub/branch HA pair.
- Log in to Strata Cloud Manager.
- Review all pending configuration changes. The Auto VPN push is a specialized push that includes all pending configuration changes on Strata Cloud Manager. Before you continue, Palo Alto Networks recommends reviewing all pending configuration changes to ensure they are ready to be pushed.
- Configure the Layer 3 Ethernet interfaces and logical routers.
  - Configure a Layer 3 Interface. The Layer 3 Ethernet interface can be a static, DHCP, or PPPoE interface. Repeat this step to configure as many Layer 3 Ethernet interfaces as needed. Only Layer 3 interfaces are supported for configuring Auto VPN.
  - Configure a Logical Router. Associate the Layer 3 Ethernet interfaces you created in the previous step with the logical router. Repeat this step to configure as many logical routers as needed.
- Select Manage > Configuration > NGFW and Prisma Access > Global Settings > Auto VPN and Add VPN Cluster. You must be in the Global configuration scope to configure the Global Settings.
- Enter a descriptive Name for the VPN cluster.
- (SD-WAN only) Enable the VPN cluster for SD-WAN.
- Configure one or more hub firewalls. The hub firewall can be either an on-premises firewall or a Prisma Access remote network. A hub firewall initiates and terminates VPN connections across your branch firewalls. Add at least one hub firewall to create a VPN cluster.
  - Add Hub devices.
  - (To add an on-premises firewall as a hub) Select and Add a managed firewall to act as a hub firewall. You can select multiple firewalls if you want to add multiple hub firewalls to the VPN cluster. Adding multiple hub firewalls allows you to specify a hub firewall priority in the event one firewall is down and unable to act as the hub firewall.
  - (To add Prisma Access as a hub) With Prisma Access support, on-premises firewalls and cloud security platforms work together to provide a complete solution with consistent security policy rules managed by Strata Cloud Manager. In the hub-and-spoke topology, Prisma Access hub support enables you to connect PAN-OS firewalls with Prisma Access compute nodes (CNs) to achieve cloud-based security. In a VPN cluster, you must configure at least one hub and one branch firewall, where the hub can be either an on-premises hub or a Prisma Access hub. You need a valid Prisma Access license (along with the AIOps for NGFW Premium license) to add a Prisma Access remote network as a hub. Without a Prisma Access license, the option to add a Prisma Access remote network as a hub is not available. To add a Prisma Access remote network as a hub:
    - (Mandatory) Allocate bandwidth (Workflows > Prisma Access Setup > Remote Networks > Bandwidth Management) for the compute location to which the location maps.
    - In Prisma Access, select Use Prisma Access As Hub to Add the Prisma Access remote network to act as a hub firewall. You can select multiple Prisma Access remote networks to act as hubs if you want to add multiple Prisma Access hubs to the VPN cluster.
  - Select the Logical Router.
  - Select a BGP Redistribution Profile. The predefined All-Connected-Routes BGP redistribution profile provides the tunnel and route peering configuration required for connectivity, and also completes route advertisements to allow for branch-to-branch communication.
  - Select the interfaces (Interfaces 1 - 4) to send traffic through. At a minimum, you must select interfaces for Interface 1 and Interface 2.
  - (Optional) Select the MPLS Private Link. If you select a private link, then the IPSec tunnel is created only for the Private Link between the hub firewalls and branch firewalls.
  - Select the Priority. The range is 1 through 8, where 1 is the highest priority and 8 is the lowest.
- Configure the branch devices. These are the branch firewalls for which the hub firewall initiates and terminates VPN connections across the other branch firewalls in the VPN cluster.
  - Add Branch devices.
  - Select and Add managed firewalls.
  - Select the Logical Router.
  - Select the BGP Redistribution Profile. The predefined All-Connected-Routes BGP redistribution profile provides the tunnel and route peering configuration required for connectivity, and also completes route advertisements to allow for branch-to-branch communication.
  - (Optional) (Only for a Prisma Access hub) Enable a static route from the branch firewall to the Prisma Access hub. By default, Enable static route to Prisma Access is enabled when you have a Prisma Access hub in your topology. When Enable static route to Prisma Access is enabled, it routes the traffic between the Prisma Access hub and the branch firewalls. Disable this option to add your own routes. To enable a static route to a Prisma Access remote network, note the following:
    - You can select only the regions (Location) and compute nodes (IPSec Termination Node) that are already configured in Remote Network Setup. If you need static routing, first complete the Location and IPSec Termination Node configuration in Remote Network Setup (Workflows > Prisma Access Setup > Remote Networks) and then return to this task.
    When Enable static route to Prisma Access is enabled, assign the Prisma Access Location and IPSec Termination Node to a remote network:
    - Select the Prisma Access Location where the Prisma Access hub is located.
    - Select the IPSec Termination Node that you want to use for this remote network. Prisma Access uses this node to associate remote network locations with compute locations.
  - (Optional) Select the Link Tag you created for the branch virtual interface, which Auto VPN will assign to the virtual interface. You’ll use this link tag in a traffic distribution profile to allow the branch to participate in DIA AnyPath.
  - Select the interfaces (Interfaces 1 - 4) to send traffic through. At a minimum, you must select interfaces for Interface 1 and Interface 2.
  - (Optional) Select the MPLS Private Link. If you select a private link, then the IPSec tunnel is created only for the Private Link between the hub firewalls and branch firewalls. When you use a Prisma Access hub in your topology, you must configure only a non-private interface, because Prisma Access can connect only through non-private interfaces. Even if you select MPLS Private Link for a VPN cluster that contains Prisma Access as the hub, the private interfaces are not used to connect to the Prisma Access hub. The private interfaces only connect to other private interfaces in on-premises gateways in the VPN cluster.
  - Save.
- Select and edit the General Settings to configure the VPN Address Pool and AS Number Range. The VPN address pool must be a valid subnet address.
  - Specify an AS Number Range between 64512 and 65534. The AS number range must be larger than the number of devices in the VPN cluster.
  - Enable mesh connection between hubs to establish a mesh connection between the hubs (on-premises firewalls and Prisma Access) in the VPN cluster.
- Select Push Config > VPN Push. VPN Push is available only when configuring Auto VPN, to push the automatically generated VPN configuration created when you create a VPN cluster. The VPN Push includes all pending configuration changes on Strata Cloud Manager. Verify that any pending configuration changes are ready to be pushed.
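As an added example that is not Palo Alto Networks code, the following Python check encodes the constraints this procedure and the HA requirements above state (at least one hub and one branch, Interface 1 and Interface 2 selected, hub priority 1 through 8, HA peers in the same cluster with matching cluster settings, a valid VPN address pool subnet, and an AS number range within 64512 through 65534 that is larger than the device count), so a cluster definition can be reviewed before the VPN Push instead of failing at commit. The dictionary layout, device names and addresses are assumptions constructed for the example, not the Strata Cloud Manager schema.

```python
# Added example (not Palo Alto Networks code): a pre-push sanity check that encodes
# the Auto VPN cluster constraints stated in this procedure. The dict layout is a
# constructed assumption, not the Strata Cloud Manager configuration schema.
import ipaddress

PRIVATE_ASN_MIN, PRIVATE_ASN_MAX = 64512, 65534  # AS Number Range limits from the procedure

def check_vpn_cluster(cluster):
    """Return a list of problems; an empty list means the cluster passes every check."""
    problems = []
    hubs, branches = cluster.get("hubs", []), cluster.get("branches", [])
    devices = hubs + branches
    by_name = {d["name"]: d for d in devices}
    if not hubs or not branches:  # at least one hub and one branch are mandatory
        problems.append("cluster needs at least one hub and one branch")
    for dev in devices:
        # Interface 1 and Interface 2 must be selected on every hub and branch.
        if len(dev.get("interfaces", [])) < 2:
            problems.append(f"{dev['name']}: Interface 1 and Interface 2 must both be selected")
        # Hub priority ranges from 1 (highest) through 8 (lowest).
        if dev in hubs and not 1 <= dev.get("priority", 1) <= 8:
            problems.append(f"{dev['name']}: priority must be 1 through 8")
        # HA peers must be in the same cluster with identical cluster settings; otherwise
        # the push ends in a commit error or the active/passive configs drift apart.
        peer = dev.get("ha_peer")
        if peer and peer not in by_name:
            problems.append(f"{dev['name']}: HA peer {peer} is not in the cluster (commit error)")
        elif peer and any(by_name[peer].get(k) != dev.get(k) for k in ("interfaces", "logical_router")):
            problems.append(f"{dev['name']}: cluster settings differ from HA peer {peer}")
    # General Settings: a valid subnet for the pool, and an AS range inside 64512-65534
    # that holds more numbers than there are devices in the cluster.
    try:
        ipaddress.ip_network(cluster["address_pool"], strict=True)
    except ValueError:
        problems.append(f"address pool {cluster['address_pool']!r} is not a valid subnet")
    lo, hi = cluster["as_range"]
    if not PRIVATE_ASN_MIN <= lo <= hi <= PRIVATE_ASN_MAX:
        problems.append(f"AS range {lo}-{hi} must lie within {PRIVATE_ASN_MIN}-{PRIVATE_ASN_MAX}")
    elif hi - lo + 1 <= len(devices):
        problems.append(f"AS range {lo}-{hi} must be larger than the {len(devices)} devices")
    return problems

# Constructed sample: an HA hub pair plus two branches, one of them missing Interface 2.
HUB = {"priority": 1, "logical_router": "lr-1", "interfaces": ["ethernet1/1", "ethernet1/2"]}
SAMPLE_CLUSTER = {
    "address_pool": "10.255.0.0/24", "as_range": (64512, 64600),
    "hubs": [dict(HUB, name="hub-a", ha_peer="hub-b"), dict(HUB, name="hub-b", ha_peer="hub-a")],
    "branches": [{"name": "branch-1", "logical_router": "lr-1", "interfaces": ["ethernet1/1", "ethernet1/2"]},
                 {"name": "branch-2", "logical_router": "lr-1", "interfaces": ["ethernet1/1"]}],
}
```

Running `check_vpn_cluster(SAMPLE_CLUSTER)` reports only the branch with a single interface; fixing that entry yields an empty list, which is the state to reach before selecting VPN Push.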