>
    Strata Copilot
    Configure Auto VPN
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Auto VPN
    4. Configure Auto VPN
    Download PDF
    Next-Generation Firewall

    Configure Auto VPN

    Table of Contents

    Configure Auto VPN

    Create a VPN cluster to logically group hub and branch firewalls and automatically secure connections between these devices.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Strata Cloud Manager
    One of these licenses:
    • Strata Cloud Manager Essentials
    • Strata Cloud Manager Pro
    To configure Auto VPN, you must create a VPN cluster to determine which branch firewalls communicate with which gateway devices and automatically create secure connections between the gateway and branch firewalls. VPN clusters are logical groupings of managed firewalls that supports a hub and spoke topology, so consider such things as geographical location or function when logically grouping your firewalls. An autogenerated VPN configuration provides secure connectivity of up to 500 devices.
    The routing configuration is automatically generated when Auto VPN is configured. This includes creating the IPSec tunnels between your gateway and branch devices, and autogenerating the Border Gateway Protocol AS number and Router ID.
    For HA deployments, Auto VPN generates an appropriate configuration for the active and passive HA peers (for both branch and hub HA pairs) automatically. This keeps the active and passive device configurations in synchronization and thus enables the HA failovers to be seamless between the HA pairs. Auto VPN can distinguish between the individual and HA hub/branch devices and generates the appropriate configuration for the HA pairs automatically.
    For the Auto VPN, to generate the configuration on the hub/branch HA pairs automatically, you must ensure the following:
    • Both the hub/branch HA pairs must be a part of the same VPN cluster. Otherwise, a commit error is thrown.
    • The VPN cluster configuration (such as, interfaces) must be the same on both the hub/branch HA pairs.
    1. Log in to Strata Cloud Manager.
    2. Review all pending configuration changes.
      The Auto VPN push is a specialized push that includes all pending configuration changes on Strata Cloud Manager. Before you continue, Palo Alto Networks recommends reviewing all pending configuration changes to ensure they are ready to be pushed.
    3. Configure the Layer 3 Ethernet interfaces and logical routers.
      1. Configure Layer 3 Interfaces.
        The Layer 3 Ethernet interface can be a static, DHCP, or PPoE interface. Repeat this step to configure as many Layer 3 Ethernet interfaces as needed.
        Only Layer 3 interfaces are supported for configuring Auto VPN.
      2. Configure a Logical Router.
        Associate the Layer 3 Ethernet interfaces you created in the previous step with the logical router.
        Repeat this step to configure as many logical routers are needed.
      3. Create BGP Routing Profiles.
    4. Select ManageConfigurationNGFW and Prisma AccessGlobal SettingsAuto VPNConfigurationNGFW and Prisma AccessSetupAuto VPN and Add VPN Cluster.
      Be in the Global configuration scope to configure the Global Settings.
    5. Enter a descriptive Name for the VPN cluster.
    6. (SD-WAN only) Enable the VPN cluster for SD-WAN.
    7. Configure one or more hub firewalls. The hub firewall can either be an on-premise firewall or a Prisma Access remote network.
      A hub firewall that initiates and terminates VPN connections across your branch firewalls. Add at least one hub firewall to create a VPN cluster.
      1. Add Hub devices.
      2. (To add an on-premise firewall as a hub) Select and Add a managed firewall to act as a hub firewall.
        You can select multiple firewalls if you want to add multiple hub firewalls to the VPN cluster. Adding multiple hub firewalls allows you to specify a hub firewall priority in the event one firewall is down and unable to act as the hub firewall.
      3. (To add Prisma Access as a hub) With Prisma Access support, on-premises firewalls and cloud security platforms work together to provide a complete solution with consistent security policy rules managed by the Strata Cloud Manager. In the hub-and-spoke topology, the Prisma Access hub support enables you to connect the PAN-OS firewalls with Prisma Access compute nodes (CNs) to achieve cloud-based security. In a VPN cluster, it is mandatory to configure at least one hub and one branch firewall, where the hub can be either an on-premise hub or Prisma Access hub.
        You need a valid Prisma Access license (along with the AIOps for NGFW Premium license) to add a Prisma Access remote network as a hub. Without a Prisma Access license, the option to add a Prisma Access remote network as a hub will not be available to you.
        To add a Prisma Access remote network as a hub:
        1. (Mandatory) Allocate a bandwidth (WorkflowsPrisma Access SetupRemote NetworksBandwidth ManagementConfigurationNGFW and Prisma AccessSetup set the Configuration Scope to Prisma Access and select Infrastructure Settings) for the compute location to which the location maps.
        2. In Prisma Access, select Use Prisma Access As Hub to Add the Prisma Access remote network to act as a hub firewall. You can select multiple Prisma Access remote networks to act as a hub if you want to add multiple Prisma Access hub to the VPN cluster.
      4. Select the Logical Router.
      5. Select a BGP Redistribution Profile.
        The predefined All-Connected-Routes BGP redistribution profile provides the tunnel and route peering configuration required for connectivity, and also completes route advertisements to allow for branch to branch communication.
      6. Select the interfaces (Interfaces 1 - 4) to send traffic through.
        At a minimum, you must select interfaces for Interface 1 and Interface 2.
      7. (Optional) Select the MPLS Private Link.
        If you select a private link, then the IPSec tunnel is created only for the Private Link between the hub firewalls and branch firewalls.
      8. Select the Priority.
        Range is 1 through 8 where 1 is the highest priority and 8 is the lowest priority.
    8. Configure the branch devices.
      These are the branch firewalls for which the hub firewall initiates and terminates VPN connections across the other branch firewalls in the VPN cluster.
      1. Add Branch devices.
      2. Select and Add managed firewalls.
      3. Select the Logical Router.
      4. Select the BGP Redistribution Profile.
        The predefined All-Connected-Routes BGP redistribution profile provides the tunnel and route peering configuration required for connectivity, and also completes route advertisements to allow for branch to branch communication.
      5. (Optional) (Only for Prisma Access hub) (Enable Static Route from branch firewall to Prisma Access hub) By default, Enable static route to Prisma Access is enabled when you have a Prisma Access hub in your topology. When Enable static route to Prisma Access is enabled, it routes the traffic between the Prisma Access hub and the branch firewalls. Disable this option to add your own routes.
        To enable a static route to a Prisma Access remote network, ensure the following:
        • You can select only the regions (Location) and compute nodes (IPSec Termination Node) that are already configured (in Remote Network Setup). If you need static routing, first complete Location and IPSec Termination Node configuration in Remote Network Setup (Workflows > Prisma Access Setup > Remote Networks) and return to this task.
        When Enable static route to Prisma Access is enabled, assign the Prisma Access Location and IPSec Termination Node to a remote network:
        • Select the Prisma Access Location where the Prisma Access hub is located.
        • Select the IPSec Termination Node that you want to use for this remote network. Prisma Access uses this node to associate remote network locations with compute locations.
        • (Optional) Select the Link Tag you created for the branch virtual interface, which Auto VPN will assign to the virtual interface. You’ll use this link tag in a traffic distribution profile to allow the branch to participate in DIA AnyPath.
      6. Select the interfaces (Interfaces 1 - 4) to send traffic through.
        At a minimum, you must select interfaces for Interface 1 and Interface 2.
      7. (Optional) Select the MPLS Private Link.
        If you select a private link, then the IPSec tunnel is created only for the Private Link between the hub firewalls and branch firewalls.
        When you use a Prisma Access hub in your topology, you must configure only a non-private interface, as Prisma Access can connect only through non-private interfaces. Even if you select MPLS Private Link for a VPN cluster that contains Prisma Access as the hub, the private interfaces are not used to connect to the Prisma Access hub. The private interfaces only connect to other private interfaces in on-premises gateways in the VPN cluster.
    9. Save.
    10. Select and edit the General Settings to configure the VPN Address Pool and AS Number Range.
      The VPN address pool must be a valid subnet address.
      • Specify the AS Number Range that ranges between 64512—65534.
        It is mandatory to configure the AS range larger than the number of devices in the VPN cluster.
      • Enable mesh connection between hubs to establish mesh connection between the hubs (on-premises firewalls and Prisma Access) in the VPN cluster.
    11. Select Push ConfigVPN Push.
      Push VPN is available only when configuring Auto VPN to push the automatically generated VPN configuration created when you create a VPN cluster.
      The VPN Push includes all pending configuration changes on Strata Cloud Manager. Verify that any pending configuration changes are ready to be pushed.

    © 2026 Palo Alto Networks, Inc. All rights reserved.