SD-WAN Full Mesh VPN Cluster with DDNS Service

High-level steps to create an SD-WAN VPN cluster that is full mesh with DDNS Service.
SD-WAN supports a full mesh topology, in addition to the hub-spoke topology. The mesh can consist of branches with or without hubs. Use full mesh when the branches need to communicate with each other directly.
If the branch firewall receives a dynamic IP address, the firewall requires Dynamic DNS (DDNS) so that a DDNS service can detect the public-facing IP address of the firewall interface that is running SD-WAN. When you push the DDNS setting to all firewalls, that notifies each firewall to register its external interface IP address with the Palo Alto Networks DDNS cloud service so that the IP address is converted to an FQDN.
DDNS is also required because the CPE device from the ISP may be performing source NAT. The DDNS service allows the firewall to register its public-facing IP address with the DDNS server. When branch firewalls connect to each other in a branch-to-branch mesh, Auto VPN contacts the DDNS service to pull the public IP addresses that those firewalls registered in the DDNS cloud, and uses those public IP addresses to create the IKE peerings and the VPN tunnels. If the CPE device is performing source NAT, then when you add an SD-WAN branch device to be managed by Panorama, you enable Upstream NAT and set the NAT IP Address Type to DDNS.
SD-WAN full mesh with DDNS service requires the following:
  • PAN-OS 10.0.3 or a later 10.0 release
  • SD-WAN Plugin 2.0.1 or a later 2.0 release
  • ZTP Plugin 1.0.1 or a later 1.0 release that is downloaded, installed, and configured in order to leverage the DDNS that is associated with ZTP. Panorama must be ZTP-registered and communicating with the ZTP Service.
  • All firewalls participating in full mesh DDNS must be registered under the same Customer Support Portal account.
  • All firewalls participating in full mesh DDNS must have the latest device certificate installed.
  • If you have a firewall or other network device that controls outgoing traffic positioned in front of the Palo Alto Networks firewall, you must change the configuration on that device to allow traffic from the DDNS-enabled interfaces to the following FQDNs:
    • https://myip.ngfw-ztp.paloaltonetworks.com/ (to reach the whatsmyIP service)
    • https://ngfw-ztp.paloaltonetworks.com/ (to reach the DDNS registration service)
  1. Install the latest device certificate for Panorama and for all managed firewalls that are hubs or branches.
  2. Install ZTP Plugin 1.0.1 to set up Zero Touch Provisioning.
  3. Install SD-WAN Plugin 2.0.1.
  4. Commit on Panorama.
  5. Create the VPN Address Pool as shown in Create a VPN Cluster.
  6. Commit and Commit to Panorama. If your firewalls have static IP addresses, you are done. If your branch or hub firewalls in a VPN mesh have DHCP or PPPoE interfaces, you must use DDNS, so continue this procedure as follows.
  7. Select Network > Interfaces > Ethernet and, in the Template field, select the Template stack for a particular branch.
  8. Select the interface whose IP address indicates Dynamic-DHCP Client or PPPOE, click Override at the bottom of the screen, and click OK to close.
  9. If the VPN cluster includes any hubs that have a DHCP or PPPoE interface, repeat Steps 9 through 11, but in the Template field, select the Template stack for a particular hub.
  10. Commit to Panorama and Push to Devices.
  11. Verify on the branch firewall that the branch is configured with DDNS.
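As an added pre-flight check (not part of this page, Panorama or the SD-WAN plugin), the following Python encodes the requirements listed above and the static-versus-dynamic rule from step 6 over a constructed inventory, so that a fleet can be audited before the configuration is pushed. The Firewall fields, the account labels, and the "Static IP" alternative to the DDNS NAT IP Address Type are assumptions.

```python
from dataclasses import dataclass

# FQDNs the page says an upstream egress-filtering device must allow from DDNS-enabled interfaces.
DDNS_FQDNS = ("myip.ngfw-ztp.paloaltonetworks.com", "ngfw-ztp.paloaltonetworks.com")

@dataclass
class Firewall:
    name: str
    role: str                   # "hub" or "branch"
    wan_addr_type: str          # "static", "dhcp" or "pppoe"
    csp_account: str            # Customer Support Portal account (constructed label)
    device_cert_latest: bool
    upstream_nat: bool = False  # CPE in front of the firewall performs source NAT
    nat_ip_type: str = ""       # "DDNS" (per the page) or "Static IP" (assumed alternative)
    egress_allowed: tuple = ()  # FQDNs the upstream egress filter permits

def needs_ddns(fw: Firewall) -> bool:
    """DDNS is required when the SD-WAN interface gets its address from DHCP or PPPoE."""
    return fw.wan_addr_type in ("dhcp", "pppoe")

def preflight(fleet: list) -> list:
    """Return (firewall, problem) pairs for every unmet full-mesh DDNS requirement."""
    problems = []
    accounts = sorted({fw.csp_account for fw in fleet})
    if len(accounts) > 1:
        problems.append(("*", f"fleet spans CSP accounts {accounts}; all must share one"))
    for fw in fleet:
        if not fw.device_cert_latest:
            problems.append((fw.name, "latest device certificate not installed"))
        if not needs_ddns(fw):
            continue  # static address: no DDNS needed, so no further checks
        if fw.upstream_nat and fw.nat_ip_type != "DDNS":
            problems.append((fw.name, "Upstream NAT set but NAT IP Address Type is not DDNS"))
        for fqdn in DDNS_FQDNS:
            if fqdn not in fw.egress_allowed:
                problems.append((fw.name, f"upstream device blocks {fqdn}"))
    return problems

FLEET = [  # constructed sample fleet, not real devices
    Firewall("hub-1", "hub", "static", "acct-1", True),
    Firewall("branch-1", "branch", "dhcp", "acct-1", True, True, "DDNS", DDNS_FQDNS),
    Firewall("branch-2", "branch", "pppoe", "acct-1", False, False, "", DDNS_FQDNS[1:]),
    Firewall("branch-3", "branch", "dhcp", "acct-2", True, True, "Static IP", DDNS_FQDNS),
]

if __name__ == "__main__":
    for name, problem in preflight(FLEET):
        print(f"{name}: {problem}")
```

An empty result from `preflight` means every listed requirement is met for the dynamic-address members; hubs and branches with static addresses only need the device certificate and shared account checks.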
