VPN Address Pool |
Member | Add up to 20 IP address ranges (IP network with netmask) that Panorama draws from for VPN tunnel IP addresses. Panorama draws from the largest range first, then from the next largest range. Each VPN cluster member gets its tunnel IP address from the VPN address pool (the ranges) you provide. You must configure at least one entry.
If you upgrade from an earlier SD-WAN plugin, check that the ranges in the VPN Address Pool are still correct; if not, enter new ranges. After you Commit, all existing tunnels are dropped and replaced by new tunnels, so do this when cluster members are not busy.
|
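The draw order and the pre-commit sanity check described above, as an added Python example (not code from the SD-WAN plugin or Panorama): it parses the pool entries the way the field expects them (network with netmask, no host bits), orders them largest range first, and simulates handing one tunnel address to each cluster member so you can see whether the pool still covers the cluster before you Commit. The sample pool is constructed; that network and broadcast addresses are skipped and that equal-size ranges keep their entry order are assumptions.

```python
import ipaddress
from itertools import chain

# Limit stated in the VPN Address Pool description.
MAX_POOL_ENTRIES = 20

# Constructed sample pool, deliberately entered out of size order so the
# "largest range first" draw is visible. Hypothetical addresses.
SAMPLE_POOL = ["10.250.0.0/28", "10.250.1.0/24", "10.250.2.0/26"]


def ordered_pool(ranges):
    """Parse the pool entries and return them largest range first.

    Each entry must be an IP network with netmask (no host bits set), the
    pool must have 1..MAX_POOL_ENTRIES entries, and entries must not
    overlap. Equal-size ranges keep the order entered (assumption)."""
    if not ranges:
        raise ValueError("the VPN Address Pool needs at least one entry")
    if len(ranges) > MAX_POOL_ENTRIES:
        raise ValueError(f"at most {MAX_POOL_ENTRIES} pool entries are allowed")
    # strict=True rejects entries such as 10.250.0.5/28 (host bits set)
    nets = [ipaddress.ip_network(entry, strict=True) for entry in ranges]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"pool entries {a} and {b} overlap")
    # sorted() is stable, so equal-size ranges keep their entry order
    return sorted(nets, key=lambda n: n.num_addresses, reverse=True)


def usable_capacity(ranges):
    """Number of tunnel addresses the pool can hand out.

    Assumption: network and broadcast addresses are not used as tunnel
    IPs, which is what ipaddress's hosts() iterator skips."""
    return sum(sum(1 for _ in net.hosts()) for net in ordered_pool(ranges))


def assign_tunnel_addresses(ranges, members):
    """Simulate the draw: one tunnel IP per cluster member, taken from the
    largest range first. Returns {member name: address}."""
    hosts = chain.from_iterable(net.hosts() for net in ordered_pool(ranges))
    assigned = {}
    for member in members:
        try:
            assigned[member] = str(next(hosts))
        except StopIteration:
            raise ValueError(
                f"pool exhausted after {len(assigned)} of {len(members)} members; "
                "add a range before you Commit") from None
    return assigned


if __name__ == "__main__":
    for net in ordered_pool(SAMPLE_POOL):
        print(f"{net}: {sum(1 for _ in net.hosts())} usable addresses")
    print(assign_tunnel_addresses(SAMPLE_POOL, ["hub-1", "hub-2", "branch-1"]))
```

Run it against the pool you are about to push and the member list of the cluster; an overlap, a host-bits entry or an exhausted pool raises before anything is committed, which is the moment you want to find out, not after the tunnels have been dropped.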
Add |
Name | Enter a Name that
identifies the VPN cluster. |
Type | Select the Type of
SD-WAN VPN cluster: |
Branches | Add branches to associate
with each other (in a full mesh cluster) or add one or more branches
to associate with one or more hubs (in a hub-spoke or full mesh
cluster). |
Group HA Peers | In the Branches window, Group
HA Peers to sequentially display branches that are HA
peers. |
Hubs | In the Gateways window, Add one
or more hubs to associate with one or more branches. |
Hub Failover Priority | For any new or existing VPN cluster that has more than one hub, in the Gateways window you must prioritize the hubs to determine which hub traffic is sent to first and the subsequent hub failover order. A cluster supports a maximum of four hubs. Select a hub and click in the Hub Failover Priority field. Enter a priority (range is 1 to 4) for the hub. The plugin internally maps the priority to a BGP local preference value; the lower the priority value, the higher the priority and the higher the local preference.
- Priority 1 maps to local preference 250.
- Priority 2 maps to local preference 200.
- Priority 3 maps to local preference 150.
- Priority 4 maps to local preference 100.
Multiple hubs can have the same priority; the two hubs in an HA pair must have the same priority. Panorama uses the branch's BGP template to push the local preference of the hubs to the branches in the cluster. If multiple hubs in the cluster have the same priority, Panorama enables ECMP in two places on each branch firewall to determine how branches select the path: ECMP is enabled for the virtual router, and ECMP Multiple AS Support is enabled for BGP. If all hubs in the cluster have a unique priority, ECMP is disabled on the branches. |
Allow DIA VPN | For a particular SD-WAN hub, select Allow DIA VPN to allow the hub to participate in DIA AnyPath failover. A maximum of four hubs in a VPN cluster can participate in DIA AnyPath; if they are HA hubs, a total of eight hubs are supported. If you Allow DIA VPN for one HA peer in a pair, you must also enable it for the other HA peer. |
Group HA Peers | In the Gateways window, Group
HA Peers to sequentially display hubs that are HA peers. |
Refresh IKE Key | Hubs and branches use a strong, random IKE preshared key to secure VPN tunnels, and each firewall has a master key that encrypts the preshared key. You can refresh the IKE preshared key. You must Commit and Push to Devices to push the new key to the devices in the cluster.
Refresh IKE Key when cluster members are not busy.
|