SD-WAN VPN Clusters
Associate SD-WAN hubs and branches within a VPN cluster.
In a hub-spoke topology, associate SD-WAN branch
firewalls with one or more SD-WAN hubs to enable secure communication
between the branch and hub locations. In a full mesh topology, associate
SD-WAN branch firewalls with each other (and optionally with SD-WAN
hubs). When you associate branches and hubs in an SD-WAN VPN cluster,
the firewall creates the required IKE and IPSec VPN connections
between the sites based on the type of VPN cluster you specify.
Add up to 20 IP address ranges (IP network with netmask) that Panorama draws from to use as VPN tunnel IP addresses. Panorama draws from the largest range first, then from the next largest range. A VPN cluster member gets its IP address from the VPN address pool (the ranges) you provide. You must configure at least one entry. If you upgrade from an earlier SD-WAN plugin, you must check that the ranges in the VPN Address Pool are still correct. If not, enter new ranges. After you Commit, all existing tunnels are dropped and replaced by new tunnels, so do this when cluster members are not busy.
Add up to 5 IP address ranges (IP network with netmask) that are used as the local BGP addresses for Prisma Access loopback addresses.
Enter a Name that identifies the VPN cluster.
Select the Type of SD-WAN VPN cluster. Hub-Spoke: SD-WAN topology where a centralized firewall at a primary office or location acts as a gateway between branches connected using a VPN connection. Traffic between branches passes through the hub before continuing to the target branch. Mesh: SD-WAN topology that uses hubs and branches, but allows branch devices to communicate with each other directly.
Add branches to associate with each other (in a full mesh cluster), or add one or more branches to associate with one or more hubs (in a hub-spoke or full mesh cluster).
In the Branches window, Group HA Peers to sequentially display branches that are HA peers.
In the Gateways window, Add one or more hubs to associate with one or more branches.
For any new or previously existing VPN cluster that has more than one hub, in the Gateways window you must prioritize the hubs to determine which hub traffic is sent to and the subsequent hub failover order. A cluster supports a maximum of four hubs. Select a hub and click in the Hub Failover Priority field. Enter a priority (range is 1 to 4) for the hub. The plugin internally maps the priority to a BGP local preference value; the lower the priority value, the higher the priority and local preference. Priority 1 maps to local preference 250, priority 2 to local preference 200, priority 3 to local preference 150, and priority 4 to local preference 100. Multiple hubs can have the same priority; an HA pair must have the same priority. Panorama uses the branch's BGP template to push the local preference of the hubs to the branches in the cluster. If multiple hubs in the cluster have the same priority, Panorama enables ECMP in two places on each branch firewall to determine how branches select the path: ECMP is enabled for the virtual router, and ECMP Multiple AS Support is enabled for BGP. If all hubs in the cluster have a unique priority, ECMP is disabled on the branches.
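The priority-to-local-preference mapping and the ECMP decision above, as an added worked example (not code from the plugin or from this documentation). It computes what a branch would receive for a constructed set of hubs and rejects configurations the text forbids; the `Hub`, `validate_hubs` and `plan_hub_failover` names are illustrative, and treating an HA pair as one logical hub for the ECMP decision is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Hub Failover Priority -> BGP local preference, as documented for the plugin.
LOCAL_PREF_BY_PRIORITY = {1: 250, 2: 200, 3: 150, 4: 100}


@dataclass(frozen=True)
class Hub:
    name: str
    priority: int                  # Hub Failover Priority, 1 (best) to 4
    ha_peer: Optional[str] = None  # name of this hub's HA peer, if any


def validate_hubs(hubs):
    """Reject priorities outside 1-4 and HA peers whose priorities differ."""
    by_name = {h.name: h for h in hubs}
    for h in hubs:
        if h.priority not in LOCAL_PREF_BY_PRIORITY:
            raise ValueError(f"{h.name}: priority must be 1-4, got {h.priority}")
        if h.ha_peer is not None:
            peer = by_name.get(h.ha_peer)
            if peer is None:
                raise ValueError(f"{h.name}: HA peer {h.ha_peer} is not in the cluster")
            if peer.priority != h.priority:
                raise ValueError(f"HA pair {h.name}/{peer.name} must share one priority")


def plan_hub_failover(hubs):
    """Return the local preference pushed per hub, the failover order
    (highest local preference first) and whether ECMP gets enabled."""
    validate_hubs(hubs)
    local_pref = {h.name: LOCAL_PREF_BY_PRIORITY[h.priority] for h in hubs}
    # Assumption: an HA pair is one logical hub, so two HA peers sharing the
    # (required) same priority do not by themselves trigger ECMP.
    logical = {}
    for h in hubs:
        logical[frozenset({h.name, h.ha_peer or h.name})] = h.priority
    priorities = list(logical.values())
    ecmp_enabled = len(priorities) != len(set(priorities))
    order = sorted(local_pref, key=lambda n: (-local_pref[n], n))
    return {"local_preference": local_pref,
            "failover_order": order,
            "ecmp_enabled": ecmp_enabled}


if __name__ == "__main__":
    # Constructed sample: two standalone hubs plus one HA pair.
    sample = [Hub("hub-a", 1), Hub("hub-b", 2),
              Hub("hub-c1", 3, "hub-c2"), Hub("hub-c2", 3, "hub-c1")]
    print(plan_hub_failover(sample))
```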
For a particular SD-WAN hub, select Allow DIA VPN to allow the hub to participate in DIA AnyPath failover. A maximum of four hubs in a VPN cluster can participate in DIA AnyPath. If they are HA hubs, a total of eight hubs are supported. If you Allow DIA VPN for one HA peer in a pair, you must also enable it for the other HA peer.
In the Gateways window, Group HA Peers to sequentially display hubs that are HA peers.
Hubs and branches use a strong, random IKE preshared key to secure VPN tunnels, and each firewall has a master key that encrypts the preshared key. You can refresh the IKE preshared key; you must Commit and Push to Devices to push the new key to the devices in the cluster. Refresh IKE Key when cluster members are not busy.