Create a VPN Cluster

Create a VPN cluster to group branches and hubs that communicate with each other into a logical group.
In your SD-WAN configuration, you must configure one or more VPN clusters to determine which branches communicate with which hubs and creates a secure connection between the branch and hub devices. VPN clusters are logical groupings of devices, so consider things such as geographical location or function when logically grouping your devices.
PAN-OS
®
10.0.2 and earlier releases support only the Hub-Spoke SD-WAN VPN topology. In a Hub-Spoke topology, a centralized firewall hub at a primary office or location acts as the gateway between branch devices. The hub-to-branch connection is a VPN tunnel. In this configuration, traffic between branches must pass through the hub.
SD-WAN full mesh VPN topology is supported in PAN-OS 10.0.3 and later 10.0 releases.
The first time you Configure a Virtual SD-WAN Interface with direct internet access (DIA) links for an SD-WAN hub or branch firewall, a VPN cluster called
autogen_hubs_cluster
is automatically created and the SD-WAN firewall is automatically added to the VPN cluster. This allows the Panorama™ management server to Monitor SD-WAN Application and Link Performance for devices that are protected by the SD-WAN firewall and accessing resources outside of your corporate network. Additionally, any SD-WAN firewall with DIA links that you configure in the future are automatically added to the
autogen_hubs_cluster
VPN cluster containing all hubs and branches with DIA links to allow Panorama to monitor application and link performance. The
autogen_hubs_cluster
is purely for monitoring application and link health, and not to create VPN tunnels between the hubs and branches with DIA links. If you need to connect hubs and branches with VPN tunnels, you must create a new VPN cluster and add all the required hubs and branches to that cluster.
A strong, random IKE preshared key is created for all hubs and branches in the VPN cluster to secure the VPN tunnels, and each firewall has a master key that encrypts the preshared key. The system secures the preshared key, even from the administrator. You can refresh the IKE preshared key, which Panorama sends to all members of the cluster.
Refresh the preshared key when cluster members are not busy.
  1. Plan your branch and hub VPN topology to determine which branches communicate with each of your hubs. For more information, see Plan Your SD-WAN Configuration.
  2. Specify IP address ranges for the IPSec VPN tunnels that Auto VPN configuration creates.
    Auto VPN configuration creates a VPN tunnel between a hub and branches and assigns IP addresses to the tunnel endpoints. Enter subnet ranges that you want Auto VPN to use as VPN tunnel addresses.You can enter up to 20 IP prefix/netmask ranges. Auto VPN draws from that pool for VPN tunnel addresses, drawing from the largest range first (and the drawing from the next largest range when necessary). You must configure at least one range for the pool. If you don’t perform this step before pushing the configuration to a hub or branch, the Commit and Push will fail.
    If you upgrade from an earlier SD-WAN Plugin release, you must check that your ranges are still correct. If it is not, enter new ranges. After you
    Commit
    , all tunnels are dropped and new tunnels are used, so perform this task during a time you have low traffic.
    1. Select
      Panorama
      SD-WAN
      VPN Clusters
      .
    2. At the bottom of the screen, select
      VPN Address Pool
      .
    3. Add
      one or more (up to 20)
      Member
      IP address and netmask ranges, for example, 192.168.0.0/16.
    4. Click
      OK
      .
  3. Configure the VPN cluster. Repeat this step to create VPN clusters as needed.
    1. Select
      Panorama
      SD-WAN
      VPN Clusters
      and
      Add
      a VPN cluster.
    2. Enter a descriptive name for the VPN cluster.
      Underscores and spaces are not supported in the VPN cluster name and result in monitoring (
      Panorama
      SD-WAN
      Monitoring
      ) data for the cluster not to be displayed. Choose the name of the VPN cluster carefully so you do not need to change the name in the future. SD-WAN monitoring data is generated based on the old cluster name and cannot be reconciled to a new cluster name, and will cause issues with the number of reported clusters when monitoring your VPN clusters or generating reports.
    3. Select the VPN cluster
      Type
      .
      Only
      Hub-Spoke
      VPN cluster type is supported in PAN-OS 10.0.2 and earlier 10.0 releases. Beginning with PAN-OS 10.0.3, you can Create a Full Mesh VPN Cluster with DDNS Service.
    4. Add
      one or more branch devices that you determined need to communicate with each other.
      • Select
        Group HA Peers
        to display the branch devices that are HA peers together.
      • Select the branch devices to add to the cluster.
      • Click
        OK
        .
    5. Add
      one or more hub devices that you determined need to communicate with the branch devices.
      Up to four SD-WAN hub firewalls can be added to a VPN cluster. SD-WAN hubs in an HA configuration are considered as a single SD-WAN hub firewall.
      MPLS and satellite link types will form tunnels with only the same link type; for example, MPLS-to-MPLS and satellite-to-satellite. Tunnels will not be created between an MPLS link and an Ethernet link, for example.
      • Select
        Group HA Peers
        to display the hub devices that are HA peers together.
      • Select the hubs to add to the cluster and click
        OK
        .
      • For any new or previously existing VPN cluster that has more than one hub, you must prioritize the hubs to determine a) that traffic be sent to a particular hub, and b) the subsequent hub failover order. The hub failover priority range is 1 to 4. If you upgrade, the default priority is set to 4. The plugin internally translates the hub failover priority to a BGP local preference number as shown in the following table. The lower the priority value, the higher the priority and local preference. A cluster supports a maximum of four hubs. An active/passive HA pair counts as one hub. Multiple hubs can have the same priority; an HA pair must have the same priority. Panorama uses the branch’s BGP template to push the local preference of the hubs to the branches in the cluster.
        Hub Failover Priority
        Local Preference
        1
        250
        2
        200
        3
        150
        4
        100
        If multiple hubs have the same priority, Panorama enables ECMP in two places on each branch firewall to determine how branches select the path. ECMP is enabled for the virtual router (
        Network
        Virtual Routers
        ECMP
        ) and
        ECMP Multiple AS Support
        is enabled for BGP (
        Network
        Virtual Routers
        BGP
        Advanced
        ).If all hubs in the cluster have a unique priority, ECMP is disabled on the branches. If a hub priority configuration changes, Panorama reevaluates whether to enable or disable ECMP.
        • If you selected
          Group HA Peers
          , select the pair and click in the
          Hub Failover Priority
          field; enter a single
          Priority
          (range is 1 to 4), which applies to both hubs in the HA pair, and click
          OK
          .
          The Hub Failover Priority for HA Peers window appears only for configured HA pairs. If you add a new HA pair, you must configure the Hub Failover Priority for each of the two new peers independently.
          You will get an error message if you assign different priorities to hubs that are ungrouped HA peers and then you select
          Group HA Peers
          and
          Submit
          .
        • For hubs that are not HA pairs, select a hub and click in the
          Hub Failover Priority
          field; enter a priority (range is 1 to 4).
    6. Click
      OK
      to save the VPN cluster.
  4. Advertise additional prefixes at the branch to the hub.
    The firewall automatically redistributes (advertises) all non-public, connected routes from the branch to the hub. You can also redistribute any additional prefixes from the branch to the hub. The
    Prefix(es) to Redistribute
    field accepts a list of prefixes, rather than just a single prefix.
    1. Select
      Panorama
      SD-WAN
      Devices
      and select a branch firewall.
    2. Select
      BGP
      and
      Add
      one or more IP addresses with netmask to
      Prefix(es) to Redistribute
      .
    3. Click
      OK
      .
  5. Commit
    and
    Commit to Panorama
    .
  6. (
    SD-WAN Plugin 2.0.1 and later 2.0 releases
    ) If your hub firewalls in a hub-spoke VPN cluster have DHCP or PPPoE interfaces, you must use DDNS. Select
    Network
    Interfaces
    Ethernet
    and in the
    Template
    field, select Template-stack for a hub.
  7. (
    SD-WAN Plugin 2.0.1 and later 2.0 releases
    ) Select the interfaces whose IP address indicates
    Dynamic-DHCP Client
    or
    PPPOE
    , click
    Override
    on the bottom of the screen, and click
    OK
    to close.
  8. (
    SD-WAN Plugin 2.0.1 and later 2.0 releases
    ) Verify on Panorama that the DDNS settings were configured.
    1. Select
      Network
      Interfaces
      Ethernet
      and select the same interface again.
    2. Select
      Advanced
      DDNS
      .
    3. See that the DDNS settings were automatically configured with a
      Hostname
      and the
      Vendor
      set to
      Palo Alto Networks DDNS
      .
    4. Click
      OK
      .
  9. (
    SD-WAN Plugin 2.0.1 and later 2.0 releases
    )
    Commit
    and
    Commit to Panorama
    .
  10. Push the configuration to the hub(s).
    When Panorama creates virtual SD-WAN interfaces for hubs, Panorama doesn't necessarily create the interfaces using contiguous interface numbers. It might randomly skip an interface number, for example, sdwan.921, sdwan.922, sdwan.924, sdwan.925. Despite the discontiguous numbering, Panorama creates the correct number of SD-WAN interfaces. Use the operational CLI command
    show interface sdwan?
    to see the SD-WAN interfaces.
    1. Select
      Commit
      and
      Push to Devices
      .
    2. Edit Selections
      on the lower left side of the screen.
    3. Deselect
      Filter Selected
      .
    4. Click on
      Deselect All
      .
    5. Select your hub Device Group. Select
      Include Device and Network Templates
      at the bottom of the screen. You must push to hubs before pushing to branches.
      Most branches have dynamic IP addresses through their service providers, so branches must initiate the IKE/IPSec connection because the hub doesn’t have the branches’ IP address.To ensure that the hub is ready to receive the IKE/IPSec connections, the hub’s configuration must be committed and pushed before the branch’s configuration. Thus, when the branch configurations are pushed and the branches initiate the connection to the hub, the hub is ready.
    6. Select the
      Templates
      tab and
      Deselect All
      .
    7. The
      Push Scope
      is the Device Group.
      Push
      the configuration to the hub(s).
  11. Push the configuration to the branch(es) by repeating the prior step, but selecting your branch Device Group.
  12. Refresh the IKE preshared key.
    If you need to change the current IKE key that is used to secure the IPSec connections between VPN cluster devices, perform this step to randomly generate a new key for the cluster.
    Perform this step when cluster members are not busy.
    1. Select
      Panorama
      SD-WAN
      VPN Clusters
      and select a cluster.
    2. At the bottom of the screen, select
      Refresh IKE Key
      .
    3. A message appears notifying you that
      Refreshing the IKE key will generate a new security association (SA) for every SD-WAN firewall in the VPN cluster. This may cause a service disruption. Do you wish to continue? Yes | No
      Select
      Yes
      if you wish to continue.
    4. Commit
      .
      After you
      Refresh IKE Key
      , you must commit to the entire cluster; a partial commit will bring down tunnels.
    5. Push to Devices
      .

Recommended For You