Create a Full Mesh VPN Cluster with DDNS Service
Create an SD-WAN VPN cluster that is full mesh with DDNS Service.
Beginning with PAN-OS 10.0.3, SD-WAN supports a full mesh topology, in addition to the hub-spoke topology. The mesh can consist of branches with or without hubs. Use full mesh when the branches need to communicate with each other directly. Examples of use cases for full mesh include retailers that have branches and hubs, and enterprises that operate with or without hubs.
Some firewall interfaces use DHCP to get their IP address. Branch offices often use a consumer-grade internet service and receive a dynamic IP address, which of course can change. For this reason, the firewalls require Dynamic DNS (DDNS) so that a DDNS service can detect the public-facing IP address of the firewall interface that is running SD-WAN. When you push the DDNS setting to all firewalls, that notifies each firewall to register its external interface IP address with the Palo Alto Networks DDNS cloud service so that the IP address is converted to an FQDN.
DDNS is also required because the CPE device from the ISP may be performing source NAT. (The dynamic IP address may or may not be source-NAT translated.) The DDNS service allows the firewall to register the public-facing IP address with the DDNS server. When you have devices connect for branch-to-branch mesh, Auto VPN contacts the DDNS service for those firewalls to pull their public IP addresses that are registered in the DDNS cloud and uses those public IP addresses to create the IKE peering and the VPN tunnels. If the CPE device is performing source NAT, when you add an SD-WAN branch device to be managed by Panorama, you will enable Upstream NAT and the NAT IP Address Type will be
For the CPE device or upstream routing device using source NAT, you are responsible for creating the one-to-one destination NAT rule (with no port translation) on that device to translate the external IP address back to the private IP address assigned to the firewall’s interface. This translation allows the IKE and IPSec protocols to come back into the firewall. (Palo Alto Networks doesn’t have access rights to the upstream CPE or upstream router that is performing source NAT.)
SD-WAN full mesh with DDNS service requires the following:
- PAN-OS 10.0.3 or a later 10.0 release
- SD-WAN Plugin 2.0.1 or a later 2.0 release
- ZTP Plugin 1.0.1 or a later 1.0 release that is downloaded, installed, and configured in order to leverage the DDNS that is associated with ZTP. Panorama must be ZTP-registered and communicating with the ZTP Service.
- Applications and Threats Content Release Version 8354 or a later version
- All firewalls participating in full mesh DDNS must be registered under the same Customer Support Portal (CSP) account.
- All firewalls participating in full mesh DDNS must have the latest device certificate installed. Properly authenticating the firewalls, Panorama, and the cloud services is an important security procedure that requires the device certificate and the CSP and ZTP services.
- If you have a firewall or other network device that controls outgoing traffic positioned in front of the Palo Alto Networks firewall, you must change the configuration on that device to allow traffic from the DDNS-enabled interfaces to the following FQDNs:
- https://myip.ngfw-ztp.paloaltonetworks.com/ (to reach whatsmyIP service)
- https://ngfw-ztp.paloaltonetworks.com/ (to reach DDNS registration service)
- Install the latest device certificate for Panorama and for all managed firewalls that are hubs or branches.
- Install ZTP Plugin 1.0.1 to set up Zero Touch Provisioning.
- In the Panorama Administrator’s Guide, read the ZTP Overview.
- Select Panorama > Zero Touch Provisioning > Setup and edit the General settings to enable Dynamic IP Registration.
- Click OK. The General settings indicate On ZTP Service with a Tenant ID number.
- Select ZTP Service Status and confirm that the firewall Serial Number is listed.
- If you haven’t already done so, install the SD-WAN Plugin 2.0.1 or a later 2.0 release.
- Commit on Panorama.
- Create the VPN Address Pool as shown in Create a VPN Cluster.
- Create the full mesh VPN cluster.
- Select Panorama > SD-WAN > VPN Clusters.
- Select the Type to be Mesh.
- Add the Branches that need to communicate with each other.
- (Optional) Add one or more Hubs if you also want a hub in the mesh.
- Commit and Commit to Panorama. If your firewalls have static IP addresses, you are done. If your branch or hub firewalls in a VPN mesh have DHCP or PPPoE interfaces, you must use DDNS, so continue this procedure as follows.
- Select Network > Interfaces > Ethernet and in the Template field, select Template-stack for a particular branch.
- Select the interface whose IP address indicates Dynamic-DHCP Client or PPPOE, click Override on the bottom of the screen, and click OK to close.
- Verify on Panorama that the DDNS settings were configured.
- Select Network > Interfaces > Ethernet and select the same interface again.
- See that the DDNS settings were automatically configured with a Hostname based on the interface name, and the Vendor set to Palo Alto Networks DDNS. For example, on the Ethernet1/2 interface, the resulting Hostname is 0102.
- If the VPN cluster includes any hubs that have a DHCP or PPPoE interface, repeat Steps 9 through 11, but in the Template field, select Template-stack for a particular hub. Even if your hub is not in a full mesh cluster, but is in a hub-spoke cluster, if the hub uses DHCP or PPPOE to get its IP address for an SD-WAN interface, you must perform the Override steps to enable DDNS.
- Commit to Panorama and Push to Devices.
- Verify on the branch firewall that the branch is configured with DDNS.
- Log into the branch firewall.
- Select Network > Interfaces > Ethernet and for the Ethernet interface that you configured, scroll over the DDNS Info icon in the Features column to see the Vendor, Hostname, IP address, and other DDNS information.
- On another branch in the cluster, view that the Peer Address of the interface is a system-generated FQDN for the DDNS registration.
- Log onto another branch and select Network > Network Profiles > IKE Gateways.
- See that the Peer Address is a secure name, not easily referenced and showing no company information; for example 0101.8ced8460fcc5177cd3665ce41b6345323a15a612b8e52ec1d9ec057a582cb4.t13855f6c9a92d6[...]e18a0d96dab45dd767a230daac94408d0.dicedns.net
- View FQDNs of branches and hubs and update DDNS information.
- View FQDNs (generated by DDNS) for other branches and hubs: show dns-proxy fqdn all
- Update the DDNS addresses: request system fqdn refresh
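
The verification steps above can be turned into a repeatable check. The following is an added example, not Palo Alto Networks code: it audits a list of IKE gateway Peer Addresses and flags DHCP/PPPoE peers that are not DDNS FQDNs, or whose leading label does not match the remote interface. Assumptions: the hostname rule (two digits of slot, two digits of port) is inferred from the page's single example (Ethernet1/2 gives 0102); the gateway names, addresses and FQDN labels in the sample are constructed.

```python
import ipaddress
import re

DDNS_SUFFIX = ".dicedns.net"  # domain in the page's example Peer Address

def ddns_hostname(interface):
    """Assumed rule, inferred from the page's one example (Ethernet1/2 -> 0102):
    two digits of slot followed by two digits of port."""
    m = re.fullmatch(r"ethernet(\d{1,2})/(\d{1,2})", interface.strip().lower())
    if not m:
        raise ValueError(f"unsupported interface name: {interface!r}")
    return f"{int(m.group(1)):02d}{int(m.group(2)):02d}"

def classify_peer(peer):
    """Return (kind, leading_label) for one IKE gateway Peer Address."""
    peer = peer.strip().rstrip(".").lower()
    try:
        ipaddress.ip_address(peer)
        return ("static-ip", None)
    except ValueError:
        pass
    first = peer.split(".", 1)[0]
    if peer.endswith(DDNS_SUFFIX) and re.fullmatch(r"\d{4}", first):
        return ("ddns-fqdn", first)
    return ("other-fqdn", None)

def audit(gateways):
    """gateways: (name, peer_address, remote_interface, remote_is_dynamic) tuples.
    Returns findings for peers that contradict the procedure on this page."""
    findings = []
    for name, peer, iface, dynamic in gateways:
        kind, label = classify_peer(peer)
        if dynamic and kind != "ddns-fqdn":
            findings.append((name, "DHCP/PPPoE peer is not a DDNS FQDN; check the Override step"))
        elif kind == "ddns-fqdn" and label != ddns_hostname(iface):
            findings.append((name, f"FQDN label {label} does not match {iface}"))
    return findings

# Constructed sample data: hypothetical gateway names, documentation-range IPs,
# and placeholder labels standing in for the system-generated parts of the FQDN.
SAMPLE = [
    ("gw-branch2", "0102.hash-placeholder.tenant-placeholder.dicedns.net", "ethernet1/2", True),
    ("gw-branch3", "203.0.113.10", "ethernet1/1", True),
    ("gw-hub1", "198.51.100.7", "ethernet1/1", False),
    ("gw-branch4", "0101.hash-placeholder.tenant-placeholder.dicedns.net", "ethernet1/3", True),
]

if __name__ == "__main__":
    for name, msg in audit(SAMPLE):
        print(f"{name}: {msg}")
```

A static-IP peer on a DHCP or PPPoE interface usually means the Override step was skipped for that template stack, so the tunnel will break when the ISP changes the address.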